Cybersecurity and Third-Party Risk

Publisher: John Wiley & Sons Limited. ISBN: 9781119809562. Format: e-book. Genre: foreign (non-Russian) computer literature. Age rating: 0+.


Book description

STRENGTHEN THE WEAKEST LINKS IN YOUR CYBERSECURITY CHAIN

Across the world, the networks of hundreds of different world-class organizations have been breached in a seemingly never-ending stream of attacks that targeted the trusted vendors of major brands. From Target to Equifax, Home Depot, and GM, it seems as if no company is safe from a third-party incident or breach, regardless of size. And the advanced threats are now exploiting the intersection of weaknesses in cybersecurity and third-party risk management.

In Cybersecurity and Third-Party Risk, veteran cybersecurity specialist Gregory Rasner walks readers through how to lock down the vulnerabilities posed to an organization’s network by third parties. You’ll discover how to move beyond a simple checklist and create an active, effective, and continuous system of third-party cybersecurity risk mitigation. The author discusses how to conduct due diligence on the third parties connected to your company’s networks and how to keep your information about them current and reliable. You’ll learn about the language you need to look for in a third-party data contract whether you’re offshoring or outsourcing data security arrangements.

Perfect for professionals and executives responsible for securing their organizations’ systems against external threats, Cybersecurity and Third-Party Risk is an indispensable resource for all business leaders who seek to:

- Understand the fundamentals of third-party risk management
- Conduct robust intake and ongoing due diligence
- Perform on-site due diligence and close vendor risks
- Secure your software supply chain
- Utilize cloud and on-premises software securely
- Continuously monitor your third-party vendors and prevent breaches

Contents

Gregory C. Rasner. Cybersecurity and Third-Party Risk

Table of Contents

List of Tables

List of Illustrations


Cybersecurity and Third‐Party Risk. Third Party Threat Hunting

Introduction

Who Will Benefit Most from This Book

Looking Ahead in This Book

Special Features

Chapter 1 What Is the Risk?

The SolarWinds Supply‐Chain Attack

The VGCA Supply‐Chain Attack

The Zyxel Backdoor Attack

Zyxel Patch Release

Other Supply‐Chain Attacks

Problem Scope

Compliance Does Not Equal Security

Third‐Party Breach Examples

Third‐Party Risk Management

Cybersecurity and Third‐Party Risk

The Morris Worm

Business or Technology Risk and Cybersecurity Risk

Cybersecurity Third‐Party Risk as a Force Multiplier

Conclusion

Chapter 2 Cybersecurity Basics

Cybersecurity Basics for Third‐Party Risk

Exposed Credentials

Cybersecurity Frameworks

Due Care and Due Diligence

Internal Security Standards versus External Security Standards

Cybercrime and Cybersecurity

Types of Cyberattacks

Analysis of a Breach

The Third‐Party Breach Timeline: Target

Inside Look: Home Depot Breach

Author's Note: Applies to Any Size

Conclusion

Chapter 3 What the COVID‐19 Pandemic Did to Cybersecurity and Third‐Party Risk

The Pandemic Shutdown

Timeline of the Pandemic Impact on Cybersecurity

Post‐Pandemic Changes and Trends

Working from Home and Cybersecurity

“But we have a firewall… .”

Regulated Industries

An Inside Look: P&N Bank

SolarWinds Attack Update

Conclusion

Chapter 4 Third‐Party Risk Management

Data Security Is Not Data Privacy

Third‐Party Risk Management Frameworks

ISO 27036:2013+

NIST 800‐SP

NIST 800‐161 Revision 1: Upcoming Revision

NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply‐Chain Risks

Acquisition Security Framework (ASF)

The Cybersecurity and Third‐Party Risk Program Management

Kristina Conglomerate (KC) Enterprises

KC Enterprises' Cyber Third‐Party Risk Program

Scope

Three (or Four) Lines of Defense for Risk Management

Policy Statement and Objectives

Cybersecurity Program

Classification of Information Assets

Incident Response

Awareness and Training

Third‐Party Security and Risk

Definition and Scope

Objectives

Governance

Inside Look: Marriott

Conclusion

Chapter 5 Onboarding Due Diligence

Intake

Data Privacy

Cybersecurity

Amount of Data

Country Risk and Locations

Connectivity

Data Transfer

Data Location

Service‐Level Agreement or Recovery Time Objective

Fourth Parties

Software Security

KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire

Cybersecurity in Request for Proposals

Data Location

Development

Identity and Access Management

Encryption

Intrusion Detection/Prevention System

Antivirus and Malware

Data Segregation

Data Loss Prevention

Notification

Security Audits

Cybersecurity Third‐Party Intake

Data Security Intake Due Diligence

Production Data in Lower‐Level Environments

Next Steps

Ways to Become More Efficient

Systems and Organization Controls Reports

Chargebacks

Go‐Live Production Reviews

Connectivity Cyber Reviews

Inside Look: Ticketmaster and Fourth Parties

Conclusion

Chapter 6 Ongoing Due Diligence

Low‐Risk Vendor Ongoing Due Diligence

Moderate‐Risk Vendor Ongoing Due Diligence

High‐Risk Vendor Ongoing Due Diligence

“Too Big to Care”

A Note on Phishing

Intake and Ongoing Cybersecurity Personnel

Ransomware: A History and Future

Asset Management

Vulnerability and Patch Management

802.1x or Network Access Control (NAC)

Inside Look: GE Breach

Conclusion

Chapter 7 On‐site Due Diligence

On‐site Security Assessment

Scheduling Phase

Investigation Phase

Assessment Phase

On‐site Questionnaire

Reporting Phase

Remediation Phase

Virtual On‐site Assessments

On‐site Cybersecurity Personnel

On‐site Due Diligence and the Intake Process

Vendors Are Partners

Consortiums and Due Diligence

Conclusion

Chapter 8 Continuous Monitoring

What Is Continuous Monitoring?

Vendor Security‐Rating Tools

Installation of Malware

Exposure of Sensitive Information

Denial of Service

Legal Trouble

Much Easier Attacks

The Discovery Phase

The Investigation Phase

The Reporting and Closure Phases

Inside Look: Health Share of Oregon's Breach

Enhanced Continuous Monitoring

Software Vulnerabilities/Patching Cadence

Fourth‐Party Risk

Data Location

Connectivity Security

Production Deployment

Continuous Monitoring Cybersecurity Personnel

Third‐Party Breaches and the Incident Process

Third‐Party Incident Management

Inside Look: Uber's Delayed Data Breach Reporting

Inside Look: Nuance Breach

Conclusion

Chapter 9 Offboarding

Access to Systems, Data, and Facilities

Physical Access

Return of Equipment

Contract Deliverables and Ongoing Security

Update the Vendor Profile

Log Retention

Inside Look: Morgan Stanley Decommissioning Process Misses

Inside Look: Data Sanitization

Conclusion

Chapter 10 Securing the Cloud

Why Is the Cloud So Risky?

Introduction to NIST Service Models

Author's Note

Vendor Cloud Security Reviews

The Shared Responsibility Model

Inside Look: Cloud Controls Matrix by the Cloud Security Alliance

Security Advisor Reports as Patterns

Increased Oversight of Cloud and Cybersecurity Risks by Regulators and Governments

Inside Look: The Capital One Breach

Conclusion

Chapter 11 Cybersecurity and Legal Protections

Legal Terms and Protections

About Negotiations and Conflict

Cybersecurity Terms and Conditions

Offshore Terms and Conditions

Hosted/Cloud Terms and Conditions

Data Center Tiers

Privacy Terms and Conditions

A Note on Risk Acceptances

Inside Look: Heritage Valley Health vs. Nuance

Conclusion

Chapter 12 Software Due Diligence

The Secure Software Development Lifecycle

Lessons from SolarWinds and Critical Software

Inside Look: Juniper

On‐Premises Software

Cloud Software

Open Web Application Security Project Explained

OWASP Top 10

OWASP Web Security Testing Guide

Open Source Software

Software Composition Analysis

Inside Look: Heartbleed

Mobile Software

Testing Mobile Applications

Code Storage

Common Vulnerabilities and Exposures Explained

Conclusion

Chapter 13 Network Due Diligence

Third‐Party Connections

Personnel Physical Security

Hardware Security

Software Security

Out‐of‐Band Security

Cloud Connections

Vendor Connectivity Lifecycle Management

Zero Trust for Third Parties

Internet of Things and Third Parties

Trusted Platform Module and Secure Boot

Inside Look: The Target Breach (2013)

Conclusion

Chapter 14 Offshore Third‐Party Cybersecurity Risk

Onboarding Offshore Vendors

Ongoing Due Diligence for Offshore Vendors

Physical Security

Offboarding Due Diligence for Offshore Vendors

Inside Look: A Reminder on Country Risk

Country Risk

KC's Country Risk

Conclusion

Chapter 15 Transform to Predictive

The Data

Vendor Records

Due Diligence Records

Contract Language

Risk Acceptances

Continuous Monitoring

Enhanced Continuous Monitoring

How Data Is Stored

Level Set

A Mature to Predictive Approach

The Predictive Approach at KC Enterprises

Use Case #1: Early Intervention

Use Case #2: Red Vendors

Use Case #3: Reporting

Conclusion

Chapter 16 Conclusion

Advanced Persistent Threats Are the New Danger

Cybersecurity Third‐Party Risk

Index

(ISC)2®

About the Author

About the Technical Editor

Acknowledgments

Foreword

WILEY END USER LICENSE AGREEMENT

Excerpt from the book

Gregory C. Rasner

This book is designed to provide a detailed look into the problems and risks, then give specific examples of how to create a robust and active Cybersecurity Third‐Party Risk Management program. It begins by covering the basics of the due diligence processes and the vendor lifecycle, with models and illustrations on how to create these basic but necessary steps. Then it goes more in depth about the next parts in the creation of a mature program: cyber legal language, offshore vendors, connectivity security, software security, and use of a predictive reporting dashboard.

.....

Cybersecurity as a field is also very young, though it is older than TPRM. Cybersecurity is often thought to have begun after the first cyberattack was thwarted in 1986 in the Soviet Union, when Markus Hess hacked into 400 military servers and the Pentagon. Intending to sell the information to the KGB, Hess was foiled by American Clifford Stoll.

In the 1970s, several attacks occurred on the early internet. For example, Bob Thomas created the first computer worm, named Creeper, which traveled between early ARPANET terminals with the message “I'M THE CREEPER: CATCH ME IF YOU CAN.” Also, in the same decade, Ray Tomlinson created the worm Reaper, the first antivirus software that could find copies of Creeper and delete them. However, the one that finally illustrated the need for information security at the doorstep of the novice IT industry was the Morris Worm.

.....
