security-industry-101 final 945311

Is This Webinar Right for You?
• Are you thinking about joining the IT security industry?
• Are you new to the IT security industry?
• Are you an IT security industry veteran with experience in just one or two areas?
• Are you looking to expand your overall IT security industry knowledge?
If the answer is “yes” to any of these questions, this webinar is for you!
Over 3,000 Cybersecurity Vendors
Security Spending Outpaces IT Spending
2023 Forecasted IT Spending Growth: +2.4%
2023 Forecasted IT Security Spending Growth: +11.3%
Learning Objectives
• Useful vocabulary terms and buzz words
• Five types of cyberthreat actors
• Modern cyberthreats and tactics
• Categories of cybersecurity defenses
• Common IT security job roles
• Security industry ecosystem
Learning a New Vocabulary
Let’s Expand Your Vocabulary!
Security Lingo
• Defense in depth
• Vulnerabilities, patches & exploits
• CVE & CVSS scores
• Attack surface & security posture
• NOCs vs. SOCs
• False positives vs. false negatives
Buzz words & phrases
• Bring Your Own Device (BYOD)
• Shadow IT
• DevSecOps
• Internet of Things (IoT)
• Operational Technology (OT)
• Zero Trust Network Access
Defense in Depth
Term frequently used to describe a policy of implementing multiple layers of security controls (defenses) throughout a computer network
Vulnerabilities, Patches & Exploits
Vulnerability
• Security flaw found in software or an OS
Patch
• A software update designed to correct a vulnerability
• “Patch Tuesday” is the second Tuesday of each month when Microsoft announces availability of new patches
Exploit
• Noun: Malware designed to take advantage of an unpatched vulnerability
• Verb: The act of malware taking advantage of an unpatched vulnerability
CVEs & CVSS Scores
Common Vulnerabilities and Exposures (CVE)
• Catalog of known security vulnerabilities and exposures
• Sponsored by U.S. Computer Emergency Readiness Team (US-CERT), under U.S. Department of Homeland Security
• Maintained by (non-profit) MITRE Corporation
• Each vulnerability assigned a CVE number (CVE-2023-0001)
Common Vulnerability Scoring System (CVSS)
• Open industry framework for rating CVEs by severity
• Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9) and Critical (9.0-10.0)
Registered CVEs by Year
Data source: https://www.cvedetails.com/browse-by-date.php
Most Vulnerabilities Are Not Exploited
93% of vulns not exploited! (Source: IBM X-Force Red)
Few Vulnerabilities Are Critical
Source: IBM X-Force Red
Top 20 Vendor Vulnerabilities (January 1, 1999 to March 11, 2023)
Rank  Vendor          Products   Vulns  Vulns by Product
   1  Microsoft            738   9,362                13
   2  Oracle             1,031   9,053                 9
   3  Debian               111   8,189                74
   4  Google               145   8,183                56
   5  Apple                144   6,040                42
   6  IBM                1,389   5,610                 4
   7  Redhat               473   4,831                10
   8  Fedoraproject         22   4,438               202
   9  Cisco              6,071   4,390                 1
  10  Canonical             49   3,983                81
  11  Opensuse              60   3,139                52
  12  Linux                 25   3,117               125
  13  Mozilla               36   2,513                70
  14  Netapp               348   1,943                 6
  15  Apache               321   1,895                 6
  16  HP                15,169   1,840                <1
  17  Sun                  206   1,530                 7
  18  Adobe                169   1,484                 9
  19  Jenkins              588   1,373                 2
  20  SAP                  380   1,258                 3
Full and updated statistics can be found at https://www.cvedetails.com/top-50-vendors.php
NOCs vs. SOCs
Network Operations Center (NOC)
• Operational monitoring of network infrastructure and services
• Ensures the availability and performance of the network
Security Operations Center (SOC)
• Security monitoring of network infrastructure and services
• Ensures the security of the network
False Positive vs. False Negative
False Positive
• Incorrectly classifying a good file (or message) as bad
• Often results in “headaches”
False Negative
• Incorrectly classifying a bad file (or message) as good
• Can be a “company killer” if it goes undetected
Bring Your Own Device (BYOD)
• Policy allowing employees to use their own mobile devices to access company applications and data
• Improves worker productivity and job satisfaction
• Dramatically increases a company’s attack surface, as employees may not keep up with patching device vulnerabilities
Shadow IT
• Term used to describe the use of IT solutions to conduct business without approval – and often without knowledge – of the IT department
– Box / Dropbox / Google Drive
– Google Docs / Sheets
• Introduces IT security risks
– Expanded attack surface
– Risk of data loss
DevSecOps
• Paradigm shift / culture change building security into the application development process
• Increases speed of deploying applications and updates
• Improves interpersonal relations between DevOps and SecOps
• Leverages a set of application security testing tools
Internet of Things (IoT)
• Ability for objects to transfer data over a network without human intervention
• Examples of business “things”
– Copy machine
– VoIP phone
– Video conferencing system
– Medical devices
• Potential for threat actors to compromise “things” in the workplace
Operational Technology (OT)
• Hardware and software designed to detect or cause physical changes in physical devices (e.g., valves, pumps) within critical infrastructure
• Critical infrastructure examples:
– Oil refineries
– Power / nuclear plants
– Water treatment facilities
• Common OT terminology
– Supervisory control and data acquisition (SCADA)
– Industrial control system (ICS)
– Programmable logic controller (PLC)
Zero Trust Network Access (ZTNA)
• “Never trust, always verify”
– Created by John Kindervag, formerly with Forrester
– No longer assume that persons, systems, or services operating from within the security perimeter are trusted
– Instead, “everything” and “everyone” must be verified before granting access
• Key technology components
– Two-/multi-factor authentication (2FA/MFA)
– Endpoint security / device validation
– Firewall micro-segmentation
– Real-time monitoring
Recognizing Our Cyber Adversaries
Types of Threat Actors
• Organized crime
• Nation state threat actors
• Insider threats
• Hacktivists
• Hobbyists
Source: Verizon 2023 Data Breach Investigations Report
Organized Crime
• Motivated by financial gain
• Committers of ransomware attacks and data breaches
• Sell stolen data to the highest bidder on the dark web
Nation State Threat Actors
• State-funded, politically motivated
• Sample cyber attacks
– China: Theft of Lockheed Martin’s F-35 blueprints (2009)
– North Korea: Sony breach in response to “The Interview” (2015)
– Russia: Attacks against NATO countries following Ukraine invasion (2022-23)
– United States: Stuxnet attack targeting Iranian nuclear centrifuges (2010)
Insider Threats
• Malicious current or former employee or contractor
• Motivations may include retribution, financial gain, espionage, or whistleblowing
(Pictured: Edward Snowden, former NSA employee)
Hacktivists
• Self-funded, politically or socially motivated
• Practice “hacktivism”
• Sample cyber attacks:
– Killnet & Passion Group: Pro-Russia hacktivists committing DDoS attacks against NATO countries
– Anonymous: Published Donald Trump’s Social Security Number and cell number
– The Impact Team: Published member list of Ashley Madison dating website
Hobbyists
• Hacking for entertainment
• May operate as individuals or groups
– Lulzsec: Leaked names of 73,000 XFactor contestants; posted fake PBS story claiming Tupac Shakur and Biggie Smalls were alive and living in New Zealand
– AntiSec: Defaced Panda Security websites to protest LulzSec arrests
(Pictured: charged Lulzsec hackers; sentences: 20-32 months)
Surveying the Cyberthreat Landscape
Malware
• Derived from “malicious software”
• Umbrella term for many types of file-based cyberthreats
• Hundreds of thousands of new malware variants launched per day
Ransomware
• Malware that encrypts access to infected system and/or data until user pays ransom (in Bitcoin)
• Often coupled with additional threats
– Threat to publish stolen data on internet
– Threat to notify press or customers about breach
– Threat to commit a DDoS attack
• Paying the ransom does not guarantee restored access to your system or data
Phishing & Spear-phishing
Phishing
• Opportunistic email attack against “everyone”
Spear-phishing
• Targeted attack against a specific employee at a specific company
• Often the first step of an advanced persistent threat (APT)
Drive-by Downloads
• Opportunistic, web-based attack
• User’s host is infected simply by visiting the website
• No need to click on anything to become infected by malware
Web Application Attacks
• Custom web applications are particularly vulnerable to common programming errors
• Sample OWASP Top 10 attacks
– SQL injection attack
– Cross-site scripting (XSS) attack
– Broken authentication attack
• Approximately one-third of CVEs are mapped to OWASP Top 10
• Connect to owasp.org to learn more
Zero-day Attacks
• Malware that exploits a publicly unknown vulnerability
• Particularly dangerous against signature-based defenses
• Comprise less than 1% of CVEs annually
Advanced Persistent Threats (APTs)
• Sophisticated attack against a targeted organization
• Often starts with spear-phishing attack with customized malware
• APTs often take 200+ days before mission is completed
Exploring Common Security Defenses
Common Security Product Categories
Parent Category: Sample Products / Technologies
• Application Security: WAF, API Security, RASP, SAST, DAST, IAST
• Attack Surface Management: VA, VM, SCM, Penetration Testing
• Cloud Security: CASB, SASE
• Data Security: FIM, FAM, DAM, Database Firewall
• Digital Forensics: DRP, DFIR
• Endpoint Security: EPP, EDR, Deception, DLP
• Frameworks: ZTNA, XDR
• Governance, Risk & Compliance (GRC): TPRM, Security Scorecards, Supply Chain Risk Management
Common Security Product Categories, cont.
Parent Category: Sample Products / Technologies
• Identity & Access Management (IAM): MFA/2FA, Active Directory Security, Passwordless Authentication
• IoT Security: IoT Vulnerability / Threat Detection
• Mobile Security: MAM, MDM
• Network Security: NGFW, UTM, IDS, IPS, SEG, SWG, NAC, NDR, DDoS Prevention, DLP
• Security Management & Operations: SIEM, SOAR, Network Forensics, PAM
• Threat Intelligence: TIP, Threat Intelligence Subscriptions
• Threat Detection / Prevention: Sandboxing, Security Analytics, UEBA
Common Security Service Categories
Parent Category: Sample Services
• Bug Bounty: Zero-day Vulnerability Discovery
• Cybersecurity Training & Certification: CISSP, CCSP, CGRC, CC, CSSLP, SSCP, Security Awareness Training, Phishing Simulation Platform
• Managed Security Services: MDR, MSSP, MXDR, MSP
• Security Awareness Training: Live in-person, live online & pre-recorded training
Common IT Security Job Roles
Common IT Security Job Roles
Chief Information Security Officer (CISO)
• Head of information security
VP / Director / Manager
• Heads up a security division, department, or team
Security Architect
• Responsible for designing security architecture
• Typically signs off on major security product acquisitions
• Communicates with network operations to ensure security infrastructure changes don’t impact network availability
Common IT Security Job Roles, cont.
Security Administrator
• Responsible for installing, configuring, and maintaining security infrastructure
Security Analyst
• Works in SOC monitoring security tools for potential incidents
Incident Responder
• Validates and remediates security incidents
Compliance Auditor
• Generates reports associated with regulatory compliance (e.g., PCI, HIPAA)
Shortfall of IT Security Personnel
Organizations Experiencing an IT Security Skills Shortage (chart)
Source: 2023 Cyberthreat Defense Report, CyberEdge Group
Security Industry Ecosystem
Popular IT Security Conferences
• RSA Conference (US)
• Black Hat Conference (US, Europe & Japan)
• DEF CON (US)
• Gartner Security & Risk Management Summit (US, UK)
• ISC2 Security Congress (US)
• InfoSec World (US)
• HIMSS Global Health Conference (US)
• Infosecurity Europe (UK)
• EDUCAUSE (US)
Popular IT Security Networking Groups
Popular IT Security Publications
Useful IT Security Industry Reports
Questions?