CYB 4301, Cybersecurity and Crime 1

Course Learning Outcomes for Unit I

At the end of this unit, you should be able to:

1. Examine the relevance of cybersecurity to digital crimes.
1.1 Describe concepts and terms associated with information security and privacy.
1.2 Characterize the threats to information security and privacy.
1.3 Explore mechanisms used to protect information security and privacy.

Required Unit Resources

Chapter 1: Information Security Overview (ULO 1.1, 1.2)

Chapter 2: Privacy Overview (ULO 1.3)

Unit Lesson

Lesson: Security and Privacy (ULO 1.1, 1.2, 1.3)

Security and Privacy

As you begin your career in cybersecurity, you will be faced with the tough challenges presented by securing
networks and data while ensuring sensitive data remains protected and private. You will defend your network
against actors seeking to breach the security mechanisms protecting your network and ultimately gain access
to your organization’s sensitive data; thus it is imperative that you understand the fundamentals of security
and privacy, and that is what this unit is about. By laying the groundwork of the basic principles surrounding
security and privacy, you will be equipped to defend your network and data. Chapter 1 of the textbook
provides the importance and relevance of cybersecurity.

Let’s start by defining some basic terminology. Grama (2022) defines information security as “to protect
government, corporate, and individual information as a good business practice” (p. 4) and notes that legal
statutes transform good business practices into mandatory business requirements.

We have a good understanding of information security, but how does that relate to cybersecurity? Are the two
not one in the same, with cybersecurity the modern re-branding of information security? Not at all.
Cybersecurity is a subset of information security. For our purposes, cybersecurity can be defined as
protecting the information and information systems we rely on every day in the modern world. Consider how
information technology has transformed every aspect of modern life from the way we bank to the way we
shop to the way we navigate. Critical infrastructure such as emergency response, financial systems, power
generation, supply chains, transportation, and water delivery and purification are all reliant on an information
technology infrastructure. We carry cellphones that are many times more powerful than the desktop and
minicomputers that came before. We are surrounded by the Internet of Things (IoT), devices that surpassed
the number of human beings on the planet in the past decade and are projected to exceed 29 billion in
number by the close of this decade (Vailshery, 2022). We are part of a digital society supported by a multitude
of information systems comprising a larger unifying network known as the Internet.

These systems support our modern way of life, drive our economy, and sustain our civilization. They must be
protected, and you are taking the first steps to join that effort. What an exciting and purposeful opportunity!
But let’s not get too far ahead. We should begin at the beginning, by laying the groundwork to equip you for
the task ahead.

UNIT I STUDY GUIDE

Security and Privacy

CYB 4301, Cybersecurity and Crime 2

UNIT x STUDY GUIDE

Title

Models help us to understand concepts and relationships. A useful model in the field of cybersecurity is the
Confidentiality, Integrity, and Availability (C-I-A) Triad. Confidentiality ensures that information is accessed
only by authorized personnel with a validated purpose and need to know. Integrity ensures data is accurate
and protects against unauthorized changes. Finally, availability means that information systems and data are
reliably accessible when needed (Grama, 2022).

Note that privacy is a somewhat elusive concept to define because it exists apart from technology (Grama,
2022). Ask a friend how they think about privacy, and you might hear non-technical views like freedom from
surveillance or the right to pursue happiness. But over the past few years, people have awakened to how data
about them is used and sold. Technology plays a large part in that discussion and in how to exercise greater
control over personal data. This could include mobile carriers and advertising companies reselling data about
you, your shopping habits and choices, what you drive, how often you make calls and to whom, and even
your movements in the physical world. For these reasons, cybersecurity professionals consider privacy as a
subset of confidentiality. Lab 2: Creating a Privacy Impact Assessment will provide you the opportunity to
assess privacy using a theory-based exercise.

You cannot effectively defend against what you do not understand, and the resources provided to you will be
finite. That makes developing an understanding of the risks as a cybersecurity practitioner a fundamental
requirement. What are the things you should be concerned about?

As Gramma (2022) observed, “Protecting information is not easy” (p. 24). Gramma (2022) outlined multiple
important and interrelated areas. First, you must know what threats are present and applicable to your
organization, industry sector, and geopolitical area. You must also have a good understanding of our
environment, ranging from routers, switches, firewalls, and intrusion detection systems; server, desktop and
mobile systems and devices; network connection points; and even the physical buildings and the people
assigned. All these items have weaknesses which can be exploited by an adversary.

Once you know the threats and the vulnerabilities in your environment, you can begin to address the specific
risks involved. Dealing with risk involves a range of responses including acceptance, mitigation, and transfer.
For example, to deal with the threat of a data breach, you might consider a known weakness in specific
Microsoft Windows operating system (OS) that allows a remote attacker to gain root level privilege on
workstation within your environment. Because you previously performed an IT Asset Inventory (the subject of
Lab 1 in this unit), you realize that you have a certain number of workstations on a vulnerable version of the

CYB 4301, Cybersecurity and Crime 3

UNIT x STUDY GUIDE

Title

OS. Armed with this knowledge, you make a recommendation to your manager to patch the vulnerable
systems.

The scenario described above is just a single attack vector. Adversaries may employ other techniques such
as social engineering, a direct interaction with people to gain access they would not normally have. Another is
phishing, an indirect interaction like spoofing an email message, to send an unsuspecting person to an
attacker’s website or deliver a piece of malware, malicious logic (virus), or plant a backdoor for later access to
your network. Consider how much easier it is for an attacker to be let in the front door as an invited guest than
it is to break a door down and forcibly enter. The former allows the attacker to bypass network defenses and
potentially raise little suspicion from security tools.

Crowdstrike

Crowdstrike, a well-respected cybersecurity firm, can also provide useful insights for the defender through
their annual Global Threat Report (GTR). The GTR is published in partnership with Gartner to summarize and
attach analytical significance to Crowdstrike’s experience responding to cybersecurity incidents over the past
calendar year.

Significantly, Crowdstrike observed two important items related to this course. One of the four types of threat
activity cataloged by Crowdstrike is financially motivated eCrime activity representing a 5% growth from 2020.
Crowdstrike also highlighted Ransomware as the leading concern for activity in 2021 representing an 81%
increase in data-related leaks for 2021 (Crowdstrike, 2022).

Crowdstrike’s findings underscore the many challenges cyber personnel must address. Not only is the
adversary’s sophistication improving, but the financial incentive and effectiveness of ransomware attacks has
attracted gangs, organized crime, and rogue nationl states. Cyber criminals have discovered that sensitive
and proprietary information (e.g., social security numbers, credit card transactions, bank account information,
intellectual property) is valuable (Symantec, 2015). Denying access to information using strong encryption, in
effect creating a locked box in which only the attacker has the key, provides the leverage that entices the
victim to pay the ransom fee. Cyber criminals have found another way to ramp up the pressure on the victim,
threatening to release sensitive and sometimes embarrassing information. When these tactics are combined
with the short time limits on payment, the pressure is incredible.

With a good appreciation for the threats and concerns involved, what mechanisms can be used to protect
information security and privacy? Defenders must justify recommended protections and garner the resources
to implement risk mitigating solutions. Fortunately, laws and regulations serve as a primary mechanism for
organizations and practitioners. To be clear, laws and regulations are not optional, and violations carry severe
penalties, imprisonment, and other repercussions. Thus, laws and regulations form the basis of security
policies and will help you to establish compliance while providing a strong justification for your
recommendations.

Conclusion

To ensure the security and privacy of the network, you must stay vigilant and informed. Threats are not static,
but ever-changing. When one tactic is no longer effective, cyber criminals adapt. You must adapt, too. You
should stay informed, learn from your industry peers, and leverage threat intelligence. When you hear about a
new attack, you need to be able to understand how the attack works on both a conceptual and technical level,
right down to the protocols, ports, and services the attack uses as an attack vector. You may not always have
a patch available, but you can always take mitigating actions against the risk of an attack.

References

Crowdstrike. (2022). 2022 Global Threat Report. https://go.crowdstrike.com/rs/281-OBQ-

266/images/Report2022GTR.pdf

Grama, J. L. (2022). Legal and privacy issues in information security (3rd ed.). Jones and Bartlett.

https://online.vitalsource.com/#/books/9781284231465

CYB 4301, Cybersecurity and Crime 4

UNIT x STUDY GUIDE

Title

Symantec. (2015). Internet security report.
https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347931_GA-internet-security-threat-
reportvolume-20-2015-appendices.pdf

Vailshery, L. (2022, November 22). IoT connected devices worldwide 2019-2030 | Statista. Statista.

https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/