    Refining the PoinTER “human firewall” pentesting framework

    Purpose: Penetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.

    Methodology: We conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.

    Findings: Drawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.

    Originality: Previous work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature.

    Cybersecurity by executive order

    This report explores the details of the Obama Administration's executive order on cybersecurity, breaking down the challenges, criticisms, and successes of the effort to date, before offering clear lessons from the US experience that can be applied to the Australian context. Summary: On 12 February 2014 the United States National Institute of Standards & Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity, the flagship accomplishment of the Obama Administration’s 2013 cybersecurity Executive Order. Just weeks before the White House announced its executive order, the then Australian Prime Minister Julia Gillard made an equally exciting declaration introducing the Australian Cyber Security Centre (ACSC). One year on, the contrast between the two efforts is stark. The United States and Australia share a common interest in developing a robust partnership between the government and private sector to develop whole-of-system cybersecurity. To move beyond political optics, the ACSC must embrace existing best practices, commit to meaningful public-private partnerships, and set a pragmatic strategy moving forward. The Obama Administration’s efforts, while far from perfect, offer critical lessons that the Australian government can adopt and adapt to ensure that the ACSC is a successful endeavour and critical infrastructure cybersecurity is improved. This Strategic Insight report explores the details of the executive order, breaking down the challenges, criticisms, and successes of the effort to date, before offering clear lessons from the US experience that can be applied to the Australian context.

    Cyber Babel: Finding the Lingua Franca in Cybersecurity Regulation

    Cybersecurity regulations have proliferated over the past few years as the significance of the threat has drawn more attention. With breaches making headlines, the public and their representatives are imposing requirements on those that hold sensitive data with renewed vigor. As high-value targets that hold large amounts of sensitive data, financial institutions are among the most heavily regulated. Regulations are necessary. However, regulations also come with costs that impact both large and small companies, their customers, and local, national, and international economies. As the regulations have proliferated so have those costs. The regulations will inevitably and justifiably diverge where different governments view the needs of their citizens differently. However, that should not prevent regulators from recognizing areas of agreement. This Note examines the regulatory regimes governing the data and cybersecurity practices of financial institutions implemented by the Securities and Exchange Commission, the New York Department of Financial Services, and the General Data Protection Regulation of the European Union to identify areas where requirements overlap, with the goal of suggesting implementations that promote consistency, clarity, and cost reduction.

    Greater Washington Works: IT and Health Careers with Promise

    The Greater Washington Workforce Development Collaborative, an initiative of The Community Foundation for the National Capital Region, has partnered with JPMorgan Chase & Co. to develop a new research report, Greater Washington Works: IT and Health Careers with Promise, released today. The report focuses on how our region can address the skills gap and lift more of our neighbors out of poverty through careers in IT and Healthcare. With over 70% of net new jobs requiring post-secondary education and training, the Washington regional economy continues to be highly knowledge-based. Local employers, however, face challenges in finding skilled workers. Nearly 800,000 individuals in our region have no education past high school, highlighting a skills gap that has the potential to undermine our region's global economic competitiveness. Further, while it is encouraging that our regional unemployment rate has improved to pre-Great Recession levels, many of our neighbors are still struggling to make ends meet. Our region can count 100,000 additional residents living below the Federal poverty level since 2009. African American or Latino workers in the region are three times more likely to earn an income below the poverty level. Addressing our region's race, ethnicity, and gender-based income inequality is a critical challenge for our region to tackle if we want to ensure that all in our region have a fair shot at prosperity.

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian national research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, and from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management.

    Strategies for Implementing Successful IT Security Systems in Small Businesses

    Owners of small businesses who do not adequately protect business data are at high risk for a cyber attack. As data breaches against small businesses have increased, it has become a growing source of concern for consumers who rely on owners of small businesses to protect their data from data breaches. Grounded in general systems theory and routine activity approach, the focus of this qualitative multiple case study was to explore strategies used by owners of small businesses to protect confidential company data from cyber attacks. The process used for collecting data involved semistructured face-to-face interviews with 5 owners of small businesses in Florida, as well as a review of company documents that were relevant to strategies used by owners of small businesses to protect confidential company data from cyber attacks. The thematic analysis of the interview transcripts revealed 4 themes for protecting business data against cyber attacks, which are security information management strategy, organizational strategy, consistent security policy, and cybersecurity risk management strategy. A key finding is that owners of small businesses could develop an organizational strategy by incorporating procedures used to protect from and respond to cyber attacks. The implications for positive social change include the potential to increase customers’ confidence and businesses’ economic growth, as well as stimulate the socioeconomic lifecycle, resulting in potential employment gains for residents within the communities.

    Between Hype and Understatement: Reassessing Cyber Risks as a Security Strategy

    Most of the actions that fall under the trilogy of cyber crime, terrorism, and war exploit pre-existing weaknesses in the underlying technology. Because these vulnerabilities that exist in the network are not themselves illegal, they tend to be overlooked in the debate on cyber security. A UK report on the cost of cyber crime illustrates this approach. Its authors chose to exclude from their analysis the costs in anticipation of cyber crime, such as insurance costs and the costs of purchasing anti-virus software, on the basis that "these are likely to be factored into normal day-to-day expenditures for the Government, businesses, and individuals." This article contends that if these costs had been quantified and integrated into the cost of cyber crime, then the analysis would have revealed that what matters is not so much cyber crime, but the fertile terrain of vulnerabilities that unleash a range of possibilities to whomever wishes to exploit them. By downplaying the vulnerabilities, the threats represented by cyber war, cyber terrorism, and cyber crime are conversely inflated. Therefore, reassessing risk as a strategy for security in cyberspace must include acknowledgment of understated vulnerabilities, as well as a better distributed knowledge about the nature and character of the overhyped threats of cyber crime, cyber terrorism, and cyber war.