Cybersecurity has become a major priority for companies and organizations around the world. There are millions of cybersecurity positions open and unfilled, and a shortage of cyber security talent. Companies and organizations need cybersecurity professionals equipped with the knowledge, skills, and abilities to stay ahead of, and to cope with, evolving threats and vulnerabilities.
Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents. Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity.
The CC(GRC)P program has been designed to provide with the knowledge and skills needed to understand and support firms and organizations in cyber risk and compliance management. The course provides with the skills needed to pass the Certified Cyber (Governance Risk and Compliance) Professional – CC(GRC)P exam.
- Managers and employees working at the strategic, tactical, and operational levels of information security, IT and risk management.
- Information security manager, employees, auditors, and consultant.
- Threat analysts.
- Vulnerability assessment manager, employees, auditors, and consultants.
- Risk and compliance manager, employees, auditors, and consultants.
- IT manager, employees, auditors, and consultants.
- Network, systems and security administrators.
- Senior managers involved in risk and compliance management.
- Data protection and privacy manager, employees, auditors and consultants.
- IT, information security, risk and compliance management vendor, suppliers, and service providers.
Part 1: Introduction
- Demand for Cyber Risk / Information Security Professionals … and compensation.
- Introduction to Cyber (Governance, Risk, Compliance).
- From Cyberspace to Information Operations (IO) to Cyber Espionage.
- Cyber risks today, and what is different for organizations and employees.
Part 2: Attacks and Modus Operandi
- Who is the attacker?
- Eleven types of internet security attacks.
- Attacks on the critical infrastructure.
- Attacks on the internet infrastructure.
- Deliberate persistent attacks on specific resources.
- Widespread automated attacks against internet sites.
- Threats, harassment, and other criminal offences involving individual user accounts.
- New types of attacks or new vulnerabilities.
- Denial of Service (DoS) and Distributed Denial of Service (DDoS).
- Forgery and misrepresentation.
- Compromise of single desktop systems.
- Copyright violations.
Step 1 – Collecting information about persons and systems
- Reconnaissance: The research phase used to identify and select targets.
- Looking for information about the systems.
- Looking for information about the persons working in the target organization (or for the target organization).
- Outsourcing and budget cuts can have hidden costs.
- Who has signed a confidentiality agreement? A good list of prime targets for all adversaries.
- Looking at our daily activities from the adversaries’ point of view.
- More prime targets: Disgruntled employees, ideologists, employees having a lavish lifestyle, employees having “weaknesses”, lawyers having access to trade secrets and sensitive information.
Step 2 – Identifying possible targets and victims
- Hardware attacks, software attacks.
- Malicious hardware modifications: Acquiring hardware components with a backdoor, and how it affects all other information security policies.
- Phishing, social phishing, spear phishing, watering hole attacks.
- Which systems and which persons? The hit lists.
Step 3 – Evaluation, recruitment and testing
- Exploiting more vulnerabilities in certain systems.
- Deciding to work more with certain persons.
- Blackmailing employees: The art and the science.
- Testing the asset.
- The problem with the sleeper agents.
Step 4 – Privilege escalation
- Vertical privilege escalation, where adversaries grant themselves higher privileges.
- Horizontal privilege escalation, where adversaries use the identity of other users with similar privileges.
- Obtaining customer account details.
- Internal information, social engineering.
Step 5 – Identification of important clients and stakeholders
- Attackers have access to personal information. What is next?
- Identifying important clients and stakeholders working in the public and the private sector.
- Repeating the process – Steps 1 to 4.
Step 6 – Critical infrastructure
- Creating backdoors.
- Covering their tracks.
- Ticking time bombs and backdoor triggers based on specific input data.
- Selling information in the secondary markets (to other attackers, competitors, spies and the organized crime).
Part 3: Information Warfare, Cyber Espionage
- The famous paradoxical trinity of Clausewitz.
- Cyberspace – a domain of war.
- Jus ad bellum, just in bello, jus post bellum.
- Article 2(4) and Article 51, United Nations (UN) Charter.
- Interpretations of Article 2(4) and Article 51.
- From the International Strategy for Cyberspace, to the G7 Finance Ministers and Central Bank Governors, to the Law of War Manual, Cyber Operations.
- Information Operations (IO).
- Information Operations and their supporting capabilities.
- Defensive Information Operations.
- Net-centric warfare.
- Cyberspace and national security.
- Hackers, Spies, or Hybrid Warfare?
- The Gerasimov’s Doctrine- Case Studies.
- Espionage, Intelligence.
- Political, Economic, Military Intelligence.
- Competitive Intelligence vs. Economic or Industrial Espionage.
- From UK, MI5.
- From UK SIS, MI6.
- From UK, Centre for the Protection of National Infrastructure (CPNI).
- Counterintelligence (CI).
- Cyber Espionage.
- case studies.
- Strategic counterintelligence.
- The Ten Commandments of Counterintelligence (from James M. Olson that served in the Directorate of Operations of the CIA) that apply in Cybersecurity.
- Gentlemen don’t read each other’s mail.
Part 4: Defense
- Cyber Hygiene.
- The U.S. National Institute of Standards and Technology Cybersecurity
- Framework (NIST CSF).
- The Functions:
- internal stakeholders and executive and management teams.
- The Framework Implementation Tiers (“Tiers”).
- From Partial (Tier 1) to Adaptive (Tier 4).
- The Framework Profile.
- Coordination of Framework Implementation.
- Establishing or Improving a Cybersecurity Program.
- Methodology to Protect Privacy and Civil Liberties.
- Governance of cybersecurity risk.
- Awareness and training measures.
- Penetration Testing.
- Guidance from the Securities and Exchange Commission (SEC), Division of Corporation Finance, regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
- The new international standards for cyber security after Regulation (EU) 2016/679 (General Data Protection Regulation).
Part 5: The future
- The attribution problem.
- The second attribution problem.
- Plausible deniability.
- Misinformation, disinformation, deception, fabrication.
- Disinformation management.
- ENISA, Disinformation operations in cyber-space.
- ENISA, Active Defense and Offensive Countermeasures.
Five-days or 35 training hours.
Official exam and courseware are included.w