Welcome to the cybersecurity leadership and management course. Today we will be discussing cybersecurity actionable goals and metrics, and we'll talk about two use cases. My name is Cicero Chimbonda and I am your instructor for this course.

Cybersecurity actionable goals and metrics: use case study. In this course we will discuss what actionable goals and metrics are and provide an overview. Then we will talk about two use cases. The first is a user awareness program, and the second is identity and access management. Let's get started.

Let's talk about the cybersecurity actionable goals and metrics overview. When we're talking about cybersecurity goals and metrics, the objective is to have goals and metrics that strengthen the organization's security posture. In doing so you want to have KPIs, key performance indicators. These KPIs show how your security gains visibility, so you want indicators that show the visibility of your security. You want indicators that promote awareness of the risk within your organization. You want key performance metrics that show and build the trust of your organization, basically around your regulatory obligations: these show that you are meeting your compliance rules and that you are aligned with your compliance officer as you present these KPIs. And lastly, you want KPIs that show stability, that show increased resilience. So again, the goal of your key performance indicators is to show the strengthening of your security posture.

With KRIs, key risk indicators, you want to show how you are reducing risk exposure. These are the goals: you want metrics that show, for example, confidentiality, meaning how exposed your confidentiality is. So you put in countermeasures like least privilege, encryption, or ciphers to reduce that risk. For integrity, you want to ensure non-repudiation and that no digital signatures are compromised.
You have write once, read many, and these are WORM disks. Again, these show where the risks are exposed, and therefore you have countermeasures to strengthen your posture and reduce your risk. And lastly, you want to show that there is no risk to your availability: business continuity planning, high availability, making sure that you are protected from DDoS attacks. These are your goals, to reduce your risk exposure by showing your KRIs.

Organization strategy, regulatory obligation, operational excellence. That is what the chief information security officer wants to demonstrate to governance: that there is an aligned strategy, that you are meeting your regulatory obligations, and that you are showing operational excellence. Tying that to information security is the assurance that the data is confidential, that there is integrity, and that there is availability, and therefore communicating security, trust, and stability, STS.

Let's continue, looking at a use case for a user awareness program. Preventing insider threats: as we look at this use case, these are the top five insider threat attacks in the industry in 2020. You have phishing or vishing attacks against users. Phishing is social engineering through email, where the attacker is trying to get a user to take an action. Vishing is a voice social engineering attack, where the attacker is trying to get a user to act. Weak and careless passwords: again, these are ways insider threats have been exploited, where users are using weak passwords or are careless with them. Users violating corporate policies: they're not following the policies, they're bypassing them, and this is a vulnerability in the process. Disgruntled employees, or disgruntled behaviors such as retaliation: these are insider threat attacks.
And lastly, exfiltration of sensitive data, where privileges have been given to specific roles and those privileges are used to exfiltrate sensitive data. So how do you mitigate these types of attacks? With a user awareness program. The way to approach your user awareness program is, first of all, with a survey. This is where you interview compliance, the technology departments, the security department, human resources, and the business units to come up with the appropriate training and develop the training program. You can do this with vendors or internally. Once you develop and execute the training, you want to test at every level of your user awareness. This could be with phishing testing, with form elements, or with computer-based training. But you want to test your employees to make sure they are absorbing the training you provided. Then you provide the reports and KPIs or KRIs to the board, to the stakeholders, to compliance, even publishing to your clients to show that you have a program. And lastly, you analyze your data for improvement and for adding countermeasures. That is the cycle of your user awareness program.

The success metrics around your program involve having quantitative measures, for example training participation: how many participated, what were the grades, who finished? Those kinds of reports. You want qualitative measures: were the participants satisfied? Have some kind of qualitative survey around your program. You want a quantitative measure of your return on investment: are the dollar amounts you invest in your user program benefiting your company? Is there a return on investment? This will be in dollars and cents. And lastly, have a qualitative measure of training effectiveness. This shows, for example, how effective or relevant the user awareness training is.
The number of attendees and the average costs are things you can basically measure to have some kind of qualitative metric on your training effectiveness.

Another use case is identity and access management. Identity and access management is how you manage user access to your network. These are the top attacks in IAM. Password harvesting attacks: this is where bad actors use tools, or even social engineering as you'll see, to harvest passwords. Unnecessary escalated privileges: administrators giving users access at levels they don't need. Third-party access to sensitive data. Social engineering, as mentioned earlier, to get credentials. And lastly, inactive accounts that still exist in your database.

So how do you mitigate this with IAM? The IAM program has four blocks: authentication, authorization, user management, and a central user repository. The user must verify their identity before being granted access; this is authentication. Authentication mechanisms usually want to answer these questions. What you know, for example passwords. Who you are, for example biometrics: your fingerprints, your eye retina. Where you are, for example geo-authentication or IP address. What you have, for example a mobile device or a key fob that sends a token. And what you do, for example a CAPTCHA, writing, or picking out pictures. These are ways of authenticating a user. Once you have authenticated a user you have to authorize them; this is the level of access. Role-based access control, RBAC, is a practical approach. And then you have user management.
This is the ability for administrators to manage users, for example giving users access to systems, devices, applications, storage systems, networks, or cloud-based services. This is the user management process. And lastly, a central user repository. You want a streamlined, centralized identity store for IAM, with functioning provisioning and deprovisioning. This is something like Active Directory or single sign-on. Again, these are the core components of identity and access management tools.

So, implementing countermeasures: you want multi-factor authentication, MFA, to mitigate these attacks. You want role-based or least privilege access; again, this is a way to mitigate, and you have countermeasures. Deleting inactive accounts: usually you don't want to keep an inactive account longer than 90 days at most. Some companies use 30, 45, or 60 days. Whatever the number is, you don't want long-living accounts that can be used if they are compromised. And lastly, minimizing the frequency of access to critical enterprise systems by third parties. Again, these are use cases of how to mitigate identity and access management attacks. This concludes this course. Thank you, and we'll see you in the next course.
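As an added example, not code from the course, the following Python turns the IAM countermeasures discussed above (inactive-account cleanup after 90 days, MFA for privileged accounts, limiting third-party privilege) into a small audit that produces KRI-style findings from a constructed account list; the `Account` fields, the sample users, and the report format are assumptions made for illustration.

```python
"""IAM audit example: flags inactive accounts, admins without MFA, and
third-party accounts holding admin roles, then summarizes them as KRIs."""
from dataclasses import dataclass
from datetime import date, timedelta

INACTIVE_DAYS = 90  # upper bound from the lecture; some firms use 30, 45 or 60

@dataclass
class Account:
    user: str
    roles: tuple       # e.g. ("admin",) or ("reader",)
    last_login: date
    mfa_enabled: bool
    third_party: bool  # vendor or contractor account

def audit(accounts, today, inactive_days=INACTIVE_DAYS):
    """Return a dict of finding name -> sorted list of affected usernames."""
    findings = {"inactive": [], "admin_without_mfa": [], "third_party_admin": []}
    cutoff = today - timedelta(days=inactive_days)
    for a in accounts:
        if a.last_login < cutoff:               # long-living, unused account
            findings["inactive"].append(a.user)
        if "admin" in a.roles and not a.mfa_enabled:  # privileged, no MFA
            findings["admin_without_mfa"].append(a.user)
        if a.third_party and "admin" in a.roles:      # excessive third-party access
            findings["third_party_admin"].append(a.user)
    return {k: sorted(v) for k, v in findings.items()}

def kri_summary(findings, total_accounts):
    """Percent of accounts affected per finding, suitable for a board report."""
    return {k: round(100 * len(v) / total_accounts, 1) for k, v in findings.items()}

# Constructed sample data for the example (not real accounts).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Account("alice", ("admin",), date(2024, 5, 20), True, False),
    Account("bob", ("reader",), date(2024, 1, 15), True, False),    # idle > 90 days
    Account("carol", ("admin",), date(2024, 5, 30), False, False),  # admin, no MFA
    Account("vendor1", ("admin",), date(2024, 5, 25), True, True),  # third-party admin
]

if __name__ == "__main__":
    result = audit(SAMPLE, TODAY)
    print(result)
    print(kri_summary(result, len(SAMPLE)))
```

Lowering `inactive_days` to a company's own 30-, 45- or 60-day policy changes only the cutoff, so the same report can be re-run against whichever retention window governance has approved.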