Title: Cybersecurity and Third-Party Risk: Third Party Threat Hunting
Edition: 1st
Author: Gregory C. Rasner
ISBN: 111980955X, 9781119809555
Publisher: Wiley
Year: 2021
Pages: 480 [483]
Language: English
File format: PDF
File size: 6 MB
After large breaches at well-known organizations including Home Depot, Capital One, Equifax, Best Buy and many others, CISOs, cybersecurity professionals and business leaders have spent countless hours and money upgrading their cybersecurity internally. Data Loss Prevention, Cloud Access Security Broker, Intrusion Detection/Prevention, Zero Trust, Privileged Access Manager, and countless other projects and systems have been purchased and integrated to head off breaches. And yet the size and frequency of breaches continue to grow. The real kicker: many of these major breaches occurred at a third party. These companies, like too many others still, did not pay attention to the cybersecurity of their vendors. The breaches brought large financial penalties, but the reputational losses were often enormous, both for the companies and for the personnel who ran cybersecurity at these firms. Sixty percent of companies admit to not performing adequate cybersecurity vetting of vendors, and thirty-three percent report having no cybersecurity vetting process for third parties, or only an ad hoc one. Because they hold your customer data or connect to your network, third parties have effectively become extensions of your own business. Cybersecurity due diligence and due care must be more aggressive in their approach to this risk domain: it is no longer enough to perform them as a compliance function; they must be active and engaged in real time with third-party cybersecurity. With this book you will learn how to create a third-party risk program with cybersecurity in the lead, greatly lowering the risk of a breach via a third party. By leveraging this program to grow its maturity, your organization will go from being reactive to predictive.
Table of contents

Front matter: Cover; Title Page; Copyright Page; (ISC); About the Author; About the Technical Editor; Acknowledgments; Contents; Foreword

Introduction
- Who Will Benefit Most from This Book
- Special Features

Chapter 1: What Is the Risk?
- The SolarWinds Supply-Chain Attack
- The VGCA Supply-Chain Attack
- The Zyxel Backdoor Attack
- Other Supply-Chain Attacks
- Problem Scope
- Compliance Does Not Equal Security
- Third-Party Breach Examples
- Third-Party Risk Management
- Cybersecurity and Third-Party Risk
- Cybersecurity Third-Party Risk as a Force Multiplier
- Conclusion

Chapter 2: Cybersecurity Basics
- Cybersecurity Basics for Third-Party Risk
- Cybersecurity Frameworks
- Due Care and Due Diligence
- Cybercrime and Cybersecurity
- Types of Cyberattacks
- Analysis of a Breach
- The Third-Party Breach Timeline: Target
- Inside Look: Home Depot Breach
- Conclusion

Chapter 3: What the COVID-19 Pandemic Did to Cybersecurity and Third-Party Risk
- The Pandemic Shutdown
- Timeline of the Pandemic
- Impact on Cybersecurity
- Post-Pandemic Changes and Trends
- Regulated Industries
- An Inside Look: P&N Bank
- SolarWinds Attack Update
- Conclusion

Chapter 4: Third-Party Risk Management
- Third-Party Risk Management Frameworks
- ISO 27036:2013+
- NIST 800-SP
- NIST 800-161 Revision 1: Upcoming Revision
- NISTIR 8272 Impact Analysis Tool for Interdependent Cyber Supply-Chain Risks
- The Cybersecurity and Third-Party Risk Program Management
- Kristina Conglomerate (KC) Enterprises
- KC Enterprises' Cyber Third-Party Risk Program
- Inside Look: Marriott
- Conclusion

Chapter 5: Onboarding Due Diligence
- Intake
- Data Privacy
- Cybersecurity
- Amount of Data
- Country Risk and Locations
- Connectivity
- Data Transfer
- Data Location
- Service-Level Agreement or Recovery Time Objective
- Fourth Parties
- Software Security
- KC Enterprises Intake/Inherent Risk Cybersecurity Questionnaire
- Cybersecurity in Request for Proposals
- Data Location
- Development
- Identity and Access Management
- Encryption
- Intrusion Detection/Prevention System
- Antivirus and Malware
- Data Segregation
- Data Loss Prevention
- Notification
- Security Audits
- Cybersecurity Third-Party Intake
- Data Security Intake Due Diligence
- Next Steps
- Ways to Become More Efficient
- Systems and Organization Controls Reports
- Chargebacks
- Go-Live Production Reviews
- Connectivity Cyber Reviews
- Inside Look: Ticketmaster and Fourth Parties
- Conclusion

Chapter 6: Ongoing Due Diligence
- Low-Risk Vendor Ongoing Due Diligence
- Moderate-Risk Vendor Ongoing Due Diligence
- High-Risk Vendor Ongoing Due Diligence
- "Too Big to Care"
- A Note on Phishing
- Intake and Ongoing Cybersecurity Personnel
- Ransomware: A History and Future
- Asset Management
- Vulnerability and Patch Management
- 802.1x or Network Access Control (NAC)
- Inside Look: GE Breach
- Conclusion

Chapter 7: On-site Due Diligence
- On-site Security Assessment
- Scheduling Phase
- Investigation Phase
- Assessment Phase
- On-site Questionnaire
- Reporting Phase
- Remediation Phase
- Virtual On-site Assessments
- On-site Cybersecurity Personnel
- On-site Due Diligence and the Intake Process
- Vendors Are Partners
- Consortiums and Due Diligence
- Conclusion

Chapter 8: Continuous Monitoring
- What Is Continuous Monitoring?
- Vendor Security-Rating Tools
- Inside Look: Health Share of Oregon's Breach
- Enhanced Continuous Monitoring
- Software Vulnerabilities/Patching Cadence
- Fourth-Party Risk
- Data Location
- Connectivity Security
- Production Deployment
- Continuous Monitoring Cybersecurity Personnel
- Third-Party Breaches and the Incident Process
- Third-Party Incident Management
- Inside Look: Uber's Delayed Data Breach Reporting
- Inside Look: Nuance Breach
- Conclusion

Chapter 9: Offboarding
- Access to Systems, Data, and Facilities
- Physical Access
- Return of Equipment
- Contract Deliverables and Ongoing Security
- Update the Vendor Profile
- Log Retention
- Inside Look: Morgan Stanley Decommissioning Process Misses
- Inside Look: Data Sanitization
- Conclusion

Chapter 10: Securing the Cloud
- Why Is the Cloud So Risky?
- Introduction to NIST Service Models
- Vendor Cloud Security Reviews
- The Shared Responsibility Model
- Inside Look: Cloud Controls Matrix by the Cloud Security Alliance
- Security Advisor Reports as Patterns
- Inside Look: The Capital One Breach
- Conclusion

Chapter 11: Cybersecurity and Legal Protections
- Legal Terms and Protections
- Cybersecurity Terms and Conditions
- Offshore Terms and Conditions
- Hosted/Cloud Terms and Conditions
- Privacy Terms and Conditions
- Inside Look: Heritage Valley Health vs. Nuance
- Conclusion

Chapter 12: Software Due Diligence
- The Secure Software Development Lifecycle
- Lessons from SolarWinds and Critical Software
- Inside Look: Juniper
- On-Premises Software
- Cloud Software
- Open Web Application Security Project Explained
- OWASP Top 10
- OWASP Web Security Testing Guide
- Open Source Software
- Software Composition Analysis
- Inside Look: Heartbleed
- Mobile Software
- Testing Mobile Applications
- Code Storage
- Conclusion

Chapter 13: Network Due Diligence
- Third-Party Connections
- Personnel
- Physical Security
- Hardware Security
- Software Security
- Out-of-Band Security
- Cloud Connections
- Vendor Connectivity Lifecycle Management
- Zero Trust for Third Parties
- Internet of Things and Third Parties
- Trusted Platform Module and Secure Boot
- Inside Look: The Target Breach (2013)
- Conclusion

Chapter 14: Offshore Third-Party Cybersecurity Risk
- Onboarding Offshore Vendors
- Ongoing Due Diligence for Offshore Vendors
- Physical Security
- Offboarding Due Diligence for Offshore Vendors
- Inside Look: A Reminder on Country Risk
- Country Risk
- KC's Country Risk
- Conclusion

Chapter 15: Transform to Predictive
- The Data
- Vendor Records
- Due Diligence Records
- Contract Language
- Risk Acceptances
- Continuous Monitoring
- Enhanced Continuous Monitoring
- How Data Is Stored
- Level Set
- A Mature to Predictive Approach
- The Predictive Approach at KC Enterprises
- Use Case #1: Early Intervention
- Use Case #2: Red Vendors
- Use Case #3: Reporting
- Conclusion

Chapter 16: Conclusion
- Advanced Persistent Threats Are the New Danger
- Cybersecurity Third-Party Risk

Back matter: Index; EULA