It is important to understand what is important to your organization in order to properly protect the organization from potential threats. The information security professional must look beyond just information technology and take a look at the organization they work for and understand its concerns.

The information security professional must understand documents such as the corporate mission and vision statements. These documents answer questions such as:

• What does the organization do?
  • Do you make car tires, or do you provide services to the elderly?
• Who are the organization's customers?
  • Who receives your services?
• Who is the organization?
  • What is the organizational culture? How does the organization want to be viewed?
  • Who are your third-party partners within your business structure?
    • Use Target, Home Depot...

We can start the conversation around who wants your information by first beginning to define the hacker. A hacker is someone who has the knowledge and skills necessary to circumvent the security controls or detect and exploit vulnerabilities in an information system.

A black hat hacker is an individual who compromises a computer system with malicious intent and without the permission of the owner of the information system. These individuals are engaged in criminal activities and are the ones that are behind the technical implementation and proliferation of cybercrime that we have seen grow across the world. The term black hat hacker was pulled from western films where the criminal in the...

As it relates to information security, a vulnerability is a weakness in a piece of technology (workstation, server, router, IOT, software, cloud, and so on), or a process (operational or management) that lessens the ability to provide assurance that the information system is secure.

In order to properly assess a vulnerability, three aspects of the vulnerability must be taken into account:

• Is the information system susceptible to a given flaw?
  • Millions of vulnerabilities exist. You must ascertain if your information system:
    • Meets the criteria where the vulnerability exists to include the specific version identified by the vendor
    • For example, version 1.01 of a piece of software may be vulnerable to an exploit, while version 1.02 is not

• Can an attacker access the information system in order to take advantage of the flaw?
  • Depending...

It is very important to note that many of the things that cause an all-hands-on-deck situation relate to how an enterprise information system is managed. If an enterprise information system is not regularly patched, then this leads to an all-hands-on-deck situation.

Vulnerability management is the process of:

• Identifying vulnerabilities that are applicable to your information system:
  • Vulnerabilities can be identified through the use of enterprise vulnerability management tools such as Nessus
  • Additionally, the information security professional should be reading information security blogs and should be subscribed to the security sites for the vendors that they use
• Triaging vulnerabilities that are applicable to your information system:
  • The information security professional must determine the risk that a given vulnerability presents to the organization...

In this chapter, we covered the modern threat landscape so that we can better support:

• The development of our information security program
• Support business/mission goals and objectives
• Develop countermeasures that defend against modern threats

We discussed:

• How to determine what is important to your organization
• Potential threats to your organization
• Types of hackers/adversaries
• Methods used by the hacker/adversary
• Methods of conducting training and awareness as it relates to threats

In the next chapter, we will discuss the activities necessary to establish an enterprise-wide information security program focusing on policies, procedures, standards, and guidelines.