Cybersecurity Basics: Protecting Your Data & Identity

1.1.1 What Is Cybersecurity?
Cybersecurity is the ongoing effort to protect individuals, organizations and governments
from digital attacks by protecting networked systems and data from unauthorized use or
harm.
Personal
On a personal level, you need to safeguard your identity, your data, and your computing
devices.
Organizational
At an organizational level, it is everyone’s responsibility to protect the organization’s
reputation, data and customers.
Government
As more digital information is being gathered and shared, its protection becomes even more
vital at the government level, where national security, economic stability and the safety and
wellbeing of citizens are at stake.
1.1.2 Protecting Your Personal Data
Personal data is any information that can be used to identify you, and it can exist both offline
and online.
Offline identity
Your offline identity is the real-life persona that you present on a daily basis at home, at
school or at work. As a result, family and friends know details about your personal life,
including your full name, age and address.
It’s important not to overlook the importance of securing your offline identity. Identity thieves
can easily steal your data from right under your nose when you’re not looking!
Online identity
Your online identity is not just a name. It’s who you are and how you present yourself to
others online. It includes the username or alias you use for your online accounts, as well as
the social identity you establish and portray on online communities and websites.
You should take care to limit the amount of personal information you reveal through your
online identity.
1.1.4 Your Data - Personal data describes any information about you, including your name,
social security number, driver license number, date and place of birth, your mother’s maiden
name, and even pictures or messages that you exchange with family and friends.
Cybercriminals can use this sensitive information to identify and impersonate you, infringing
on your privacy and potentially causing serious damage to your reputation.
Medical records - Every time you visit the doctor, personal information regarding your
physical and mental health and wellbeing is added to your electronic health records (EHRs).
Since the majority of these records are saved online, you need to be aware of the medical
information that you share.
And these records go beyond the bounds of the doctor’s office. For example, many fitness
trackers collect large amounts of clinical data such as your heart rate, blood pressure and
blood sugar levels, which is transferred, stored and displayed via the cloud. Therefore, you
should consider this data to be part of your medical records.
Education records - Educational records contain information about your academic
qualifications and achievements. However, these records may also include your contact
information, attendance records, disciplinary reports, health and immunization records as
well as any special education records including individualized education programs (IEPs).
Employment and financial records - Employment data can be valuable to hackers if they can
gather information on your past employment, or even your current performance reviews.
Your financial records may include information about your income and expenditure. Your tax
records may include paychecks, credit card statements, your credit rating and your bank
account details. All of this data, if not safeguarded properly, can compromise your privacy
and enable cybercriminals to use your information for their own gain.
1.1.7 Smart Devices - Consider how often you use your computing devices to access your
personal data. Unless you have chosen to receive paper statements, you probably access
digital copies of bank account statements via your bank’s website. And when paying a bill,
it’s highly likely that you’ve transferred the required funds via a mobile banking app.
But besides allowing you to access your information, computing devices can now also
generate information about you.
Wearable technologies such as smartwatches and activity trackers collect your data for
clinical research, patient health monitoring, and fitness and wellbeing tracking. As the global
fitness tracker market grows, so also does the risk to your personal data.
It might seem that information available online is free. But is privacy the price we pay for this
digital convenience?
For example, social media companies generate the majority of their income by selling
targeted advertising based on customer data that has been mined using algorithms or
formulas. Of course, these companies will argue that they are not ‘selling’ customer data, but
‘sharing’ customer data with their marketing partners.
You can make up your own mind!
1.1.9 Identity Theft - Not content with stealing your money for short-term financial gain,
cybercriminals are invested in the long-term gain of identity theft. Two examples of how
they do this:
Medical theft - Rising medical costs have led to an increase in medical identity theft, with
cybercriminals stealing medical insurance to use the benefits for themselves. Where this
happens, any medical procedures carried out in your name will then be saved in your
medical records.
Banking - Stealing private data can help cybercriminals access bank accounts, credit cards,
social profiles and other online accounts. Armed with this information, an identity thief could
file a fake tax return and collect the refund. They could even take out loans in your name and
ruin your credit rating (and your life as well).
1.1.10 Who Else Wants My Data?
It’s not just criminals who seek your personal data.
Your Internet service provider (ISP)
Your ISP tracks your online activity and, in some countries, they can sell this data to
advertisers for a profit.
In certain circumstances, ISPs may be legally required to share your information with
government surveillance agencies or authorities.
Advertisers
Targeted advertising is part of the Internet experience. Advertisers monitor and track your
online activities such as shopping habits and personal preferences and send targeted ads
your way.
Search engines and social media platforms
These platforms gather information about your gender, geolocation, phone number and
political and religious ideologies based on your search histories and online identity. This
information is then sold to advertisers for a profit.
Websites you visit
Websites use cookies to track your activities in order to provide a more personalized
experience. But this leaves a data trail that is linked to your online identity that can often end
up in the hands of advertisers!
1.2.1 Types of Organizational Data
1.2.1.1 Traditional Data
Traditional data is typically generated and maintained by all organizations, big and small. It
includes the following:
• Transactional data such as details relating to buying and selling, production activities
  and basic organizational operations such as any information used to make
  employment decisions.
• Intellectual property such as patents, trademarks and new product plans, which
  allows an organization to gain economic advantage over its competitors. This
  information is often considered a trade secret and losing it could prove disastrous for
  the future of a company.
• Financial data such as income statements, balance sheets and cash flow statements,
  which provide insight into the health of a company.
1.2.1.2 Internet of Things (IoT) and Big Data
IoT is a large network of physical objects, such as sensors, software and other equipment.
All of these ‘things’ are connected to the Internet, with the ability to collect and share data.
And given that storage options are expanding through the cloud and virtualization, it’s no
surprise that the emergence of IoT has led to an exponential growth in data, creating a new
area of interest in technology and business called 'Big Data.'
1.2.2 The Cube - The McCumber Cube is a model framework created by John McCumber in
1991 to help organizations establish and evaluate information security initiatives by
considering all of the related factors that impact them. This security model has three
dimensions:
1. The foundational principles for protecting information systems.
2. The protection of information in each of its possible states.
3. The security measures used to protect data.
Security principles
• Confidentiality is a set of rules that prevents sensitive information from being
  disclosed to unauthorized people, resources and processes. Methods to ensure
  confidentiality include data encryption, identity proofing and two-factor authentication.
• Integrity ensures that system information or processes are protected from intentional
  or accidental modification. One way to ensure integrity is to use a hash function or
  checksum.
• Availability means that authorized users are able to access systems and data when
  and where needed, and that those who do not meet the established conditions cannot.
  This can be achieved by maintaining equipment, performing hardware repairs, keeping
  operating systems and software up to date, and creating backups.
Information states
• Processing refers to data that is being used to perform an operation such as updating
  a database record (data in process).
• Storage refers to data stored in memory or on a permanent storage device such as a
  hard drive, solid-state drive or USB drive (data at rest).
• Transmission refers to data traveling between information systems (data in transit).
Security safeguards
• Awareness, training and education are the measures put in place by an organization
  to ensure that users are knowledgeable about potential security threats and the
  actions they can take to protect information systems.
• Technology refers to the software- and hardware-based solutions designed to protect
  information systems such as firewalls, which continuously monitor your network in
  search of possible malicious incidents.
• Policy and procedure refers to the administrative controls that provide a foundation
  for how an organization implements information assurance, such as incident
  response plans and best practice guidelines.
1.2.4 Is This for Real?
Yes, phishing is very common and often works. For example, in August 2020, elite gaming
brand Razer experienced a data breach which exposed the personal information of
approximately 100,000 customers.
A security consultant discovered that a cloud cluster (a group of linked servers providing
data storage, databases, networking, and software through the Internet), was misconfigured
and exposed a segment of Razer’s infrastructure to the public Internet, resulting in a data
leak.
It took Razer more than three weeks to secure the cloud instance from public access, during
which time cybercriminals had access to customer information that could have been used in
social engineering and fraud attacks, such as targeted phishing.
Organizations therefore need to take a proactive approach to cloud security to ensure that
sensitive data is secured.
1.2.5 Data Security Breaches
The implications of a data security breach are severe, but they are becoming all too
common.
The Persirai botnet - In 2017, an Internet of Things (IoT) botnet, Persirai, targeted over 1,000
different models of Internet Protocol (IP) cameras, accessing open ports to inject a
command that forced the cameras to connect to a site which installed malware on them.
Once the malware was downloaded and executed, it deleted itself and was therefore able to
run in memory to avoid detection.
Over 122,000 of these cameras from several different manufacturers were hijacked and
used to carry out distributed denial-of-service (DDoS) attacks, without the knowledge of their
owners. A DDoS attack occurs when multiple devices infected with malware flood the
resources of a targeted system.
The IoT is connecting more and more devices, creating more opportunities for
cybercriminals to attack.
Equifax Inc. - In September 2017, Equifax, a consumer credit reporting agency in the United
States, publicly announced a data breach event: Attackers had been able to exploit a
vulnerability in its web application software to gain access to the sensitive personal data of
millions of customers.
In response to this breach, Equifax established a dedicated website that allowed Equifax
customers to determine if their information was compromised. However, instead of using a
subdomain of equifax.com, the company set up a new domain name, which allowed
cybercriminals to create unauthorized websites with similar names. These websites were
used to try and trick customers into providing personal information.
Attackers could use this information to assume a customer’s identity. In such cases, it would
be very difficult for the customer to prove otherwise, given that the hacker is also privy to
their personal information.
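The Equifax case above turns on one check: a breach-notification site on a subdomain of the company's own domain is verifiable, a brand-new domain is not, and lookalikes of a new domain are cheap to register. The following added example, not part of the course text, shows the check a security team (or a browser plugin, or a mail gateway) can apply to a hostname. example.com stands in for the trusted domain, the sample hostnames are constructed, and the assumption that the public suffix is a single label (such as .com) is noted in the code; a real deployment would consult the Public Suffix List.

```python
# Added example (not from the course): genuine subdomain versus lookalike domain.


def normalize(host: str) -> str:
    return host.strip().rstrip(".").lower()


def is_subdomain_of(host: str, trusted: str) -> bool:
    """True only for the trusted domain itself or a label-boundary subdomain.
    A bare endswith(trusted) would wrongly accept 'notexample.com'."""
    host, trusted = normalize(host), normalize(trusted)
    return host == trusted or host.endswith("." + trusted)


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'example' for 'www.example.com'.
    Assumption: one-label public suffix; .co.uk and similar need the Public Suffix List."""
    labels = normalize(host).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so that examp1e / exarnple are caught as near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str, trusted: str, max_distance: int = 2) -> str:
    """'trusted' for the domain or its subdomains, 'lookalike' for names that
    embed or nearly match the brand label, otherwise 'unrelated'."""
    if is_subdomain_of(host, trusted):
        return "trusted"
    brand = registrable_label(trusted)
    # Brand embedded anywhere, including as a leading label such as
    # example.com.evil.net, is the classic impersonation pattern.
    if brand in normalize(host):
        return "lookalike"
    if levenshtein(registrable_label(host), brand) <= max_distance:
        return "lookalike"
    return "unrelated"


def audit(hosts, trusted: str) -> dict:
    return {h: classify(h, trusted) for h in hosts}


if __name__ == "__main__":
    # Constructed sample hostnames.
    sample = ["breachcheck.example.com", "example.com", "notexample.com",
              "examp1e.com", "example.com.evil.net", "otherbank.com"]
    for host, verdict in audit(sample, "example.com").items():
        print(f"{host:28} {verdict}")
```

The lesson of the Equifax response is the first branch: had the notification site lived under the company's own domain, customers could have applied this one rule, and the lookalike branches would never have been needed.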
1.2.6 Consequences of a Security Breach
These examples show that the potential consequences of a security breach can be severe.
Reputational damage - A security breach can have a negative long-term impact on an
organization’s reputation that has taken years to build. Customers, particularly those who
have been adversely affected by the breach, will need to be notified and may seek
compensation and/or turn to a reliable and secure competitor. Employees may also choose
to leave in light of a scandal.
Depending on the severity of a breach, it can take a long time to repair an organization’s
Vandalism - A hacker or hacking group may vandalize an organization’s website by posting
untrue information. They might even just make a few minor edits to your organization’s
phone number or address, which can be trickier to detect.
In either case, online vandalism can portray unprofessionalism and have a negative impact
on your organization’s reputation and credibility.
Theft - A data breach often involves an incident where sensitive personal data has been
stolen. Cybercriminals can make this information public or exploit it to steal an individual’s
money and/or identity.
Loss of revenue - The financial impact of a security breach can be devastating. For example,
hackers can take down an organization’s website, preventing it from doing business online. A
loss of customer information may impede company growth and expansion. It may demand
further investment in an organization’s security infrastructure. And let’s not forget that
organizations may face large fines or penalties if they do not protect online data.
Damaged intellectual property - A security breach could also have a devastating impact on
the competitiveness of an organization, particularly if hackers are able to get their hands on
confidential documents, trade secrets and intellectual property.
1.3.6 Key Takeaways
A security breach is an incident that results in unauthorized access to data, applications,
services or devices, exposing private information that attackers can use for financial gain or
other advantages.
But there are many ways to protect yourself and your organization. It’s important to be aware
of common cyber threats and remain vigilant so that you don’t become the next victim.
1.4 Cyber Attackers
Attackers are individuals or groups who attempt to exploit vulnerabilities for personal or
financial gain. As we’ve already seen, they are interested in everything, from credit cards to
product designs!
1.4.1 Types of Attackers
Let’s look at some of the main types of cyber attackers who’ll try anything to get their hands
on our information. They are often categorized as white hat, gray hat or black hat attackers.
Amateurs
The term 'script kiddies' emerged in the 1990s and refers to amateur or inexperienced
hackers who use existing tools or instructions found on the Internet to launch attacks. Some
script kiddies are just curious, others are trying to demonstrate their skills and cause harm.
While script kiddies may use basic tools, their attacks can still have devastating
consequences.
Hackers
This group of attackers break into computer systems or networks to gain access. Depending
on the intent of their break in, they can be classified as white, gray or black hat hackers.
• White hat attackers break into networks or computer systems to identify any
  weaknesses so that the security of a system or network can be improved. These
  break-ins are done with prior permission and any results are reported back to the
  owner.
• Gray hat attackers may set out to find vulnerabilities in a system but they will only
  report their findings to the owners of a system if doing so coincides with their agenda.
  Or they might even publish details about the vulnerability on the internet so that other
  attackers can exploit it.
• Black hat attackers take advantage of any vulnerability for illegal personal, financial
  or political gain.
Organized hackers
These attackers include organizations of cyber criminals, hacktivists, terrorists and
state-sponsored hackers. They are usually highly sophisticated and organized, and may even
provide cybercrime as a service to other criminals.
Hacktivists make political statements to create awareness about issues that are important to
them.
State-sponsored attackers gather intelligence or commit sabotage on behalf of their
government. They are usually highly trained and well-funded and their attacks are focused
on specific goals that are beneficial to their government.
1.4.3 Internal and External Threats
Cyber attacks can originate from within an organization as well as from outside of it.
Internal
Employees, contract staff or trusted partners can accidentally or intentionally:
• mishandle confidential data
• facilitate outside attacks by connecting infected USB media into the organization’s
  computer system
• invite malware onto the organization’s network by clicking on malicious emails or
  websites
• threaten the operations of internal servers or network infrastructure devices.
External
Amateurs or skilled attackers outside of the organization can:
• exploit vulnerabilities in the network
• gain unauthorized access to computing devices
• use social engineering to gain unauthorized access to organizational data.
1.5 Cyberwarfare
Cyberwarfare, as its name suggests, is the use of technology to penetrate and attack
another nation’s computer systems and networks in an effort to cause damage or disrupt
services, such as shutting down a power grid.
You know when it comes to security news, it's always puzzling what gets reported. As
viewers of this show, you know there's a very regular rhythm of security issues that are
always bubbling just below the surface and it takes something truly profound to grab the
public's attention. Well, one new threat making the rounds did have the right mix of
ingredients last summer. Stuxnet. I mean it makes sense, right? Computer attacks, nuclear
power, foreign governments, sabotage, spy versus spy. But how much of it is real? Enough
to say it's a sign of the times.
Now as all good threats, the details will continue to evolve, but I do think that there are five
items worth paying attention to here.
The first one, non-trivial distribution. Primarily spread via USB sticks. Think non-Internet
connected systems that then propagate by escalating privilege levels through zero day
exploits, notable for the fact that true zeros are special and they're only valuable for a short
period of time. Very expensive, very hard to come by.
The next one, sophistication. This is an intelligent worm. Initially targeting Windows
computers, where it even installs its own drivers using a stolen but legitimate certificate. The
offending certificate gets revoked of course, but then another one gets added within 24
hours.
Our third point, modular coding. This thing can get new tires while still on the road. Multiple
control servers. First in Malaysia, then Denmark, now more, including peer-to-peer. In fact,
when two run into each other, they compare versions and make sure that they're both
updated.
Fourth point, unique targeting. Windows is just the intermediary, the friend of the friend.
Stuxnet is looking for a particular model of PLC. That's programmable logic controller, which
is technically not SCADA as it's often reported. These are small embedded industrial control
systems that run all sorts of automated processes, from factories to oil refineries to nuclear
power plants. Stuxnet will leverage the vulnerability in the controller software to reach in and
change very specific bits of data. Shut things off. Don't grease a bearing for 10 minutes.
Don't sound an alarm. This is really unique knowledge. Respectable coding skills that imply
a higher level of patience of good funding resources.
Our final point, motive. Stuxnet does not perform... excuse me. It does not threaten. It
performs sabotage. Really has no criminal focus. Does not spread indiscriminately or steal
credit card information or login credentials. It does not recruit systems into a botnet. It targets
infrastructure, our most essential necessities like power, water, safety and much, much
more. You know these are older systems. Very established. Generally run with the mentality
of hey, if it ain't broke, don't fix it. These things don't get watched over and patched by
technical handlers who understand these kind of things. Not yet anyway. So stay tuned. This
one is not done. We all have a lot to learn and somebody is working hard to teach us.
1.5.2 The Purpose of Cyberwarfare
The main reason for resorting to cyberwarfare is to gain advantage over adversaries,
whether they are nations or competitors.
To gather compromised information and/or defense secrets
A nation or international organization can engage in cyberwarfare in order to steal defense
secrets and gather information about technology that will help narrow the gaps in its
industries and military capabilities.
Furthermore, compromised sensitive data can give attackers leverage to blackmail
personnel within a foreign government.
To impact another nation’s infrastructure
Besides industrial and military espionage, a nation can continuously invade another nation’s
infrastructure in order to cause disruption and chaos.
For example, a cyber attack could shut down the power grid of a major city. Consider the
consequences if this were to happen; roads would be congested, the exchange of goods
and services would be halted, patients would not be able to get the care they would need if
an emergency occurred, access to the internet would be interrupted. By shutting down a
power grid, a cyber attack could have a huge impact on the everyday life of ordinary citizens.
Cyberwarfare can destabilize a nation, disrupt its commerce, and cause its citizens to lose
faith and confidence in their government without the attacker ever physically setting foot in
the targeted country.
2.1.1 Types of Malware
Cybercriminals use many different types of malicious software, or malware, to carry out their
activities. Malware is any code that can be used to steal data, bypass access controls, or
cause harm to or compromise a system. Knowing what the different types are and how they
spread is key to containing and removing them.
Spyware - Designed to track and spy on you, spyware monitors your online activity and can
log every key you press on your keyboard, as well as capture almost any of your data,
including sensitive personal information such as your online banking details. Spyware often
achieves this by modifying the security settings on your devices.
It often arrives bundled with legitimate software or with Trojan horses.
Adware - Adware is often installed with some versions of software and is designed to
automatically deliver advertisements to a user, most often on a web browser. You know it
when you see it! It’s hard to ignore when you’re faced with constant pop-up ads on your
screen.
It is common for adware to come with spyware.
Backdoor - This type of malware is used to gain unauthorized access by bypassing the
normal authentication procedures to access a system. As a result, hackers can gain remote
access to resources within an application and issue remote system commands.
A backdoor works in the background and is difficult to detect.
Ransomware - This malware is designed to hold a computer system or the data it contains
captive until a payment is made. Ransomware usually works by encrypting your data so that
you can’t access it.
Some versions of ransomware can take advantage of specific system vulnerabilities to lock it
down. Ransomware is often spread through phishing emails that encourage you to download
a malicious attachment or through a software vulnerability.
Scareware - This is a type of malware that uses 'scare’ tactics to trick you into taking a
specific action. Scareware mainly consists of operating system style windows that pop up to
warn you that your system is at risk and needs to run a specific program for it to return to
normal operation.
If you agree to execute the specific program, your system will become infected with
malware.
Rootkit - This malware is designed to modify the operating system to create a backdoor,
which attackers can then use to access your computer remotely. Most rootkits take
advantage of software vulnerabilities to gain access to resources that normally shouldn’t be
accessible (privilege escalation) and modify system files.
Rootkits can also modify system forensics and monitoring tools, making them very hard to
detect. In most cases, a computer infected by a rootkit has to be wiped and any required
software reinstalled.
Virus - A virus is a type of computer program that, when executed, replicates by inserting its
own code into other executable files, or into documents that carry executable content such
as macros. Most viruses require end-user interaction to initiate activation and can be written
to act on a specific date or time.
Viruses can be relatively harmless, such as those that display a funny image. Or they can be
destructive, such as those that modify or delete data.
Viruses can also be programmed to mutate in order to avoid detection. Most viruses are
spread by USB drives, optical disks, network shares or email.
Trojan horse - This malware carries out malicious operations by masking its true intent. It
might appear legitimate but is, in fact, very dangerous. Trojans exploit your user privileges
and are most often found in image files, audio files or games.
Unlike viruses, Trojans do not self-replicate but act as a decoy to sneak malicious software
past unsuspecting users.
Worms - This is a type of malware that replicates itself in order to spread from one computer
to another. Unlike a virus, which requires a host program to run, worms can run by
themselves. Other than the initial infection of the host, they do not require user participation
and can spread very quickly over the network.
Worms share similar patterns: They exploit system vulnerabilities, they have a way to
propagate themselves, and they all contain malicious code (payload) to cause damage to
computer systems or networks.
Worms are responsible for some of the most devastating attacks on the Internet. In 2001,
the Code Red worm had infected over 300,000 servers in just 19 hours.
2.1.2 Symptoms of Malware
So now you know about the different kinds of malware. But what do you think their
symptoms might be?
Regardless of the type of malware a system has been infected with, there are some
common symptoms to look out for. These include:
• an increase in central processing unit (CPU) usage, which slows down your device
• your computer freezing or crashing often
• a decrease in your web browsing speed
• unexplainable problems with your network connections
• modified or deleted files
• the presence of unknown files, programs or desktop icons
• unknown processes running
• programs turning off or reconfiguring themselves
• emails being sent without your knowledge or consent.
2.2 Methods of Infiltration
2.2.1 Social Engineering
Social engineering is the manipulation of people into performing actions or divulging
confidential information. Social engineers often rely on people’s willingness to be helpful, but
they also prey on their weaknesses. For example, an attacker will call an authorized
employee with an urgent problem that requires immediate network access and appeal to the
employee’s vanity or greed or invoke authority by using name-dropping techniques in order
to gain this access.
Pretexting
This is when an attacker calls an individual and lies to them in an attempt to gain access to
privileged data.
For example, pretending to need a person’s personal or financial data in order to confirm
their identity.
Tailgating
This is when an attacker quickly follows an authorized person into a secure, physical
location.
Something for something (quid pro quo)
This is when an attacker requests personal information from a person in exchange for
something, like a free gift.
2.2.2 Denial-of-Service
Denial-of-Service (DoS) attacks are a type of network attack that is relatively simple to carry
out, even by an unskilled attacker. A DoS attack results in some sort of interruption of
network service to users, devices or applications.
Overwhelming quantity of traffic
This is when a network, host or application is sent an enormous amount of data at a rate
which it cannot handle. This causes a slowdown in transmission or response, or the device
or service to crash.
Maliciously formatted packets
A packet is a collection of data that flows between a source and a receiver computer or
application over a network, such as the Internet. When a maliciously formatted packet is
sent, the receiver will be unable to handle it.
For example, if an attacker forwards packets containing errors or improperly formatted
packets that cannot be identified by an application, this will cause the receiving device to run
very slowly or crash.
2.2.3 Distributed DoS
A Distributed DoS (DDoS) attack is similar to a DoS attack but originates from multiple,
coordinated sources. For example:
An attacker builds a network (botnet) of infected hosts called zombies, which are controlled
by handler systems.
The zombie computers will constantly scan and infect more hosts, creating more and more
zombies.
When ready, the hacker will instruct the handler systems to make the botnet of zombies
carry out a DDoS attack.
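The two sections above describe the same symptom from two shapes of attack: one source sending more than a service can absorb (DoS), or many coordinated sources that each stay modest but together overwhelm it (DDoS). The following added example, not part of the course text, runs both checks over a constructed request log: a per-source rate limit catches the single flooding host, and an aggregate limit with a minimum spread of sources catches the botnet that the per-source rule alone would miss. The log format, the thresholds and the one-second window are assumptions.

```python
# Added example (not from the course): per-source and aggregate flood detection.
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed request log, one '<epoch_second> <source_ip> <request>' line per
    request: three ordinary clients, a single-source flood at t=100, and a 30-host
    botnet at t=101 whose members each stay under the per-source limit."""
    lines = []
    for t in (100, 101, 102):
        for client in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            lines.append(f"{t} {client} GET /index.html")
    lines += ["100 203.0.113.9 GET /search?q=x" for _ in range(50)]
    for bot in range(30):
        lines += [f"101 198.51.100.{bot + 1} GET /search?q=x" for _ in range(5)]
    return lines


def parse_line(line: str):
    ts, ip, _request = line.split(" ", 2)
    return int(ts), ip


def detect_floods(lines, window=1, per_source_limit=20, aggregate_limit=100, min_sources=10):
    """Return ('dos', window_start, ip, count) for a single source over its limit and
    ('ddos', window_start, '<n> sources', total) when a window's total exceeds the
    aggregate limit across at least min_sources distinct addresses."""
    buckets = defaultdict(Counter)  # window start -> Counter(source ip)
    for line in lines:
        if not line.strip():
            continue
        ts, ip = parse_line(line)
        buckets[(ts // window) * window][ip] += 1

    findings = []
    for start in sorted(buckets):
        counts = buckets[start]
        for ip, n in sorted(counts.items()):
            if n > per_source_limit:
                findings.append(("dos", start, ip, n))
        total = sum(counts.values())
        if total > aggregate_limit and len(counts) >= min_sources:
            findings.append(("ddos", start, f"{len(counts)} sources", total))
    return findings


if __name__ == "__main__":
    for finding in detect_floods(build_sample_log()):
        print(finding)
```

Blocking the single source in the first finding is straightforward; the second finding is why DDoS is harder, since no individual bot looks abusive and the defence has to move upstream (rate limiting at the edge, scrubbing services, or the botnet filters described later in this section).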
2.2.4 Botnet
A bot computer is typically infected by visiting an unsafe website or opening an infected
email attachment or infected media file. A botnet is a group of bots, connected through the
Internet, that can be controlled by a malicious individual or group. It can have tens of
thousands, or even hundreds of thousands, of bots that are typically controlled through a
command and control server.
These bots can be activated to distribute malware, launch DDoS attacks, distribute spam
email, or execute brute-force password attacks. Cybercriminals will often rent out botnets to
third parties for nefarious purposes.
Many organizations, like Cisco, route network traffic through botnet traffic filters to identify
connections to known botnet locations.
1. Infected bots try to communicate with a command and control host on the Internet.
2. The Cisco Firewall botnet filter is a feature that detects traffic coming from devices
infected with the malicious botnet code.
3. The cloud-based Cisco Security Intelligence Operations (SIO) service pushes down
updated filters to the firewall that match traffic from new known botnets.
4. Alerts go out to Cisco’s internal security team to notify them about the infected
devices that are generating malicious traffic so that they can prevent, mitigate and
remedy these.
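The four steps above are a vendor workflow, but the logic underneath is simple enough to write down. The following added example, which is not Cisco's product or code, does the two things a botnet filter does from an outbound connection log: match destinations against an indicator list (the "updated filters" of step 3), and flag hosts that call one destination at a near-constant interval, which is how bots poll their command and control server and how a new botnet can be spotted before its addresses are on any list. The connection records, the indicator list and the jitter threshold are constructed assumptions.

```python
# Added example (not Cisco's code): indicator matching plus beacon detection.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed indicator list standing in for the filter updates pushed to a firewall.
KNOWN_C2 = {"198.51.100.77"}


def sample_connections():
    """Constructed outbound records: (epoch_second, internal_host, destination)."""
    conns = []
    # 10.0.0.5 polls one unlisted destination about every 60 s: a beacon.
    t = 1000
    for gap in (60, 61, 59, 60, 62, 58, 60):
        conns.append((t, "10.0.0.5", "203.0.113.200"))
        t += gap
    conns.append((t, "10.0.0.5", "203.0.113.200"))
    # 10.0.0.7 contacts a destination already on the indicator list.
    conns += [(1005, "10.0.0.7", "198.51.100.77"), (1300, "10.0.0.7", "198.51.100.77")]
    # 10.0.0.9 browses an ordinary site at irregular, human intervals.
    t = 1002
    for gap in (3, 40, 7, 120, 15, 2, 33):
        conns.append((t, "10.0.0.9", "www.example.org"))
        t += gap
    conns.append((t, "10.0.0.9", "www.example.org"))
    return conns


def match_indicators(conns, indicators):
    """Step 2 of the workflow: hosts that talked to a known C2 destination."""
    hits = defaultdict(set)
    for _ts, host, dest in conns:
        if dest in indicators:
            hits[host].add(dest)
    return dict(hits)


def find_beacons(conns, min_events=6, max_jitter=0.1):
    """Flag (host, dest, mean_interval) pairs whose connection gaps are nearly
    constant: coefficient of variation of the gaps at or below max_jitter."""
    by_pair = defaultdict(list)
    for ts, host, dest in conns:
        by_pair[(host, dest)].append(ts)

    beacons = []
    for (host, dest), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((host, dest, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    conns = sample_connections()
    print("indicator hits:", match_indicators(conns, KNOWN_C2))
    print("beacons:", find_beacons(conns))
```

Both outputs feed step 4, the alert to the security team. Real beacons add deliberate jitter and legitimate software (update checks, monitoring agents) also polls on a schedule, so in practice the jitter threshold is tuned and known-good destinations are allowlisted before alerting.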
2.2.5 On-Path Attacks
On-path attackers intercept or modify communications between two devices, such as a web
browser and a web server, either to collect information from or to impersonate one of the
devices.
This type of attack is also referred to as a man-in-the-middle (MitM) or man-in-the-mobile
(MitMo) attack.
A MitM attack happens when a cybercriminal gains control of a device or of the path between
two devices without the user’s knowledge. With this level of access, an attacker can intercept
and capture user information before it is sent to its intended destination. These types of
attacks are often used to steal financial information.
There are many types of malware that possess MitM attack capabilities.
A variation of man-in-the-middle, MitMo is a type of attack used to take control over a user’s
mobile device. When infected, the mobile device is instructed to exfiltrate user-sensitive
information and send it to the attackers. ZeuS is one example of a malware package with
MitMo capabilities. It allows attackers to quietly capture two-step verification SMS messages
that are sent to users.
2.2.6 SEO Poisoning
You’ve probably heard of search engine optimization or SEO which, in simple terms, is about
improving an organization’s website so that it gains greater visibility in search engine results.
Search engines such as Google work by presenting a list of web pages to users based on
their search query. These web pages are ranked according to the relevancy of their content.
While many legitimate companies specialize in optimizing websites to better position them,
attackers take advantage of popular search terms and use SEO to push malicious sites
higher up the ranks of search results. This technique is called SEO poisoning.
The most common goal of SEO poisoning is to increase traffic to malicious sites that may
host malware or attempt social engineering.
2.2.8 Password Attacks
Entering a username and password is one of the most popular forms of authenticating to a
web site. Therefore, uncovering your password is an easy way for cybercriminals to gain
access to your most valuable information.
Password spraying - This technique attempts to gain access to a system by ‘spraying’ a few
commonly used passwords across a large number of accounts. For example, a
cybercriminal uses ‘Password123’ with many usernames before trying again with a second
commonly-used password, such as ‘qwerty.’
This technique allows the perpetrator to remain undetected as they avoid frequent account
lockouts.
Dictionary attacks - A hacker systematically tries every word in a dictionary or a list of
commonly used words as a password in an attempt to break into a password-protected
account.
Brute-force attacks - The simplest and most commonly used way of gaining access to a
password-protected site, brute-force attacks see an attacker using all possible combinations
of letters, numbers and symbols in the password space until they get it right.
Rainbow attacks - Passwords in a computer system are not stored as plain text, but as
hashed values (numerical values that uniquely identify data). A rainbow table is a large
dictionary of precomputed hashes and the passwords from which they were calculated.
Unlike a brute-force attack that has to calculate each hash, a rainbow attack compares the
hash of a password with those stored in the rainbow table. When an attacker finds a match,
they identify the password used to create the hash.
Traffic interception - Plain text or unencrypted passwords can be easily read by other
humans and machines by intercepting communications.
If you store a password in clear, readable text, anyone who has access to your account or
device, whether authorized or unauthorized, can read it.
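The rainbow attack described above only works because an unsalted hash of a given password is the same everywhere, so the hashing work can be done once in advance. The following Python example is added here to show that point concretely; it is not part of the course material. It builds a tiny precomputed table (a constructed stand-in for a rainbow table), reverses an unsalted SHA-256 digest with one lookup, and then shows that the same table finds nothing against a record that uses a random per-user salt and a slow key-derivation function (PBKDF2 from the standard library). The password list and iteration count are illustrative choices, not values from the course.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a rainbow table: precomputed, unsalted SHA-256 digests
# of a handful of common passwords. Real tables hold millions of entries, but the
# principle is identical: the hashing work is done once, ahead of time.
COMMON_PASSWORDS = ["password", "Password123", "qwerty", "letmein", "123456"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare hash of the password, identical for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


PRECOMPUTED = {unsalted_hash(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(stored_digest: str) -> Optional[str]:
    """Recover a password from an unsalted digest with a single table lookup; no hashing at all."""
    return PRECOMPUTED.get(stored_digest)


def salted_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> dict:
    """The defensible scheme: random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).

    The salt is not secret and is stored beside the digest. Its job is to make every
    user's digest unique, so no table computed ahead of time can match it. The
    iteration count is an illustrative value; tune it to your hardware."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Check a login attempt by re-deriving the digest with the stored salt and iteration count."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison so timing does not reveal how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), record["digest"])


def lookup_salted(record: dict) -> Optional[str]:
    """The same precomputed table finds nothing against a salted record."""
    return PRECOMPUTED.get(record["digest"])


if __name__ == "__main__":
    leaked = unsalted_hash("qwerty")
    print("unsalted digest reversed to:", lookup_unsalted(leaked))
    rec = salted_record("qwerty")
    print("salted digest reversed to:", lookup_salted(rec))
    print("login with the correct password:", verify_salted(rec, "qwerty"))
```

The salt forces an attacker back to computing hashes one guess at a time per user, and the slow KDF makes each of those guesses expensive; together they turn the lookup attack back into the brute-force work the course describes.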
2.2.10 Advanced Persistent Threats
Attackers also achieve infiltration through advanced persistent threats (APTs) — a multiphase, long term, stealthy and advanced operation against a specific target. For these
reasons, an individual attacker often lacks the skill set, resources or persistence to perform
APTs.
Due to the complexity and the skill level required to carry out such an attack, an APT is
usually well-funded and typically targets organizations or nations for business or political
reasons.
Its main purpose is to deploy customized malware on one or more of the target’s systems
and remain there undetected.
2.3 Security Vulnerability and Exploits
Security vulnerabilities are any kind of software or hardware defect. A program written to
take advantage of a known vulnerability is referred to as an exploit. A cybercriminal can use
an exploit against a vulnerability to carry out an attack, the goal of which is to gain access to
a system, the data it hosts or a specific resource.
2.3.1 Hardware Vulnerabilities
Hardware vulnerabilities are most often the result of hardware design flaws. For example,
the type of memory called RAM basically consists of lots of capacitors (a component which
can hold an electrical charge) installed very close to one another. However, it was soon
discovered that, due to their close proximity, changes applied to one of these capacitors
could influence neighbor capacitors. Based on this design flaw, an exploit called
Rowhammer was created. By repeatedly accessing (hammering) a row of memory, the
Rowhammer exploit triggers electrical interferences that eventually corrupt the data stored
inside the RAM.
Meltdown and Spectre - Google security researchers discovered Meltdown and Spectre, two
hardware vulnerabilities that affect almost all central processing units (CPUs) released since
1995 within desktops, laptops, servers, smartphones, smart devices and cloud services.
Attackers exploiting these vulnerabilities can read all memory from a given system
(Meltdown), as well as data handled by other applications (Spectre). The Meltdown and
Spectre vulnerability exploitations are referred to as side-channel attacks (information is
gained from the implementation of a computer system). They have the ability to compromise
large amounts of memory data because the attacks can be run multiple times on a system
with very little possibility of a crash or other error.
Hardware vulnerabilities are specific to device models and are not generally exploited
through random compromising attempts. While hardware exploits are more common in
highly targeted attacks, traditional malware protection and good physical security are
sufficient protection for the everyday user.
2.3.2 Software Vulnerabilities
Software vulnerabilities are usually introduced by errors in the operating system or
application code.
The SYNful Knock vulnerability was discovered in Cisco Internetwork Operating System (IOS)
in 2015.
The SYNful Knock vulnerability allowed attackers to gain control of enterprise-grade routers,
such as the legacy Cisco ISR routers, from which they could monitor all network
communication and infect other network devices.
This vulnerability was introduced into the system when an altered IOS version was installed
on the routers. To avoid this, you should always verify the integrity of the downloaded IOS
image and limit the physical access of such equipment to authorized personnel only.
2.3.3 Categorizing Software Vulnerabilities
Most software security vulnerabilities fall into several main categories.
Buffer overflow - Buffers are memory areas allocated to an application. A vulnerability occurs
when data is written beyond the limits of a buffer. By changing data beyond the boundaries
of a buffer, the application can access memory allocated to other processes. This can lead to
a system crash or data compromise, or provide escalation of privileges.
Non-validated input - Programs often require data input, but this incoming data could have
malicious content, designed to force the program to behave in an unintended way.
For example, consider a program that receives an image for processing. A malicious user
could craft an image file with invalid image dimensions. The maliciously crafted dimensions
could force the program to allocate buffers of incorrect and unexpected sizes.
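The image example above is exactly the shape of bug that header validation prevents. The Python code below is added here as an illustration and is not from the course: it parses the width, height and bit depth from a BMP header, shows the buffer size a careless decoder doing 32-bit arithmetic would compute (the multiplication wraps to zero for a 65536 x 65536 x 32-bit image, so the decoder would allocate nothing and then write gigabytes into it), and then shows a validating version that checks every field and bounds the result before any allocation. The size limits, the error type and the header-building helper are constructed for the example.

```python
import struct

# Policy limits for this decoder (constructed for the example; a real service would
# pick limits that fit its memory budget).
MAX_DIMENSION = 16_384                 # pixels per side
MAX_PIXEL_BYTES = 256 * 1024 * 1024    # largest pixel buffer we are willing to allocate
HEADER_LEN = 54                        # 14-byte file header + 40-byte BITMAPINFOHEADER


class InvalidImage(ValueError):
    """Raised when a header is malformed or asks for something we refuse to do."""


def parse_bmp_header(data: bytes) -> dict:
    """Read width, height and bits-per-pixel from a BMP header without trusting them yet."""
    if len(data) < HEADER_LEN:
        raise InvalidImage("truncated header")
    if data[:2] != b"BM":
        raise InvalidImage("not a BMP file")
    width, height = struct.unpack_from("<ii", data, 18)      # signed 32-bit, little-endian
    planes, bpp = struct.unpack_from("<HH", data, 26)
    return {"width": width, "height": height, "bpp": bpp}


def naive_32bit_buffer_size(hdr: dict) -> int:
    """What a careless decoder does: multiply the header fields and allocate the result.

    The mask models 32-bit unsigned arithmetic, where the product silently wraps
    around; signs are ignored, as a careless cast would ignore them."""
    return (abs(hdr["width"]) * abs(hdr["height"]) * hdr["bpp"] // 8) & 0xFFFFFFFF


def safe_buffer_size(hdr: dict) -> int:
    """Validate every field before doing arithmetic with it, and bound the result."""
    width, height, bpp = hdr["width"], hdr["height"], hdr["bpp"]
    if width <= 0 or height == 0:
        raise InvalidImage(f"invalid dimensions {width}x{height}")
    height = abs(height)          # BMP uses a negative height to mean top-down row order
    if bpp not in (1, 4, 8, 16, 24, 32):
        raise InvalidImage(f"unsupported bit depth {bpp}")
    if width > MAX_DIMENSION or height > MAX_DIMENSION:
        raise InvalidImage(f"dimensions {width}x{height} exceed policy limit {MAX_DIMENSION}")
    row_bytes = ((width * bpp + 31) // 32) * 4   # BMP rows are padded to 4-byte multiples
    size = row_bytes * height
    if size > MAX_PIXEL_BYTES:
        raise InvalidImage(f"pixel buffer of {size} bytes exceeds limit {MAX_PIXEL_BYTES}")
    return size


def validate(data: bytes) -> tuple:
    """Return (accepted, detail) so callers can log the refusal reason without catching exceptions."""
    try:
        size = safe_buffer_size(parse_bmp_header(data))
        return True, f"allocate {size} bytes"
    except InvalidImage as exc:
        return False, str(exc)


def make_bmp_header(width: int, height: int, bpp: int = 24) -> bytes:
    """Build a 54-byte BMP header (constructed test input; no pixel data follows)."""
    row_bytes = ((abs(width) * bpp + 31) // 32) * 4
    image_size = (row_bytes * abs(height)) & 0xFFFFFFFF
    file_size = (HEADER_LEN + image_size) & 0xFFFFFFFF
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, HEADER_LEN)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, image_size, 2835, 2835, 0, 0)
    return file_header + dib_header


if __name__ == "__main__":
    print(validate(make_bmp_header(640, 480)))
    crafted = make_bmp_header(65536, 65536, 32)
    print("naive decoder would allocate:", naive_32bit_buffer_size(parse_bmp_header(crafted)), "bytes")
    print(validate(crafted))
```

The point is not BMP-specific: any length, count or dimension read from untrusted input is a claim, not a fact, and must be range-checked before it drives an allocation or a copy.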
Race conditions - This vulnerability describes a situation where the outcome of an operation
depends on the order or timing of events. A race condition becomes a source of vulnerability
when the required ordered or timed events do not occur in the correct order or at the proper
time.
Weaknesses in security practices - Systems and sensitive data can be protected through
techniques such as authentication, authorization and encryption. Developers should stick to
using security techniques and libraries that have already been created, tested and verified
and should not attempt to create their own security algorithms. These will only likely
introduce new vulnerabilities.
Access control problems - Access control is the process of controlling who does what and
ranges from managing physical access to equipment to dictating who has access to a
resource, such as a file, and what they can do with it, such as read or change the file. Many
security vulnerabilities are created by the improper use of access controls.
Nearly all access controls and security practices can be overcome if an attacker has physical
access to target equipment. For example, no matter the permission settings on a file, a
hacker can bypass the operating system and read the data directly off the disk. Therefore, to
protect the machine and the data it contains, physical access must be restricted, and
encryption techniques must be used to protect data from being stolen or corrupted.
2.3.4 Software Updates
The goal of software updates is to stay current and avoid exploitation of vulnerabilities.
Microsoft, Apple and other operating system producers release patches and updates almost
every day and applications such as web browsers, mobile apps and web servers are often
updated by the companies or organizations responsible for them.
Despite the fact that organizations put a lot of effort into finding and patching software
vulnerabilities, new vulnerabilities are discovered regularly. That’s why some organizations
use third party security researchers who specialize in finding vulnerabilities in software, or
actually invest in their own penetration testing teams dedicated to searching for, finding and
patching software vulnerabilities before they can be exploited.
Google’s Project Zero is a great example of this practice. After discovering a number of
vulnerabilities in various software used by end users, Google formed a permanent team
dedicated to finding software vulnerabilities.
2.4 The Cybersecurity Landscape
2.4.1 Cryptocurrency
Cryptocurrency is digital money that can be used to buy goods and services, using strong
encryption techniques to secure online transactions. Banks, governments and even
companies like Microsoft and AT&T are very aware of its importance and are jumping on the
cryptocurrency bandwagon!
Cryptocurrency owners keep their money in encrypted, virtual ‘wallets.’ When a transaction
takes place between the owners of two digital wallets, the details are recorded in a
decentralized, electronic ledger or blockchain system. This means it is carried out with a
degree of anonymity and is self-managed, with no interference from third parties such as
central banks or government entities.
Approximately every ten minutes, special computers collect data about the latest
cryptocurrency transactions, turning them into mathematical puzzles to maintain
confidentiality.
These transactions are then verified through a technical and highly complex process known
as ‘mining.’ This step typically involves an army of ‘miners’ working on high-end PCs to solve
mathematical puzzles and authenticate transactions.
Once verified, the ledger is updated and electronically copied and disseminated worldwide to
anyone belonging to the blockchain network, effectively completing a transaction.
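To make the ledger mechanics above concrete, here is a deliberately small Python model of a hash-chained ledger with a proof-of-work puzzle. It is an added teaching example, not the course's material and not the design of any real cryptocurrency: each block records its transactions, the hash of the previous block and a nonce; ‘mining’ means searching for a nonce whose block hash has a required number of leading zeros; and validation recomputes every hash and follows every link, so editing one recorded transaction breaks that block and every block after it. The difficulty value and the sample transactions are constructed.

```python
import hashlib
import json

# Proof-of-work target: the block hash must start with this many hex zeros.
# Kept small (constructed for this example) so the demo mines in well under a second.
DIFFICULTY = 3
GENESIS_PREV = "0" * 64


def block_hash(block: dict) -> str:
    """Hash the fields that define a block; the stored 'hash' field itself is excluded."""
    payload = json.dumps(
        {k: block[k] for k in ("index", "prev_hash", "transactions", "nonce")},
        sort_keys=True,
        separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def mine_block(index: int, prev_hash: str, transactions: list) -> dict:
    """Solve the puzzle: try nonces until the hash meets the difficulty target."""
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions, "nonce": 0}
    while True:
        candidate = block_hash(block)
        if candidate.startswith("0" * DIFFICULTY):
            block["hash"] = candidate
            return block
        block["nonce"] += 1


def build_chain(batches: list) -> list:
    """Mine a genesis block, then one block per batch of transactions, each linked to its predecessor."""
    chain = [mine_block(0, GENESIS_PREV, [])]
    for txs in batches:
        chain.append(mine_block(len(chain), chain[-1]["hash"], txs))
    return chain


def validate_chain(chain: list) -> bool:
    """Anyone holding a copy can check it: recompute every hash, check the target, follow the links."""
    for i, block in enumerate(chain):
        if block_hash(block) != block["hash"]:
            return False          # contents no longer match the recorded hash
        if not block["hash"].startswith("0" * DIFFICULTY):
            return False          # the puzzle was not actually solved for this block
        expected_prev = GENESIS_PREV if i == 0 else chain[i - 1]["hash"]
        if block["prev_hash"] != expected_prev:
            return False          # link to the previous block is broken
    return True


def altered_copy(chain: list, index: int, new_amount: int) -> list:
    """Tamper-evidence check: return a deep copy with one recorded amount changed."""
    copy = json.loads(json.dumps(chain))
    copy[index]["transactions"][0]["amount"] = new_amount
    return copy


if __name__ == "__main__":
    ledger = build_chain([
        [{"from": "alice", "to": "bob", "amount": 5}],     # constructed sample transactions
        [{"from": "bob", "to": "carol", "amount": 2}],
    ])
    print("valid:", validate_chain(ledger))
    print("valid after editing a past transaction:", validate_chain(altered_copy(ledger, 1, 500)))
```

Re-mining the edited block would restore its own hash, but the next block still records the old hash as its prev_hash, so the forger would have to redo the puzzle for every later block as well, which is what makes the distributed copies hard to rewrite quietly.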
2.4.2 Cryptojacking
Cryptojacking is an emerging threat that hides on a user’s computer, mobile phone, tablet,
laptop or server, using that machine’s resources to ‘mine’ cryptocurrencies without the user’s
consent or knowledge.
Many victims of cryptojacking didn’t even know they’d been hacked until it was too late!
4.1.3 Firewalls
In computer networking, a firewall is designed to control or filter which communications are
allowed in and which are allowed out of a device or network. A firewall can be installed on a
single computer with the purpose of protecting that one computer (host-based firewall) or it
can be a standalone network device that protects an entire network of computers and all of
the host devices on that network (network-based firewall).
As computer and network attacks have become more sophisticated, new types of firewalls
have been developed, which serve different purposes.
Network layer firewall
This filters communications based on source and destination IP addresses.
Transport layer firewall
Filters communications based on source and destination data ports, as well as connection
states.
Application layer firewall
Filters communications based on an application, program or service.
Context aware layer firewall
Filters communications based on the user, device, role, application type and threat profile.
Proxy server
Filters web content requests like URLs, domain names and media types.
Reverse proxy server
Placed in front of web servers, reverse proxy servers protect, hide, offload and distribute
access to web servers.
Network address translation (NAT) firewall
This firewall hides or masquerades the private addresses of network hosts.
Host-based firewall
Filters ports and system service calls on a single computer operating system.
4.1.5 Port Scanning
In networking, each application running on a device is assigned an identifier called a port
number. This port number is used on both ends of the transmission so that the right data is
passed to the correct application. Port scanning is a process of probing a computer, server
or other network host for open ports. It can be used maliciously as a reconnaissance tool to
identify the operating system and services running on a computer or host, or it can be used
harmlessly by a network administrator to verify network security policies on the network.
Download and launch a port scanning tool like Zenmap. Enter the IP address of your
computer, choose a default scanning profile and press ‘scan.’
The scan will report any services that are running, such as web or email services, and their
port numbers.
The scan will also report one of the following responses:
1. ‘Open’ or ‘Accepted’ means that the port or service running on the computer can be
accessed by other network devices.
2. ‘Closed,’ ‘Denied’ or ‘Not Listening’ means that the port or service is not running on
the computer and therefore cannot be exploited.
3. ‘Filtered,’ ‘Dropped’ or ‘Blocked’ means that access to the port or service is blocked
by a firewall and therefore it cannot be exploited.
To execute a port scan from outside of your network, you will need to run it against your
firewall or router’s public IP address.
Enter the query ‘what is my IP address?’ into a search engine such as Google to find out this
information.
Go to the Nmap Online Port Scanner, enter your public IP address in the input box and press
‘Quick Nmap Scan.’ If the response is open for ports 21, 22, 25, 80, 443 or 3389 then most
likely, port forwarding has been enabled on your router or firewall and you are running
servers on your private network.
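Reading a scan by eye works for one host; when you are checking your own perimeter regularly, you want the same interpretation applied every time. The Python below is an added example (not course material and not part of Nmap or Zenmap) that parses Nmap's normal text output, maps each port state onto the three outcomes listed above, folds in the ‘Not shown’ summary line, and flags any of the ports the course names (21, 22, 25, 80, 443, 3389) that are reported open. The sample output is constructed for a documentation-range address, and the watch-list mapping is taken from the text above.

```python
import re
from collections import Counter

# Ports the course calls out as a sign that port forwarding is enabled on the edge device.
WATCHLIST = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "https", 3389: "rdp"}

# Constructed sample in Nmap's normal-output format (documentation-range address).
SAMPLE_OUTPUT = """\
Nmap scan report for 203.0.113.10
Host is up (0.012s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
25/tcp   closed smtp
80/tcp   open   http
443/tcp  open   https
3389/tcp open   ms-wbt-server
"""

PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (?P<count>\d+) (?P<state>\S+) (?:tcp |udp )?ports")


def categorize(state: str) -> str:
    """Map Nmap's state vocabulary onto the three outcomes described in the course."""
    if state == "open":
        return "open"
    if state == "closed":
        return "closed"
    if "filtered" in state:        # 'filtered' and 'open|filtered' both mean something is dropping probes
        return "filtered"
    return "unknown"


def parse_scan(text: str) -> dict:
    """Extract per-port results plus the aggregated 'Not shown' count."""
    ports = []
    not_shown = Counter()
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m["port"]),
                "proto": m["proto"],
                "state": m["state"],
                "service": m["service"],
                "category": categorize(m["state"]),
            })
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown[categorize(m["state"])] += int(m["count"])
    return {"ports": ports, "not_shown": dict(not_shown)}


def summarize(scan: dict) -> dict:
    """Count outcomes and list any open watch-list ports that suggest servers exposed through the edge."""
    counts = Counter(p["category"] for p in scan["ports"])
    for category, n in scan["not_shown"].items():
        counts[category] += n
    exposed = sorted(p["port"] for p in scan["ports"]
                     if p["category"] == "open" and p["port"] in WATCHLIST)
    return {
        "counts": dict(counts),
        "exposed_watchlist_ports": exposed,
        "port_forwarding_likely": bool(exposed),
    }


if __name__ == "__main__":
    report = summarize(parse_scan(SAMPLE_OUTPUT))
    print(report)
```

Run against a saved scan of your own public address, the ‘exposed_watchlist_ports’ list is the set of services you should be able to account for; anything on it that you did not deliberately forward deserves a look at the router or firewall rules.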
4.1.7 Intrusion Detection and Prevention Systems
Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) are security
measures deployed on a network to detect and prevent malicious activities.
An IDS can either be a dedicated network device or one of several tools in a server, firewall
or even a host computer operating system, such as Windows or Linux, that scans data
against a database of rules or attack signatures, looking for malicious traffic.
If a match is detected, the IDS will log the detection and create an alert for a network
administrator. It will not take action and therefore it will not prevent attacks from happening.
The job of the IDS is to detect, log and report.
The scanning performed by the IDS slows down the network (known as latency). To prevent
network delay, an IDS is usually placed offline, separate from regular network traffic. Data is
copied or mirrored by a switch and then forwarded to the IDS for offline detection.
An IPS can block or deny traffic based on a positive rule or signature match. One of the most
well-known IPS/IDS systems is Snort. The commercial version of Snort is Cisco’s Sourcefire.
Sourcefire can perform real-time traffic and port analysis, logging, content searching and
matching, and can detect probes, attacks and port scans. It also integrates with other
third-party tools for reporting, performance and log analysis.
4.1.8 Real-Time Detection
Many organizations today are unable to detect attacks until days or even months after they
occur.
Detecting attacks in real time requires actively scanning for attacks using firewall and
IDS/IPS network devices. Next generation client and server malware detection with
connections to online global threat centers must also be used. Today, active scanning
devices and software must detect network anomalies using context-based analysis and
behavior detection.
DDoS is one of the biggest attack threats requiring real-time detection and response. For
many organizations, regularly occurring DDoS attacks cripple Internet servers and network
availability. These attacks are extremely difficult to defend against because the attacks
originate from hundreds, even thousands, of zombie hosts, and the attacks appear as
legitimate traffic.
4.1.9 Protecting Against Malware
One way of defending against zero-day attacks and advanced persistent threats (APTs) is to
use an enterprise-level advanced malware detection solution, like Cisco’s Advanced
Malware Protection (AMP) Threat Grid.
This is client/server software that can be deployed on host endpoints, as a standalone server
or on other network security devices. It analyzes millions of files and correlates them against
hundreds of millions of other analyzed malware artifacts for behaviors that reveal an APT.
This approach provides a global view of malware attacks, campaigns and their distribution.
Secure Operations Center team
The Threat Grid allows the Cisco Secure Operations Center team to gather more accurate,
actionable data.
Incident Response team
The Incident Response team therefore has access to forensically sound information from
which it can more quickly analyze and understand suspicious behaviors.
Threat Intelligence team
Using this analysis, the Threat Intelligence team can proactively improve the organization’s
security infrastructure.
Security Infrastructure Engineering team
Overall, the Security Infrastructure Engineering team is able to consume and act on threat
information faster, often in an automated way.
4.1.10 Security Best Practices
Many national and professional organizations have published lists of security best practices.
Some of the most helpful guidelines are found in organizational repositories such as the
National Institute of Standards and Technology (NIST) Computer Security Resource Center.
Perform a risk assessment
Knowing and understanding the value of what you are protecting will help to justify security
expenditures.
Create a security policy
Create a policy that clearly outlines the organization’s rules, job roles, and responsibilities
and expectations for employees.
Physical security measures
Restrict access to networking closets and server locations, as well as fire suppression.
Human resources security measures
Background checks should be completed for all employees.
Perform and test backups
Back up information regularly and test data recovery from backups.
Maintain security patches and updates
Regularly update server, client and network device operating systems and programs.
Employ access controls
Configure user roles and privilege levels as well as strong user authentication.
Regularly test incident response
Employ an incident response team and test emergency response scenarios.
Implement a network monitoring, analytics and management tool
Choose a security monitoring solution that integrates with other technologies.
Implement network security devices
Use next generation routers, firewalls and other security appliances.
Implement a comprehensive endpoint security solution
Use enterprise level antimalware and antivirus software.
Educate users
Provide training to employees in security procedures.
One of the most widely known and respected organizations for cybersecurity training is the
SANS Institute.
Encrypt data
Encrypt all sensitive organizational data, including email.
4.2.1 Behavior-Based Security
Behavior-based security is a form of threat detection that involves capturing and analyzing
the flow of communication between a user on the local network and a local or remote
destination. Any changes in normal patterns of behavior are regarded as anomalies, and
may indicate an attack.
Honeypots
A honeypot is a behavior-based detection tool that lures the attacker in by appealing to their
predicted pattern of malicious behavior. Once the attacker is inside the honeypot, the
network administrator can capture, log and analyze their behavior so that they can build a
better defense.
Cisco’s Cyber Threat Defense Solution Architecture
This security architecture uses behavior-based detection and indicators to provide greater
visibility, context and control. The aim is to know who is carrying out the attack, what type of
attack they are performing and where, when and how the attack is taking place. This security
architecture uses many security technologies to achieve this goal.
4.2.2 NetFlow
NetFlow technology is used to gather information about data flowing through a network,
including who and what devices are in the network, and when and how users and devices
access the network.
NetFlow is an important component in behavior-based detection and analysis. Switches,
routers and firewalls equipped with NetFlow can report information about data entering,
leaving and traveling through the network.
This information is sent to NetFlow collectors that collect, store and analyze NetFlow data,
which can be used to establish baseline behaviors on more than 90 attributes, such as
source and destination IP address.
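Behavior-based detection on flow data means learning what each host normally does and alerting on departures from it. The Python below is an added example and not part of the course or of any NetFlow collector product. It works on a constructed CSV export of flow records (date, source, destination, destination port, bytes), builds a per-source baseline of daily outbound bytes over a training period, flags a day that sits more than three standard deviations above that baseline, and separately reports destinations a source has never talked to before. The threshold, the spread floor and all addresses and byte counts are constructed; the two attributes chosen (bytes and destination address) are just two of the many a real collector baselines.

```python
import csv
import io
import statistics
from collections import defaultdict

Z_THRESHOLD = 3.0          # alert when a day is more than three standard deviations above baseline
MIN_STDEV_FRACTION = 0.05  # floor on spread (5% of mean) so a very steady host does not alert on noise

# Constructed NetFlow-style export: one line per flow. Host 10.0.0.5 moves ~120 KB/day
# to the same destination, then on 2024-01-06 sends 9.3 MB to an address never seen before.
FLOWS_CSV = """date,src,dst,dport,bytes
2024-01-01,10.0.0.5,198.51.100.7,443,70000
2024-01-01,10.0.0.5,198.51.100.8,443,50000
2024-01-02,10.0.0.5,198.51.100.7,443,110000
2024-01-03,10.0.0.5,198.51.100.7,443,130000
2024-01-04,10.0.0.5,198.51.100.7,443,125000
2024-01-05,10.0.0.5,198.51.100.7,443,115000
2024-01-06,10.0.0.5,198.51.100.7,443,200000
2024-01-06,10.0.0.5,203.0.113.250,443,9300000
2024-01-01,10.0.0.9,198.51.100.7,443,40000
2024-01-02,10.0.0.9,198.51.100.7,443,42000
2024-01-03,10.0.0.9,198.51.100.7,443,38000
2024-01-04,10.0.0.9,198.51.100.7,443,41000
2024-01-05,10.0.0.9,198.51.100.7,443,39000
2024-01-06,10.0.0.9,198.51.100.7,443,43000
"""

TRAINING_DATES = ("2024-01-01", "2024-01-02", "2024-01-03", "2024-01-04", "2024-01-05")
EVALUATION_DATE = "2024-01-06"


def load_flows(text: str) -> list:
    """Parse the CSV export into typed records."""
    return [{"date": r["date"], "src": r["src"], "dst": r["dst"],
             "dport": int(r["dport"]), "bytes": int(r["bytes"])}
            for r in csv.DictReader(io.StringIO(text))]


def daily_bytes_by_source(flows: list) -> dict:
    """Aggregate bytes per source per day: src -> {date: bytes}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f["src"]][f["date"]] += f["bytes"]
    return totals


def build_baseline(totals: dict, training_dates) -> dict:
    """Per source, the mean and (floored) standard deviation of daily bytes over the training period."""
    baseline = {}
    for src, per_day in totals.items():
        samples = [per_day.get(d, 0) for d in training_dates]   # a silent day counts as zero bytes
        if len(samples) < 2:
            continue
        mean = statistics.mean(samples)
        stdev = max(statistics.stdev(samples), mean * MIN_STDEV_FRACTION)
        baseline[src] = (mean, stdev)
    return baseline


def volume_anomalies(totals: dict, baseline: dict, date: str, z_threshold: float = Z_THRESHOLD) -> list:
    """Sources whose bytes on `date` sit far above their own baseline."""
    alerts = []
    for src, (mean, stdev) in baseline.items():
        observed = totals[src].get(date, 0)
        z = (observed - mean) / stdev
        if z > z_threshold:
            alerts.append({"src": src, "date": date, "bytes": observed,
                           "baseline_mean": mean, "z_score": round(z, 1)})
    return alerts


def new_destinations(flows: list, training_dates, date: str) -> dict:
    """Destinations each source contacted on `date` but never during the training period."""
    seen, today = defaultdict(set), defaultdict(set)
    for f in flows:
        if f["date"] in training_dates:
            seen[f["src"]].add(f["dst"])
        elif f["date"] == date:
            today[f["src"]].add(f["dst"])
    return {src: dsts - seen[src] for src, dsts in today.items() if dsts - seen[src]}


def analyze(text: str = FLOWS_CSV, training_dates=TRAINING_DATES, date: str = EVALUATION_DATE) -> dict:
    flows = load_flows(text)
    totals = daily_bytes_by_source(flows)
    return {"volume_anomalies": volume_anomalies(totals, build_baseline(totals, training_dates), date),
            "new_destinations": new_destinations(flows, training_dates, date)}


if __name__ == "__main__":
    print(analyze())
```

A single flagged attribute is a lead, not a verdict; the value of baselining many attributes, as the text describes, is that a large volume spike to a never-before-seen destination is far more telling than either signal alone.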
4.2.3 Penetration Testing
Penetration testing, commonly known as pen testing, is the act of assessing a computer
system, network or organization for security vulnerabilities. A pen test seeks to breach
systems, people, processes and code to uncover vulnerabilities which could be exploited.
This information is then used to improve the system’s defenses to ensure that it is better
able to withstand cyber attacks in the future.
Step 1: Planning
The pen tester gathers as much information as possible about a target system or network, its
potential vulnerabilities and exploits to use against it. This involves conducting passive or
active reconnaissance (footprinting) and vulnerability research.
Step 2: Scanning
The pen tester carries out active reconnaissance to probe a target system or network and
identify potential weaknesses which, if exploited, could give an attacker access. Active
reconnaissance may include:
port scanning to identify potential access points into a target system
vulnerability scanning to identify potential exploitable vulnerabilities of a particular target
establishing an active connection to a target (enumeration) to identify the user account,
system account and admin account.
Step 3: Gaining access
The pen tester will attempt to gain access to a target system and sniff network traffic, using
various methods to exploit the system including:
launching an exploit with a payload onto the system
breaching physical barriers to assets
social engineering
exploiting website vulnerabilities
exploiting software and hardware vulnerabilities or misconfigurations
breaching access controls security
cracking weak encrypted Wi-Fi.
Step 4: Maintaining access
The pen tester will maintain access to the target to find out what data and systems are
vulnerable to exploitation. It is important that they remain undetected, typically using
backdoors, Trojan horses, rootkits and other covert channels to hide their presence.
When this infrastructure is in place, the pen tester will then proceed to gather the data that
they consider valuable.
Step 5: Analysis and reporting
The pen tester will provide feedback via a report that recommends updates to products,
policies and training to improve an organization’s security.
4.2.5 Impact Reduction
While most organizations today are aware of common security threats and put considerable
effort into preventing them, no set of security practices is foolproof. Therefore, organizations
must be prepared to contain the damage if a security breach occurs. And they must act fast!
Communicate the issue
Communication creates transparency, which is critical in this type of situation.
Internally, all employees should be informed and a clear call to action communicated.
Externally, all clients should be informed through direct communication and official
announcements.
Be sincere and accountable
Respond to the breach in an honest and genuine way, taking responsibility where the
organization is at fault.
Provide the details
Be open and explain why the breach took place and what information was compromised.
Organizations are generally expected to take care of any client costs associated with identity
theft services required as a result of a security breach.
Find the cause
Take steps to understand what caused and facilitated the breach. This may involve hiring
forensics experts to research and find out the details.
Apply lessons learned
Make sure that any lessons learned from forensic investigations are applied to prevent
similar breaches from happening in the future.
Check, and check again
Attackers will often attempt to leave a backdoor to facilitate future breaches. To prevent this
from happening, make sure that all systems are clean, no backdoors are installed and
nothing else has been compromised.
Educate!
Raise awareness, train and educate employees, partners and clients on how to prevent
future breaches.
4.2.6 What Is Risk Management?
Risk management is the formal process of continuously identifying and assessing risk in an
effort to reduce the impact of threats and vulnerabilities. You cannot eliminate risk completely
but you can determine acceptable levels by weighing up the impact of a threat with the cost
of implementing controls to mitigate it. The cost of a control should never be more than the
value of the asset you are protecting.
Frame the risk
Identify the threats that increase risk. Threats may include processes, products, attacks,
potential failure or disruption of services, negative perception of an organization’s reputation,
potential legal liability or loss of intellectual property.
Assess the risk
Determine the severity that each threat poses. For example, some threats may have the
potential to bring an entire organization to a standstill, while other threats may be only minor
inconveniences. Risk can be prioritized by assessing financial impact (a quantitative
analysis) or scaled impact on an organization's operation (a qualitative analysis).
Respond to the risk
Develop an action plan to reduce overall organization risk exposure, detailing where risk can
be eliminated, mitigated, transferred or accepted.
Monitor the risk
Continuously review any risk reduced through elimination, mitigation or transfer actions.
Remember, not all risks can be eliminated, so you will need to closely monitor any threats
that have been accepted.
4.3.1 Cisco's CSIRT
Many large organizations have a Computer Security Incident Response Team (CSIRT) to
receive, review and respond to computer security incident reports. Cisco CSIRT goes a step
further and provides proactive threat assessment, mitigation planning, incident trend analysis
and security architecture review in an effort to prevent security incidents from happening.
Cisco’s CSIRT takes a proactive approach, collaborating with the Forum of Incident
Response and Security Teams (FIRST), the National Safety Information Exchange (NSIE),
the Defense Security Information Exchange (DSIE) and the DNS Operations Analysis and
Research Center (DNS-OARC) to ensure it stays up to date with new developments.
There are several national and public CSIRT organizations, like the CERT Division of the
Software Engineering Institute at Carnegie Mellon University, that are available to help
organizations and national CSIRTs to develop, operate and improve their incident
management capabilities.
4.3.2 Security Playbook
One of the best ways to prepare for a security breach is to prevent it. Organizations should
provide guidance on:
how to identify the cybersecurity risk to systems, assets, data and capabilities
the implementation of safeguards and personnel training
a flexible response plan that minimizes the impact and damage in the event of a security
breach
security measures and processes that need to be put in place in the aftermath of a security
breach.
All this information should be compiled into a security playbook.
A security playbook is a collection of repeatable queries or reports that outline a
standardized process for incident detection and response. Ideally, a security playbook
should:
highlight how to identify and automate the response to common threats such as the
detection of malware-infected machines, suspicious network activity or irregular
authentication attempts.
describe and clearly define inbound and outbound traffic.
provide summary information including trends, statistics and counts.
provide usable and quick access to key statistics and metrics.
correlate events across all relevant data sources.
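The first playbook item above, automating the response to irregular authentication attempts, is the kind of repeatable query a playbook entry boils down to. The Python below is an added example, not course material and not any vendor's SIEM rule. It parses a constructed authentication log, groups failed logins by source address and ten-minute window, and distinguishes the two password attacks described in section 2.2.8: password spraying (one source, many accounts, one or two tries each) and brute force (one source, one account, many tries), while leaving a user who mistypes twice and then succeeds alone. The log schema, the thresholds and the suggested actions are constructed choices to be tuned to your environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # fixed correlation window, as a SIEM rule would use
SPRAY_MIN_ACCOUNTS = 5           # one source failing against at least this many distinct accounts...
SPRAY_MAX_PER_ACCOUNT = 2        # ...while trying each only a couple of times (stays under lockout)
BRUTE_MIN_FAILURES = 10          # one source hammering a single account

# Constructed authentication log in a simple "<timestamp> auth: <result> user=<u> src=<ip>" schema.
SAMPLE_LOG = [
    "2024-03-01T09:00:01 auth: FAILED user=alice src=198.51.100.23",
    "2024-03-01T09:00:14 auth: FAILED user=bob src=198.51.100.23",
    "2024-03-01T09:00:27 auth: FAILED user=carol src=198.51.100.23",
    "2024-03-01T09:00:40 auth: FAILED user=dave src=198.51.100.23",
    "2024-03-01T09:00:53 auth: FAILED user=erin src=198.51.100.23",
    "2024-03-01T09:01:06 auth: FAILED user=frank src=198.51.100.23",
    "2024-03-01T09:06:10 auth: FAILED user=alice src=192.0.2.44",     # a user mistyping twice...
    "2024-03-01T09:06:25 auth: FAILED user=alice src=192.0.2.44",
    "2024-03-01T09:06:40 auth: OK user=alice src=192.0.2.44",         # ...then succeeding: benign
    "2024-03-01T09:07:00 kernel: unrelated line that must be ignored",
] + [
    # twelve rapid failures against a single account from one source (constructed)
    f"2024-03-01T09:03:{s:02d} auth: FAILED user=admin src=203.0.113.8" for s in range(0, 60, 5)
]

LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")
EPOCH = datetime(1970, 1, 1)


def parse_events(lines) -> list:
    """Keep only lines that match the auth schema; everything else is skipped, not guessed at."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def window_start(ts: datetime) -> datetime:
    """Floor a timestamp to the start of its fixed window."""
    return EPOCH + ((ts - EPOCH) // WINDOW) * WINDOW


def detect(events: list) -> list:
    """Correlate failures per (source, window) and classify the pattern."""
    failures = defaultdict(Counter)    # (src, window) -> Counter of accounts that failed
    for e in events:
        if e["result"] == "FAILED":
            failures[(e["src"], window_start(e["ts"]))][e["user"]] += 1

    alerts = []
    for (src, start), per_account in failures.items():
        most_tried = max(per_account.values())
        if len(per_account) >= SPRAY_MIN_ACCOUNTS and most_tried <= SPRAY_MAX_PER_ACCOUNT:
            alerts.append({"type": "password_spraying", "src": src, "window_start": start.isoformat(),
                           "accounts": sorted(per_account),
                           "action": "block source; review listed accounts for weak passwords"})
        elif most_tried >= BRUTE_MIN_FAILURES:
            account, n = per_account.most_common(1)[0]
            alerts.append({"type": "brute_force", "src": src, "window_start": start.isoformat(),
                           "account": account, "failures": n,
                           "action": "block source; lock account pending verification"})
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Spraying is easy to miss with per-account lockout counters alone, which is exactly why the rule pivots on the source address and counts distinct accounts; the ‘action’ field is where a playbook entry hands off to automation.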
4.3.3 Tools for Incident Detection and Prevention
There are a range of tools used to detect and prevent security incidents.
A Security Information and Event Management (SIEM) system collects and analyzes security
alerts, logs and other real-time and historical data from security devices on the network to
facilitate early detection of cyber attacks.
A Data Loss Prevention (DLP) system is designed to stop sensitive data from being stolen
from or escaping a network. It monitors and protects data in three different states: data in
use (data being accessed by a user), data in motion (data traveling through the network) and
data at rest (data stored in a computer network or device).
An IPS can block or deny traffic based on a positive rule or signature match.
An IDS scans data against a database of rules or attack signatures, looking for malicious
traffic.
A DLP system is designed to stop sensitive data from being stolen from or escaping a
network.
A SIEM system collects and analyzes security alerts, logs and other real-time and historical
data from security devices on the network.
5.1.1 Legal Issues in Cybersecurity
In order to protect against attacks, cybersecurity professionals must have the same skills as
the attackers. However, cybersecurity professionals use their skills within the bounds of the
law.
Personal legal issues
At work or home, you may have the opportunity and skills to hack another person’s computer
or network. But there is an old saying, ‘Just because you can does not mean you should.’
Most hacks leave tracks, which can be traced back to you.
Cybersecurity professionals develop many skills, which can be used positively or illegally.
There is always a huge demand for those who choose to put their cyber skills to good use
within legal bounds.
Corporate legal issues
Most countries have cybersecurity laws in place, which businesses and organizations must
abide by.
In some cases, if you break cybersecurity laws while doing your job, the organization may be
punished and you could lose your job. In other cases, you could be prosecuted, fined and
possibly sentenced.
In general, if you are unsure whether an action or behavior might be illegal, assume that it is
illegal and do not do it. Always check with the legal or HR department in the organization.
International law and cybersecurity
International cybersecurity law is a constantly evolving field. Cyber attacks take place in
cyberspace, an electronic space created, maintained and owned by both public and private
entities. There are no traditional geographic boundaries in cyberspace. To further
complicate issues, it is much easier to mask the source of an attack in cyberwarfare than in
conventional warfare.
The global society is still debating how best to deal with cyberspace. State practice, opinio
juris (a state's sense that it is legally bound by the norm in question) and any treaties
drafted will shape international cybersecurity law.
Ethics Decision Tree
5.2.2 Professional Certifications
Cybersecurity certifications are a great way for you to verify your skills and knowledge and
can also boost your career.
Cisco Certified Support Technician (CCST) Cybersecurity
This is an entry-level certification for newcomers who are preparing to start their career in
the cybersecurity field. It is aimed at high school and early college students as well as those
interested in a career change. This certificate does not expire or require periodic
recertification.
CompTIA Security+
This is an entry-level security certification that meets the U.S. Department of Defense
Directive 8570.01-M requirements, which is an important item for anyone looking to work in
IT security for the federal government.
EC Council Certified Ethical Hacker (CEH)
This certification tests your understanding and knowledge of how to look for weaknesses
and vulnerabilities in target systems using the same knowledge and tools as a malicious
hacker but in a lawful and legitimate manner.
ISC2 Certified Information Systems Security Professional (CISSP)
This is one of the most widely recognized security certifications. Full certification requires at
least five years of cumulative, paid experience in two or more of the CISSP domains (one
year can be waived with a relevant degree or an approved credential). Candidates without
that experience can still sit the exam and, if they pass, hold Associate of ISC2 status until
they have earned it.
Cisco Certified CyberOps Associate
This certification validates the skills required of associate-level cybersecurity analysts within
security operations centers.
5.2.3 Cybersecurity Career Pathways
CyberSeek is a tool that provides detailed data about supply and demand in the United
States cybersecurity job market to help close the cybersecurity skills gap. Its interactive
career pathway shows the range of jobs in cybersecurity, as well as detailed information
about the salaries, credentials and skill sets associated with each job.