Cyber Security: How You Can Protect Your Company’s Assets with a Few Simple Steps
With weekly and even daily news of data breaches and hacks, it’s important to remember that cyber security is everyone’s responsibility. In fact, October has been designated National Cyber Security Awareness Month for this very reason. It’s important to be vigilant in protecting not only the equipment and networks we knowingly use every day, but also the many unacknowledged connections that come with using Internet of Things (IoT) devices in our daily lives.
“What’s not being said about cyber security is how much of a difference people can make just by taking some simple steps,” says David Herman, President of Raffetto Herman Strategic Communications. In this article, we’ll discuss the current cyber threat landscape and how you can defend yourself, your team, and your company. Experts share tips for how you can protect your cyber assets, whether big or small, and you’ll also find resources to create a cyber security plan.
What Is Cyber Security All About?
Cyber security is the processes and methods that secure computer devices, networks, and data and information against attack, theft, misdirection, misuse, or disruption. Cyber security’s purview extends to considerations of the nature and source of threats and the infrastructure beyond an internal network. The cyber security field also covers issues surrounding public computer policy including network policy, cyber threat awareness, and threat information sharing.
Cyber security is a superset of many aspects of security, including network security. Network security focuses on protecting the internal data and infrastructure of a small or enterprise-sized organization, and covers access control, passwords, firewalls, scans, and antivirus software. Cyber security also encompasses the following aspects:
Application Security: An effort to build robust security features into applications, especially those exposed to the internet.
Information Security (InfoSec): The processes, policies, and tools that secure digital and non-digital data and information from attack and misuse.
Operational Security (OPSEC): The goal of OPSEC is to identify assets and determine methods to protect them. Operational security usually consists of five steps: identify assets, identify threats, determine vulnerabilities, assess risks, and apply countermeasures.
Disaster Recovery and Business Continuity: Disaster recovery anticipates security events and provides a plan for recovering assets and resuming business.
End-user Education: Good cyber security practice empowers every member of an organization to recognize and resist security threats.
What Is Computer Security?
Cyber security has a few synonyms, computer security and IT security, which may sound more approachable for non-technical people. The goal of computer security is to protect hardware, software, and the data they store and transmit from potential damage, disruption, or misappropriated use.
Why Is It Important to Have Cyber Security?
Everything is digitized and online, from banking to maintaining friendships. Cyber security concerns have moved beyond protecting traditional desktop computers and server farms and the confidential or personally identifiable information (PII) they contain. Security must also protect millions of smart devices that perform everyday functions, from remotely adjusting the temperature in your office to changing traffic signals to keeping water flowing through the mains at a steady rate.
The integration of digital and information technology is increasing at home, at work, and even in public infrastructure. As government cyber security sites note, hackers (whether amateurs or organized criminals) want to deny, destroy, degrade, and disrupt our networks.
Threats are evolving and escalating in their sophistication and the amount of damage they can inflict when implemented. As technology consultant and President of Raffetto Herman Strategic Communications David Herman warns, “There are bad actors and they’re going to go after big things.”
Stephen Gates, Chief Research Intelligence Analyst at Zenedge, says the recent and frequent attacks should capture our attention. “This is a wake-up call for anybody that stores PII data. They must protect their web applications with good, sound web application technologies,” he advises. Proper protection involves more than firewalls and antivirus software. Gates believes it’s about protecting our actual web applications from exposure to hackers.
There’s no sign that threats and crime will end soon because it’s a lucrative full-time job for hackers. “They’re not wearing hoodies, sitting in grandma’s basement hacking,” says Gates. “These guys drive Mercedes, have private jets, wear Armani suits, and basically are living a wonderful lucrative life by being criminals. How are you going to change that?”
The Bot Armageddon
If massive credit card thefts and epidemics of ransomware aren’t frightening enough, Gates foresees another threat on the horizon: the invasion of the botnets. Bots are small programs that automate tasks (a restaurant’s food-ordering app is a benign example). Hackers can turn internet-enabled devices, such as baby monitors, thermostats, cameras, or smartphones, into bot networks by planting their own bot on each device. “Now the bots will attack on the instruction of the bot master,” explains Gates. Typical jobs for a bot are guessing passwords or spreading ransomware, and harnessing vast numbers of devices amplifies the power of the attack.
“It’s one attack with a hundred thousand or a million devices hacking simultaneously,” warns Gates. And it’s looming. “This bot problem is going to be out of control within the next three or four years.”
Cyber Security: More than a Threat
Despite a deep threat landscape, a strong element of naivety persists. As Herman says, you don’t heed the hurricane warnings if you’ve never lived through a hurricane. Indeed, it’s often not until you’re personally affected by a cyber security breach that you become acutely aware of its potential. Herman explains that this mindset still exists among some smaller organizations, a sense of security through obscurity. He illustrates this sentiment: “We’re a small firm, nobody really knows about us. There’s not a big threat, so I’m not worried.”
In companies, CEOs and other C-level executives often set the tone to view security as an IT problem. When so many departments in an organization are networked and control sensitive data, cyber security becomes the entire team’s responsibility.
In addition to the mayhem and disruption that breaches and denial of service attacks cause, organizations may be held accountable for their cyber security, especially if the company stores data or works with another business’ sensitive information. If the company has not put strong cyber security controls in place, auditors may sanction it, making it difficult to retain or attract new business. If your organization operates in a highly regulated industry, such as banking or healthcare, you may be subject to severe sanctions and penalties for data breaches. When dealing with countries outside the U.S., there may be specific deadlines for reporting breaches.
What Systems Are at Risk of Cyber Security Attack?
We live in a computer-operated, networked world, and almost every aspect of our lives can potentially be affected by a cyber attack. Below are some common areas of exposure that you should be wary of:
Conventional Crimes: Computers and the internet support all traditional forms of malice and avarice, including bank and other fraud and intellectual property theft.
Remote Mayhem: With IoT, someone can spy on you, unlock your doors, steal your information, or tamper with the dose a networked medical device delivers.
Financial Theft: A black market exists among people who are comfortable stealing your present and your future. They will take your credit card numbers, social security numbers, your address and other contact information, your children’s information, and even your retirement account details.
Your Water, Your Electricity, Your Phone: Much of our infrastructure is already online: utilities, telecommunications systems, water treatment, gas, first-responder communications and other linked tools, smart meters reporting electrical usage, and even nuclear facilities. Imagine if every traffic light at an intersection in your town simultaneously turned red; how would that affect traffic? The RFID systems in access badges, and even the chips in documents such as passports, can be cloned.
Reputation Ruin: Exploitation of cyber vulnerabilities for crimes can ruin the reputations and public trust of companies, government agencies, and even individuals, especially when they could have done a better job of protecting networks and data. Businesses run the risk of customer and shareholder lawsuits, compliance audits, and even sanctions.
Flight Frights: Aviation navigation, air traffic control systems, and radio communications all run the risk of attack through malware, or of malfunction if the electrical systems they depend on are attacked.
Mobile Mayhem: In a connected car, hackers can potentially start the engine, tamper with the braking and seatbelt tensioning, cause the car to accelerate and run off the road, and eavesdrop through the audio system.
Bot Armies: All your consumer devices are mini-computers that can be hijacked to do a hacker’s bidding. That includes your remote-controlled thermostat, your GPS, your smartwatch, your smart refrigerator, the voice-operated personal assistant that selects your radio station, your video-enabled doorbell, and your dog monitor. If they aren’t spying on you, they could be manipulated without your knowledge to break into databases or spread malware.
Governmental Agencies Concerned With Cyber Attacks
In the U.S., the Computer Fraud and Abuse Act is the federal law that prohibits unauthorized access to and misuse of computers, and the Cybersecurity Act of 2015 governs the sharing of cyber threat information between companies and the government. In May of 2017, the White House released a Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure. Many governmental organizations within the U.S. deal with cyber security although, as David Herman suggests, the efforts can seem disparate. “There’s not just this one, plain English, public speaking list of here’s the things to do,” he says. “If you do searches, you’ll find government resources about vulnerabilities and things to do, but I think that the government hasn’t done a good job of consolidating it in a way that is approachable for most people.”
Stephen Gates echoes Herman’s sentiment that the government isn’t making a concerted effort. “Everybody’s sort of talking about it, but not really moving forward with anything,” Gates says.
These are some of the government agencies who focus on devices, networks, and cyber crime:
Department of Homeland Security: National Cyber Security Division
FBI, National White Collar Crime Center, Internet Crime Complaint Center, IC3 (where private citizens and companies report ID theft and other breaches)
United States Department of Justice
United States Cyber Command of the US Strategic Command
Federal Communications Commission (FCC)
Food and Drug Administration (FDA)
US-CERT, the United States Computer Emergency Readiness Team (operates the National Cyber Awareness System with alerts primarily intended for computer experts)
The U.S. Department of Energy, Office of Electricity Delivery and Energy Reliability
Computer crime is borderless and nationless; it can appear to happen here, there, everywhere, and nowhere, with source points and affected locations changing at the drop of a hat. Assigning local police to handle these incidents can be difficult. Computer Emergency Response Teams (CERTs) exist in many other countries to watch for threats, but there are few uniform international laws or extradition treaties. Wherever cybercriminals are found, often the local law is not strong enough to bring the accused to trial, let alone to justice.
Civilian Efforts Against Cyber Threats
Newly hatched as a nonprofit in early 2017, the Cyber Threat Alliance (CTA) aims to improve intelligence sharing among companies involved in cyber security, to protect the internet from hacking, and to make software harder to exploit. Founding members include major software and cyber security companies such as Cisco, Intel, Symantec, Palo Alto Networks, Fortinet, and Check Point Software Technologies, with Michael Daniel, former special assistant and cyber security advisor to President Barack Obama, as its President.
How Are Systems Attacked?
Even a few years ago, a computer security event usually involved unauthorized access to a facility or a laptop accidentally left in a taxi. Now most threats arrive over the network, and attackers rely on the following:
Vulnerabilities: Weaknesses in the design of software, its implementation, or the installation and configuration of equipment. An exploit is the code or technique an attacker uses to take advantage of a vulnerability for malign purposes. Although one or several individuals may benefit from a cyber attack, probing for vulnerabilities is usually automated.
Backdoors: A way into a system or program that circumvents the normal authentication process. Backdoors are sometimes included intentionally for maintenance, which makes them a standing risk once they are discovered.
Denial of Service Attacks: This type of attack renders computers or networks inaccessible to users. Forms of attack include deliberately submitting wrong passwords for an account until the lockout policy disables it, or overloading a system so it cannot respond. A distributed denial of service (DDoS) attack comes from many IP addresses at once, making it harder for a firewall to block the malicious traffic while still admitting legitimate users.
Direct-access Attacks: Attackers with physical access to a laptop can install malware directly, but attacks can also spread through peripherals. Camcorders and storage devices, for example, may be granted direct memory access (DMA) for high-speed transfers, which makes them vectors for worms, keyloggers, and other malware.
Eavesdropping: Surreptitious monitoring of communications, whether by listening in on a room, tapping a landline or cell phone, or intercepting email or other unencrypted network traffic.
Spoofing: Pretending to be something or someone you are not in order to gain access to sensitive information. Attackers spoof people or equipment, for example forging email sender addresses to distribute spam or spoofing caller IDs on VoIP networks.
Tampering: Modifying devices, such as installing surveillance capability on a router or installing a rootkit, software that hides itself and grants access to parts of a computer that are usually inaccessible.
Privilege Escalation: A user or process with limited privileges exploits a flaw to gain higher privileges, potentially superuser access to the entire system.
Phishing: An attempt to acquire sensitive information by pretending to represent a legitimate organization or person, often someone of authority. Culprits send instant messages and emails to a swath of victims in the hope that some will bite.
Ransomware: Malware that encrypts or locks data systems or individual devices and demands payment for their release. Ransomware is often delivered through a phishing email.
Clickjacking: Overlaying an invisible or disguised element on top of a legitimate-looking page so that the victim’s click lands on something else, such as a hidden button that changes a setting or authorizes an action on another site.
Social Engineering: The broad category of attacks that manipulate people rather than technology, of which phishing is one form. Attackers use web pages, email, and even phone calls to pose as authority figures or friendly agents to acquire sensitive personal or company data. Social engineering often involves research on an individual through social media so that the attacker can leverage the victim’s lifestyle, work, and interests. Examples include an email under the name of a CFO asking for HR records, or a message requesting money from a “grandchild.” Other examples include emailing invoices under the guise of a legitimate vendor in order to steer payment into the accounts of thieves.
Botnet: A network of compromised computers, including portable devices, that are surreptitiously controlled as a group to send spam, flood targets with traffic, or crack passwords.
What Is A Cyber Policy?
A cyber policy is relevant at many levels in our society. On a national level, cyber policy governs how we approach questions of data privacy, personal privacy, freedom of speech, security, access to the internet, and commodification of the internet. On a local or private level, an organization’s cyber policy guides how employees, contractors, and visitors use its computers and network assets. The policy precisely describes those assets, appropriate and acceptable use, potential threats against the devices and network, and how the organization will defend against threats, contain and repel threats, and repair any damage.
Several government agencies concerned with cyber security offer useful policy tools. The FCC’s online Cyber Planner helps you build a template for the particular needs of your organization’s cyber plan. The FCC also provides a background guide, the FCC Small Biz Cyber Planning Guide, with 45 pages of advice on computer security training and facility security, and links to publications and pertinent government agencies. Another resource, from the Financial Industry Regulatory Authority (FINRA), is the Excel-based Small Firm Cybersecurity Checklist.
The National Institute of Standards and Technology (NIST) offers a Cyber Incident Response Plan, which includes a detailed guide and a one-page checklist for preparing for major security incidents.
Cyber Security Frameworks
At a high level, federal agencies and non-governmental organizations (NGOs) create policy frameworks to describe best practices for cyber management and cyber security, and to guide organizations in compliance with regulations.
NIST Framework: The NIST Framework for Improving Critical Infrastructure Cybersecurity describes activities grouped around five core functions: identify, protect, detect, respond, and recover. The NIST framework draws on other frameworks and standards, including the ISO/IEC 27000 series for information security and ISO 31000 for risk management. The framework core is also available as an Excel spreadsheet.
ISO/IEC 27000: The ISO/IEC 27000 series of standards governs information security management.
COBIT: Control Objectives for Information and Related Technology, created by ISACA (the Information Systems Audit and Control Association), provides a framework for the management and governance of enterprise information technology. Organizations use it to demonstrate compliance with the data and IT provisions of Sarbanes-Oxley.
SSAE-16: The Statement on Standards for Attestation Engagements No. 16 provides a framework through which service companies have their controls examined by certified public accountant auditors and communicate the results to customers and others.
While frameworks describe a theoretical model for the types of things an organization should include in a cyber policy, growth and improvement are described through a cyber security maturity model. A cyber security maturity model document provides a view into the level of sophistication of an organization’s approach to cyber security and provides a roadmap for enhancement.
Even IT security professionals can find frameworks daunting reading (the NIST Cybersecurity framework is 66 pages). If your company is subject to compliance audits, security consultants suggest leveraging managed security services. Doing so may remove considerable effort and worry from your shoulders as you attempt to secure and prove security for your establishment.
Cyber Security Disasters and What We Can Learn from Them
Sadly, revelations of data breaches or serious intrusion attempts seem to be a weekly, if not daily, occurrence. Examples of notable hacks focusing on assorted targets include the following:
Robert Morris and the First Internet Worm: One of the world’s first computer worms was released on November 2, 1988 by Robert Morris, a Cornell University graduate student. Of the roughly 60,000 computers then connected to the internet, an estimated ten percent were infected. Computers slowed to a crawl as the worm re-infected machines repeatedly and clogged them with copies of itself. The attack was the impetus for the creation of the CERT Coordination Center (Computer Emergency Response Team) at Carnegie Mellon University’s Software Engineering Institute.
Rome Laboratory: In 1994, two hackers (both under the age of 25 at the time) used password-sniffing programs and Trojan horses to gain access to Rome Laboratory, a U.S. Air Force research and development facility. Masquerading as legitimate Rome Laboratory users to cover their tracks, the hackers carried out more than a hundred intrusions into the facility and stole data. During the attack they also used the compromised systems to reach other networked facilities in the U.S. Department of Defense (DoD) and civilian computers.
Target and Home Depot: In 2013 and 2014 respectively, malware installed on the two retailers’ point-of-sale systems gave hackers a way to steal customer credit card data. Home Depot had allegedly received warnings about a possible attack that could have been prevented by installing antivirus upgrades.
A 2016 Cybersecurity Ventures report estimates that cyber crime will cost banks, corporations, and individual victims as much as six trillion dollars a year within a few years. Cybercrime prevention itself is a growing business: an IDC report estimates the worldwide security technology market will surpass $100 billion by 2020.
Why Do People Hack?
In the beginning, hackers often broke into systems and stole data for the thrill of it. Often they claimed they were searching for evidence of conspiracies, or wanted to expose weaknesses in system security. Hackers sometimes work for local, national, or international interests. Today, people hack mainly out of avarice: stealing credit card numbers and social security numbers, and holding networks for ransom, pays.
Why people choose to hack, what they want, and how they will attack is studied through threat modeling. Security analysts study the systems and software an organization uses to identify where an attacker could strike, and they also record the specifics of actual security events and how they were mitigated so the organization can improve its defenses.
To combat cyber crime, we simply need to toughen up. As Gates urges,“We have to make it so difficult and time consuming, and they’ll [hackers] eventually see that it took them a 1,000 hours to make 10 dollars.”
That may actually be easier than it sounds. The majority of successful attacks result not from exploiting previously unknown vulnerabilities, known as zero-days, but from taking advantage of known problems that remain unpatched. In fact, as the Department of Homeland Security reported, eighty percent of attacks leverage known vulnerabilities and configuration weaknesses.
Tips to Promote Cyber Security
Take comfort in the fact that most successful attacks leverage known vulnerabilities that you can easily eliminate with patches, up-to-date infrastructure (such as firewalls and other equipment), and good configuration management. Beyond good IT practices, however, organizations also must foster an information security culture. Employees can easily think of cyber security as the purview of management and the IT department. In fact, management and IT need to lead their team members in taking responsibility for cyber hygiene.
As individuals, we have to protect ourselves. “Assume your information has been stolen, and now you’ve just got to have your guard up,” advises Gates. Part of that includes regularly monitoring your credit report.
He also stresses the importance of enabling 2FA, or two-factor authentication, for every online account that offers it. With two-factor authentication, you access a web application or even a device with not only a username and password, but also a second, separate piece of evidence (usually a one-time code generated by an authenticator app or sent to your phone or email account), which you enter to gain access. This added layer of protection helps when a password has been stolen or guessed; thieves still cannot get into your account without the second factor. “2FA makes a lot of sense for every single consumer,” says Gates.
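To make concrete how a second factor works, here is an added example (written for this page, not code from the article or from any company it quotes) of a two-factor login in Python: a salted password check followed by verification of a time-based one-time code as defined in RFC 6238. The user record, the password and the `DEMO_SECRET_B32` value are constructed for the demonstration; the secret is the key from the RFC’s own test vectors, so the generated codes can be checked against the published values.

```python
"""Two-factor login with a TOTP second factor (RFC 6238).

Added example, not code from the original article. The secret below is the
published RFC 6238 test-vector key, used here as a constructed demo value;
real secrets are generated per user and stored encrypted.
"""
import base64
import hashlib
import hmac
import os
import struct
import time

DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"
TIME_STEP = 30   # seconds per code
DIGITS = 6


def totp_code(secret_b32: str, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """HOTP over the time counter T = floor(unix_time / step), truncated to `digits`."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 section 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or up to `window` steps either side (clock drift).

    Comparison is constant-time. A real deployment must also remember the last
    accepted counter per user so that a captured code cannot be replayed.
    """
    submitted = submitted.strip()
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    ok = False
    for drift in range(-window, window + 1):
        expected = totp_code(secret_b32, unix_time + drift * TIME_STEP)
        ok |= hmac.compare_digest(expected, submitted)   # no early exit: uniform timing
    return ok


def make_user(password: str, totp_secret_b32: str) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret_b32}


def login(username: str, password: str, code: str, users: dict, now=None) -> bool:
    """First factor (password), then second factor (TOTP). Both must pass."""
    rec = users.get(username)
    if rec is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 100_000)
    if not hmac.compare_digest(candidate, rec["pw_hash"]):
        return False
    return verify_totp(rec["totp_secret"], code, int(time.time() if now is None else now))


if __name__ == "__main__":
    users = {"alice": make_user("correct horse battery staple", DEMO_SECRET_B32)}
    now = int(time.time())
    code = totp_code(DEMO_SECRET_B32, now)        # what the authenticator app would show
    print("current code:", code)
    print("password + code:", login("alice", "correct horse battery staple", code, users, now))
    print("password only (wrong code):", login("alice", "correct horse battery staple", "000000", users, now))
```

A stolen password alone fails the `login` check because the second factor is derived from a secret that never leaves the user’s device and the server; the acceptance window of one step either side is the usual allowance for clock drift, and a replay check on the last accepted counter is the piece a production system must add.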
You can prevent many intrusions, breaches, and the spread of malware simply by being careful about how you handle email and how you act on suspicious requests. Below are some situations you might encounter and tips on how to handle them.
A terse email arrives from the address of someone you recognize, such as your cousin or your boss, containing nothing but a generic link (“Look at this video”). Don’t click the link; delete the email, and if you want to be sure, ask the sender through a channel other than email. A familiar sender address proves little, since addresses can be spoofed and accounts get compromised.
Someone claiming to be a recruiter emails to say they have the perfect opening for you. They ask to meet on Google Hangouts, their email address is a Hotmail account, they request sensitive information such as your social security number by email, and they tell you that a $200 payment will start the hiring process. Run away!
The “site administrator” at your bank sends you a message asking you to send them your password. No, you don’t! No legitimate institution needs your password, and anyone who has to ask for it should not have it.
Your CFO just asked for information on everyone in your company’s payroll. There are safer ways to share sensitive information within your company than email, and the CFO most likely has a sanctioned way to access that data. Remember, if something seems questionable, pick up the phone and verify the request using a number you already have.
You receive an unexpected email from your bank, the IRS, the company administering your retirement plan, the Social Security Administration, or any other institution, offering you a link to their “website” and asking for personal information. Don’t click the link. Instead, type the institution’s web address into your browser yourself (or use a bookmark) and look for the request there; these institutions typically send actual mail for such requests.
If you work in the accounts payable department and receive an email from a known vendor directing you to pay into a new account or through a new site, think twice: verify the change with the vendor by phone, using contact details already on file rather than any given in the email, before you transfer anything.
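Several of the tells in the scenarios above can be checked automatically. The Python script below is an added example, not from the original article: it triages a raw email for a known person’s display name on a foreign address, a Reply-To that redirects the conversation elsewhere, link text that shows one site while the href goes to another, and pressure or payment wording. The domain example.com, the one-entry directory, the lure phrase list and both sample messages are constructed for the demo.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Demo assumptions: our own domain and a tiny directory of people whose
# display names an attacker would like to borrow (hypothetical CFO).
INTERNAL_DOMAIN = "example.com"
DIRECTORY = {"dana chen": "dana.chen@example.com"}

LURE_PHRASES = ("urgent", "immediately", "bank details", "new account",
                "wire transfer", "gift card", "your password")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for the demo, not for public suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def host_of(text: str):
    """Hostname of a URL or bare domain shown as link text; None if not URL-like."""
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def triage(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()

    # 1. Display-name impersonation: a known person's name on an unexpected address.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with unexpected address {addr}")

    # 2. Reply-To that quietly moves the conversation to another domain.
    reply_to = msg["Reply-To"]
    if reply_to:
        _, rt_addr = parseaddr(str(reply_to))
        if registrable(rt_addr.rsplit("@", 1)[-1]) != registrable(from_domain):
            findings.append(f"Reply-To {rt_addr} points to a different domain than From")

    # 3. Links whose visible text names one site while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(content)
        for href, text in extractor.links:
            shown, real = host_of(text), urlparse(href).hostname
            if shown and real and registrable(shown) != registrable(real):
                findings.append(f"link text shows {shown} but href goes to {real}")

    # 4. Pressure and payment language typical of BEC and credential lures.
    haystack = (str(msg["Subject"] or "") + " " + content).lower()
    hits = [p for p in LURE_PHRASES if p in haystack]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
PHISH = b"""From: "Dana Chen" <dana.chen@mail-example.net>
Reply-To: accounts@pay-portal.example
To: ap@example.com
Subject: Urgent: updated bank details for this month's invoice
Content-Type: text/html; charset="utf-8"

<p>Please pay immediately through our new portal:
<a href="http://pay-portal.example/login">https://vendor.example.com/invoices</a></p>
"""

BENIGN = b"""From: "Dana Chen" <dana.chen@example.com>
To: ap@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch after the budget review?
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("benign", BENIGN)):
        print(label, triage(sample))
```

Each finding is a reason for a human to pick up the phone, not a verdict; a message that trips none of these checks can still be malicious, which is why the verify-by-another-channel habit above matters.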
Practical Cyber Security Tips You Can Implement Now
Although the risks of unsecured devices and networks are daunting, implementing strong security practices doesn’t have to be.
Install Patches: Software updates aren’t pushed out just to share cool new features. Patches close vulnerabilities. “Over the years, I’ve seen company after company and person after person not taking advantage of updates,” says Herman. “That makes a difference. Updates shut down a lot of bugs.” That holds true for updating system software on cell phones, too. Herman advises, “We should leverage the free tools they provide us to close threats down ourselves.”
Practice Password Discipline: Password strength comes more from length than from forced complexity rules; a long passphrase beats a short string of symbols, and no password should be reused across accounts or appear in a known breach list. If you need to keep track of many long, unique passwords, use a password manager.
Leverage Traditional and New Antivirus Software: Keep engines and signatures up to date, schedule regular full scans, and run an on-demand scan the moment something looks wrong.
Educate the Team: “There’s a huge human element to risk associated with cyber security,” Herman says. Through education comes a heightened vigilance. Use experts to help your employees become “cyber defense warriors.”
Consider Managed Services: Rather than maintaining your own servers, including patches and hardware, consider cloud-based work platforms, storage, file sharing, and cyber threat protection. Managed well, cloud-based protection services offer around-the-clock monitoring of your network infrastructure and regularly investigate new threats and roll out countermeasures. The provider secures the platform; you remain responsible for your accounts, access controls, and data.
Keep Cyber Security Resources at Hand: Herman suggests having a resource on speed dial so that you can reach out the moment you suspect a breach.
Promote a Culture of Forgiveness: Companies must cultivate an environment that encourages honesty about cyber security problems. “If you click on a wrong link, be open and honest about it before it causes damage for the whole team,” advises Herman. And don’t be afraid to isolate that device the moment you suspect something might be wrong: disconnect it from the network rather than powering it off, so that incident responders can still examine what is in memory.
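To make the “length over complexity” rule in the Practice Password Discipline tip concrete, here is an added Python example (not from the original article) of a password acceptance check in the style of NIST SP 800-63B: a minimum length, no composition rules, rejection of the username or service name inside the password, and a screen against a breach corpus using the hash-prefix (k-anonymity) lookup shape that breach-checking services use. The 12-character minimum and the four-entry breach corpus are assumptions for the demo.

```python
import hashlib
import re

# Assumed policy, modelled on NIST SP 800-63B: favour length, drop forced
# composition rules, screen against known-breached passwords.
MIN_LENGTH = 12
MAX_LENGTH = 128

# Constructed breach corpus. A production check queries a k-anonymity range
# API (send the first 5 hex chars of the SHA-1, get back matching suffixes)
# or a local copy of the breach list; the index shape below is the same.
BREACHED_SAMPLE = ["password123", "qwerty123456", "letmein2024", "welcome1"]
BREACH_INDEX = {}
for _pw in BREACHED_SAMPLE:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str) -> bool:
    """k-anonymity style lookup: only a 5-char hash prefix selects the bucket,
    and the full hash never leaves the caller."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in BREACH_INDEX.get(h[:5], set())


def check_password(password: str, username: str = "", service: str = "") -> list:
    """Return the reasons the password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    # Context-specific words (the user's own name, the service name) are the
    # first things an attacker tries.
    for word in (username, service):
        if word and len(word) >= 4 and word.lower() in lowered:
            reasons.append(f"contains '{word}'")
    if re.fullmatch(r"(.)\1+", password):
        reasons.append("single repeated character")
    if is_breached(password):
        reasons.append("appears in a known breach corpus")
    return reasons


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "qwerty123456", "correct horse battery staple"):
        print(repr(candidate), check_password(candidate, username="alice") or "accepted")
```

Note what the check does not do: it never demands an uppercase letter, a digit or a symbol, because those rules push users toward predictable patterns that breach corpora already contain.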
Practical Aspects of Cyber Security
In addition to developing and distributing a cyber security policy, there are plenty of things you can do to start protecting your digital work assets:
Protect physical access
Create an information security culture
Protect your network and equipment from injections and intrusions
Work by the following principles: Security by design, unit testing, principle of least privilege, defense in depth, audit trails, and full disclosure
A secure system is characterized by its confidentiality, integrity, and availability (the CIA triad). Security architecture describes how defenses and countermeasures are arranged to preserve those properties. Controls that also play a role in network security include the following:
Firewalls
Intrusion detection (including machine learning for persistent threats)
System access controls (reduce the attack surface; also 2FA and backups)
Cryptography
Detection and response
Vulnerability management
Access control
Hardware protection: dongles, drive locks, disabled USB ports, AES-based disk encryption, thumbprint and other biometrics, Bluetooth proximity detection
Access-control lists versus capability-based security
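The last item, access-control lists versus capability-based security, is easier to see in code. The following Python is an added example (not from the original article) contrasting the two models: an ACL stores, per resource, who may do what and must know the caller’s identity on every check, while a capability is an unforgeable token that names the resource and the rights, so possession alone authorizes and a holder can delegate a narrower copy without editing any list. The resource names, users and HMAC key are demo assumptions; a real issuer would keep the key in an HSM or KMS.

```python
import base64
import hashlib
import hmac
import json

# Demo key so the example runs offline; a real issuer keeps this in an HSM/KMS.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


class AclStore:
    """ACL model: each resource carries a list of who may do what. Every check
    needs the caller's identity, and delegation means editing the list."""
    def __init__(self):
        self._acl = {}  # resource -> {subject: set(rights)}

    def grant(self, resource: str, subject: str, *rights: str) -> None:
        self._acl.setdefault(resource, {}).setdefault(subject, set()).update(rights)

    def check(self, subject: str, resource: str, right: str) -> bool:
        return right in self._acl.get(resource, {}).get(subject, set())


def b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class CapabilityIssuer:
    """Capability model: the token names the resource and rights. Possession is
    authorization; the issuer's MAC makes it unforgeable, and a holder can hand
    out a narrower copy (attenuation) without consulting any list."""
    def __init__(self, key: bytes):
        self._key = key

    def mint(self, resource: str, rights) -> str:
        payload = json.dumps({"res": resource, "rights": sorted(rights)},
                             separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return b64e(payload) + "." + b64e(tag)

    def open(self, token: str):
        """Return (resource, rights) granted by a valid token, or None."""
        try:
            p, t = token.split(".")
            payload, tag = b64d(p), b64d(t)
        except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        data = json.loads(payload)
        return data["res"], set(data["rights"])

    def check(self, token: str, resource: str, right: str) -> bool:
        opened = self.open(token)
        return opened is not None and opened[0] == resource and right in opened[1]

    def attenuate(self, token: str, rights) -> str:
        """Derive a weaker token: a holder can only give away rights it holds."""
        opened = self.open(token)
        if opened is None or not set(rights) <= opened[1]:
            raise ValueError("cannot widen a capability")
        return self.mint(opened[0], rights)


if __name__ == "__main__":
    acl = AclStore()
    acl.grant("/payroll", "alice", "read", "write")
    print("ACL: alice read?", acl.check("alice", "/payroll", "read"),
          "bob read?", acl.check("bob", "/payroll", "read"))
    issuer = CapabilityIssuer(ISSUER_KEY)
    cap = issuer.mint("/payroll", {"read", "write"})
    read_only = issuer.attenuate(cap, {"read"})   # alice hands bob a read-only copy
    print("cap: write?", issuer.check(cap, "/payroll", "write"),
          "read-only copy write?", issuer.check(read_only, "/payroll", "write"))
```

Both models enforce least privilege, but they fail differently: an ACL that is never pruned keeps granting rights to people who moved on, while a capability that leaks grants its rights to whoever holds it, which is why real capability systems add expiry and revocation on top of what is shown here.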
Improving Cyber Security in Healthcare Organizations
As healthcare companies begin to leverage more technology resources to house their data, the threat of cyber attacks continues to be a growing problem. Cybersecurity methods are becoming more necessary to secure devices, networks, data, and information.
This is particularly important for healthcare organizations, which must remain HIPAA compliant and ensure that all personal health information (PHI) and other confidential information is secure and protected within their systems. Additionally, patient information and medical processes and procedures, if threatened or hacked, could result in life-threatening situations if any information is altered or deleted, meaning data must always remain protected.
To combat the growing issue of cyberattacks and improve the security of computer systems and critical data, healthcare companies need a powerful, real-time, and secure tool that will ensure the protection and safety of all information and processes.
Smartsheet is a work execution platform that enables healthcare companies to improve data safety, manage security processes, and keep privacy in check. Securely track and share confidential information with authorized users, manage user access, and increase visibility into who has access to which business-critical information, while meeting or exceeding HIPAA’s regulatory requirements. Your assets are encrypted and stored under strict security infrastructure, reducing the risk of cyberattacks and data loss.
Interested in learning more about how Smartsheet can help you maximize your efforts? Discover Smartsheet for Healthcare.
Talent Shortage and Training in Cyber Security
Some estimates suggest that over a million openings in cyber security exist, and that openings will triple by 2019. How can positions go unfilled when information technology so permeates our modern world?
Some articles emphasize that the approach to cyber security recruitment must change. Rather than viewing computer security as a silo within information technology, employers and job placement professionals should view it as a complementary endeavor. Organizations should consider leveraging the talents and skills of existing employees and supporting their ongoing training in cyber security. Companies may also improve their outreach to high schools and universities to encourage students to consider cyber security as a career path.
Gates suggests that much of the talent shortage can be mitigated through machine learning, a step on the path to artificial intelligence (AI). In machine learning, computers analyze data to determine patterns faster than humans can. Some cities, for example, already employ machine learning to monitor hundreds of street lights, parking meters, and cameras. In human-assisted machine learning, a person then corrects and guides the computer until the computer can recognize threats and anomalies on its own. “A machine can learn to detect things that it’s never seen before,” says Gates.
Training
Cyber security training is heavily represented through paid online cyber security degrees, often from Ivy League institutions, and also through massive open online courses (MOOCs). Courses are available in English, Italian, and Korean.
Curricula cover the spectrum of concerns, with cyber security for critical infrastructure, aviation, cryptocurrencies, IoT, information security, homeland security, domestic and foreign political considerations, in addition to hardware and programming topics.
Prospective cyber security students may consider qualifying for the CISSP, or Certified Information Systems Security Professional, certification. This coveted certification tests candidates across the security domains listed below (the ten domains of the original Common Body of Knowledge; (ISC)² consolidated them into eight domains in 2015):
Access Control Systems and Methodology
Telecommunications and Network Security
Business Continuity Planning and Disaster Recovery Planning
Security Management Practices
Security Architecture and Models
Law, Investigation, and Ethics
Application and Systems Development Security
Cryptography
Computer Operations Security
Physical Security
Roles
As the world is increasingly digitized and networked, organizations of all sizes and types will require computer security as an essential part of everyday business. Salaries for cyber security professionals compensate for the responsibility and intensive training involved. For example, the median salary for an information security officer is $90,000. Cyber security professionals can use their skills in a variety of roles:
Security analyst
Security engineer
Security architect
Forensics investigator
Cybersecurity specialist
Security consultant/specialist/intelligence
Improve Cyber Security with Smartsheet for IT & Ops
Empower your people to go above and beyond with a flexible platform designed to match the needs of your team — and adapt as those needs change.
The Smartsheet platform makes it easy to plan, capture, manage, and report on work from anywhere, helping your team be more effective and get more done. Report on key metrics and get real-time visibility into work as it happens with roll-up reports, dashboards, and automated workflows built to keep your team connected and informed.
When teams have clarity into the work getting done, there’s no telling how much more they can accomplish in the same amount of time. Try Smartsheet for free, today.
Any articles, templates, or information provided by Smartsheet on the website are for reference only. While we strive to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the website or the information, articles, templates, or related graphics contained on the website. Any reliance you place on such information is therefore strictly at your own risk.
These templates are provided as samples only. These templates are in no way meant as legal or compliance advice. Users of these templates must determine what information is necessary and needed to accomplish their objectives.