Making Sense Of Cybersecurity 1 Converted Thomas Kranz
that end. Recognizing also our responsibility to conserve the
resources of our planet, Manning books are printed on
paper that is at least 15 percent recycled and processed
without the use of elemental chlorine.
Manning Publications Co.
20 Baldwin Road
PO Box 761
Shelter Island, NY 11964
Development editor: Doug Rudder
Technical development editor: Tanya Wilke
Review editor: Ivan Martinović, Adriana Sabo
Production editor: Kathleen Rossland
Copy editor: Michele Mitchell
Proofreader: Melody Dolab
Technical proofreader: Alain Couniot
Typesetter: Dennis Dalinnik
Cover designer: Marija Tudor
ISBN: 978161728004
contents
front matter
foreword
preface
acknowledgments
about this book
about the author
about the cover illustration
1 Cybersecurity and hackers
1.1 Cybersecurity: How it has evolved
1.2 Why should you care about cybersecurity?
1.3 Who is the ideal reader for this book?
1.4 How does hacking—and defending—work?
1.5 What will you learn in this book?
1.6 What we won’t cover
Denial-of-service attacks
Encryption
1.7 What tools do you need to get started?
2 Cybersecurity: Everyone’s problem
2.1 Keeping it simple
2.2 Impacts of a security breach
2.3 Objectives of a cybersecurity strategy
Applying what we’ve learned so far
2.4 Supporting our strategy: Building a patching policy
CVEs are used to coordinate all information around a specific bug, and a
CVSS score is used to rate how serious it is
Building a patching policy
2.5 A culture of security
2.6 How ready are you?
Part 1
3 Understanding hackers
3.1 Who are the hackers?
Black hat
Grey hat
White hat
3.2 Where do they come from?
Black hat hacker: Alberto Gonzalez
Grey hat hacker: Sabu and the Anonymous collective
White hat hacker: Mudge
The hacker mindset
3.3 What are hackers capable of?
The bad guys: Black hats
The middle ground: Grey hats
The good guys: White hats
3.4 Working through a real-life problem: How do hackers
think?
Breaking a financial services website
Combining the hacker mindset with the OODA loop
4 External attacks
4.1 How do hackers get in?
Home setup
Corporate network
4.2 Data injection attacks
SQLi
Cross-site scripting
4.3 Malware: Viruses, Trojans, and ransomware
Viruses
Trojans
Ransomware
Protection
4.4 Dodgy Wi-Fi
Defenses
4.5 Mobile phones, SMS, and 5G
Malware
IMEI cloning
SMS spoofing
Problems with 5G
Keeping safe
5 Tricking our way in: Social engineering
5.1 The weakest link: People
5.2 Malicious USB
USB devices with malware
BadUSB: USB devices that attack your laptop and phone
Evil maid attacks
5.3 Targeted attacks: Phishing
5.4 Credential theft and passwords
Store passwords more securely
Make it easier to use unique, complex passwords
Stop relying on just a password to protect your accounts
5.5 Building access cards
6 Internal attacks
6.1 What happens after they get in?
6.2 Gaining more control: Privilege escalation
6.3 Data theft
Advanced persistent threat
Making money from stolen financial details
Making money from ID theft
6.4 Insider threats
6.5 “Blast radius”: Limiting the damage
AI, machine learning, behavioral analysis, and snake oil
6.6 Building your castle: Defense in depth
Perimeter security: Build a wall
Zero trust: The attackers are everywhere
7 The Dark Web: Where is stolen data traded?
7.1 What is the Dark Web?
TOR
I2P
Freenet
7.2 How to access the Dark Web
Precautions
7.3 How is the Dark Web used?
Illegal weapons
Illegal drugs
Hackers for hire
Hacktivism
Evading censorship
Making money from stolen data
Bitcoin
Part 2
8 Understanding risk
8.1 Issues vs. vulnerabilities vs. threats vs. risks
8.2 How likely is a hack?
8.3 How bad will it be?
Common Vulnerability Scoring System
CVE Vector
Making things personal
8.4 A simple model to measure risk
8.5 How do I measure and communicate this?
Page 1: Our security matrix
Page 2: Our vulnerabilities
Page 3: Our security roadmap
Page 4: Information and actions
9 Testing your systems
9.1 How are vulnerabilities discovered?
An attacker has exploited a vulnerability
A stranger has found what they think is a vulnerability
A vendor has released a security advisory
9.2 Vulnerability management
Vulnerability life cycle management
Vulnerability scanning workflow
9.3 Break your own stuff: Penetration testing
Defining the scope
Carrying out the test
The report
9.4 Getting expert help: Bug bounties
9.5 Breaking in: Physical penetration testing
Why is physical penetration testing not carried out?
Why does physical penetration testing matter?
What should a physical penetration test cover?
9.6 Red teams and blue teams
Red team
Blue team
Other “colors of the rainbow” teams
Keeping your staff
10 Inside the security operations center
10.1 Know what’s happening: Logging and monitoring
Logging
Monitoring
10.2 Dealing with attacks: Incident response
10.3 Keeping track of everything: Security Information and
Event Management
10.4 Gaining intelligence: Data feeds
11 Protecting the people
11.1 Don’t play the blame game
11.2 MFA
11.3 Protecting from ransomware
Make sure everyone has antimalware software installed
Make it easy to install legitimate software
Backups
11.4 Education and support
Regular email newsletters
Lunchtime talks
Security concierge or security champion
Live exercises
12 After the hack
12.1 Responding to a breach
Asset ownership
Business continuity process
Data/system restore
PR/media communications
Internal notification/communication groups
Customer communications policy
Cyber insurance policies
Legal team involvement/advice
Law enforcement engagement policy
Country-specific data controller communications
12.2 Where to get help?
Cyber insurance providers
Legal teams
Law enforcement agencies
Country-specific data controller organizations
Hosting providers
12.3 What to do next?
12.4 Lessons learned
index
front matter
foreword
As a cybersecurity researcher, it’s my job to try to
understand how a specific technology works, try to find
ways to break it, and find ways to fix it or prevent attacks
from happening. Even before starting my professional
career, I was involved in various hacking activities or
“hobbies,” some of which were not legal and came with
consequences.
I first met the author, Tom Kranz, in London during my first
face-to-face interview with a consulting company. He
eventually became my line manager. Tom has a way of
simplifying complex problems into bite-sized chunks,
making them easier to digest and implement.
When it comes to technology and cybersecurity, most
people don’t really think about how things work; they only
care that it works. This lack of diligent preparation makes it
almost impossible to keep information secure and opens the
door for security breaches. Making Sense of Cybersecurity
guides readers through what it takes to identify real-world
threats and create strategies to combat them.
Understanding how attackers think and act, knowing what
to protect, and devising defenses against attacks are vital
to protecting our data, assets, and businesses. This book
provides a great introduction to the fascinating (and
entertaining) world of cybersecurity.
—Naz Markuta
Cybersecurity Researcher
preface
I started out in the 80s as a 10-year-old armed with a BBC
Micro, a modem, and illicit access to British Telecom’s
Prestel system. The tools have changed since then, but not
much else has.
Technology has always fascinated me since those early days
in the home computing revolution. My summer job turned
into full-time employment as a PC and network support
engineer back in the heady days of Novell Netware and
Lotus cc:Mail. Finding out how stuff worked was difficult:
you had to pay a lot of money to get technical manuals, and
even more money to license the software. Hunting on
bulletin board systems (BBSs) and early FTP sites for text
files and trading with other knowledge-starved acolytes
became a way of life. Stumbling on Phrack and 2600 ezines
was a revelation.
I spent most of the late 90s building, protecting, and
breaking into SUN Microsystems and Silicon Graphics UNIX
systems, getting involved in the fledgling internet and high-
end, high-performance computing. I deployed early
intrusion detection systems (IDSs) to protect the systems
I’d designed and built from people like me, and Marcus J.
Ranum (firewall and security guru) scared the hell out of me
by calling out of the blue from the US to see what I thought
of his Network Flight Recorder product.
I’ve always gone where the technology was cool, the people
fun, and the problems tough. Consequently, I’ve been
involved in some amazing things: a stint at Lucent Labs in
the UK was fascinating (getting an email from Dennis
Ritchie was like getting a benediction from the Pope),
working at various gambling start-ups was hilarious, and
I’ve been able to do cool things like design and build a fault-
tolerant system that was used daily by a third of the UK
population.
The emergence of PDAs, and then mobile phones, was a
real game-changer. War dialing with a Palm III PDA and
modem, tucked into the false ceiling of an office, soon led
to usable, powerful, portable computing from Nokia’s
Communicator phones.
The technology has improved in leaps and bounds, even if
the innovative giants that got us here are no longer with us.
I saved up £100 to buy a 32 MB—yes, that’s megabytes—
memory expansion I had to hand-solder for my BBC Micro.
And my mobile phone now has a 512 GB memory card
that’s the size of my fingernail.
At the same time, the fundamentals—the basics of what
makes everything around us work—have been abstracted
and hidden. While computers have become easier to use,
they’ve been deliberately made more difficult to
understand. And that’s a problem, because the security
issues we had almost 40 years ago (weak passwords, badly
written software, poorly protected systems) are still present
today.
I’ve enjoyed a long and endlessly entertaining career
building interesting things, breaking them, and then trying
to protect them from someone else breaking them. That’s
been distilled down into the book you’re now reading, and I
hope you have as much fun learning about this as I did.
acknowledgments
Writing a book is a great deal of hard work, and not just for
me. An amazing group of people have helped behind the
scenes to produce this fabulous tome you now read.
Thanks to Emma, who has been patient and supportive
while I’ve been putting this book together.
Mick Sheppard, Steve Cargill, Jeff Dunham, Naz Markuta,
and Orson Mosley have been bad and good influences in
equal measures, as good friends should be. Thank you for
putting up with my antics over the years; I wouldn’t be
where I am today without you all.
The team at Manning deserves a special mention: Mike
Stephens, for taking on a book that was a bit different; and
Deborah Bailey, Heidi Nobles, and Doug Rudder have been
tireless, patient, and enormously helpful and supportive
editors. I’m glad I was able to give you a few laughs as the
book took shape. A special thanks to Naz Markuta for kindly
writing the foreword and to Alain Couniot for his thorough
(and thoroughly helpful) technical proofreading. Behind
them stands the rest of the Manning team, without whom
you wouldn’t be reading this now; they have all been
amazing.
I’d also like to thank the reviewers who took the time to
read my manuscript at various stages during its
development and who provided invaluable feedback: Alex
Saez, Amit Lamba, Andi Schabus, Chad Davis, Craig Smith,
Deniz Vehbi, Derek Hampton, Desmond Horsley, Deshuang
Tang, Eric Cantuba, Ethien Daniel Salinas Domínguez,
Fernando Bernardino, Frankie Thomas-Hockey, George
Onofrei, Gustavo Velasco-Hernandez, Henrik Kramselund
Jereminsen, Hilde Van Gysel, Hugo Sousa, Iyabo Sindiku,
Jean-Baptiste Bang Nteme, Jens Hansen, Josiah Dykstra,
Karthikeyarajan Rajendran, Leonardo Anastasia, Mikael
Byström, Milorad Imbra, Najeeb Arif, Neil Croll, Peter
Sellars, Pethuru Raj, Pierluigi Riti, Ranjit Sahai, Ravi
Prakash Giri, Roman Zhuzha, Ron Cranston, Satej Sahu,
Scott Hurst, Stanley Anozie, Sujith Surendranathan, Sune
Lomholt, Thomas Fischer, Veena Garapaty, William Mitchell,
and Zoheb Ainapore.
Lastly, a big shout out to the groups, personalities, heroes,
and villains of the hacking scene, from its formative years in
the 80s to the industry-defining juggernaut it has now
become. We’ve lost some things, gained some others, but
security will always have its rough edges—and that’s the
way it should be.
about this book
Making Sense of Cybersecurity was written to demystify
cybersecurity for you. It begins by focusing on the
attackers: how they think, their motivations, and their most
common and popular attacks. The second half deals with
the defenders: armed with the knowledge of how the
attackers work, you’ll learn the best approaches to
successful defense and how to recover from the inevitable
breach.
Who should read this book
Making Sense of Cybersecurity is for anyone who is
interested in learning more about cybersecurity but doesn’t
necessarily have a security or technology background. While
there are a number of excellent books aimed at experienced
cybersecurity professionals, this book brings together
foundational concepts for the attack, defense, and
management of cybersecurity in a clear, easy-to-read style
that will benefit project managers, developers, team leads,
and managers interested in knowing more about
cybersecurity.
How this book is organized: A roadmap
The first two chapters of the book introduce core concepts
about cybersecurity, strategies, and vulnerabilities. Then the
book is divided into two sections, covering 10 chapters. Part
1 covers how to think like the bad guys, explaining their
motivations and methods:
Chapter 3 discusses the different classifications of
hackers in the industry, as well as their motivations and
mindsets, with some examples of (in)famous figures
from across the spectrum.
Chapter 4 describes the most common external attacks,
from data injection and malware to dodgy Wi-Fi and
mobile networks.
Chapter 5 continues the theme of how attacks work by
diving into social engineering.
Chapter 6 then looks at the other side of the coin: what
attackers do once they are inside your organization and
how to spot and deal with inside attackers.
Chapter 7 wraps up part 1 by looking at where
attackers go to sell and trade their illicit data hauls: the
Dark Web.
Part 2 explains how to think like the good guys and looks at
building out successful defenses against the attacks from
part 1:
Chapter 8 dives into a commonly misunderstood but
important area of cybersecurity: risk management.
Chapter 9 discusses how to test your own systems and
discover vulnerabilities, covering penetration testing,
bug bounty programs, and dedicated hacking teams.
Chapter 10 builds on chapters 8 and 9 by describing
how security operations work, covering the key areas of
monitoring, alerting, and incident response.
Chapter 11 describes how to protect our most valuable
asset—and biggest danger—our people.
Chapter 12 ends the book by looking at what to do after
the inevitable hack: how to recover, whom to get help
from, and how to improve for the next attack.
While you can dip in and out of chapters based on interest,
you’ll get the most out of the book by reading part 1 first.
Understanding how attackers think and how their most
successful and common attacks work is a prerequisite to
being able to build out effective defenses. Part 2 can then
be tackled in any order, based on the reader’s particular
needs.
liveBook discussion forum
Purchase of Making Sense of Cybersecurity includes free
access to liveBook, Manning’s online reading platform. Using
liveBook’s exclusive discussion features, you can attach
comments to the book globally or to specific sections or
paragraphs. It’s easy to make notes for yourself, ask and
answer technical questions, and receive help from the
author and other users. To access the forum, go to
https://livebook.manning.com/book/making-sense-of-cybersecurity/discussion. You can also learn more about
Manning’s forums and the rules of conduct at
https://livebook.manning.com/discussion.
Manning’s commitment to our readers is to provide a venue
where a meaningful dialogue between individual readers
and between readers and the author can take place. It is
not a commitment to any specific amount of participation on
the part of the author, whose contribution to the forum
remains voluntary (and unpaid). We suggest you try asking
the author some challenging questions lest his interest
stray! The forum and the archives of previous discussions
will be accessible from the publisher’s website as long as
the book is in print.
about the author
Tom Kranz is a cybersecurity consultant who helps
organizations understand and address cybersecurity threats
and issues. Tom’s career has spanned 30 years as a
cybersecurity and IT consultant. After a successful career
helping UK government departments and private-sector
clients (including Betfair, Accenture, Sainsburys, Fidelity
International, and Toyota), Tom now advises and supports
organizations on their cybersecurity strategy and
challenges.
Tom lives with his partner in Italy, where they rehabilitate
their collection of rescue dogs and cats, as well as manage
their many opinionated ducks, some angry goats, and a
cuddly wild boar.
about the cover illustration
The figure on the cover of Making Sense of Cybersecurity is
“Bavarois,” or “Bavarian,” from a collection by Jacques
Grasset de Saint-Sauveur, published in 1788. Each
illustration is finely drawn and colored by hand.
In those days, it was easy to identify where people lived
and what their trade or station in life was just by their
dress. Manning celebrates the inventiveness and initiative of
the computer business with book covers based on the rich
diversity of regional culture centuries ago, brought back to
life by pictures from collections such as this one.
1 Cybersecurity and hackers
This chapter covers
What cybersecurity is
The ideal reader for this book
What is and isn’t possible with cybersecurity
A mental model for approaching cybersecurity
What you will learn in this book and what we won’t be covering
Warwick Castle, in England, sits on a cliff overlooking the
river Avon, in rural Warwickshire. Built by William the
Conqueror in 1068, it’s been updated and enlarged over the
centuries.
Castles have a simple job: to serve as obvious, strong
defenses, protecting valuable assets. Giant stone purses,
castles also naturally became centers of commerce, meeting
places for merchants and decision makers—places of power
and wealth.
The problem is that a castle is not subtle; a castle is a giant
marker saying, “Here’s where the good stuff is!” The
defenders have to be constantly vigilant, and attacks can
come from anywhere and at any time. You can’t just move
your castle to a new location after it’s been attacked a few
times.
The defenders have to be successful every single time. One
failure on their part means the castle falls. Attackers, on the
other hand, can try as many times as possible to get in;
they just need to be successful once.
This constant vigilance defines cybersecurity. Our businesses
are online around the clock, with valuable assets (data) used
for commerce, communication, and decision making.
Warwick Castle changed radically over the years in response
to new methods of attack. As attackers tried digging under
the walls, lighting the castle on fire, chucking big rocks at it,
and blasting it with cannons, the castle was changed and
updated to continue protecting its occupants and their
assets.
This determined adaptability is key to developing a
cybersecurity strategy. We work out who attacks us and
how, and then change our defenses to keep us secure.
There is no such thing as perfect security; there is only
better security. Warwick Castle survived because the
occupants were constantly refining it to provide better
security. This book will teach the mindset and techniques we
need to build our own Warwick Castles, helping us defend
against the new types of attackers we face.
1.1 Cybersecurity: How it has evolved
In the 80s, a film called WarGames first brought hacking to
the attention of the general public. Back then, many systems
didn’t have passwords and could be directly accessed via the
phone line using a modem. In the UK, Robert Schifreen and
Stephen Gold demonstrated how easy it was to break into a
national system called Prestel, leading to the introduction of
the 1990 Computer Misuse Act.
In the United States, in the middle of increasing Cold War
hysteria, WarGames prompted authorities to sit up and take
notice. Hackers were headlines, laws were passed, systems
were locked down, and hackers started going to jail. Bruce
Sterling’s book The Hacker Crackdown is an excellent and
entertaining account of those exciting times.
We’ve moved on from WarGames and the threat of a hacker
starting nuclear war. Stealing money and information
remains as popular as it was back then, but now attackers
can control cars and interfere with and damage industrial
systems, and rogue tweets can tank the stock market.
As computers and technology have become more complex
and embedded in more aspects of our lives, the threats from
poor cybersecurity have changed as well.
The one constant truth is that everyone will be hacked at
some point. There is no such thing as perfect security, and it
is impossible to be completely secure. How many of these
incidents have you read about, or experienced yourself?
Bogus charges on our credit cards
Accidentally getting a virus on our computer from
downloaded software or music
Having to freeze an account and get a new card from the
bank after our card details were stolen in a big data
breach
But how much worse can hacks get?
Let’s look at an example that had a real financial impact.
How about crashing the stock market with false information?
Back in 2013, Syrian hackers managed to gain control of the
Associated Press’s Twitter account. The hackers tweeted that
the US president, Barack Obama, had been injured in an
explosion at the White House—shocking news that was seen
by the AP account’s 2 million followers, and retweeted over
1,500 times. The markets reacted immediately, with the
Dow crashing 150 points, wiping out $136 billion in equity
market value. The impact was short lived, however; it took
less than 10 minutes for a retraction and confirmation that it
was a hoax. Once the tweet was confirmed as bogus, the
Dow recovered back to its original position.
How about something really fun, such as remotely taking
control of a car? Back in 2015, researchers Charlie Miller and
Chris Valasek did exactly this with a Jeep Cherokee. They
found a vulnerability in the Jeep’s entertainment software
and were able to come up with a way to remotely take
control of the car’s various computers and systems.
Famously, they brought the car to a complete halt on the
highway, with Wired journalist Andy Greenberg inside,
frantically flooring the accelerator pedal to try and keep
speed up. Fiat Chrysler Automobiles (FCA, the owner of Jeep
at the time) quickly developed a patch and issued a recall
notice.
The following year, at the Black Hat security conference in
Las Vegas, Miller and Valasek showed how they could now
control the steering and brakes as well. This time they
needed a laptop that was physically in the car and
connected; but now, with the tiny size of computers, it
would be possible to hide a miniature computer in a
compromised car and remotely control it.
These examples seem like they’ve come straight out of an
outrageous Hollywood hacking film like Swordfish, but
they’re just examples of people trying to get computers to
do something unexpected. No matter how good our security
is, we will all struggle in the face of a determined, hostile
nation’s hacking teams.
What good cybersecurity can do, though, is give you a better
chance to defend against the easy, common attacks, to
make it more difficult for hackers to get in, to make it easier
to spot them once they’re in, and to make it easier for you
to recover.
1.2 Why should you care about
cybersecurity?
Today, everyone—everyone—will get hacked. Defense is
hard, as the various inhabitants of Warwick Castle found
over the centuries. Larger, more grandiose castles fell, but
Warwick survived.
As technology becomes more deeply embedded in our lives,
it becomes both more complex and more hidden. We carry
around mobile phones with the computing power and
complexity of supercomputers from less than 20 years ago.
The batteries we use in our laptops have processors in them
and run their own software.
Our cars are complex networks of computers, with most of
the major functions—engine management, braking, even
putting the power down on the road—controlled by
computers (even my old Fiat Panda 4x4 has a few
computers hidden away). Technology controls and manages
all aspects of our personal and professional lives: our
employment history, our finances, our communications, our
governments.
Like the defenders of Warwick Castle, we cannot defend
ourselves and the things we value unless we understand
how the attackers work. How can our technology be abused?
Where is it unsafe? Is that relevant to me personally? Will it
affect my job, my project, my company?
Nothing is perfectly secure, but armed with this knowledge,
we can provide ourselves with better security to better
protect ourselves.
1.3 Who is the ideal reader for this
book?
You don’t have to be involved in cybersecurity, have any
security knowledge, or even work in IT. You’ve read about
security breaches, hacking, and cybersecurity in the
mainstream press. You’ve read—and seen—that bad people
are doing scary things with technology.
How much of that is hype, made up for the headlines and
the article clicks? Can hackers really do all that? How can
they be stopped? What if it happens to me?
You want to understand the real-world threats to you and
your work and what you can do to protect yourself, your
code, your project, and your business.
Team leaders, project managers, executives, and developers:
if you work with or are affected by IT and computers, then
cybersecurity, and understanding how and why hackers work, is
going to be important to you.
1.4 How does hacking—and defending
—work?
Obviously, the detailed work of cybersecurity can be
technical and complex; cybersecurity is a very wide field,
and we have entire teams of experts working together to
manage our defenses. We’ll talk about the specifics
throughout this book so that you’ll have a working
understanding of what these teams are working on and why.
But to understand how attackers and defenders think, the
best way to approach cybersecurity is to use a process called
the OODA loop.
The OODA (Observe, Orient, Decide, Act) loop was
developed by a clever chap named John Boyd in the US
Air Force. He was tasked with working out why US Air Force
pilots were losing dogfights, despite having superior
technology and better training, and this is what he came up
with (figure 1.1).
Figure 1.1 The OODA loop
The OODA loop is a powerful tool to help us. We don’t have
to be dogfighting with enemy jets; we can be defending
against a hack attack, and the process remains the same.
I was working for a large financial services organization
when we came under attack. Thousands of computers
around the world were sending requests to the web servers,
asking for random pages from a trading website. Normally,
the organization would see a few thousand requests per
minute—and their infrastructure was built to cope with that
load. What I was seeing, though, was hundreds of thousands
of requests a minute. Their website kept crashing under the
load, and no website, no trading. This was costing them
money.
Once I had an idea of what was happening, I had a crisis
meeting with the heads of the various IT teams. We needed
to work out how to respond in order to stop, or at least slow
down, the attack.
This is where the OODA loop came in handy. Here’s the
thought process used (figure 1.2).
Figure 1.2 Using the OODA loop to respond to an attack
Breaking it down into more detail:
Observe—The volume of random web server requests is
overwhelming the web servers and they are crashing.
Orient—Is there a pattern to the requests? Do the
requests themselves have any common identifying
information?
Decide—Can we configure our firewalls to spot these
requests and then block them?
Act—Let’s set a timeframe for analysis of the attacks (in
this case, an hour), and if that’s successful, then another
timeframe for changing the firewall configuration.
Using the OODA loop in this way gives us a quick and easy
way to understand what is happening, respond, and then
reevaluate.
In this case, the requests were all being logged on the web
servers. I found that each request contained a specific string
of text left there by the automated tool that attackers were
using to launch the attack. The network team then
reconfigured the firewalls to block any request that
contained that text pattern.
This took less than 45 minutes, and once the firewalls were
updated, the attacks were stopped successfully. This gave
the teams breathing space to restart the crashed web
servers and fix other bits of infrastructure that had crashed
as well. Now that we knew what to look for, I was able to
share that information with the hosting company that
provided our connectivity. They were able to block all of
those malicious requests from entering any of their networks
and reported back that after a few hours, the attackers had
given up and turned off the attack.
Good, effective cybersecurity is all about using the OODA
loop and its feedback to improve our defenses in a relevant,
proportional way.
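The loop described above, as an added example that is not from the book: a short Python script that walks Observe, Orient and Decide over constructed web server access-log lines, flags the minute whose request count is far above the known baseline, finds the field value the flood requests share, and rejects a candidate pattern (the empty Referer) that would also block legitimate customers before rendering the rule the network team would push. The log format, the "ScriptedFlood/1.0" tool signature and the DENY rule syntax are assumptions for illustration, not anything the book describes.

```python
"""OODA loop over web access logs: Observe (volume), Orient (shared pattern),
Decide (does the pattern spare legitimate traffic?), Act (render block rule).
All log lines, the "ScriptedFlood/1.0" signature and the rule syntax are constructed."""
import re
from collections import Counter

# Apache/nginx "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "14/Mar/2023:10:01:17 +0000" -> "14/Mar/2023:10:01" (bucket requests by minute)
    rec["minute"] = rec["ts"][:17]
    return rec


def build_sample_log():
    """Constructed traffic: a quiet minute (10:00), then a flood minute (10:01) in
    which three real customers are mixed in with 60 scripted requests that all carry
    the same made-up tool signature in the User-Agent header."""
    browsers = ["Mozilla/5.0 (Windows NT 10.0)", "Mozilla/5.0 (X11; Linux x86_64)"]
    lines = []
    for i in range(6):          # baseline: 6 requests in the quiet minute
        lines.append(f'203.0.113.{i} - - [14/Mar/2023:10:00:{10 + i:02d} +0000] '
                     f'"GET /trade HTTP/1.1" 200 512 "-" "{browsers[i % 2]}"')
    for i in range(3):          # legitimate requests during the flood minute
        lines.append(f'203.0.113.{20 + i} - - [14/Mar/2023:10:01:{5 + i:02d} +0000] '
                     f'"GET /quotes HTTP/1.1" 200 820 "-" "{browsers[i % 2]}"')
    for i in range(60):         # flood: many sources, random paths, one shared User-Agent
        lines.append(f'198.51.100.{i % 50} - - [14/Mar/2023:10:01:{i % 60:02d} +0000] '
                     f'"GET /q{i:03d} HTTP/1.1" 503 0 "-" "ScriptedFlood/1.0"')
    return lines


def observe(records, baseline_rpm, factor=5):
    """Observe: the minutes whose request count exceeds factor x the known baseline."""
    per_minute = Counter(r["minute"] for r in records)
    return sorted(m for m, n in per_minute.items() if n > factor * baseline_rpm)


def orient(records, flood_minutes, fields=("ua", "path", "ip", "referer")):
    """Orient: for each candidate field, the single value shared by the largest
    share of flood-minute requests, returned best-covering first."""
    flood = [r for r in records if r["minute"] in flood_minutes]
    candidates = []
    for field in fields:
        value, hits = Counter(r[field] for r in flood).most_common(1)[0]
        candidates.append((field, value, hits / len(flood)))
    return sorted(candidates, key=lambda c: c[2], reverse=True)


def decide(records, flood_minutes, candidates, min_share=0.8, max_collateral=0.0):
    """Decide: accept the first pattern covering at least min_share of the flood AND
    matching no more than max_collateral of the traffic seen in normal minutes.
    A value every request carries (here the empty Referer "-") covers the flood
    perfectly but would also lock out every real customer, so it is rejected."""
    normal = [r for r in records if r["minute"] not in flood_minutes]
    for field, value, share in candidates:
        collateral = sum(r[field] == value for r in normal) / max(len(normal), 1)
        if share >= min_share and collateral <= max_collateral:
            return {"field": field, "match": value,
                    "flood_share": share, "collateral": collateral}
    return None


def act(rule):
    """Act: express the decision as a block rule (illustrative syntax, not a vendor's)."""
    return f'DENY http-request WHERE {rule["field"]} == "{rule["match"]}"'


def run_loop(lines, baseline_rpm):
    """One pass around the loop; returns what each step found, or None if no flood."""
    records = [r for r in map(parse_line, lines) if r]
    flood_minutes = set(observe(records, baseline_rpm))
    if not flood_minutes:
        return None
    candidates = orient(records, flood_minutes)
    return {"flood_minutes": sorted(flood_minutes), "candidates": candidates,
            "rule": decide(records, flood_minutes, candidates)}


if __name__ == "__main__":
    result = run_loop(build_sample_log(), baseline_rpm=6)
    print("Observe: flood in minute(s)", result["flood_minutes"])
    for field, value, share in result["candidates"]:
        print(f"Orient:  {field}={value!r} covers {share:.0%} of flood requests")
    print("Decide:  block on", result["rule"]["field"], "=", result["rule"]["match"])
    print("Act:    ", act(result["rule"]))
```

Re-running the loop after the rule is applied (the book's reevaluate step) is just `run_loop` over the next minute's log with the same baseline; if it still returns a flood, Orient starts again with whatever the attackers changed.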
1.5 What will you learn in this book?
Hacking is a mindset, a way of looking at things and
wondering “What happens if I do this?” Like technology,
hacking is neither bad nor good; the techniques we use for
breaking into a system are the same ones we need to know
in order to protect that system.
Robert Morris was a student at Cornell University in 1988.
He wanted to write a program that would check other
computers on the network for a handful of known security
flaws in common services. This sort of program was called a
worm—it would infect one system, then springboard from
there to another, and another. Morris wrote the worm so that
it would check to see if a system was already infected, but
he was worried about mistakes, so he made one of his own
—a big one. Randomly, the worm would infect a system,
regardless of whether a copy was already running.
Morris’s worm was hugely successful in mapping out how
many systems had the security flaws—too successful. The
worm rampaged across the internet, infecting tens of
thousands of key computers. Worse still, because of Morris’s
programming error, multiple copies of the worm kept re-
infecting these computers, slowing them to a crawl.
The internet was much smaller back then, and having to
shut down large chunks of it for days while systems were
patched and disinfected caused a huge disruption. Morris
was swiftly arrested, and after appeal received 400 hours of
community service and a $10,050 fine. The Government Accountability Office in the United States estimated the cost of cleaning up to run into millions of dollars.
The icing on the cake? Morris’s dad was chief scientist at the
National Computer Security Center, a division of the National
Security Agency (NSA), the secretive US spy agency.
I’m going to show you how hackers think by using the most
common, effective, and easy attacks that I see happening
time and again, simple security flaws that are easily fixed—
like the ones Morris exploited with his worm. Once we know
how and why the attackers work, we can start to put in
place relevant, proportional defenses, leveraging models like
the OODA loop to make sure what we’re doing is actually
working.
What you’ll learn is not just how to defend yourself against
these common attacks, but also to build on that
understanding to start thinking like a hacker. What if you
were Robert Morris? How would you try to check the security
of hundreds of computers on the network? Once you start
thinking like a hacker, you can anticipate and defend against
their attacks. That hacker mindset is the key skill that will
help you improve your security everywhere. As the well-
known security guru Yoda said, “Named must be your fear,
before banish it you can.”
1.6 What we won’t cover
Cybersecurity is a broad and deep topic that covers everything from programming and hardware to behavioral analysis. There are a couple of common security topics that we deliberately won’t cover, though.
1.6.1 Denial-of-service attacks
Denial of service (DoS) and distributed denial of service
(DDoS) attacks are types of attacks that overwhelm a server
with requests until it is unable to respond. A DoS attack uses
a handful of machines to overwhelm a server. A DDoS attack
uses many thousands of compromised computers in the
attack.
Think of how busy your favorite coffee shop gets. Imagine
what happens if I ask 50, 100, or even 200 people to show
up and try to order coffee. You wouldn’t be able to even get
in, let alone order a decent espresso. This is what a DoS
attack is.
Although they used to be popular, with most people
migrating their services to the cloud, DoS attacks are
becoming less successful. Internet service providers (ISPs)
and cloud service providers (CSPs) have also invested
heavily in technology that mitigates the effects of a DoS
attack.
Thanks to this, we’re seeing far fewer DoS attacks, and their relevance and impact are waning. As these attacks are dealt with by cloud providers and ISPs, there’s not much we can do about them, so we’ll pass over DoS attacks.
1.6.2 Encryption
Encryption is the process of taking data, converting it to meaningless numbers and letters to secure it, and then converting this back to meaningful data.
We hear a lot about encryption for online banking and
instant messaging. Let’s quickly look at how encryption is
used for a banking app in your phone in figure 1.3.
Figure 1.3 How encryption is used to protect transmitted data in
a mobile banking application. Note that, at some point, the
sensitive data at both ends must be unencrypted.
Your data—your bank details, account balance, and so on—is in clear text on your phone. Then, your banking app encrypts the data to transfer it to the bank’s application servers. Once there, the data is decrypted—turned back into plain text.
Encryption is a well-understood and mature technology. For
decades, it’s been good enough to defeat attempts to break
it by state actors and well-funded adversaries, and it’s
constantly being refined and improved in the face of these
attacks.
As an attacker, it’s much easier and quicker for me to try
and attack your phone or the bank’s servers than it is to try
and attack the encryption mechanism. The data is in plain
text on your phone and on the server, and that’s much
easier to try and grab.
There is already a host of excellent books out there that
specialize in understanding encryption and cryptographic
attacks, but that is an advanced topic with an extra-heavy
serving of complex mathematics. This book is focused on the
most common attacks, so we’ll skip encryption. But later on,
in chapter 5, we’ll look at encryption’s close cousin—hashing
—as a way of protecting and securing passwords and
credentials.
If you’re interested in learning more about encryption and
the complex mathematics behind it, I can highly recommend
reading Cryptography Engineering by Bruce Schneier et al.
(Wiley, 2010) and Applied Cryptography, also by Bruce
Schneier (Wiley, 2015).
1.7 What tools do you need to get started?
You need a computer, an internet connection, and a curious
mind. It doesn’t get much easier than that.
Later on in the book, I’ll show you how to download and
install tools to access the Dark Web, and we’ll take a look at
some nifty, inexpensive hardware to protect against USB
attacks. Let’s get started!
Summary
Threats from poor cybersecurity have increased as computers and technology have become more complex and integrated into our lives.
Good cybersecurity can provide a better chance of defending against common attacks, make it more difficult for hackers to succeed, make it easier to identify when they’re in, and help you recover from an attack.
The OODA loop provides a powerful method to defend against attacks.
Effective cybersecurity entails using the OODA loop and the feedback gained from it to enhance our defenses in a relevant, proportional, and sustainable way.
2 Cybersecurity: Everyone’s problem
This chapter covers
Developing a list of organizational assets that hackers might target
Building a profile of potential attackers based on your assets
Evaluating your existing defenses
Using the three pillars of a successful cybersecurity strategy (relevant, proportional, and sustainable)
Using CVE details and CVSS to understand and prioritize newly discovered security issues
Everyone will get hacked. No matter how great your
defenses are or how well prepared you are, it’s a matter of
when, not if. It happens to us all. Companies can spend
millions of dollars on security tools and technologies and still
end up in the news for a massive data breach. The important
thing, then, is to be prepared for the hack and be able to
respond and recover quickly. I want to help you achieve this
through better security, and this chapter is all about
understanding and building the fundamental skills and
concepts you’ll need.
In chapter 1, we walked through some real-world impacts of a security breach. Now we’ll look at what underpins a successful cybersecurity strategy and what its objectives should be. Building on that, we’ll learn how to communicate, measure, and patch vulnerabilities, which will then feed into sustaining a culture of security in your organization. Finally, we’ll finish up by working through an exercise to see how prepared you are and how to start building your own security strategy.
By the end of this chapter, you’ll be able to use these skills
to assess your security, as well as the security of your
project, team, or even entire company.
2.1 Keeping it simple
There’s a lot of fluff out there, and entire companies are
devoted to not only selling a security framework, but then
selling you consultancy to understand and use it, the classic
“steal your watch to tell the time” consultant approach. I
worked with a client who was undertaking a billion-dollar
modernization project, where a team of consultants was
trying to sell the program leadership on a strategy revolving
around equations to measure risks. They weren’t making
much progress. I left behind algebra at school, and I can’t
think of anyone who’d want to revisit it when dealing with
hacking and digital transformation.
We can cut through the noise, though, and boil everything
down to the three factors of cybersecurity (see figure 2.1).
Figure 2.1 Three factors of cybersecurity. These three questions—and their answers—are the cornerstone of any successful cybersecurity strategy.
These three factors are the simplest and fastest way to understand your current situation:
What assets do you have? What valuables do you have that you want to protect? Customer data? Source code? Confidential business data?
Who would want to attack you? This builds on the first question—who would want to steal your assets? Why would they want to take them, and what would they do with them?
What defenses do you have? Now that we have a good idea of what we want to protect and from whom, we need to look at what things we already have in place to protect them. Are we using antivirus software? Do we have firewalls to filter malicious data? Do we have a dedicated security team protecting our IT? Are we using unique passwords on our different accounts?
Each of the three factors builds on the previous one. As we
work our way around the loop, answering each question, we
build up a picture of what we need to protect and where the
gaps are in that protection.
Let’s walk through two large-scale data breaches from the
last few years and see how we can apply these three factors
to model and understand the two very different responses to
these attacks.
2.2 Impacts of a security breach
Having a sensible security strategy makes the difference
between being devastated by a hack or moving on from just
another business disruption. In 2017, Equifax (the credit
scoring and reporting company) came clean about a data
breach they had suffered some months earlier.
The data that was stolen was pretty comprehensive: 146 million names, birth dates, and social security numbers; 99 million addresses; 209,000 payment card details; 38,000 drivers’ licenses; and 3,200 passports—a field day for identity thieves, from a company that sells, among other things, identity theft protection.
The root cause was a vulnerability in the Apache Struts
software framework that some of Equifax’s applications
used. The vulnerability—and its patch—were disclosed in
March 2017. Equifax failed to fix the problem and was
breached in July of that year. Although they first noticed it
and announced the breach in September 2017, they didn’t
know the full extent of the data that had been taken until
much later.
Equifax’s problem wasn’t just with a software vulnerability in
Apache Struts; what also helped the hackers was an
insecure network design, inadequate encryption of
personally identifiable information, and an ineffective ability
to detect the data breach. Not only did this make it easier
for the hackers to get in, it also meant that Equifax took
almost a year—with outside help—to discover the full impact
of the breach. They literally didn’t know what the hackers
had taken.
The fallout for Equifax was severe. For months after the
announcement, their systems kept crashing due to the
volume of people trying to log on to check and freeze their
credit files.
The US Federal Trade Commission (FTC) agreed to a settlement in 2019 with Equifax after a raft of lawsuits against the company. Equifax ultimately ended up paying $300 million to a fund for victim compensation, $175 million to the US states and territories in the FTC agreement, and $100 million to the Consumer Financial Protection Bureau (CFPB).
In December 2018, Quora—the “question and answer”
website—suffered a data breach. Almost 100 million user
accounts had their information taken, which included users’
names, email addresses, encrypted passwords, questions
they had asked, and answers they had written.
The breach happened on a Friday, and on Monday, Quora
issued a statement to the press and all users detailing the
full extent of the breach. They confirmed password
information was secure, as it had been encrypted, but
enforced a site-wide password reset for users just to be
safe.
The insecure database server that was the cause of the
breach had been patched and secured by the time of
Monday’s announcement. By May 2019, Quora was valued at
$2 billion as a company and was finalizing a $60 million
investment round.
Two huge headline-making hacks, with similar amounts of
data, and two very different outcomes. The Equifax saga is
still dragging on, and they have had to pay $575 million in
financial penalties, while Quora continues to gain users and
revenue. Why the disparity? Let’s revisit our three factors of
cybersecurity (see figure 2.2).