PREFACE

While conducting my research for this (and the first edition of this) book, I have noted literally hundreds of cyber security incidents – some relatively trivial, some rather more serious. What has never ceased to amaze me is not that they keep happening, but that the same kinds of incident keep happening, and that some people do not appear to learn the lessons of others’ mistakes and occasionally even of their own.

In the 21st century, we are almost totally reliant upon information technology, and in particular the interconnectedness that allows us to conduct our lives more efficiently. We now regard access to the connected world as a basic utility along with gas, electricity and water. As business, commerce and government continue to place their services online, we have become increasingly dependent upon something that few people truly understand, and to which some for whatever reason are denied access.

It is an unfortunate fact that when the internet was developed (originally as the ARPANET[1]), its main purpose was to enable information to be shared freely between institutions conducting research for the US Department of Defense (DoD), and because it was essentially a closed network, security within it was not even considered as a requirement. A consequence of this is that many of the protocols used over the internet are completely insecure, and until recently there has been a general reluctance among the software development community to build security into the protocols and applications that make use of it.

That aside, many of the underlying security issues in cyberspace are often caused by a lack of understanding of the risks of using cyberspace; by people who have not been adequately trained to do their job; who have not done it correctly; or who were simply unaware that there was anything for them to do in the first place. These issues affect everybody who uses cyberspace – in their personal as well as professional lives – at home, while travelling and at work.

When electronic equipment became a commodity product in the late 1960s and early 1970s, enthusiasts began to experiment with modifications – both to hardware and software – and they became known as ‘hackers’. Hacking then was a benign activity, intended to encourage learning and to find ways of improving the performance of electronic equipment, but as time progressed the term began to be used in a derogatory way for those who broke into other people’s computer resources.[2]

While there are laws, regulations and rules regarding the protection of physical and information assets, there are fewer that apply to virtual assets within cyberspace. However, in the realm of cyber security, there are some clear objectives:

  • to protect the overall security of our activities in cyberspace;
  • to plan for responding to disruptive incidents and to exercise those plans;
  • to improve the awareness of cyberspace users;
  • to share threat and vulnerability information relating to cyberspace;
  • to recommend controls appropriate to the risks encountered;
  • to address critical interdependencies within cyberspace.

Much of this work is already underway, but there is considerably more to do, and it is an ongoing exercise. In 2020, the UK’s National Crime Agency reported that there were an estimated 3.8 million cases of online fraud in the previous year – with the losses due to investment fraud totalling £338 million.[3]

The lesson – as many a security professional will tell you – is that if a well-resourced attacker really wants to break into your computer, read, steal or change your information, then they will almost certainly find a way of doing so. It may not be cheap or easy, it may involve using a mix of technology and human agents, but if they think it is worth it, you will find it very, very hard to stop them.

In 2014, FBI Director James Comey said, ‘There are those who’ve been hacked by the Chinese and those who don’t know they’ve been hacked by the Chinese.’[4]

We frequently take things at face value, especially in the online world. Why?

If a stranger approached you in a street and said, ‘I can do you a really good deal’, you would naturally be suspicious, but put the same words online, and people are falling over themselves to take up the offers.

The expression, ‘If it sounds too good to be true, it probably is’, is frequently quoted in the online world, but it’s amazing how many people cannot bear the thought of missing out on the possibility of getting something for nothing and end up either getting nothing or losing everything.

Criminals have always preyed upon human frailty and greed and will doubtless continue to do so until the end of time, but there are simple steps we can take to reduce the chance of becoming their victims, and to make their lives so difficult that they go hunting elsewhere.

Criminality does not respect national borders or trade barriers. It is still perhaps too early to tell whether the UK’s referendum vote to leave the European Union (EU) has resulted in negative impacts for the cyber security community, but we can say for sure that new vulnerabilities will surface at frequent intervals, new threats will arise, and that the world of cyberspace will continue to be populated by the good, the bad and the downright ugly.

We don’t really need to know in detail how the connected world works, no more than the driver of a car needs to understand the workings of the internal combustion engine, but hopefully this book will help to make its readers into better drivers.

Shortly before I began to update this book, Russia invaded Ukraine, and within days, members of the loosely coupled hacking group ‘Anonymous’ declared their intention to attack Russian government and military cyber assets, which they achieved with some degree of success.

This has given the cyber security community something of a dichotomy. While most of us would agree that the invasion was a bad thing, and that Anonymous might be able to influence matters in Ukraine’s favour, we should be conscious that attacks on a nation state’s government and military infrastructure would constitute an offence in (almost) any jurisdiction, unless of course the attack was undertaken as an act of aggression by one nation state against another.

It is therefore for the individual reader to decide for themselves whether this illegal/unlawful intervention represents well-intentioned ethical behaviour, or whether it is simply a group of cyber terrorists attempting to change the balance of power in the hope that their less respectable endeavours will pass unnoticed.

In March 2020, the UK government introduced a lockdown in an attempt to reduce the spread of Coronavirus, and this resulted in many organisations, not only in the UK but around the world, having to suddenly re-equip their information infrastructures to cope with significantly greater quantities of remote working than they might previously have undertaken.

Those organisations that already had experience of remote working were obliged not only to increase their internal network capacity, but also to ensure that those new to remote working were equipped with a suitable access mechanism, and that telephone calls could be re-routed to them. For those organisations that had never previously engaged in remote working, there was a very steep learning curve, coupled with the need to procure the required infrastructure from scratch, resulting in shortages of equipment and heavy demands on broadband providers (both at the organisation’s central network level and at the customers’ end points).

For both types of organisation, this placed increased pressure upon their cyber security capabilities, and in many cases meant that the cyber security infrastructure itself had to be managed remotely.

WHO SHOULD READ THIS BOOK?

The obvious answer to this is probably ‘anyone who has an interest in or concerns about cyber security’. It is aimed at both the public and private sectors and should have appeal to home users; students studying information security, computer science and other information technology-related subjects; and information security practitioners and their line managers, whether technical or not.

The aim is to inform the reader about the realities of cyber security, detailing the issues faced by both individuals and organisations, the likely targets of cyber-attacks, the vulnerabilities exhibited by an individual’s or an organisation’s assets and the impacts these attacks may cause; the kinds of threat we face; and how to go about protecting an individual’s or organisation’s assets against cyber-attacks.

WHAT EXACTLY DO WE MEAN BY CYBER?

Since this book deals with cyber security issues, we should begin by trying to define ‘cyber’.

The science fiction author William Gibson coined the term ‘cyberspace’ in a short story entitled Burning Chrome[5] in 1982, but did not define it until two years later in his book Neuromancer,[6] in which he describes it thus:

Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation … a graphic representation of data from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters, and constellations of data.

Bearing in mind that this predates the development in 1990 of the World Wide Web by Sir Tim Berners-Lee at the European Organization for Nuclear Research (CERN) by some six years, it is quite a startling piece of insight.

The UK National Security Strategy 2022[7] offers this definition:

To many of us, cyberspace is the virtual world we experience when we go online to communicate, work and conduct everyday tasks. In technical terms, cyberspace is the interdependent network of information technology that includes the internet, telecommunications networks, computer systems and internet-connected devices. For the military, and when considering our efforts to counter threats in cyberspace, it is an operational domain, along with land, sea, air and space.

Perhaps the most meaningful definition can be found in the present-day definition of cyberspace from the International Organization for Standardization (ISO) of:

A complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form.[8]

Cyber security therefore refers specifically to information security as applied to cyberspace, and in this respect it is slightly different from the wider concept of information security, which includes non-electronic information as well. It is sometimes also referred to as computer security or IT security. Again, the ISO standard has a simple definition for cyber security – ‘preservation of confidentiality, integrity and availability of information in the Cyberspace.’

It notes: ‘In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.’[9]

Finally, the standard defines cybercrime as:

criminal activity where services or applications in the Cyberspace are used for or are the target of a crime, or where the Cyberspace is the source, tool, target, or place of a crime.[10]

While the first edition of this book was in its latter stages of production in mid-May 2017, the ‘WannaCry’ virus made an unwelcome appearance. News of the attack was not a great surprise, but the scale of it was – I, and many others, had expected it to have a considerably wider impact, and it is to the credit of the IT and security specialists around the world that its spread was limited and dealt with so quickly, although a great many people had a thoroughly frustrating and exhausting weekend. Threats such as viruses and ransomware are covered in detail in Chapter 5 of this book, and methods of preventing and/or dealing with them are covered in Chapters 8 and 9.

Let us hope that the lessons have been learned from ‘WannaCry’: that out-of-support software is replaced, patches are applied and the recommendations in this book are followed. It is not a question of if another attack occurs, but when; and when it does, it may well be far more aggressive.

OVERVIEW OF THIS BOOK

While there is a logical (I hope) layout to this book, it is not necessary to read through it sequentially – the reader should feel free to dip in and out of chapters in any order they wish.

The chapters are organised as follows:

Part I – Cyber security issues

Chapter 1 – Introduction – what cyber security is all about, and a summary of the expectations of individuals and organisations who would be affected by a cyber-attack.

Chapter 2 – The big issues, including privacy and security (and privacy versus security), confidentiality, integrity, availability, non-repudiation, big data and data aggregation and the likely vulnerabilities that could allow an attack to be successfully conducted.

Chapter 3 – Cyber targets, including finance organisations, commercial businesses, critical infrastructure, manufacturing, academia and research organisations, industrial control systems and government and military targets.

Chapter 4 – Cyber vulnerabilities and impacts, including policy, process and procedure vulnerabilities, technical vulnerabilities, people-related vulnerabilities, physical and environmental vulnerabilities; personal impacts and organisational impacts.

Chapter 5 – Cyber threats, including types of attacker, types of attack, the motivations for and the benefits of launching an attack, the risks involved in doing so, and how attacks typically are conducted.

Part II – Cyber security solutions

Chapter 6 – A brief overview of information risk management, including identifying assets, risk identification, analysis and evaluation, and options for risk treatment.

Chapter 7 – The benefits of business continuity and disaster recovery.

Chapter 8 – Steps that can be taken by both individuals and corporate users to improve their cyber security.

Chapter 9 – Additional steps that can be taken by organisations, including cyber security policies and operational actions.

Chapter 10 – How users can be made aware of cyber security risks, and how training may be required for those more closely involved in securing the organisation.

Chapter 11 – Information sharing, including the information available to assist in the management of cyber security issues.

Appendices

Appendix A – Standards

  • ISO/IEC 27000 series standards
  • Other relevant ISO standards
  • Business continuity standards
  • National Institute of Standards and Technology (NIST) standards

Appendix B – Good practice guidelines

  • General cyber security advice
  • UK government cyber security advice

Appendix C – Cyber security law

  • UK law
  • EU directives and regulations

Appendix D – Training and qualifications

Appendix E – Links to other useful organisations

Appendix F – Further reading

Appendix G – Abbreviations and glossary


1. For an excellent description of how the ARPANET/internet began, read Where Wizards Stay Up Late by Katie Hafner and Matthew Lyon (New York: Touchstone, 1998). An Audible version was available at the time of writing.

2. An early example of this can be found in The Cuckoo’s Egg by Clifford Stoll (London: Pan Books, 1991). Note: this may be out of print, but an Audible version was available at the time of writing.

3. See www.nationalcrimeagency.gov.uk/who-we-are/publications/437-national-strategic-assessment-of-serious-and-organised-crime-2020/file

4. See https://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-10?r=US&IR=T

5. William Gibson (1995) Burning Chrome. New York: Harper Voyager, New edition.

6. William Gibson (2015) Neuromancer. New York: Harper Voyager, New edition.

7. See National Cyber Strategy 2022 (HTML) – https://www.gov.uk/government/publications/national-cyber-strategy-2022/national-cyber-security-strategy-2022

8. See ISO/IEC 27032:2012 p. 4.

9. Ibid.

10. Ibid.
