Table of Contents

Part I: Background on Cyber Crime, Insider Threats, and ESM
Chapter One: Cyber Crime and Cyber Criminals
• About this Chapter
• Computer Dependence and Internet Growth
• The Shrinking Vulnerability Threat Window
• Motivations for Cyber Criminal Activity o Black Markets
• Hacker
• Script Kiddies
• Solitary Cyber Criminals and Exploit Writers for Hire
• Organized Crime
• Identity Thieves (Impersonation Fraudsters)
• Competitors
• Activist Groups, Nation-State Threats, and Terrorists
• Activists
• Nation-State Threats o China o France o Russia o United Kingdom o United States
• Terrorists
• Insiders
• Tools of the Trade o Application-Layer Exploits o Botnets o Buffer Overflows o Code Packing o Denial-of-service (DoS) Attacks o More Aggressive and Sophisticated Malware o Non-wired Attacks and Mobile Devices o Password-cracking o Phishing o Reconnaissance and Googledorks o Rootkits and Keyloggers o Social Engineering Attacks o Voice over IP (VoIP) Attacks o Zero-Day Exploits
• Summary Points
Chapter Two: Insider Threats
• Understanding Who the Insider Is
• Psychology of Insider Identification
• Insider Threat Examples from the Media
• Insider Threats from a Human Perspective o A Word on Policies
• Insider Threats from a Business Perspective o Risk
• Insider Threats from a Technical Perspective o Need-to-know o Least Privileges o Separation of Duties o Strong Authentication o Access Controls o Incident Detection and Incident Management
• Summary Points

Chapter Three: Enterprise Security Management (ESM)
• ESM in a Nutshell
• Key ESM Feature Requirements o Event Collection o Normalization o Categorization o Asset Information o Vulnerability Information o Zoning and Global Positioning System Data o Active Lists o Actors o Data Content o Correlation o Prioritization o Event and Response Time Reduction o Anomaly Detection o Pattern Discovery o Alerting o Case Management o Real-Time Analysis and Forensic Investigation o Visualization o High-level Dashboards o Detailed Visualization o Reporting o Remediation
• Return On Investment (ROI) and Return On Security Investment (ROSI)
• Alternatives to ESM
o Do Nothing o Custom In-house Solutions o Outsourcing and Co-sourcing
? Co-sourcing examples:
• Summary Points

Part II: Real Life Case Studies
Chapter Four: Imbalanced Security—A Singaporean Data Center
Chapter Five: Correlating Physical and Logical Security Events—A U.S. Government Organization
Chapter Six: Insider with a Conscience—An Austrian Retailer
Chapter Seven: Collaborative Threat—A Telecommunications Company in the U.S.
Chapter Eight: Outbreak from Within—A Financial Organization in the U.K.
Chapter Nine: Mixing Revenge and Passwords—A Utility Company in Brazil
Chapter Ten: Rapid Remediation—A University in the United States
Chapter Eleven: Suspicious Activity—A Consulting Company in Spain
Chapter Twelve: Insiders Abridged
• Malicious use of Medical Records
• Hosting Pirated Software
• Pod-Slurping
• Auctioning State Property
• Writing Code for another Company
• Outsourced Insiders
• Smuggling Gold in Rattus Norvegicus

Part III: The Extensibility of ESM
Chapter Thirteen: Establishing Chain-of-Custody Best Practices with ESM
• Disclaimer
• Monitoring and disclosure
• Provider Protection Exception
• Consent Exception
• Computer Trespasser Exception
• Court Order Exception
• Best Practices
• Canadian Best Evidence Rule
• Summary Points

Chapter Fourteen: Addressing Both Insider Threats and Sarbanes-Oxley with ESM
• A Primer on Sarbanes-Oxley
• Section 302: Corporate Responsibility for Financial Reports
• Section 404: Management Assessment of Internal Controls
• Separation of Duties
• Monitoring Interaction with Financial Processes
• Detecting Changes in Controls over Financial Systems
• Section 409: Real-time Issuer Disclosures
• Summary Points

Chapter Fifteen: Incident Management with ESM
• Incident Management Basics
• Improved Risk Management
• Improved Compliance
• Reduced Costs
• Current Challenges o Process o Organization o Technology
• Building an Incident Management Program o Defining Risk
• Five Steps to Risk Definition for Incident Management o Process o Training o Stakeholder Involvement o Remediation o Documentation
• Reporting and Metrics
• Summary Points

Chapter Sixteen: Insider Threat Questions and Answers
• Introduction
• Insider Threat Recap
• Question One - Employees o The Hiring Process o Reviews o Awareness o NIST 800-50
o Policies o Standards o Security Memorandum Example
• Question Two - Prevention
• Question Three – Asset Inventories
• Question Four – Log Collection o Security Application Logs o Operating System Log o Web Server Logs o NIST 800-92
• Question Five – Log Analysis
• Question Six - Specialized Insider Content
• Question Seven – Physical and Logical Security Convergence
• Question Eight – IT Governance o NIST 800-53
o Network Account Deletion maps to NIST 800-53 section AC-2
o Vulnerability Scanning maps to NIST 800-53 section RA-5
o Asset Creation maps to NIST 800-53 section CM-4
o Attacks and Suspicious Activity from Public Facing Assets maps to NIST 800-53 section SC-14
o Traffic from Internal to External Assets maps to NIST 800-53 section SC-7
• Question Nine - Incident Response
• Question 10 – Must Haves

Appendix A—Examples of Cyber Crime Prosecutions