Cybersecurity: Practice
George Grispos, University of Nebraska at Omaha
All content following this page was uploaded by George Grispos on 04 November 2019.
Von Solms (2006) separated the evolution of cybersecurity countermeasures within organizations into four generational “waves”. The first generation of cybersecurity countermeasures existed up until the early 1980s and can be characterized as the “Technical Wave”. In this generation, cybersecurity countermeasures focused on mainframes and data centers, where solutions focused on enhancing the cybersecurity of the operating system through access control lists, user IDs, and the use of passwords. In addition, physical security barriers were also the norm. The second generation of countermeasures (the “Management Wave”) lasted from the early 1980s to the mid-1990s and emerged with management within organizations realizing that security was no longer just a technical issue. Hence, organizations needed to develop cybersecurity policies and procedures and integrate managers and executives in the security decision-making process. The third generation of countermeasures (the “Institutional Wave”) started in the mid-1990s and continued into the early 2000s. This wave is characterized by the demand for organizations to implement cybersecurity standards and best practices. As a result, many organizations looked to implement standards and best practices such as the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 standard. The fourth-generation wave (Von Solms 2006) (the “Information Security Governance Wave”) developed at the turn of the millennium and emerged as a result of new legal and regulatory requirements dictating that organizations implement cybersecurity policies and processes to protect information and information systems. Therefore, this wave holds that an organization’s security governance is included in, and part of, its overall corporate governance posture.

Cybersecurity Programs

In an effort to address their cybersecurity objectives, many organizations have chosen to implement cybersecurity programs (Grispos et al. 2013). The primary objective of a cybersecurity program is to protect the CIA triad while also ensuring that any legal and regulatory requirements are fulfilled. Several organizations and government agencies, such as the National Institute of Standards and Technology (NIST), the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), and the Internet Engineering Task Force (IETF), have published frameworks, processes, and best practice guidelines describing how organizations can reduce cybersecurity risk and enhance their security posture.

The NIST Cybersecurity Framework

In February 2013, the President of the United States issued Executive Order 13636 – Improving Critical Infrastructure Cybersecurity. In particular, the Executive Order called for the development of a risk-based Cybersecurity Framework including industry standards and best practices to help organizations manage and mitigate cybersecurity risks. NIST answered this call to arms by publishing in 2014 a document called the “Framework for Improving Critical Infrastructure Cybersecurity,” which has since been updated in 2018 (National Institute of Standards and Technology 2018). To achieve these objectives, NIST has published a series of documents, called Special Publications (SPs), that can be used either collectively or individually to secure information assets. These documents include:

• SP 800–12 provides an overview of cybersecurity and emphasizes the importance of cybersecurity controls and the different ways to implement them.
• SP 800–14 describes common security principles that are used and that should be incorporated within a cybersecurity policy. These guidelines can be used to enhance existing policies and develop new policies.
• SP 800–37 provides a risk-based approach called the “Risk Management Framework.” The publication provides guidelines on applying the Framework to information systems with the aim of identifying what security controls are needed, how they can be implemented, and how security control effectiveness can be assessed.
• SP 800–53 specifically describes 194 security controls that could be applied to an information system in order to enhance the security and privacy of both the system and the information that can reside within the system itself.

It must be noted that while NIST has developed and published the Framework and SPs with the aim of securing critical infrastructure and federal government information systems, any organization is free to use this approach to establish a minimum security-control baseline within its specific environment (Ross 2007).

ISO/IEC 27000 Family of Standards

The ISO/IEC 27000 family of standards is an alternative set of practices that can be applied to mitigate cybersecurity attacks. The last major revision to these standards was published in 2013. While there are nearly 50 standards in the 27000 family, two main standards called ISO/IEC 27001 and ISO/IEC 27002 are considered the baseline for cybersecurity management. The ISO/IEC 27001 standard specifies how an organization can develop and implement an Information Security Management System (ISMS). An ISMS is defined as “the policies, procedures, guidelines, associated resources, and activities, collectively managed by an organization, in the pursuit of protecting its information assets” (International Organization for Standardization/International Electrotechnical Commission 2014). Similarly, Eloff and Eloff define an ISMS as “used for establishing and maintaining a secure information environment” (Eloff and Eloff 2003). Regardless, once an organization has met the requirements specified in ISO/IEC 27001, it can become certified following the successful completion of an audit to determine that it complies with the standard. The ISO/IEC 27001 standard recommends that organizations use an improvement process such as Plan-Do-Check-Act (PDCA) or Six Sigma’s Define, Measure, Analyze, Improve, and Control as a method for designing, implementing, and reviewing an ISMS within their respective organization.

Within the above methods, organizations are required to identify and assess cybersecurity risks and then select appropriate security controls. ISO/IEC 27002 is a standard that provides security control recommendations, which can be used during the initiation, implementation, and maintenance of secure systems. ISO/IEC 27002 consists of fourteen security domains, which cover cybersecurity control information including security policies, asset management, human resource security, business continuity management, and operations security (International Organization for Standardization/International Electrotechnical Commission 2013). The idea behind ISO/IEC 27002 is that the security controls can be applied to various organizations, irrespective of type, size, risks, or the threats faced by the organization. Hence, the range of security controls covered in the standard can also provide an organization with some flexibility to adopt only the controls that it requires within its distinct environment.

IETF Request for Comments (RFC) 2196

RFC 2196 is a cybersecurity standard, formally called “Site Security,” published by the Internet Engineering Task Force (IETF). The standard, which was published in 1997, is intended to guide organizations during the development of cybersecurity policies and procedures to protect systems connected to the Internet. While the document might appear outdated, much of the information and practical guidance is still very much relevant to organizations trying to secure their information and information assets. A range of cybersecurity subjects are covered in RFC 2196, including firewall implementation, network security, security incident handling, policy development, and risk management.

Other Cybersecurity Practices

Depending on its type, an organization may decide to implement cybersecurity practices that have been specifically developed for its particular domain. For example, the Payment Card Industry Data Security Standard (PCI-DSS) was developed
by a number of major credit card companies. The purpose of PCI-DSS is to provide consistent security controls for organizations around the world that manage, handle, and store payment card information. At the time of writing, the current version of PCI-DSS (Version 3.2.1) was released in May 2018. Changes are usually made to the standard every 3 years. PCI-DSS specifies twelve requirements, which are organized into six control objectives (PCI Security Standards Council 2018):

1. Build and Maintain a Secure Network and Systems
   Requirement 1: Install and maintain a firewall configuration to protect cardholder information.
   Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.
2. Protect Cardholder Data
   Requirement 3: Protect stored cardholder data.
   Requirement 4: Encrypt transmission of cardholder data across open, public networks.
3. Maintain a Vulnerability Management Program
   Requirement 5: Protect all systems against malware and regularly update antivirus software or programs.
   Requirement 6: Develop and maintain secure systems and applications.
4. Implement Strong Access Control Measures
   Requirement 7: Restrict access to cardholder data by business need to know.
   Requirement 8: Identify and authenticate access to system components.
   Requirement 9: Restrict physical access to cardholder data.
5. Regularly Monitor and Test Networks
   Requirement 10: Track and monitor all access to network resources and cardholder data.
   Requirement 11: Regularly test security systems and processes.
6. Maintain an Information Security Policy
   Requirement 12: Maintain a policy that addresses information security for all personnel.

While PCI-DSS is not legally binding within the European Union, there are some States in the United States of America where specific laws directly refer to PCI-DSS. For example, the State of Washington has incorporated the PCI-DSS standard into state law, which stipulates that compliant organizations are shielded from liability in the event of a data breach or a security incident (The House of Representatives of the State of Washington 2010).

Another example of cybersecurity practices developed for a specific domain is the requirements described in the “Security Rule” within the Health Insurance Portability and Accountability Act (HIPAA) of 1996. More specifically, the Security Rule establishes cybersecurity standards for healthcare organizations that are legally required to protect electronic Personal Health Information (ePHI). This includes implementing appropriate administrative, physical, and technical security controls that will ensure that the confidentiality, integrity, and availability of ePHI are upheld. While HIPAA provides explicit security requirements that must be implemented by healthcare organizations, an organization can select and implement security controls from various sources, including NIST Special Publications and ISO 27002.

Cybersecurity Programs in Practice

While some organizations could be legally required to implement cybersecurity practices, there are other benefits to creating, deploying, and maintaining cybersecurity programs. Siponen and Willison argue that organizations that implement cybersecurity programs can “demonstrate their commitment to secure business practices; apply for security certification, accreditation, or a security-maturity classification attesting to their compliance to a set of rules and practices” (Siponen and Willison 2009). Effectively, implementing cybersecurity programs provides an organization with a baseline for improving its overall cybersecurity management strategy.

Several researchers (Siponen 2006; Siponen and Willison 2009; Wiander 2007) have examined
how organizations implement cybersecurity programs and evaluated how these programs impact an organization’s wider security posture. Wiander (2007) evaluated how four organizations implemented the ISO/IEC 17799 security standard. The results from this analysis showed that implementing cybersecurity programs within these organizations increased the overall understanding of cybersecurity by employees within the organizations (Wiander 2007). However, Wiander also observed that many individuals within these organizations found it difficult to implement the security standard, with the readability of the standard being one of the main problems cited during the study. Siponen (2006) made similar observations and added that many cybersecurity standards are not universally validated because they are based on personal experiences. Hence, Siponen (2006) argues that cybersecurity standards should not be treated as a “gold standard” but rather as a library of material for organizations to enhance their security posture. These concerns were further validated in a later study (Siponen and Willison 2009) when four cybersecurity standards were evaluated in several organizations. Siponen and Willison (2009) argued that when these standards are developed, they do not pay enough attention to the differences between organizations and their differing cybersecurity requirements. For example, while a larger organization could place equal emphasis on all aspects of information security, a smaller organization might lack the demand for a dedicated security incident management team and place more emphasis on antivirus solutions and firewalls. Hence, there could be cases where some organizations are not in compliance with a particular standard because they lack the resources to segregate security functions (Siponen and Willison 2009).

Conclusions

Addressing cybersecurity effectively is an extremely difficult and complex task. This is because there is no single solution to all of an organization’s security challenges. While the threat from malicious actors and nations continues to increase, organizations are under continuous pressure to identify and implement cybersecurity controls to protect company and customer information assets. One solution could involve an organization designing and implementing a cybersecurity program based on cybersecurity best practices proposed by organizations such as NIST, ISO/IEC, and IETF. However, financial constraints often limit the number and type of security controls that can be implemented within an organization. Hence, the best approach to implementing cybersecurity practices is one where an organization takes into consideration its legal and regulatory obligations while balancing the cost of security controls.

Cross-References

▶ Cybersecurity: Cybercrime and Prevention Strategies
▶ Cybersecurity: Policy

References

Eloff, J. H., & Eloff, M. (2003). Information security management: A new paradigm. Paper presented at the Proceedings of the 2003 annual research conference of the South African institute of computer scientists and information technologists on Enablement through technology.
Grispos, G., Glisson, W. B., & Storer, T. (2013). Cloud security challenges: Investigating policies, standards, and guidelines in a fortune 500 organization. Paper presented at the 21st European Conference on Information Systems, Utrecht.
Grispos, G., Jesús, G-G., Liliana, P., & Bashar N. (2017). Are you ready? Towards the engineering of forensic-ready systems. In 2017 11th International Conference on Research Challenges in Information Science (RCIS), pp. 328–333. IEEE.
International Organization for Standardization/International Electrotechnical Commission (2012). Information technology – Security techniques – Guidelines for cybersecurity. Retrieved from https://www.iso.org/obp/ui/#iso:std:iso-iec:27032:ed-1:v1:en
International Organization for Standardization/International Electrotechnical Commission (2013). Information technology – Security techniques – Code of practice for information security controls.
International Organization for Standardization/International Electrotechnical Commission (2014). ISO/IEC 27000 – Information security management systems – Overview and vocabulary.
National Institute of Standards and Technology (2018). Framework for improving critical infrastructure cybersecurity.
PCI Security Standards Council (2018). Payment Card Industry (PCI) Data Security Standard (DSS), version 3.2.1.
Peltier, T. R. (2013). Information security fundamentals. Boca Raton: CRC Press.
Ross, R. (2007). Managing enterprise security risk with NIST standards. IEEE Computer, 40(8), 88–91.
Siponen, M. (2006). Information security standards focus on the existence of process, not its content. Communications of the ACM, 49(8), 97–100.
Siponen, M., & Willison, R. (2009). Information security management standards: Problems and solutions. Information & Management, 46(5), 267–270.
The House of Representatives of the State of Washington (2010). Financial information security breaches – Credit and debit cards, chapter 151, laws of 2010 – House Bill 1149.
Von Solms, B. (2000). Information security – The third wave? Computers & Security, 19(7), 615–615.
Von Solms, B. (2006). Information security – The fourth wave. Computers & Security, 25(3), 165–168.
Wiander, T. (2007). Implementing the ISO/IEC 17799 standard in practice – findings from small and medium sized software organisations. Paper presented at the 5th International Conference on Standardization and Innovation in Information Technology, 2007. SIIT 2007.

Further Reading

Christou, G. (2016). Cybersecurity in the European Union: Resilience and adaptability in governance policy. Basingstoke, United Kingdom: Springer.
Donaldson, S. E., Siegel, S. G., Williams, C. K., & Aslam, A. (2015). Enterprise cybersecurity – How to build a successful cyberdefense program against advanced threats. New York: Apress.