1. Module 3: Cyber Risks and Incident Management
Types of hackers
Hackers and crackers
Cyberattacks and vulnerabilities
Critical security components
Incident management
Dark web and deep web
Governance and compliance
Cyber security design and maintaining proper resilience
Security operation center
Digital forensics, cyber risk, and cyber insurance
Network security
Cloud security
Application security
2. What Is a Hacker?
A hacker is a person who breaks into a computer system. The
reasons for hacking can be many: installing malware, stealing or
destroying data, disrupting service, and more. Hacking can also be done
for ethical reasons, such as trying to find software vulnerabilities so they
can be fixed.
How does hacking work?
Hackers breach defenses to gain unauthorized access into computers,
phones, tablets, IoT devices, networks, or entire computing systems.
Hackers also take advantage of weaknesses in network security to gain
access. The weaknesses can be technical or social in nature.
•Technical weaknesses: Hackers can exploit software vulnerabilities or
weak security practices to gain unauthorized access or inject malware, for
example.
•Social weaknesses: Hackers can also use social engineering to convince
those with privileged access to targeted systems to click on malicious
links, open infected files, or reveal personal information, thereby gaining
access to otherwise hardened infrastructures.
3. Who is a Hacker?
In its original sense, a hacker is a person skilled in information technology who uses that technical
knowledge to overcome an obstacle, or sometimes to achieve a goal, within a computerized system. In recent
times, however, the term is usually associated with a security hacker: someone who is always on the lookout
for ways to acquire and exploit sensitive personal, financial and organizational information that is otherwise
not accessible to them. Legitimate figures often use hacking for legal purposes.
4. Types of Hackers:
Technology has evolved rapidly in the last two decades, bringing about new innovations and tools to help us
navigate our tech-driven world.
While much technological evolution has resulted in tools that help us work, live and navigate modern life with more ease,
technology has also opened a widening window of security vulnerabilities that cybercriminals love to exploit.
Hackers—and the malware they use in their crimes—have seen much evolution as well, and the methods they use to carry
out their attacks have become increasingly sophisticated. Today’s hackers are nothing short of skilled
professionals, and they fall into a few different categories based on their motives and how they perform their attacks.
In fact, not all hackers are criminals—some are actually hired to stop criminals in their tracks. Read on for a breakdown of
14 types of hackers to watch out for.
5. 1. Black Hat: Criminal Hackers
A black hat hacker is a cybercriminal who breaks into computer systems with malicious or criminal intent. Black hat
hackers are probably what you think of when you picture a typical hacker or cybercriminal. Their advanced technical
knowledge and ability to navigate the cybersecurity landscape are what makes them so skilled in carrying out their
attacks. They go out of their way to find vulnerabilities in computer systems and software, which they exploit for
financial gain or other malicious purposes.
These individuals can do serious harm to individuals and organizations alike by stealing sensitive or personal data,
compromising entire computer systems, or altering critical networks.
Motives: To profit from data breaches
Who’s most at risk? Black hat hackers pose the most risk to organizations, which they typically target to steal sensitive
data that can compromise a business financially.
6. 2. White Hat: Authorized Hackers
Similar to black hat hackers, white hat hackers are cybersecurity experts who use their skills to find vulnerabilities in
organizational networks and computer systems. The key difference between them, however, is that white hat hackers
are authorized to hack these systems for the purpose of spotting security vulnerabilities before a criminal hacker can.
Typically hired by governments or large businesses, white hat hackers identify and fix loopholes or weaknesses found
in organizational security systems to help prevent an external attack or data breach.
Motives: Help businesses prevent cybersecurity attacks
Who’s most at risk? Criminal hackers
7. 3. Grey Hat: “Just for Fun” Hackers
A grey hat hacker is a cybersecurity expert who finds ways to hack into computer networks and systems but without the
malicious intent of a black hat hacker.
Typically, they engage in hacking activities for the pure enjoyment of finding gaps in computer systems, and they might even
let the owner know if any weak points are found. However, they don’t always take the most ethical route when employing their
hacking activities—they may penetrate systems or networks without the owner’s permission (even though they aren’t trying to
cause any harm).
Motives: Personal enjoyment
Who’s most at risk? Anyone who doesn’t want unauthorized access to their systems and networks
4. Script Kiddies: Amateur Hackers
Script kiddies are amateur hackers that don’t possess the same level of skill or expertise as more advanced hackers in the field.
To make up for this, they turn to existing malware created by other hackers to carry out their attacks.
Motives: To cause disruption
Who’s most at risk? Organizations with unsecured networks and systems
8. 5. Green Hat: Hackers-in-Training
A green hat hacker is someone who is new to the hacking world but is intently focused on increasing their cyberattack skills.
They primarily focus on gaining knowledge on how to perform cyberattacks on the same level as their black hat counterparts.
Their main intent is to eventually evolve into full-fledged hackers, so they spend their time looking for learning opportunities
from more experienced hackers.
Motives: To learn how to become an experienced hacker
Who’s most at risk? No one (yet)
6. Blue Hat: Authorized Software Hackers
Blue hat hackers are hired by organizations to bug-test a new software or system network before it’s released. Their role is to
find loopholes or security vulnerabilities in the new software and remedy them before it launches.
Motives: To identify vulnerabilities in new organizational software before it’s released
Who’s most at risk? Criminal hackers
9. 7. Red Hat: Government-Hired Hackers
Red hat hackers are hired by government agencies to spot vulnerabilities in security systems, with a specific focus on
finding and disarming black hat hackers. They’re known to be particularly ruthless in their hunt for black hat criminals, and
typically use any means possible to take them down. This often looks like using the same tactics as black hat hackers and
using them against them—using the same malware, viruses and other strategies to compromise their machines from the
inside out.
Motives: To find and destroy black hat hackers
Who’s most at risk? Black hat hackers
8. State/Nation Sponsored Hackers: International Threat Prevention
State/nation-sponsored hackers are appointed by a country’s government to gain access to another nation’s computer
systems. Their cybersecurity skills are used to retrieve confidential information from other countries in preparation for a
potential upcoming threat or attack, as well as to keep a pulse on sensitive situations that could pose a threat in the future.
These types of hackers are hired solely by government agencies.
Motives: To monitor and prevent international threats
Who’s most at risk? International hackers and criminals
10. 9. Malicious Insider: Whistleblower Hackers
Malicious insider hackers are individuals who carry out a cyberattack from within the organization they work for. Also
known as whistleblowers, their motivation for an attack can vary from acting on a personal grudge against
someone they work for to finding and exposing illegal activity within the organization.
Motives: To expose or exploit an organization’s confidential information
Who’s most at risk? Internal executives and business leaders
10. Hacktivists: Politically Motivated Hackers
A hacktivist is someone who hacks into government networks and systems to draw attention to a political or social
cause—hence why the name “hacktivist” is a play on the word “activist.” They use hacking as a form of protest,
retrieving sensitive government information, which is used for political or social purposes.
Motives: To shed light on an alarming social or political cause (or to make a political or ideological statement)
Who’s most at risk? Government agencies
11. 11. Elite Hackers: The Most Advanced Hackers
Elite hackers are the cream of the crop in the world of cybercriminals and are considered to be the highest
skilled hackers in their field. They’re often the first ones to discover cutting-edge attack methods and are
known to be the experts and innovators in the hacking world.
Motives: To perform advanced cyberattacks on organizations and individuals
Who’s most at risk? High-revenue corporations
12. Cryptojackers: Cryptocurrency Mining Hackers
Cryptojackers are known to exploit network vulnerabilities and steal computer resources as a way to mine
for cryptocurrencies. They spread malware in a variety of ways, often by planting infectious viruses across
the web. These viruses and ransomware-like tactics are used to plant malicious code on victims’ systems,
which work quietly in the background without the victims’ knowledge. Once the code is planted, it sends the
results back to the hacker.
Cryptojackers are tough to spot since the malicious code can go undetected for a long time. Since their
motive isn’t to steal victims’ data, but rather to use their system as a vehicle for cryptocurrency mining, it’s
difficult to trace the source of the infection once it’s discovered.
Motives: Cryptocurrency mining
Who’s most at risk? Any individual or organization with unsecured networks
12. 13. Gaming Hackers
A gaming hacker is someone who focuses their hacking efforts on competitors in the gaming world. With the gaming
industry booming, it’s no surprise that its own specialized category of gaming hackers has emerged as a result.
Professional gamers might spend thousands of dollars on high-performance hardware and gaming credits, and hackers
typically carry out their attacks in an attempt to steal competitors’ credit caches or cause distributed denial-of-service
(DDoS) attacks to take them out of the game.
Motives: To compromise gaming competitors
Who’s most at risk? High-profile gamers
14. Botnets: Large-Scale Hackers
Botnet hackers are malware coders who create bots to perform high-volume attacks across as many devices as
possible, typically targeting routers, cameras, and other Internet of Things (IoT) devices. The bots operate by looking
for unsecured devices (or devices that still have their default login credentials intact) to plant themselves in. Botnets
can be used directly by the hacker who created them, but they’re also frequently available for purchase on the dark
web for other hackers to take advantage of.
Motives: To compromise a high volume of network systems
Who’s most at risk? Individuals with unsecured routers and WiFi-connected devices
13. What is Cracker:
A cracker is an individual who performs cracking, or the process of breaking into a computer or a network
system. A cracker might be performing cracking for malicious activities, profit, for certain nonprofit
intentions or causes, or just for a challenge. Some crackers break into a network system deliberately to
point out the flaws involved in that network's security system. In most cases, crackers aim to gain access to
confidential data, get hold of free software applications, or carry out malicious damage to files.
Cracking takes things a step farther. Cracking is when someone performs a security hack for
criminal or malicious reasons, and the person is called a “cracker.” Just like a bank robber cracks a safe
by skillfully manipulating its lock, a cracker breaks into a computer system, program, or account with the
aid of their technical wizardry.
14. Types of cracking:
“Hackers build, crackers break,” so they say. Cracking is about reaching places you shouldn’t be or accessing things you
shouldn’t have. And it’s always with the aim of doing something naughty when you’re there: stealing data, impersonating
someone, or even just using paid software for free. Let’s take a look at some common types of cracking.
1. Password cracking
Password cracking is the act of obtaining a password from stored data. Any website or service that cares even the slightest
bit about security will store passwords as hashes rather than in plain text. Hashing is a one-way process that takes a
password, runs it through a specific hashing algorithm, and stores the resulting hash instead of the password itself. The
one-way part is important: hashing cannot be reversed. When a user attempts to log in, the password they enter is hashed
as well — if the two hashes match, the user is granted access to their account.
To crack a password, the cracker first needs to obtain the website’s stored hashes. This happens more often than you think,
because websites are hacked all the time. Next, they need to know the exact combination of hashing algorithms and any
additional techniques that a website uses to hash passwords.
With these two elements in hand, the cracker can get to work. Because hashing can’t be undone, crackers have no choice but
to try and mimic the hash instead. They’ll generate a password, hash it, and see if they get a match. Doing this manually
would take ages, so crackers use special programs and powerful custom-built computers that can output a staggering amount
of guesses every second. Brute-forcing and dictionary cracking, along with rainbow table cracking, are the most common
password cracking methods.
•Brute force cracking: The cracking program generates strings of characters, hashes each one, and keeps going until it gets a match.
•Dictionary cracking: It’s similar to brute-force cracking, but rather than trying arbitrary character strings, dictionary cracking
limits itself to actual words and other likely passwords.
•Rainbow table cracking: A rainbow table is a precomputed table of hash values that lets the cracker look up which password
produced a given hash, instead of hashing guesses one by one.
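The hash-and-compare mechanism above, as an added example (not code from the original page): the weak scheme of an unsalted fast hash falls to a single lookup in a precomputed table, while a per-user random salt plus a slow key derivation (PBKDF2 here) makes the same table useless and forces every guess to be recomputed. The word list, the stored-record layout and the iteration count are constructed assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample word list standing in for a cracker's dictionary (not real data).
SAMPLE_DICTIONARY = ["password", "letmein", "sunshine", "dragon", "qwerty"]

# Work factor for the hardened scheme; an assumption for this example (tune for production).
PBKDF2_ITERATIONS = 100_000


def unsalted_sha256(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Every user with the same password
    gets the same hash, so one precomputed table serves every leaked database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> word once. A rainbow table compresses this idea with
    hash chains; a flat dictionary has the same effect on a small word list."""
    return {unsalted_sha256(word): word for word in words}


def recover_from_table(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """With an unsalted hash, recovery is a single lookup: no hashing at crack time."""
    return table.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: per-user random salt plus a deliberately slow key derivation.
    Stored record layout (assumed for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Login check: re-derive with the stored salt and parameters, compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept it
    if algo != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), hash_hex)


def table_hit_on_hardened_hash(stored: str, table: Dict[str, str]) -> Optional[str]:
    """Why salting defeats precomputation: the derived key of a salted, iterated
    hash is not in any table built from bare hashes of passwords."""
    hash_hex = stored.split("$")[3]
    return table.get(hash_hex)


if __name__ == "__main__":
    table = build_lookup_table(SAMPLE_DICTIONARY)
    weak = unsalted_sha256("sunshine")
    print("unsalted SHA-256 recovered:", recover_from_table(weak, table))       # sunshine
    strong = hash_password("sunshine")
    print("salted PBKDF2 found in table:", table_hit_on_hardened_hash(strong, table))  # None
    print("login with correct password:", verify_password("sunshine", strong))  # True
    print("login with wrong password:", verify_password("Sunshine", strong))    # False
```

Two calls to hash_password("sunshine") produce different records because each draws a fresh salt, which is exactly what stops one table from covering every user.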
15. 2.Software cracking
Software cracking is when someone alters a piece of software to disable or entirely remove one or more of its
features. Copy protections in paid software are frequent targets of software cracking, as are the pop-up purchase
reminders (or “nag screens”) you often see in free shareware.
If you’ve ever heard of (or used) “cracked” software, it usually refers to a paid product that’s had its copy protections
removed or defanged. Developers incorporate copy protections, such as serial number authentication, to prevent people
from copying and pirating software. Once cracked, the software can be distributed and used for free. Most software
cracking uses at least one of the following tools or techniques:
•Keygen: Short for “key generator,” a keygen is a program a cracker builds to generate valid serial numbers for a
software product. If you want to use the software for free, you can download the keygen and generate your own serial
number, allowing you to fool the developer’s copy protection into thinking you’ve paid for the software.
•Patch: Patches are small bits of code that modify existing programs. Developers release patches for software all the
time. Crackers can make them too, and when they do, the patch’s job is to alter the way the program works by removing
unwanted features.
•Loader: A loader’s job is to block the software’s protection measures as the software starts up. Some loaders bypass
copy protections, while others are popular with gamers who enjoy cheating in online multiplayer games.
16. 3. Network cracking:
Network cracking is when someone breaks through the security of a LAN, or “local area
network.” Cracking a wired network requires a direct connection, but cracking a wireless network is much more
convenient because the cracker just needs to be close to the wireless signal.
A common example of a wireless LAN is the Wi-Fi system in your home. You’ve got your router, which emits a Wi-Fi
signal, and all your devices are connected to it. Together, they form a local network. Someone could theoretically stand
outside your home and attempt to crack your Wi-Fi network. If your network is password-protected, they’ll need to use
some password cracking techniques as part of their network crack.
Unsecured Wi-Fi networks are the easiest targets because there’s nothing in the way of the cracker. They don’t need to do
any actual cracking — all they need is a sniffer or a way to intercept the data flowing openly across the network. Any
wireless network is potentially at risk of network cracking, so be extra careful when using public Wi-Fi and protect your
data with a VPN.
17. Why do people crack?
There’s a colorful spectrum of nefarious activities that crackers can get up to once they’re inside a system or program. While
some are more harmful than others, one thing connects them all: cracking is always malicious. So why do crackers crack?
•Data theft: Inside a company’s or a website’s servers, a cracker can access all sorts of data. One common data heist
involves stealing user information and login credentials. Then, the cracker will sell this information on the black market to
other criminals who can use it for phishing attacks or to commit identity theft.
•Corporate espionage: Crack a company’s systems, and you’ve got firsthand access to all their juicy trade secrets.
Companies and state-sponsored cracking groups hack other companies all the time to pilfer their most valuable and closely
guarded information.
•Data manipulation: It’s not always about stealing information. Sometimes, a cracker may wish to edit data stored on a
server. For example, they may alter bank balance sheets, falsify legal or medical records, or transfer funds from one account
to another.
•Damage: You can copy data, as with data theft, or you can manipulate it. But another option is to remove it entirely, and this
happens frequently as well. By deleting crucial pieces of data, a cracker can cause severe damage to a computer system, such
as one responsible for critical infrastructure.
•Spreading malware:Once inside a system, a cracker can seed it with malware. This can range from spyware that logs user
activity, to adware that showers users in pop-ups, to ransomware that encrypts valuable data, or even to rootkits that keep all
the other malware hidden away.
18. How can I prevent cracking?
So long as computer systems exist, there will be folks out there who want to break into them. While you can’t prevent the act
of cracking entirely, you can reduce your own risk of becoming a victim. There are a few things you can start doing today to
make yourself and your gear more resilient to cracking.
Don’t repeat passwords: If a cracker breaks one of your passwords, they won’t have access to any of your other accounts as
long as you use different passwords for each account. Then, you just have to reset the one. And when creating new passwords,
use strong password creation practices.
Stay off public Wi-Fi: Unsecured wireless networks are not safe places for your data. If you must use public Wi-Fi, see the
next tip.
Use a VPN: A VPN is a virtual private network that protects your internet traffic with an encrypted tunnel. That means if your
network gets cracked, your traffic will still be protected.
Change your router’s login info: Cybercriminals know the stock passwords for telecoms equipment like routers. Change
your router’s login info ASAP, following strong password creation practices.
19. Keep your software updated: The older your software is, the more likely it is that crackers know about its
vulnerabilities. Many software updates are issued to patch these holes.
Don’t click ads: Ads can be a disguise for cyberattacks in a practice known as “malvertising.” If you click an
infected ad, it might download malware onto your device or redirect you to a malicious phishing website. Err on
the side of caution and ignore online ads.
Check for HTTPS: Never enter any personal info on websites that aren’t using HTTPS. Always check to see if
the website you’re visiting is safe — you’ll know it’s safe if you see a little padlock icon in the address bar, and
the URL will begin with HTTPS.
But the surest way to prevent cracking and other security threats from upending your digital life is to use a robust
antivirus tool. Avast One is especially designed by security and privacy professionals to protect your personal
information and all your online activity. Download it today to browse without fear of cracking.
20. How can I protect against cracking?
The preventative measures described above will help keep you safe from cracking, but there’s still more you can do. By
making some long-term changes in the way you approach the internet and your digital devices, you can gain even stronger
protection against cracking and other threats.
Start using a password manager today. A password manager safely stores all your passwords so you can use unique ones
for each account and not having to worry about remembering all of them yourself. It’ll even create hard-to-crack passwords
for you, freeing you from the burden of creating new ones all the time.
Activate two-factor authentication (2FA). By requiring another mode of authentication — like an SMS code — in
addition to a password, 2FA insulates your accounts against cracking. It’s not foolproof, but it’s better than just a password.
Your email should offer 2FA, as should your bank and social media accounts. Wherever you can use it, you should do so.
Restrict your social audience. Personal information helps people crack your passwords and answer your security
questions. Think twice about how much content you need to share with the global public on social media sites.
Use antivirus software. One of cracking’s main goals is to install malware. Strong antivirus software detects and blocks
malware before it can infect your device.
Never send sensitive personal info via email. Financial and banking details, PINs, credit card numbers, your social
security number, and any passwords: if you absolutely must transmit those, do so securely. Emails can be intercepted, and if
so, your information is exposed.
Ignore email attachments from unknown senders. Getting a victim to download and open a malware-infected email
attachment is one of the oldest cracking tricks in the book. If you don’t know the sender, or if the email is from a known
contact but doesn’t sound like them, ignore the attachment. The same goes for strange links that you might receive, not only
via email but also in social media messages or SMS.
21. Parameters: Hackers vs. Crackers

Definition
Hackers: Hackers are good people who hack devices and systems with good intentions. They might hack a system
for a specified purpose or for obtaining more knowledge out of it.
Crackers: Crackers are people who hack a system by breaking into it and violating it with some bad intentions.
They may hack a system remotely for stealing the contained data or for harming it permanently.

Skills and Knowledge
Hackers: They have advanced knowledge of programming languages and computer OS. Hackers are very skilled
and intelligent people.
Crackers: These people may be skilled. But most of the time, they don’t even need extensive skills. Some
crackers only have a knowledge of a few illegal tricks that help them in stealing data.

Role in an Organization
Hackers: Hackers work with specific organizations to help them in protecting their information and important
data. They mainly provide organizations with expertise in security and internet safety.
Crackers: Crackers harm an organization. These are the people from whom hackers defend sensitive data and
protect the organizations as a whole.

Ethics
Hackers: These are ethical types of professionals.
Crackers: These are illegal and unethical types of people who only focus on benefiting themselves with their
hacking.

Data Security
Hackers: They protect the data and never steal or damage it. Their only intention is to gain knowledge from the
concerned data and information.
Crackers: They usually steal, delete, corrupt, or compromise the data they find from a system’s loopholes. Your
data stays vulnerable in the hands of a cracker.

Use of Tools
Hackers: Hackers use their own legal tools for checking network strength, establishing security, and protecting
an organization from internet threats.
Crackers: Crackers don’t have any tools of their own. They make use of someone else’s tools for performing
illegal activities and harming or compromising a system.

Network Strength
Hackers: They help improve a network’s strength.
Crackers: They harm and deplete a network’s strength.

Certification
Hackers: They always have legal certificates for hacking, for example, XCEH certificates. Hackers have nothing to
hide and perform legal activities. Thus, they need certification for the work they do.
Crackers: They usually don’t have any certificates as they are unskilled. But some of them may even have
certificates. Crackers usually refrain from certification because they prefer staying anonymous about their work.
22. Critical Security Components:
01. Inventory and Control of Enterprise Assets
The first step in developing and implementing a comprehensive cybersecurity strategy is to understand your company’s
assets, who controls them and the roles they play. This includes establishing and maintaining an accurate, updated and
detailed list of all hardware connected to your infrastructure, including assets that aren’t under your control, such as
employees’ personal cell phones. Portable user devices will periodically join a network and then disappear, making the
inventory of currently available assets very dynamic.
Why is this critical? Without this information, you can’t be sure you’ve secured all possible attack surfaces. Keeping an
inventory of all assets connecting to your network and removing unauthorized devices can dramatically reduce your risk.
02. Inventory and Control of Software Assets
It addresses threats from the dizzying array of software that modern companies use for business operations. It includes
the following key practices:
•Identify and document all software assets, and remove any that are outdated or vulnerable.
•Prevent the installation and use of unauthorized software by creating an authorized software allowlist.
•Use automated software tracking tools to monitor and manage software applications.
Why is this critical? Unpatched software continues to be a primary vector for ransomware attacks. A comprehensive
software inventory helps you ensure that all of your software is updated and any known vulnerabilities have been patched
or mitigated. This is particularly critical for software that contains open-source components since their vulnerabilities are
public knowledge.
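The three practices of Control 2 carried through in code, as an added example that is not part of the original page or of the CIS Controls: a software inventory is checked against an authorized-software allowlist, and each installed package is reported as authorized, outdated (listed, but below the approved version) or unauthorized (not listed at all). The allowlist, the inventory line format ("host,package,version") and the sample hosts are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed allowlist (assumption for this example): package name -> minimum approved version.
# Anything not listed is unauthorized; anything listed but older than the minimum is outdated.
ALLOWLIST: Dict[str, Tuple[int, ...]] = {
    "openssl": (3, 0, 13),
    "nginx": (1, 24, 0),
    "python3": (3, 11, 0),
    "sudo": (1, 9, 15),
}


@dataclass(frozen=True)
class InstalledPackage:
    host: str
    name: str
    version: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.24.0-2ubuntu1' into (1, 24, 0): compare on the leading dotted numeric part only."""
    match = re.match(r"(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def classify(pkg: InstalledPackage) -> str:
    """Return 'authorized', 'outdated' or 'unauthorized' for one package against ALLOWLIST."""
    minimum = ALLOWLIST.get(pkg.name)
    if minimum is None:
        return "unauthorized"
    return "authorized" if parse_version(pkg.version) >= minimum else "outdated"


def parse_inventory(lines: Iterable[str]) -> List[InstalledPackage]:
    """Parse the constructed 'host,package,version' inventory format; skip blank and comment lines."""
    packages = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        host, name, version = (field.strip() for field in line.split(","))
        packages.append(InstalledPackage(host, name, version))
    return packages


def review_inventory(packages: Iterable[InstalledPackage]) -> Dict[str, Dict[str, List[str]]]:
    """Per host, list the packages needing action, e.g. {'web01': {'outdated': [...], 'unauthorized': [...]}}.
    Hosts with nothing to fix are left out so the report is directly actionable."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    for pkg in packages:
        status = classify(pkg)
        if status == "authorized":
            continue
        findings.setdefault(pkg.host, {}).setdefault(status, []).append(f"{pkg.name} {pkg.version}")
    return findings


# Constructed sample inventory, standing in for the output of an automated tracking tool.
SAMPLE_INVENTORY = """
# host,package,version
web01,nginx,1.24.0-2
web01,openssl,1.1.1w
web01,netcat-traditional,1.10-47
db01,python3,3.12.1
db01,sudo,1.9.15p5
""".splitlines()


if __name__ == "__main__":
    for host, issues in review_inventory(parse_inventory(SAMPLE_INVENTORY)).items():
        for status, pkgs in issues.items():
            print(f"{host}: {status}: {', '.join(pkgs)}")
```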
23. 03. Data Protection
Your data is one of your company’s most valuable assets. CIS Control 3 outlines a method
of protecting your data by detailing processes and technical controls to identify, classify,
securely handle, retain and dispose of data. Be sure to include provisions for:
•Data inventory
•Data access controls
•Data retention
•Data disposal
•Data encryption in all phases and on removable media
•Data classification
•Data flow maps
•Segmenting data processing and storage based on sensitivity
•Data loss prevention
•Logging access and activity around sensitive data
Why is this critical? Although many data leaks are the result of deliberate theft, data loss
and damage can also occur because of human error or poor security practices. Solutions
that detect data exfiltration can minimize these risks and mitigate the effects of data
compromise.
24. 04. Secure Configuration of Enterprise Assets and Software
It details best practices to establish and maintain secure configurations on hardware and software assets.
Why is this critical? Even one configuration error can open up security risks and disrupt business operations.
Using automated software simplifies the process of hardening and monitoring your IT assets; for
example, Netwrix Change Tracker provides CIS-certified build templates that help you quickly establish
strong baseline configurations and alerts you to unexpected changes in real time so you can promptly take
action to minimize risk.
05. Account Management
Securely managing user, administrator and service accounts is vital to preventing their exploitation by
attackers. Control 5 includes six steps for avoiding security problems caused by vulnerable accounts:
•Create and maintain an inventory of all accounts.
•Use unique passwords.
•Disable accounts that haven’t been used for 45 days.
•Restrict use of privileged accounts.
•Create and maintain an inventory of service accounts.
•Centralize all account management.
Why is this critical? Privileged and unused accounts provide an avenue for attackers to target your network.
Minimizing and controlling these accounts will help protect your data and network from unauthorized access.
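The six Control 5 steps turned into a review over an account inventory, as an added example (not code from the original page or from CIS): it flags enabled accounts unused for more than 45 days for disabling, lists enabled privileged accounts whose use should be restricted, and reports service accounts missing an owner in the inventory. The account records, the "owner" field and the sample dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

MAX_IDLE_DAYS = 45  # the control's threshold for disabling unused accounts


@dataclass(frozen=True)
class Account:
    name: str
    kind: str                    # "user", "admin" or "service"
    enabled: bool
    last_login: Optional[date]   # None means the account has never been used
    owner: Optional[str] = None  # assumed inventory field: person responsible for a service account


def is_idle(acct: Account, today: date, max_idle_days: int = MAX_IDLE_DAYS) -> bool:
    """Idle means enabled and unused for longer than the threshold; never-used counts as idle.
    Already-disabled accounts are not reported again."""
    if not acct.enabled:
        return False
    if acct.last_login is None:
        return True
    return (today - acct.last_login).days > max_idle_days


def review_accounts(accounts: Iterable[Account], today: date) -> Dict[str, List[str]]:
    """Produce the lists an account review needs:
      disable          - enabled accounts idle for more than MAX_IDLE_DAYS
      privileged       - enabled admin accounts, whose use should be restricted to admin tasks
      service_no_owner - service accounts with no owner recorded in the inventory"""
    report: Dict[str, List[str]] = {"disable": [], "privileged": [], "service_no_owner": []}
    for acct in accounts:
        if is_idle(acct, today):
            report["disable"].append(acct.name)
        if acct.kind == "admin" and acct.enabled:
            report["privileged"].append(acct.name)
        if acct.kind == "service" and not acct.owner:
            report["service_no_owner"].append(acct.name)
    return report


# Constructed sample inventory (not real accounts); TODAY is fixed so the example is reproducible.
TODAY = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "user", True, TODAY - timedelta(days=3)),
    Account("bob", "user", True, TODAY - timedelta(days=60)),
    Account("carol", "admin", True, TODAY - timedelta(days=10)),
    Account("dave-old", "admin", False, TODAY - timedelta(days=400)),
    Account("svc-backup", "service", True, TODAY - timedelta(days=1), owner="ops-team"),
    Account("svc-legacy", "service", True, None),
]


if __name__ == "__main__":
    for category, names in review_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(f"{category}: {', '.join(names) or '(none)'}")
```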
25. 06. Access Control Management
Control 6 concerns controlling user privileges. Its best practices include establishing an access granting and revoking
process, using multifactor authentication, and maintaining an inventory of systems for access control.
Why is this critical? Granting overly broad privileges for the sake of expediency opens an avenue of attack. By limiting
each user’s access rights to only what’s required to do their job, you’ll limit your attack surface.
07. Continuous Vulnerability Management
This control covers identifying, prioritizing, documenting and remediating each security vulnerability in your network.
Examples include open services and network ports, and default accounts and passwords.
Why is this critical? Organizations that don’t proactively identify infrastructure vulnerabilities and take remediation
measures are likely to have their assets compromised or suffer business disruptions.
08. Audit Log Management (Maintain Record)
Audit log management involves controls related to collecting, storing, retaining, time synchronizing and reviewing audit
logs.
Why is this critical? Security logging and analysis helps prevent attackers from hiding their location and activities. Even if
you know which systems were compromised in a security incident, if you don’t have complete logs, you’ll have a hard time
understanding what an attacker has done so far and responding effectively. Logs will also be needed for follow-up
investigations and determining the origin of attacks that remained undetected for a long time.
26. 09. Email and Web Browser Protections
Email and web browsers are common vectors of attack. The primary technical controls for securing email servers and
web browsers include blocking malicious URLs and file types. For more comprehensive protection against such
attacks, you must also provide organization-wide training on best security practices.
Why is this critical? Using techniques like spoofing and social engineering, attackers can trick users into taking
actions that can spread malware or provide access to confidential data.
10. Malware Defenses
Organizations wielding ransomware and other malware have become as professional as mainstream businesses. This
control describes safeguards to prevent or control the installation, execution and spread of malicious software.
Centrally managing both behavior-based anti-malware and signature-based tools with automatic updates provide the
most robust protection against malware.
Why is this critical? Malware can come in the form of trojan horses, viruses and worms that steal, encrypt or destroy
your data. Ransomware is big business, with a global price tag expected to reach $265 billion by 2031. Following the
practices outlined in this control will help protect your organization against an expensive and damaging malware infection.
27. 12. Network Infrastructure Management
It requires you to actively manage all your network devices to mitigate the risks of attacks aimed at compromised network
services and access points.
Why is this critical? Network security is a foundational element in defending against attacks. Businesses must constantly
evaluate and update configurations, access control and traffic flows to harden their network infrastructure. Fully documenting
all aspects of your network infrastructure and monitoring it for unauthorized modifications can alert you to security risks.
13. Network Monitoring and Defense
It focuses on using processes and tools to monitor and defend against security threats across your network infrastructure and
user base. The 11 safeguards in this control cover how to collect and analyze the data required to detect intrusions, filter traffic,
manage access control, collect traffic flow logs and issue alerts about security events.
Why is this critical? Combining automated technology and a team trained to implement processes to detect, analyze and
mitigate network threats can help protect against cybersecurity attacks.
14. Service Provider Management
It deals with data, processes and systems handled by third parties. It includes guidelines for creating an inventory of service
providers, managing and classifying service providers, including security requirements in your contracts, and assessing,
monitoring and securely dismissing service providers.
Why is this critical? Even when you outsource a service, you’re ultimately responsible for the security of your data and could
be held liable for any breaches. Although using service providers can simplify your business operations, you can run into
complications quickly if you don’t have a detailed process for ensuring that data managed by third parties is secure.
28. 15. Security Awareness and Skills Training
It involves implementing an educational program to improve cybersecurity awareness and skills among
all your users. This training program should:
•Train people to recognize social engineering attacks.
•Cover authentication best practices.
•Cover data handling best practices, including the dangers of transmitting data over insecure
networks.
•Explain the causes of unintentional data exposure.
•Train users to recognize and report security incidents.
•Explain how to identify and report missing security updates.
•Provide role-specific security awareness and skills training.
Why is this critical? Many data breaches are caused by human error, phishing attacks and
poor password policies. Training your employees in security awareness can prevent costly
data breaches, identity theft, compliance penalties and other damage.
29. 16. Application Software Security
Managing the security lifecycle of your software is essential to detecting and correcting security weaknesses. You should
regularly check that you’re using only the most current versions of each application and that all the relevant patches are
installed promptly.
Why is this critical? Attackers often take advantage of vulnerabilities in web-based applications and other software.
Exploitation methods such as buffer overflows, SQL injection attacks, cross-site scripting and clickjacking can
enable them to compromise your data without having to bypass network security controls and sensors.
17. Incident Response Management
Proper incident response can be the difference between a nuisance and a catastrophe. It includes planning, role definition,
training, management oversight and other measures required to help discover attacks and contain damage more effectively.
Why is this critical? Sadly, in most cases, the chance of a successful cyberattack is not “if” but “when.” Without an incident
response plan, you may not discover an attack until it inflicts serious harm. With a robust incident response plan, you may
be able to eradicate the attacker’s presence and restore the integrity of the network and systems with little downtime.
18. Penetration Testing
This control requires you to assess the strength of your defenses by conducting regular external and internal penetration tests.
Implementation of this control will enable you to identify vulnerabilities in your technology, processes and people that
attackers could use to enter your network and do damage.
Why is this critical? Attackers are eager to exploit gaps in your processes, such as delays in patch installation. In a complex
environment where technology is constantly evolving, it is especially vital to periodically test your defenses to identify gaps
and fix them before an attacker takes advantage of them.
30. Incident Management:
Security incident management is the process of identifying,
managing, recording and analyzing security threats or
incidents in real-time. It seeks to give a robust and
comprehensive view of any security issues within an IT
infrastructure. A security incident can be anything from an
active threat to an attempted intrusion to a successful
compromise or data breach. Policy violations and
unauthorized access to data such as health, financial, social
security numbers, and personally identifiable records are
all examples of security incidents.
31. THE CYBERSECURITY INCIDENT MANAGEMENT PROCESS:
As cybersecurity threats continue to grow in volume and sophistication, organizations
are adopting practices that allow them to rapidly identify, respond to, and mitigate these types of
incidents while becoming more resilient and protecting against future incidents.
Security incident management utilizes a combination of appliances, software systems, and
human-driven investigation and analysis. The security incident management process typically
starts with an alert that an incident has occurred and engagement of the incident response team.
From there, incident responders will investigate and analyze the incident to determine its scope,
assess damages, and develop a plan for mitigation.
This means that a multi-faceted strategy for security incident management must be
implemented to ensure the IT environment is truly secure. The ISO/IEC Standard
27035 outlines a five-step process for security incident management, including:
1. Prepare for handling incidents.
2. Identify potential security incidents through monitoring and report all incidents.
3. Assess identified incidents to determine the appropriate next steps for mitigating the risk.
4. Respond to the incident by containing, investigating, and resolving it (based on the outcome of
step 3).
5. Learn and document key takeaways from every incident.
32. HOW SECURITY INCIDENT MANAGEMENT WORKS:
While incident response measures can vary depending on the organization and related business functions,
there are general steps that are often taken to manage threats. The first step may start with a full
investigation of an anomalous system or irregularity within the system, data, or user behavior.
For example, a security incident management team may identify a server that is operating more slowly than
normal. From there the team will assess the issue to determine whether the behavior is the result of a
security incident. If that proves to be the case, then the incident will be analyzed further; information is
collected and documented to figure out the scope of the incident and steps required for resolution, and a
detailed report is written of the security incident.
If needed, law enforcement may be involved. If the incident involves exposure or theft of sensitive customer
records, then a public announcement may be made with the involvement of executive management and a
public relations team.
33. 6 Phases in the Incident Response Plan:
An incident response plan is a documented, written plan with 6 distinct phases that
help IT professionals and staff recognize and deal with a cybersecurity incident like a data
breach or cyber attack. Properly creating and managing an incident response plan involves
regular updates and training.
How to create an incident response plan
An incident response plan should be set up to address a suspected data breach in a series of
phases. Within each phase, there are specific areas of need that should be considered.
The incident response phases are:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned
34. 1. Preparation:
This phase will be the workhorse of your incident response planning, and in the end, the most crucial phase to
protect your business. Part of this phase includes:
•Ensure your employees are properly trained regarding their incident response roles and responsibilities in the event
of a data breach.
•Develop incident response drill scenarios and regularly conduct mock data breaches to evaluate your incident
response plan.
•Ensure that all aspects of your incident response plan (training, execution, hardware and software resources, etc.)
are approved and funded in advance.
Your response plan should be well documented, thoroughly explaining everyone’s roles and responsibilities. Then
the plan must be tested in order to assure that your employees will perform as they were trained. The more prepared
your employees are, the less likely they’ll make critical mistakes.
Questions to address
•Has everyone been trained on security policies?
•Have your security policies and incident response plan been approved by appropriate management?
•Does the Incident Response Team know their roles and the required notifications to make?
•Have all Incident Response Team members participated in mock drills?
35. 2. Identification
This is the process where you determine whether you’ve been breached. A breach, or incident,
could originate from many different areas.
Questions to address
•When did the event happen?
•How was it discovered?
•Who discovered it?
•Have any other areas been impacted?
•What is the scope of the compromise?
•Does it affect operations?
•Has the source (point of entry) of the event been discovered?
36. 3. Containment
When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it.
However, that will likely hurt you in the long run since you’ll be destroying valuable evidence that you need to determine
where the breach started and devise a plan to prevent it from happening again.
Instead, contain the breach so it doesn’t spread and cause further damage to your business. If you can, disconnect affected
devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to have a redundant
system back-up to help restore business operations. That way, any compromised data isn’t lost forever.
This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-
factor authentication), change all user and administrative access credentials and harden all passwords.
Questions to address
•What’s been done to contain the breach short term?
•What’s been done to contain the breach long term?
•Has any discovered malware been quarantined from the rest of the environment?
•What sort of backups are in place?
•Does your remote access require true multi-factor authentication?
•Have all access credentials been reviewed for legitimacy, hardened and changed?
•Have you applied all recent security patches and updates?
37. 4. Eradication
Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all malware
should be securely removed, systems should again be hardened and patched, and updates should be applied.
Whether you do this yourself or hire a third party to do it, you need to be thorough. If any trace of malware or security
issues remains in your systems, you may still be losing valuable data, and your liability could increase.
Questions to address
•Have artifacts/malware from the attacker been securely removed?
•Has the system been hardened, patched, and updates applied?
•Can the system be re-imaged?
38. 5. Recovery
This is the process of restoring and returning affected systems and devices back into your
business environment. During this time, it’s important to get your systems and business
operations up and running again without the fear of another breach.
Questions to address
•When can systems be returned to production?
•Have systems been patched, hardened and tested?
•Can the system be restored from a trusted back-up?
•How long will the affected systems be monitored and what will you look for when
monitoring?
•What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion
detection/protection, etc)
39. 6. Lessons Learned
•Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and
discuss what you’ve learned from the data breach.
•This is where you will analyze and document everything about the breach. Determine what worked well in your
response plan, and where there were some holes.
•Lessons learned from both mock and real events will help strengthen your systems against the future attacks.
Questions to address
•What changes need to be made to the security?
•How should employees be trained differently?
•What weakness did the breach exploit?
•How will you ensure a similar breach doesn’t happen again?
No one wants to go through a data breach, but it’s essential to plan for one. Prepare for it, know what to do when it
happens, and learn all that you can afterward.
40. Dark Web and Deep Web
What is Dark Web:
The dark web is the part of the internet where users can access unindexed
web content anonymously through a variety of encryption techniques. While the dark
web is popularly associated with illegal activities, it is also used by the intelligence
community, whistleblowers, members of the media, and ordinary citizens whose
communication may be monitored or restricted by the government.
An exploration of what the dark web is can begin by understanding its origins.
Developed to help anonymize government intelligence communications, the dark web
takes advantage of network routing capabilities designed initially to protect
intelligence data online via the use of special equipment and programs. A Tor Browser
or an Invisible Internet Project (I2P) setup must be configured to allow anonymous
online activity for dark websites to be reachable.
“Tor, which stands for ‘onion router’ or ‘onion routing,’ is designed primarily to keep
users anonymous,” the security software company Radware explains in
“Understanding the Darknet and Its Impact on Cyber Security” in Security Boulevard.
“Just like the layers of an onion, data is stored within multiple layers of encryption.
Each layer reveals the next relay until the final layer sends the data to its destination.
Information is sent bidirectionally, so data is being sent back and forth via the same
tunnel. On any given day, over 1 million users are active on the Tor network.”
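To make the "layers of an onion" description concrete, here is an added example (not from the slides, from Radware or from the Tor Project) that builds a three-relay onion and lets each relay peel exactly one layer, so the trace shows what each relay can and cannot see. It assumes per-relay keys pre-shared with the client and substitutes a toy HMAC-SHA256 stream cipher for Tor's real AES-CTR relay encryption and cell format.

```python
"""Layered ("onion") encryption walk-through: each relay peels exactly one
layer and learns only its previous and next hop, never the final destination
or the payload unless it is the last relay.

Toy example. The authenticated stream cipher below is built from HMAC-SHA256
so the script runs with the standard library only; real Tor uses AES-CTR with
per-hop keys negotiated by a handshake and its own cell format, neither of
which is reproduced here. Relay keys are assumed to be pre-shared.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream made of HMAC(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on a wrong key or an
    altered layer, so a relay cannot silently read or modify another relay's layer."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered layer")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Client side: wrap the payload once per relay, innermost layer first
    (exit relay), so the guard's layer ends up on the outside. `path` is
    [(relay_name, key), ...] in forwarding order."""
    blob, next_hop = payload, destination
    for name, key in reversed(path):
        layer = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        blob = seal(key, layer)
        next_hop = name
    return blob


def relay_peel(key: bytes, blob: bytes):
    """What a single relay does: remove one layer, read the next hop, forward the rest."""
    layer = json.loads(unseal(key, blob))
    return layer["next"], bytes.fromhex(layer["inner"])


def route(onion: bytes, relay_keys: dict, first_hop: str, destination: str):
    """Drive the onion through the circuit and record what each relay can see."""
    trace, prev_hop, hop, blob = [], "client", first_hop, onion
    while hop != destination:
        nxt, blob = relay_peel(relay_keys[hop], blob)
        trace.append({"relay": hop, "sees_previous": prev_hop, "sees_next": nxt,
                      "bytes_forwarded": len(blob)})
        prev_hop, hop = hop, nxt
    return blob, trace


def demo():
    """Three-relay circuit with constructed keys and a constructed request."""
    relay_keys = {name: os.urandom(32) for name in ("guard", "middle", "exit")}
    path = [(name, relay_keys[name]) for name in ("guard", "middle", "exit")]
    payload = b"GET / HTTP/1.1\r\nHost: example.onion\r\n\r\n"  # constructed sample
    onion = build_onion(path, "example.onion", payload)
    delivered, trace = route(onion, relay_keys, "guard", "example.onion")
    return payload, delivered, trace


if __name__ == "__main__":
    original, delivered, trace = demo()
    for hop in trace:
        print(hop)
    print("delivered intact:", delivered == original)
```

Only the exit relay learns the destination, and only the client ever holds all three keys; the middle relay's trace entry shows just "guard" and "exit".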
41. Dark Web Services:
The dark web also presents the option of paying for sensitive data and hacking services instead of malware and virus
packages that require the buyer to have a higher level of expertise. Security writer Matias Porolli lists these services
in “Cybercrime Black Markets: Dark Web Services and Their Prices” on WeLiveSecurity:
•Ransomware as a service — Preconfigured ransomware sold on a monthly or annual basis
•Selling access to servers — Remote desktop protocol (RDP) credentials sold per server through a customizable
search service
•Renting infrastructure — Computing resources leased for botnets and denial-of-service attacks that require
massive processing power
•Selling PayPal and credit card accounts — Account access credentials sold to cyber criminals for a fraction of the
available balance on each account
Despite the nefarious activities made possible by the dark web, it is not all bad. In “The Truth about the Dark Web”
for the International Monetary Fund, international affairs authorities Aditi Kumar and Eric Rosenbach write, “For
individuals living under oppressive regimes that block large parts of the internet or punish political dissent, the dark
web is a lifeline that provides access to information and protection from persecution. In freer societies, it can be a
critical whistleblowing and communication tool that shields people from retribution or judgment in the workplace or
community.”
42. How Cyber Security Professionals Navigate the Dark Web:
For cyber security personnel, especially those who deal directly with protecting sensitive systems against cyber
attacks, understanding the dark web can help them study the ways of the enemy, so to speak.
Dark web cyber threat intelligence mining is the process by which the more inaccessible corners of the internet are
scoured for actionable intelligence to strengthen cyber security.
In Security Intelligence's “7 Ways to Identify Darknet Cyber Security Risks,” tech writer Jasmine Henry points out
that dark web-based emerging threats and vulnerabilities can be analyzed to protect against threats before they can
strike.
Invaluable cyber threat information can be gleaned from the dark web in several ways. AI algorithms can scour the
onion sites in search of usable data while skilled cyber security researchers inject themselves into the realm of hackers
and learn from their opponents’ dark web activities.
Those who work in the cyber security industry today are entering a field where lifelong learning practices are
valuable.
Cybercriminals move fast and innovate new hacks daily. Through the dark web, however, cyber security professionals
can research their ways and learn how to counter their moves before they can launch their attack.
43. How to access the dark web
The dark web was once the province of hackers, law enforcement officers, and cybercriminals. However, new technology
like encryption and the anonymization browser software, Tor, now makes it possible for anyone to dive dark if they're
interested.
The Tor (“The Onion Routing” project) network browser gives users access to websites under the “.onion” suffix.
operator. This browser is a service originally developed in the latter part of the 1990s by the United States Naval Research
Laboratory.
Understanding that the nature of the internet meant a lack of privacy, an early version of Tor was created to hide spy
communications. Eventually, the framework was repurposed and has since been made public in the form of the browser we
know today. Anyone can download it free of charge.
Think of Tor as a web browser like Google Chrome or Firefox. Notably, instead of taking the most direct route between
your computer and the deep parts of the web, the Tor browser uses a random path of encrypted servers known as "nodes."
This allows users to connect to the deep web without fear of their actions being tracked or their browser history being
exposed.
Sites on the deep web also use Tor (or similar software such as I2P, the “Invisible Internet Project”) to remain anonymous,
meaning you won't be able to find out who's running them or where they're being hosted.
44. Is it illegal to go on the dark web?
Simply put, no it is not illegal to access the dark web. In fact, some uses are perfectly legal and support the
value of the “dark web.” On the dark web, users can seek out three clear benefits from its use:
•User anonymity
•Virtually untraceable services and sites
•Ability to take illegal actions for both users and providers
As such, the dark web has attracted many parties who would otherwise be endangered by revealing their
identities online. Abuse and persecution victims, whistleblowers, and political dissidents have been frequent
users of these hidden sites. But of course, these benefits can be easily extended to those that want to act outside
of the constraints of laws in other explicitly illegal ways.
When viewed through this lens, the dark web’s legality is based on how you as a user engage with it. You
might fall to the wayside of legal lines for many reasons that are important for the protection of freedom.
Others may act in ways that are illegal for the protection and safety of others. Let’s unpack both of these
concepts in terms of the “dark web browser” and the websites themselves.
45. Types of threats on the dark web:
If you’re considering using the dark web for basic privacy purposes you might still question, “Is dark web dangerous to
use?” Unfortunately, it very much can be a dangerous place to be. Below are some common threats you may face during
your browsing experiences:
Malicious software
Malicious software — i.e. malware — is fully alive all across the dark web. It is often offered in some portals to give
threat actors the tools for cyberattacks. However, it also lingers all across the dark web to infect unsuspecting users just
like it does on the rest of the web.
The dark web doesn’t carry as many of the social contracts that website providers follow to protect users on the rest of
the web. As such, users can find themselves regularly exposed to some types of malware like:
•Keyloggers
•Botnet malware
•Ransomware
•Phishing malware
If you choose to pursue exploring any sites on the dark web, you put yourself at risk of being singled out and targeted for
hacks and more. Most malware infections can be caught by your endpoint security programs.
The threats of online browsing can extend into the unplugged world if your computer or network connection can be
exploited. Anonymity is powerful with Tor and the framework of the dark web, but it is not infallible. Any online activity
can carry breadcrumbs to your identity if someone digs far enough.
46. Government monitoring
With many Tor-based sites being overtaken by police authorities across the globe, there is a clear danger of becoming a
government target for simply visiting a dark website.
Illegal drug marketplaces like the Silk Road have been hijacked for police surveillance in the past. By using custom
software to infiltrate and analyze activity, law enforcement has been able to discover the identities of patrons and bystanders
alike. Even if you never make a purchase, you could be watched and incriminate yourself for other activities later in life.
Infiltrations can put you at risk of monitoring for other types of activity as well. Evading government restrictions to explore
new political ideologies can be an imprisonable offense in some countries. China uses what is known as the “Great
Firewall” to limit access to popular sites for this exact reason. The risk of being a visitor to this content could lead to being
placed on a watchlist or immediate targeting for a jail sentence.
Scams
Some alleged services like the professional “hitmen” may just be scams designed to profit from willing customers. Reports
have suggested the dark web offers many illegal services, from paid assassinations to trafficking for sex and weapons.
Some of these are well-known, established threats that circulate in this nook of the web. However, others may be taking
advantage of the dark web’s reputation to trick users out of large sums of money. Also, some users on the dark web may
attempt phishing scams to steal your identity or personal information for extortion.
47. End user protection against exploitation by the dark web
Regardless of being a business, parent, or any other user of the web, you’ll want to take precautions to keep
your information and private life off the dark web.
Identity theft monitoring is critical if you want to keep your private information from being misused. All
types of personal data can be distributed online for a profit. Passwords, physical addresses, bank account
numbers, and social security numbers circulate in the dark web all the time. You may already be aware that
malicious actors can use these to harm your credit, engage in financial theft, and breach your other online
accounts. Leaks of personal data can also damage your reputation via social fraud.
Antimalware and antivirus protections are equally crucial to prevent malicious actors from exploiting
you. The dark web is filled with information theft from malware-infected users. Attackers can use tools like
keyloggers to gather your data, and they can infiltrate your system on any part of the web. Endpoint security
programs like Kaspersky Security Cloud are comprehensive to cover both identity monitoring and antivirus
defenses.
48. How to access the dark web safely
If you have a legitimate or viable need to access the dark web, you’ll want to make sure you stay safe if you decide to use it.
7 Tips for safe access to the dark web
1. Trust your intuition. To avoid being scammed, you’ll want to protect yourself with smart behavior on the web. Not
everyone is who they seem. Staying safe requires that you watch who you talk to and where you visit. You should always take
action to remove yourself from a situation if something doesn’t feel right.
2. Detach your online persona from real life. Your username, email address, “real name,” password, and even your credit
card should never be used anywhere else in your life. Create brand-new throwaway accounts and identifiers for yourself if
necessary. Acquire prepaid, unidentifiable debit cards before making any purchases. Do not use anything that could be used to
identify you — whether online or in real life.
3. Employ active monitoring of identity and financial theft. Many online security services now offer identity protection for
your safety. Be sure to take advantage of these tools if they are made available to you.
4. Explicitly avoid dark web file downloads. Fear of malware infection is significantly higher in the lawless territory that is
the dark web. Real-time file scanning from an antivirus program can help you check any incoming files in case you do opt to
download them.
5. Disable ActiveX and Java in any available network settings. These frameworks are notorious for being probed and
exploited by malicious parties. Since you are traveling through a network filled with said threats, you’ll want to avoid this
risk.
6. Use a secondary non-admin local user account for all daily activities. The native account on most computers will have
full administrative permissions by default. Most malware must take advantage of this to execute its functions. As such, you
can slow or halt the progress of exploitation by limiting the account in-use to strict privileges.
7. Always restrict access to your Tor-enabled device. Protect your children or other family members so they aren't at risk of
stumbling across something no one should ever see. Visit the Deep Web if you're interested, but don't let kids anywhere near
it.
49. What Is the Deep Web?
The deep web is a part of the World Wide Web, the contents of which are not indexed by search engines. The deep web is
also commonly known as the invisible web, the hidden web, and the undernet.
The internet is made up of different types of content, some of which can be accessed by search engine crawlers and some of
which can not. This latter type of content is blocked from being indexed by search engines. In the case of the deep web, this
is achieved by using cyber security - such as password protection software, encryption, or dynamic pages.
The deep web encompasses any content that cannot be accessed by a search engine. Apart from that,
the content that you access on the deep web is very similar to the type of content that you would access on the surface web.
The surface web, which you are most familiar with, is the content that you can find by searching on a search engine.
Although the deep web is commonly perceived as dangerous, due to its affiliation with the dark web, it is not a threatening or
malevolent area of the web. In addition, passwords and user identification are required to be able to visit these sites (thereby
ensuring privacy), rather than the Tor browser which sites on the dark web require.
Simple examples of deep web content include financial data, social security databases, email inboxes, social media, medical
documentation, legal files, blog posts that are pending review and web page redesigns that are in progress. These pages are
mostly obscured from the surface web to secure user data and privacy rather than any nefarious purpose.
However, the deep web is not entirely devoid of danger. Some portions of the deep web allow users to overcome legal
restrictions to access content that is not lawfully available in their geographical location. It is even possible to illegally
download movies, music, and other digital media without paying for it. Naturally, these lawless segments of the deep web are
rife with malware and other cyber threats.
50. Applications of Deep Web
Here are important applications of the Deep Web:
•Mainly used for military purposes
•Scientists
•It is also used by businesspeople and police officers
•Journalists and whistleblowers
•Political Protesters, and Anti-Censorship Advocacy Groups
•Residents of Oppressive Political Regimes
Why not use Deep Web?
Here are the cons/drawbacks of Deep Web:
•Deep Web search engines are slower than standard search engines.
•Searching the Deep Web also needs a precise search string.
•The Deep Web does not work as smoothly.
•Deep Web searches also may return sensitive personal information from normally
restricted databases.
•It may create ethical dilemmas and leave individuals prone to fraud and identity theft.
51. What type of information is stored on the deep web?
The information that the deep web contains is simply content which cannot be accessed via a search
engine. The information usually requires this layer of protection because it contains private or personal
details.
The information that is stored in this area of the web typically requires authentication and passwords to
access. These sites are stored on the deep web so that they can only be accessed by the owner. In doing
so, the owner’s privacy is protected.
In fact, the deep web accounts for over 96% of all content that exists online. The vast majority of this
online content is entirely benign.
The majority of internet users will have accessed the deep web, and this is commonly done on a day-to-
day basis, without even knowing that it is the deep web that they are using. The deep web is used to
access a wide variety of different web pages and online information in a way that retains its privacy.
For example, the sites on the deep web can be used to access information such as:
•Online banking accounts
•Email accounts
•Social media accounts
•Medical records
•Sites containing the private databases of companies
•Content from scientific databases
•Information within academic databases
•Different types of legal documents
•A company’s gated pages
52. Industries That Use Deep and Dark Web Data
Public Safety Teams:
•Discover drug, weapon, and human trafficking cases
•Find discussions and marketplace listings related to cybercrime
•Monitor communications between threat actors (planning attacks or other crimes)
•Find fraudulent passports and other documents
Corporate Security Agencies:
•Protect brand reputation
•Discover insider threats
•Discover data breaches
•Protect executives and enforce personal information security
•Detect and avoid DDoS attacks
53. Financial Institutions:
•Discover and protect against:
• Money laundering
• Counterfeit currency
• Credit card fraud
• Internal attacks
• Data breaches
• Employee-directed phishing attacks
• Ransomware, malware, and crypto-jacking
• Unsecure third-party vendors and cloud-based service providers
• Spoofing and DDoS attacks
• ATM attacks
Retail Security:
•Discover stolen goods and counterfeit sales
•Find fraudulent gift cards
•Conduct post-burglary investigations
•Discover company-branded credit card fraud
54. Deep Web vs. Dark Web
| S. No. | DEEP WEB | DARK WEB |
| --- | --- | --- |
| 1. | The deep web is part of the WWW whose contents are not indexed by standard web search engines. | The dark web is the WWW content that exists on darknets, overlay networks that use the Internet but require specific software, configurations, or authorization to access. |
| 2. | The Deep Web is that part of the Internet that is not visible to the naked eye, as opposed to the Surface Web. | The Dark Web is a network that hosts some of the largest online criminal and terrorist activities in the world. |
| 3. | The contents are not indexed by the regular search engines. | The content is only available on personal encrypted networks or peer-to-peer configurations. |
| 4. | An enormous collection of invisible websites. | Web that is not regulated and whose IP addresses are intentionally hidden. |
| 5. | It can be accessed through a valid username and a password and via regular search engines. | It can only be accessed with specialized software. |
| 6. | Systems or websites which need authentication for login are categorized under the Deep Web. | The Dark Web depends on and works on the infrastructure of the Deep Web. |
| 7. | Its access is not browser-specific. | Its access is browser-specific (Tor, I2P, Freenet, etc.). |
| 8. | It is quite simple to give an accurate measure of the deep web because of its public nature. The volume of publicly available data in the deep web is 400 to 500 times that of the surface web. | The size and scope of the dark web cannot be accurately measured. |
| 9. | Deep web security is a question of common-sense best practices. For example, using an unprotected public network to pay your bills may allow fraudsters to steal your payment information. | Visiting the dark web is riddled with security and legal hazards. |
56. Governance
Identify compliance requirements
__ Identify required compliance frameworks (such as HIPAA or PCI) and contract/agreement
obligations.
__ Identify restrictions/limitations to cloud or emerging technologies.
__ Identify required or chosen standards to implement (for example NIST, ISO, COBIT, CSA,
CIS, etc.).
Conduct program assessment
__ Conduct a program assessment based on industry processes such as the NIST Cyber
Security Framework (CSF) or ISO/IEC TR 27103:2018 to understand the capability and
maturity of your current profile.
__ Determine desired end-state capability and maturity, also known as target profile.
__ Document and prioritize gaps (people, process, and technologies) for resource allocation.
__ Build a Cloud Center of Excellence (CCoE) team.
__ Draft and publish a cloud strategy that includes procurement, DevSecOps, management,
and security.
__ Define and assign functions, roles, and responsibilities.
Update and publish policies, processes, procedures
__ Update policies based on objectives and desired capabilities that align to your business.
__ Update processes for modern organization and management techniques such as
DevSecOps and Agile, specifying how to upgrade old technologies.
__ Update procedures to integrate cloud services and other emerging technologies.
__ Establish technical governance standards to be used to select controls and that monitor
compliance.
57. Risk management
Conduct a risk assessment*
__ Conduct or update an organizational risk assessment (e.g., market, financial, reputation, legal, etc.).
__ Conduct or update a risk assessment for each business line (such as mission, market,
products/services, financial, etc.).
__ Conduct or update a risk assessment for each asset type.
* The use of pre-established threat models can simplify the risk assessment process, both initial and
updates.
Draft risk plans
__ Implement plans to mitigate, avoid, transfer, or accept risk at each tier, business line, and asset (for
example, a business continuity plan, a continuity of operations plan, a systems security plan).
__ Implement plans for specific risk areas (such as supply chain risk, insider threat).
Authorize systems
__ Use NIST Risk Management Framework (RMF) or other process to authorize and track systems.
__ Use NIST Special Publication 800-53, ISO/IEC 27002:2013, or another control set to select,
implement, and assess controls based on risk.
__ Implement continuous monitoring of controls and risk, employing automation to the greatest extent
possible.
Incorporate risk information into decisions
__ Link system risk to business and organizational risk
__ Automate translation of continuous system risk monitoring and status to business and org risk
__ Incorporate “What’s the risk?” (financial, cyber, legal, reputation) into leadership decision-making
58. Compliance
Monitor compliance with policy, standards, and security controls
__ Automate technical control monitoring and reporting (advanced maturity will lead to
AI/ML).
__ Implement manual monitoring of non-technical controls (for example periodic review of
visitor logs).
__ Link compliance monitoring with security information and event management (SIEM) and
other tools.
Continually self-assess
__ Automate application security testing and vulnerability scans.
__ Conduct periodic self-assessments from sampling of controls, entire functional area, and
pen-tests.
__ Be overly critical of assumptions, perspectives, and artifacts.
Respond to events and changes to risk
__ Integrate security operations with the compliance team for response management.
__ Establish standard operating procedures to respond to unintentional changes in controls.
__ Mitigate impact and reset affected control(s); automate as much as possible.
Communicate events and changes to risk
__ Establish a reporting tree and thresholds for each type of incident.
__ Include general counsel in reporting.
__ Ensure applicable regulatory authorities are notified when required.
__ Automate where appropriate.
59. The best way to strengthen information security is to create a framework for IT governance. Effective security
governance is managed as an organizational-wide issue that is planned, managed and measured in all areas
throughout the organization. In IT Governance, leaders are accountable for and are committed to providing
adequate resources to information security. A core set of principles to guide the framework for governance should
include:
•Conduct an annual cybersecurity evaluation, review the evaluation results with staff, and report on performance.
•Conduct periodic risk assessments of information assets as part of a risk management program.
•Implement policies and procedures based on risk assessments to secure information assets.
•Establish a security management structure to assign explicit individual roles, responsibilities, authority, and
accountability.
•Develop plans and initiate actions to provide adequate cybersecurity for networks, facilities, systems and
information.
•Treat cybersecurity as an integral part of the system lifecycle.
•Provide cybersecurity awareness, training and education to personnel.
•Conduct periodic testing and evaluation of the effectiveness of cybersecurity policies and procedures.
•Create and execute a plan for remedial action to address any cybersecurity deficiencies.
•Develop and implement incident response procedures.
•Establish plans, procedures and tests to provide continuity of operations.
•Use security best practices guidance to measure cybersecurity performance.
The process of establishing and maintaining a framework for IT governance provides assurance that cybersecurity
strategies support business goals and objectives, adhere to policies, standards, and internal controls, and provide
assignment of authority, roles and responsibilities in an effort to manage risks.
60. Tools of Governance and Compliance:
1. An Integrated GRC Stack
We'll help you integrate multiple GRC modules, including cyber risk in an integrated platform.
Modules can be implemented separately, yet share a common foundational architecture. We'll integrate the GRC Suite
with our Incident Management and Response core as well as the Vulnerability Assessment modules. Your risks or issues
in one module are immediately reflected in other modules and all modules continuously reflect real-time risk or
compliance status.
2. General Risk Management
Continually assess, mitigate, and report
By deploying a Risk Management solution that integrates your mission-critical risk management functions, you can
simplify and streamline workflows across your organization. You'll be able to accurately assess risk by leveraging
industry-standard libraries, track mitigation progress and procedures stored in centralized repositories, and generate
reports to determine the effectiveness of your risk posture.
Risk Management users can identify and close any gaps in their organization's risk management capabilities and receive
actionable insight for implementing improvements as required.
61. 3. Third Party Risk Management
When you implement a Third-Party Risk Management solution, you'll harness a powerful automation and analytics platform
to standardize and streamline cumbersome risk assessment processes associated with vendors and third parties.
You will integrate your global vendors into a centralized repository to gain complete visibility into their individual risk
levels. The solution’s robust analytics capabilities enable you to conduct third-party risk assessments and continuously
monitor them. You also get sophisticated reporting tools for the creation of in-depth risk reports.
4. Compliance Management
A real compliance management solution puts compliance oversight at your fingertips. With access to a comprehensive
standards library that is cross-mapped to hundreds of trusted sources, your organization will be empowered to stay abreast of
industry standards and regulations, as well as ensure accountability across stakeholders.
Test once and comply with multiple standards, including SOX, PCI DSS, ISO, NIST, HIPAA, and more, with Compliance
Management powered by TruOps. The solution integrates key cross-departmental tasks into a single user-friendly platform,
which enables you to improve the accuracy of assessment data, track assessment findings to closure, and respond quickly to
new regulatory changes.
62. 5. Issue & Exception Management
The Issue Management solution automates key issue management and remediation processes across your organization.
You can effectively identify, plan, and respond to events that hinder your ability to report and manage risk. Take advantage
of the TruOps-powered robust framework, which makes it easy to document, monitor, respond to, and audit any issues detected.
Manage plans, actions, and the allocation of resources to resolve issues expediently. The solution enables you to track audits
and assessment findings, oversee issue and plan association, track the status of ongoing remediation efforts, and much more.
6. Policy Lifecycle Management
With a Policy Lifecycle Management service from Integrated Cyber, you’ll be able to automate your entire
security policy management lifecycle to ensure connectivity for application and security management. We’ll start with an
auto-discovery of your application connectivity requirements, and then automatically lead you through a process of planning
changes and assessing the risks, implementing those changes and maintaining the policy, and finally altering access rules
when applications are no longer in use or needed.
7. Cyber Insurance
In the event of a cyberattack, a cyber insurance policy protects the whole business. Your policy will cover the cost
of business continuity, damages from cyber extortion, fraudulent funds transfers, equipment replacement, and digital
information recovery, as well as legal and regulatory fees, third-party losses, attack investigation, and crisis management.
Subscribers receive a mini-sensor and monitoring that complements your cyber solutions and acts like a smoke detector,
providing an additional layer of security by inspecting network traffic for warning signs. Cutting-edge cloud-based analytics
detect cyber threats in real-time with 24x7 monitoring.
63. What is Cyber Resilience?
Cyber resilience is the ability to plan, respond
and recover from cyber-attacks and Data
Breaches while continuing to work effectively.
An Enterprise is cyber resilient when it can protect
against cyber attacks, provide appropriate risk control
for information protection, and ensure continuity of
operation during and after cyber incidents.
In recent years, cyber resilience has evolved alongside
attack surface management, as conventional security
measures such as penetration testing and security
questionnaires are no longer adequate on their own to
reduce cyber risk.
Cyber resilience aims to maintain your ability to always
deliver goods and services. This may include the ability
to restore regular mechanisms, as well as the ability to
change or modify mechanisms continuously on an as-
needed basis even after regular mechanisms have failed,
such as during a crisis or after a security breach.
64. Four Cyber Resilience Elements:
1. Manage and protect – This includes having the ability to identify, analyse and handle security threats associated
with networks and information systems, including those introduced through third-party and fourth-party vendors.
2. Identify and detect – This includes continuous security monitoring and attack surface management to detect
anomalies and possible data breaches and data leaks before any serious damage occurs.
3. Respond and recover – This involves adequate incident response planning to ensure continuity of business,
even if you are the victim of a cyberattack.
4. Govern and assure – The final element is to ensure your cyber resilience program is supervised from the top of
your organization and treated as part of the business as usual.
65. How Does Cyber Resilience Work?
1. Threat Protection – The more technology advances, the more cybercrime evolves. Therefore, basic safety won’t help
protect the company. What steps should an organization take to guard itself in the event of a threat?
First, the company needs to be safe from targeted Email attacks. Going beyond simple anti-spam and anti-virus software,
and incorporating DNS authentication mechanisms into the environment, is important. Do not create a void in email
protection under the presumption that the IT department has specific security products from third party vendors. Invest in
a single approach that can respond to the changing world of cyberattacks.
The best choice for your company could be an Endpoint Detection and Response (EDR) solution. EDR tools operate by
tracking endpoint and network events and storing the information in a central database where further analysis,
identification, review, reporting and alerting are carried out. Detection relies on analytical tools that classify
activity; this improves the overall security posture by deflecting specific attacks and enabling early detection of
ongoing assaults.
66. 2. Recoverability –
Recoverability is the ability of a firm to return to normal business functions following an attack. A well-
designed ransomware attack can encrypt all your data, forcing you to either pay the attackers a ransom or lose the
data. You should keep frequent and comprehensive backups of your data on a separate network, which can be used to
recover any wiped data.
Much like a fire drill, running a data breach scenario simulation will help to improve your cyber resilience. Go through
all the steps your organization will have to take in case of a breach, i.e. how the IT team will escalate a potential
security breach, communicate with clients, inform stakeholders, and inform law enforcement agencies.
3. Adaptability –
Since attackers are continually finding new ways of evading detection and creating new avenues of attack, it is
critical that the enterprise-wide network adapts and evolves to protect against potential threats.
To limit the damage of attacks, the security department must be able to detect a security breach and react to it quickly.
Furthermore, administrator monitoring needs to be built in to detect users who are infected or at risk.
Adaptability is an integral part of cyber resilience. The company is a step closer to a more cyber resilient
environment if the security department runs user awareness education, can detect threats as they occur, and implements
automation to eliminate those threats.
4. Durability – The durability of the company-wide cyber resilience is determined not just by the IT infrastructure but
also by the capacity of the organization to operate effectively after a cyberattack. The cyber resilience durability aspect
will improve with the IT team’s daily updates and device enhancements.
Cyber resilience’s primary aim is to protect the entire business. As the consequences of a data breach can be technical,
social, and financial, prioritizing cyber resilience by integrating business operations with IT is imperative for every
business.
67. Why Is Cyber Resilience Important?
1. To maintain the integrity of an organization – When a company lacks cyber resilience, it is difficult to contain the
harm caused by cybercriminals. Cyber resilience protects a company from public criticism, administrative penalties, and
sudden revenue cuts, or worse, business losses.
2. Meeting regulatory and legal requirements – Meeting legal requirements is a further valuable benefit of
incorporating cyber resilience into an enterprise. Compliance with laws such as the Network and Information Systems
(NIS) Directive, which requires each entity to ‘take reasonable protection measures and inform the relevant national
authority of serious incidents’, will improve the organization’s protection framework. There is also the General
Data Protection Regulation (GDPR), which promises to protect data privacy and restructure the way organizations
handle the privacy of their data.
3. Enhanced protection of the systems – Cyber resilience helps to respond to an attack and withstand it. It can also help
the company build an IT governance strategy, enhance safety and security across sensitive assets, strengthen data
protection efforts, limit the impact of natural disasters, and reduce human error.
68. 4. More trust in the customer and vendor ecosystem – Over the past decade, and rightly so, a lot of focus has been
put on vendor risk management and third-party risk management frameworks. Confidence is a two-way street, though. Before
asking this of your vendors, it is important that your company has cyber resilience strategies in place. If your company
has poor cyber resilience, it may harm your clients’ and vendors’ confidence in you.
5. Improving the work culture and the process from inside – Each employee of any company must strive for data
protection and other IT infrastructures. If people are motivated at their organization to take protection seriously,
confidential information and physical properties are more likely to be in safe hands. The company will be improving the
right security actions within each department and reducing human errors that reveal confidential data.
6. Reducing the losses – No matter how strong an organization’s IT protection is, the fact is no company is immune to
cyberattacks. According to estimates, financial loss from data breach is more than one hundred thousand for small and
medium-sized businesses. That is more than a million for major organizations. Furthermore, if a security breach
succeeds, it will harm the credibility of the company in the industry as well. It can also heighten financial harm. When a
company has cyber resilience, it will mitigate the impact of the attack, and so will the financial losses.
70. Security operation center:
A security operations center (SOC) acts as the hub for an organization’s security
operations. Also called an information security operations center (ISOC), a SOC is a
centralized location where information security professionals use technologies to
build and maintain the security architecture that monitors, detects, analyzes and
responds to cybersecurity incidents, typically around the clock.
The security team, which consists of both security analysts and engineers, oversees
all activity on servers, databases, networks, applications, endpoint devices, websites
and other systems in order to pinpoint potential security threats and thwart them as
quickly as possible. They also monitor relevant external sources (such as threat lists)
that may affect the organization’s security posture.
A SOC must not only identify threats, but analyze them, investigate the source, report
on any vulnerabilities discovered and plan how to prevent similar occurrences in the
future. In other words, they’re dealing with security problems in real time, while
continually seeking ways to improve the organization’s security posture.
On a larger scale, there are also Global Security Operations Centers (GSOC),
coordinating security offices that literally span the globe. If you have offices around
the world, a GSOC (rather than establishing a SOC for each international location)
can:
•Prevent each location from repeating tasks and functions
•Reduce overhead
•Ensure that the security team has a big-picture view of what’s happening across the
entire organization
71. Benefits of a SOC?
By relying on threat intelligence, SOCs offer assurance that threats will be detected and prevented in real time. Looking
at a big-picture perspective, SOCs can:
•Respond faster: The SOC provides a centralized, complete, real-time view of how the entire infrastructure is
performing from a security standpoint, even if you have several locations and thousands of endpoints. You can detect,
identify, prevent and resolve issues before they cause too much trouble for the business.
•Protect consumer and customer trust: Consumers, already skeptical of most companies, are worried about their
privacy. Creating a SOC to protect consumer and customer data can help build trust in your organization, which also
includes preventing breaches.
•Minimize costs: While many organizations think establishing a SOC is cost prohibitive, the costs associated with a
breach — including the loss and corruption of data or customer defection — are much higher. Additionally, SOC
personnel will ensure that you’re using the right tools for your business to their full potential, so you won’t waste
money on ineffective tools.
72. What Does a SOC Team Member Do?
Members of a SOC team are responsible for a variety of activities, including proactive monitoring, incident
response and recovery, remediation activities, compliance, and coordination and context.
Let’s take a deeper dive into each of these tasks.
•Proactive Monitoring: This includes log file analysis. Logs can come from end points (e.g., a notebook
computer, a mobile phone or an IoT device) or from network resources, such as routers, firewalls, intrusion
detection system (IDS) applications and email appliances. Another term for proactive monitoring is threat
monitoring. SOC team members work with various resources, which can include other IT workers (e.g., help desk
technicians), as well as artificial intelligence (AI) tools and log files.
•Incident Response and Recovery: A SOC coordinates an organization’s ability to take the necessary steps to
mitigate damage and communicate properly to keep the organization running after an incident. It’s not enough to
just view logs and issue alerts. A major part of incident response is helping organizations recover from incidents.
For example, that recovery can include activities such as handling acute malware or ransomware incidents.
•Remediation Activities: SOC team members provide data-driven analysis that helps an organization address
vulnerabilities and adjust security monitoring and alerting tools. For example, using information obtained from
log files and other sources, a SOC member can recommend a better network segmentation strategy or a better
system patching regimen. Improving existing cybersecurity is a major responsibility of a SOC.
•Compliance: Organizations secure themselves through conformity to a security policy, as well as external
security standards, such as ISO 27001, the NIST Cybersecurity Framework (CSF) and the General Data
Protection Regulation (GDPR). Organizations need a SOC to help ensure that they are compliant with important
security standards and best practices.
74. 1. Take Stock of Available Resources
The SOC is responsible for two types of assets: the various devices, processes and applications it is charged with
safeguarding, and the defensive tools at its disposal to help ensure this protection.
•What the SOC Protects: The SOC can't safeguard devices and data it has no visibility into. Without visibility and
control from the device to the cloud, there are probable blind spots in the network security posture that can be
found and exploited. So the SOC's goal is to gain a complete view of the business's threat landscape, including
the various types of endpoints, servers and software on-premises, third-party services, and the traffic flowing
between these assets.
•How the SOC Protects: The SOC should also have a complete understanding of all cybersecurity tools on hand and
all SOC workflows. This increases agility and allows the SOC to run at peak efficiency.
2. Preparation and Preventative Maintenance
Even the most well-equipped and agile response processes are no substitute for preventing problems from
occurring in the first place. To help keep attackers at bay, the SOC implements preventative measures, which
can be divided into two main categories:
•Preparation: Team members should stay informed on the newest security innovations, the latest cybercrime
trends, and the development of new threats on the horizon.
This research can help inform the creation of a security roadmap that will provide direction for the
company's cybersecurity efforts, and a disaster recovery plan that will serve as ready guidance in a worst-case
scenario.
•Preventative Maintenance: This step includes all actions taken to make successful attacks more difficult,
including maintaining and updating existing systems, updating firewall policies, patching vulnerabilities,
whitelisting, blacklisting and securing applications.
75. 3. Continuous Proactive Monitoring:
Tools used by the SOC scan the network to flag any abnormalities or suspicious activities. Monitoring the network around the
clock allows the SOC to be notified immediately of emerging threats, giving it the best chance to prevent or mitigate harm.
Monitoring tools can include a SIEM or an EDR, the most advanced of which can use behavioral analysis to "teach" systems
the difference between regular day-to-day operations and actual threat behavior, minimizing the amount of triage and analysis
that must be done by humans.
4. Alert Ranking and Management
When monitoring tools issue alerts, it is the responsibility of the SOC to look closely at each one, discard any false positives,
and determine how aggressive any actual threats are and what they could be targeting.
This allows the SOC to triage emerging threats appropriately, handling the most urgent issues first.
5. Threat Response
Once an incident is confirmed, the SOC acts as a first responder, performing actions such as shutting down or isolating
endpoints, terminating harmful processes or preventing them from executing, deleting files, and more.
The goal is to respond to the extent necessary while having as small an impact on business continuity as possible.
6. Recovery and Remediation
In the aftermath of an incident, the SOC will work to restore systems and recover any lost or compromised data.
This may include wiping and restarting endpoints and reconfiguring systems. When successful, this step returns the network
to its state before the incident.
76. 7. Log Management
The SOC is responsible for collecting, maintaining, and regularly reviewing the log of all network activity and
communications for the entire organization. This data helps define a baseline for "normal" network activity, can reveal the
existence of threats, and can be used for remediation and forensics in the aftermath of an incident.
Many SOCs use a SIEM to aggregate and correlate the data feeds from applications, firewalls, operating systems and
endpoints, each of which produces its own internal logs.
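The monitoring, alert-ranking and log-baseline steps described above (items 3, 4 and 7) in one small pipeline, added here as an illustration and not taken from the slides or from any SOC product: it parses constructed authentication log lines, builds a per-user baseline of usual source addresses, raises alerts for failed-login bursts and for logins from unfamiliar sources, then suppresses a known scanner address and ranks what is left by severity times asset criticality. The log format, thresholds, asset ratings, host and user names and the scanner address are all assumptions.

```python
"""Baseline, detection and triage over constructed auth logs (added example,
not the slide deck's own code). Log format, thresholds, asset criticality
ratings and the suppressed scanner address are all assumptions."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed syslog-like format: "<ts> host=<asset> user=<user> src=<ip> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>success|failure)$"
)

# Constructed history used to learn what "normal" looks like (the item 7 baseline).
BASELINE_LINES = [
    "2024-01-08T09:00:01 host=web01 user=alice src=10.0.0.5 result=success",
    "2024-01-08T09:05:00 host=db01 user=bob src=10.0.0.9 result=success",
    "2024-01-09T08:58:12 host=web01 user=alice src=10.0.0.5 result=success",
    "2024-01-09T10:15:30 host=db01 user=bob src=10.0.0.9 result=success",
]

# Constructed lines for the day under monitoring (item 3); one line is deliberately malformed.
TODAY_LINES = [
    "2024-01-10T02:13:00 host=db01 user=bob src=203.0.113.7 result=failure",
    "2024-01-10T02:13:05 host=db01 user=bob src=203.0.113.7 result=failure",
    "2024-01-10T02:13:10 host=db01 user=bob src=203.0.113.7 result=failure",
    "2024-01-10T02:13:40 host=db01 user=bob src=203.0.113.7 result=success",
    "2024-01-10T03:00:00 host=web01 user=svc-scan src=10.0.0.50 result=failure",
    "2024-01-10T03:00:01 host=web01 user=svc-scan src=10.0.0.50 result=failure",
    "2024-01-10T03:00:02 host=web01 user=svc-scan src=10.0.0.50 result=failure",
    "2024-01-10T09:01:00 host=web01 user=alice src=10.0.0.5 result=success",
    "2024-01-10T09:30:00 host=web01 user=alice src=10.0.0.7 result=success",
    "garbage line that the parser must skip",
]

# Assumed asset ratings (1 low .. 3 high) and a known-benign vulnerability scanner address.
ASSET_CRITICALITY = {"db01": 3, "web01": 2}
SUPPRESSED_SOURCES = {"10.0.0.50"}


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    src: str
    severity: int  # 1 (low) .. 3 (high), an assumed scale


def parse_lines(lines):
    """Turn matching lines into dicts; anything that does not fit the format is dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Per-user set of source IPs seen in successful logins: the 'normal' profile."""
    baseline = defaultdict(set)
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]].add(e["src"])
    return baseline


def detect(events, baseline, fail_threshold=3):
    """Alert on failed-login bursts per (src, host) and on successes from a never-seen source."""
    alerts = []
    failures = Counter()
    first_user = {}
    for e in events:
        if e["result"] == "failure":
            key = (e["src"], e["host"])
            failures[key] += 1
            first_user.setdefault(key, e["user"])
        elif e["src"] not in baseline.get(e["user"], set()):
            alerts.append(Alert("new_source_login", e["host"], e["user"], e["src"], 2))
    for (src, host), n in failures.items():
        if n >= fail_threshold:
            alerts.append(Alert("brute_force", host, first_user[(src, host)], src, 3))
    return alerts


def triage(alerts, criticality, suppressed_srcs):
    """Item 4: drop known false positives, de-duplicate, rank by severity x asset criticality."""
    seen, ranked = set(), []
    for a in alerts:
        if a.src in suppressed_srcs or (a.rule, a.host, a.src) in seen:
            continue
        seen.add((a.rule, a.host, a.src))
        ranked.append((a.severity * criticality.get(a.host, 1), a))
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


def run_pipeline():
    """Baseline from history, detect on today's lines, return (priority, alert) pairs, most urgent first."""
    baseline = build_baseline(parse_lines(BASELINE_LINES))
    alerts = detect(parse_lines(TODAY_LINES), baseline)
    return triage(alerts, ASSET_CRITICALITY, SUPPRESSED_SOURCES)
```

On the constructed data, `run_pipeline()` returns three ranked alerts: the failed-login burst against db01 (priority 9), the follow-up login to db01 from the same unfamiliar address (6), and alice's login to web01 from a new address (4); the scanner's failures are raised but suppressed in triage.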
8. Root Cause Investigation
In the aftermath of an incident, the SOC is responsible for figuring out exactly what happened, when, how and why.
During this investigation, the SOC uses log data and other information to trace the problem to its source, which will prevent
similar problems from occurring in the future.
9. Security Refinement and Improvement
Cybercriminals are constantly refining their tools and tactics, and to stay ahead of them the SOC needs to implement
improvements continuously.
The plans outlined in the Security Road Map come to life during this step, but this refinement can also include hands-on
practices such as red-teaming and purple-teaming.
10. Compliance Management
Many of the SOC's processes are guided by established best practices, but compliance requirements govern some. The SOC
is responsible for regularly auditing their systems to ensure compliance with such regulations, which may be issued by their
organization, by their industry, or by governing bodies.
77. How to build a SOC
Step 1: Develop the strategy
Start by assessing the organization's existing SOC capabilities in terms of people, processes, and technologies. Focus on
the SOC's four major operations: monitoring, detection, response, and recovery.
To effectively discharge the duties, the team should create a strategy that considers business objectives.
For example, identifying which systems and data are vital for sustaining operations to keep the business afloat will help
determine the SOC team's priorities.
Step 2: Design a solution
Instead of relying on a broad-function SOC solution, limiting the scope to the organization's situation is a best practice.
When designing your SOC, be on the lookout for scope creep to keep it scalable to meet future needs. A focused
solution reduces the amount of time invested in implementation and achieves quick results. The design should include:
•Functional requirements, like monitored log and event sources, utilized threat intelligence sources, and performance
requirements such as response times.
•Whether you implement a dedicated SOC, virtual SOC, outsourced SOC, or hybrid SOC will be foundational to your
design.
•Technical architecture. Plan the composition and configuration of the solution's components, identify business and
information systems, define event workflows to align with processes, automate the required solution, and determine
whether tabletop exercises are needed.
Step 3: Create procedures, processes and training
The SOC solution must follow the six phases of the Threat Lifecycle Management (TLM) framework: forensic data
collection, discovery of potential threats, qualification of discovered threats to assess the potential impact on the
business, investigation, threat neutralization, and recovery.
In the case of a hybrid or outsourced SOC model, coordinate with the service provider.
78. Step 4: Prepare the environment
Check whether all the required elements are in place before deploying the solution.
Key elements include remote access mechanisms, strong authentication for remote access, and SOC staff equipment
protection.
Step 5: Implement the solution
To execute the solution, you must:
•Establish a log management system
•Organize a minimal number of critical data sources
•Set up the security analytics capabilities
•Structure the security automation and orchestration capabilities
Once done, check the alignment of systems with the workflow.
Step 6: Deploy end-to-end use cases
Next, deploy use cases that focus on end-to-end threat detection and response. They should be implemented across the
analytics tier and the security automation and orchestration tier.
Test all forms of the automation solution rigorously. Furthermore, verify the readability and security of the remotely accessed
solution.
Step 7: Maintain and evolve the solution
The solution will require continuous maintenance and updating at regular intervals.
Updating based on how the SOC functions in the organization's environment will increase the SOC solution's efficiency and
threat detection rate.
79. SOC Operations
Individual SOC cybersecurity providers offer different suites of products and services. However, there is a core set of
operational functions that a SOC must perform to add value for an organization. We have termed these the seven
competencies and outline them here.
80. 1. Asset Survey: For a SOC to help a company stay secure, it must have a complete understanding of what resources it
needs to protect. Otherwise, it may not be able to protect the full scope of the network.
An asset survey should identify every server, router, and firewall under enterprise control, and any other cybersecurity
tools actively in use.
2. Log Collection: Data is the most important thing for a SOC to function properly, and logs serve as the key source of
information regarding network activity. The SOC should set up direct feeds from enterprise systems so that data is collected in
real-time.
Humans cannot digest such large amounts of information, which is why log-scanning tools powered by artificial intelligence
algorithms are so valuable for SOCs. However, they introduce side effects of their own that are still being worked out.
3. Preventative Maintenance: The SOC can prevent cyberattacks from occurring by being proactive with its processes. This
includes installing security patches and adjusting firewall policies regularly.
Since some cyberattacks begin as insider threats, a SOC must also look within the organization for risks.
4. Continuous Monitoring: To be ready to respond to a cybersecurity incident, the SOC must be vigilant in its monitoring
practices. A few minutes can be the difference between blocking an attack and letting it take down an entire system or website.
SOC tools run scans across the company's network to identify potential threats and other suspicious activity.
5. Alert Management: Automated systems are great at finding patterns and following scripts. But the human element of a SOC
proves its worth when it comes to analyzing automated alerts and ranking them based on their severity and priority.
SOC staff must know what responses to take and how to verify that an alert is legitimate.
6. Root Cause Analysis: After an incident occurs and is resolved, the SOC's job is just beginning. Cybersecurity experts will
analyze the root cause of the problem and diagnose why it occurred in the first place.
This feeds into continuous improvement, with security tools and rules modified to prevent future occurrences of the same
incident.
7. Compliance Audits: Companies want to know that their data and systems are safe and managed in a lawful manner.
SOC providers must perform regular audits to confirm their compliance in the regions where they operate.
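As an added example (not part of the original slides), here is a minimal Python pipeline tying together the log-management, analytics and automation steps of the implementation (Step 5) with competencies 1, 2 and 5 above: a hypothetical asset-criticality table, constructed log lines in an assumed syslog-like layout, two detection rules, and a triage step that ranks alerts by severity weighted by asset criticality.

```python
import re
from typing import Dict, List, Tuple

# Constructed asset inventory (competency 1): criticality 1 (low) to 5 (high).
ASSET_CRITICALITY: Dict[str, int] = {"10.0.0.5": 5, "10.0.0.7": 2}  # hypothetical hosts

# Constructed log lines in an assumed syslog-like layout (competency 2).
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z host=10.0.0.7 sshd: Failed password for admin from 203.0.113.9
2024-05-01T08:00:02Z host=10.0.0.7 sshd: Failed password for admin from 203.0.113.9
2024-05-01T08:00:03Z host=10.0.0.7 sshd: Failed password for admin from 203.0.113.9
2024-05-01T08:00:09Z host=10.0.0.5 sshd: Accepted password for admin from 203.0.113.9
garbage line that the parser must skip
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<proc>\w+): (?P<msg>.*?)(?: from (?P<src>\S+))?$")

def parse(text: str) -> List[dict]:
    """Normalise raw lines into events; lines that do not match the layout are dropped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def detect(events: List[dict], threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Return (rule, host, severity) alerts. Two rules: repeated SSH failures from
    one source against one host, and a later successful login from that source."""
    fails: Dict[Tuple[str, str], int] = {}
    alerts = []
    for ev in events:
        src = ev.get("src")
        if not src:
            continue
        if ev["msg"].startswith("Failed password"):
            key = (ev["host"], src)
            fails[key] = fails.get(key, 0) + 1
            if fails[key] == threshold:           # fire once per burst, not per line
                alerts.append(("ssh_bruteforce", ev["host"], 3))
        elif ev["msg"].startswith("Accepted password"):
            if any(n >= threshold for (_, s), n in fails.items() if s == src):
                alerts.append(("login_after_bruteforce", ev["host"], 4))
    return alerts

def triage(alerts: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int, int]]:
    """Competency 5: priority = severity x asset criticality, highest first."""
    ranked = [(r, h, s, s * ASSET_CRITICALITY.get(h, 1)) for r, h, s in alerts]
    return sorted(ranked, key=lambda a: a[3], reverse=True)

if __name__ == "__main__":
    for alert in triage(detect(parse(SAMPLE_LOGS))):
        print(alert)
```

The success on the high-criticality host ranks above the brute-force burst on the low-criticality one, which is the ordering an analyst queue should present.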