Foundation
This module is a specialist knowledge base applicable to cyber security. It contains essential knowledge foundations for the majority of cyber security roles.
Why cyber security matters
· Explain why information and cyber security is important to business and society.
Basic security theory
· Explain basic concepts: security, identity, confidentiality, integrity, availability, threat, vulnerability, risk & hazard: This should illustrate an understanding of what fundamentally security is and the basic concepts of risk, threat, vulnerability and hazard.
· Explain how the concepts of threat, hazard and vulnerability relate to each other and lead to risk. Describe in simple terms what risk is and how risks are usually characterised (likelihood and impact) and illustrate by use of at least one commonly used tool (e.g. a risk register).
· Understand the inherent asymmetric nature of cyber security threats.
· Describe and characterise (in terms of capability, opportunity & motive) examples of threats and also describe some typical hazards that may concern an organisation. Recognise that there are different types or classes of threat and threat actor and that these may be profiled. Relate these descriptions to example security objectives.
· Understand how an organisation balances business drivers with the outcome and recommendations of a cybersecurity risk assessment, taking account of the wider business risk context.
· Assurance concepts: Explain the difference between ‘trusted’ and ‘trustworthy’ and explain what assurance is for in security. Describe the main approaches to assurance (intrinsic, extrinsic, design & implementation, operational policy & process) and give examples of how these might be applied at different stages in the lifecycle of a system
· Assurance in practice (reference the concepts): Explain what penetration testing (‘ethical hacking’) is and how it contributes to assurance. Describe at least one current system of extrinsic assurance (e.g. security testing, supply chain assurance, Common Criteria) explaining the benefits and limitations. Describe at least 2 ways an organisation can provide intrinsic assurance.
Applying basic security concepts to develop security requirements (to help build a security case)
· Derive and justify security objectives. Describe how these might apply to information and infrastructure assets in at least 2 different and representative business scenarios, including a reasoned justification (taking account of the value of the assets) of the different importance and relative priorities in the different scenarios. Explain and illustrate by example how this analysis leads to an expression of security objectives or requirements.
Security concepts applied to ICT (‘cyber’) infrastructure
· Describe some common vulnerabilities in computer networks and systems (for example, non-secure coding and unprotected networks)
· Describe the fundamental building blocks (e.g. routers, switches, hubs, storage, transmission) and typical architectures (e.g. server/client, hub/spoke, non-virtual/virtual) of computers, networks and the Internet.
Attack techniques and common sources of threat
· Describe the main different types of common attack techniques (for example: phishing, social engineering, malware, network interception, blended techniques e.g. ‘advanced persistent threat’, denial of service, theft). Explain the main features of how they work and suggest where they may be effective.
· Describe the role of human behaviour in cyber security. Explain what ‘the insider threat’ is. Explain what ‘cyber security culture’ in an organisation is, describe some features that may characterise it and explain how it may contribute to security risk.
· Explain how an attack technique combines with motive and opportunity to become a threat. Explain how attack techniques are developed and why they are continuously changing.
· Describe typical hazards and how these may achieve the same outcome as an attack (e.g. flood, fire)
· Describe ways to defend against the main attack techniques, including consideration of ‘deter’, ‘protect’, ‘detect’ & ‘react’ and an ‘attack chain’.
Legal, standards, regulations and ethical standards relevant to cyber security
· Describe the cyber security standards and regulations and their consequences for at least 2 sectors (e.g. Government, finance, petrochemical/process control), comparing and contrasting the differences.
· Appreciate the role of criminal law, contract law and other sources of regulation.
· Explain the benefits & costs and the main motives for uptake of significant security standards such as Common Criteria, PCI-DSS, FIPS-140-2, CESG Assisted products (CAPS).
· Describe the key features of the main English laws that are relevant to cyber security issues (including legal requirements that affect individuals and organisations), e.g.: Computer Misuse Act, Data Protection Act, Human Rights Act.
· Describe the implications of international laws and regulations that affect organisations, systems and users in the UK, movement of data and equipment across international borders and between jurisdictions (e.g. Digital Millennium Act, ITAR, Safe Harbour).
· Describe the legal responsibilities of system users and how these are communicated effectively.
· Describe by reference to at least 1 generally recognised and relevant professional body the ethical responsibilities of a cyber-security professional.
Keeping up with the threat landscape
· Describe and know how to apply relevant techniques for horizon scanning and be able to identify at least three external sources of horizon scanning (e.g. market trend reports, academic research papers, professional journals, hacker conferences, online fora, Government sponsored sources – e.g. CISP) and recognise the value of using a diversity of sources. Illustrate with some current examples relevant to cyber security. Describe and know how to apply at least 1 technique to identify trends in research. Illustrate with an example.
· Describe the significance of some identified trends in cyber security and understand the value and risk of this analysis.