References

Risk Management

Every action or decision comes with a level of risk, and that's perfectly fine. The key is understanding these risks and taking the ones we can afford. This art is called Risk Management.

• Computer Security Resource Center (CSRC) at US NIST The Computer Security Resource Center (CSRC) has information on many of NIST's cybersecurity- and information security-related projects, publications, news and events. CSRC supports people and organisations in government, industry, and academia—both in the U.S. and internationally.
  • NIST Risk Management Framework
  • NIST Guide for Conducting Risk Assessments (NIST SP 800-30)
  • NIST Guide for Developing Security Plans for Federal Information Systems (NIST SP 800-18)
  • NIST Managing Information Security Risk: Organization, Mission, and Information System View (NIST SP 800-39)
• Institute of Directors New Zealand - Cyber risk practice guide
• MITRE ATT&CK Framework

Privacy

• US NIST Privacy Framework The NIST Privacy Framework is a voluntary tool developed to help organisations identify and manage privacy risks to build innovative products and services while protecting individuals’ privacy.
  • Detailed Framework (PDF)
  • Core Framework: PDF / XLSX / DOCX
  • Data Protection and Privacy Legislation Worldwide | UNCTAD
• New Zealand
  • Office of the Privacy Commissioner
  • Office of the Privacy Commissioner | Privacy Act 2020
  • Office of the Privacy Commissioner | Your privacy responsibilities
  • Office of the Privacy Commissioner | Codes of practice
  • Office of the Privacy Commissioner | E-Learning
  • Office of the Privacy Commissioner | NotifyUs - For organisations to report privacy breaches
  • Office of the Privacy Commissioner | AskUS
  • Government Chief Privacy Officer (GCPO)
  • Privacy | NZ Digital government
  • Manage a privacy programme
  • Assess privacy risk
  • Privacy incidents and breaches
  • Privacy Maturity Assessment Framework (PMAF) and self-assessments
  • Data Protection and Use Policy (DPUP)
  • Privacy organisations
  • Data privacy - data.govt.nz (for Govt)
  • Privacy law - Consumer NZ (for public)
  • Privacy Act | Consumer Protection (for public)
  • NZ Health Information Privacy Code 2020
  • Office of the Privacy Commissioner | Health Privacy Toolkit
• Australia
  • The Privacy Act - Home (oaic.gov.au)
• Europe
  • General Data Protection Regulation (GDPR) – Official Legal Text (gdpr-info.eu)
  • Office of the Privacy Commissioner | GDPR resources
• USA
  • California Consumer Privacy Act (CCPA)

Cyber Security

• US Cybersecurity & Infrastructure Security Agency (CISA)

  CISA has a lot of excellent material. Here are some of the highlights.

  • CISA Cyber Essentials Starter Kit
  • CISA Cyber Essentials Toolkits

This is a set of modules designed to break down the CISA Cyber Essentials into bite-sized actions for IT and C-suite leadership.

• Computer Security Resource Center (CSRC) at US NIST

  The Computer Security Resource Center (CSRC) has information on many of NIST's cybersecurity- and information security-related projects, publications, news and events. CSRC supports people and organisations in government, industry, and academia—both in the U.S. and internationally.

  • The NIST Cybersecurity Framework 2.0 (Draft)

This is the public draft of the NIST CSF 2.0, which replaces version 1.1, a widely used cybersecurity framework.

Incident Response

• Institute of Directors New Zealand - Cyber incident response executive checklist

Reporting

• Institute of Directors New Zealand - Reporting cybersecurity to boards

Industry Reports

Useful industry reports

• World Economic Forum - Global Cybersecurity Outlook 2023
  • Cyberattackers are more likely to focus on business disruption and reputational damage. These are the top two concerns among respondents.
• Verizon - 2023 Data Breach Investigation Report (DBIR): PDF
  • The three primary ways in which attackers access an organization are stolen credentials, by far, phishing and exploitation of vulnerabilities.
• CERT NZ - Quarterly Reports
  • Cyber Security Insights 2022Q3
  • Cyber Security Insights 2022Q2
  • Cyber Security Insights 2022Q1
• Verizon - 2022 Data Breach Investigation Report (DBIR): PDF
  • 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.

Verizon - 2021 Data Breach Investigation Report (DBIR): PDF

New Zealand and Oversea's Govt

• CERT NZ
• Office of the Privacy Commissioner
  • Office of the Privacy Commissioner | E-Learning
• NZ Information Security Manual (NZISM)
• NZ Protective Security Requirements (PSR)
• Government Chief Information Security Officer (GCISO)
  • including the GCSB - NZ Information Security Manual (NZISM)
• National Cyber Security Centre (NCSC)
  • NCSC - Guidance
• NZ Digital Government - Privacy, security and risk guidance
• DIA's Risk Assessment Process
• Overseas
  • Home Page | CISA
  • https://www.ncsc.gov.uk

New Zealand Laws

• Data Protection and Privacy
  • Privacy Act 2020
• Cybercrime
  • Crime act 1961
  • Film, Videos, and Publications Classifications Act 1993
  • Search and surveillance Act 2012
  • Mutual Assistance in Criminal Matters Act 1992
• Commerce
  • Commerce and Commercial Law Act 2017
• Consumer Protection
  • Fair Trading Act, as amended in 2013
  • Consumer Guarantees Act

Privacy

• Data Protection and Privacy Legislation Worldwide | UNCTAD
• New Zealand
  • Office of the Privacy Commissioner
  • Office of the Privacy Commissioner | Privacy Act 2020
  • Office of the Privacy Commissioner | Your privacy responsibilities
  • Office of the Privacy Commissioner | Codes of practice
  • Office of the Privacy Commissioner | E-Learning
  • Office of the Privacy Commissioner | NotifyUs - For organisations to report privacy breaches
  • Office of the Privacy Commissioner | AskUS
  • Government Chief Privacy Officer (GCPO)
  • Privacy | NZ Digital government
  • Manage a privacy programme
  • Assess privacy risk
  • Privacy incidents and breaches
  • Privacy Maturity Assessment Framework (PMAF) and self-assessments
  • Data Protection and Use Policy (DPUP)
  • Privacy organisations
  • Data privacy - data.govt.nz (for Govt)
  • Privacy law - Consumer NZ (for public)
  • Privacy Act | Consumer Protection (for public)
  • NZ Health Information Privacy Code 2020
  • Office of the Privacy Commissioner | Health Privacy Toolkit
• Australia
  • The Privacy Act - Home (oaic.gov.au)
• Europe
  • General Data Protection Regulation (GDPR) – Official Legal Text (gdpr-info.eu)
  • Office of the Privacy Commissioner | GDPR resources
• USA
  • California Consumer Privacy Act (CCPA)

Threat Intelligence

• M365 Defender Threat Analytics (https://security.microsoft.com/threatanalytics3
• https://www.cert.govt.nz/
• https://www.privacy.org.nz/
• https://www.cisecurity.org/resources/?type=advisory
• https://www.cisa.gov/uscert/ncas
• https://isc.sans.edu/
• Also the relevant vendors' security notices, depending on the software/hardware we use (e.g. cisco,, fortinet,...). This is especially important for anything exposed publicly (e.g. VPN, Firewall, routers, proxy, web services...).

For digging

• Defender / Sentinel have some good tools (you need the E5 license for Defender from memory)
• https://talosintelligence.com/
• https://abuse.ch/
• https://otx.alienvault.com/

Vendors

• Microsoft Security Response Center
• Microsoft Security
• Azure Security
• Microsoft Azure Well-Architected Framework
• Architecting Cloud Native .NET Applications for Azure
• Microsoft 365 Enterprise architecture design principles

News, Blogs and Podcasts

• Risky Business (podcast and weekly news)
• The Unsupervised Learning Podcast
• Security Weekly
• The Hacker News
• Troy Hunt
• Bleeping Computer
• ThreatPost

Good Practice

• OWASP Top Ten
  • The OWASP Top 10 is the reference standard for the most critical web application security risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing your software development culture focused on producing secure code.
• OWASP Top Ten for API Security
  • API Security focuses on strategies and solutions to understand and mitigate the unique vulnerabilities and security risks of Application Programming Interfaces (APIs).
• OWASP Cheat Sheet Series
  • The OWASP Cheat Sheet Series project provides a set of concise good practice guides for application developers and defenders to follow.
• Azure security best practices and patterns
• Azure Security recommendations - a reference guide

Tools

• OWASP ZAP
  • The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by a dedicated international team of volunteers. Great for pentesters, devs, QA, and CI/CD integration.
• OWASP Dependency-Check
  • Dependency-Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies.
• OWASP Dependency-Track
  • Intelligent Component Analysis platform that allows organisations to identify and reduce risk in the software supply chain.
• OWASP OWTF
  • Offensive Web Testing Framework (OWTF), is an OWASP+PTES focused try to unite great tools and make pen testing more efficient
• CISA Free Cybersecurity Services and Tools
  • This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.

Training

• OWASP Juice Shop
  • Probably the most modern and sophisticated insecure web application for security trainings, awareness demos and CTFs. Also great voluntary guinea pig for your security tools and DevSecOps pipelines!
• OWASP Security Shepherd
  • OWASP Security Shepherd is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skillset to security expert status.
• OWASP Security Knowledge Framework
  • The OWASP Security Knowledge Framework is an open source web application that explains secure coding principles in multiple programming languages. The goal of OWASP-SKF is to help you learn and integrate security by design in your software development and build applications that are secure by design.
• AttackIQ Academy
  • In free courses taught by cybersecurity practitioners at the cutting edge of the field, students gain realistic, hands-on experience in building a threat-informed defense to improve cybersecurity effectiveness. AttackIQ Academy includes foundational, intermediate, and advanced courses in operationalizing MITRE ATT&CK®, Uniting Threat and Risk Management with NIST 800-53 and ATT&CK, Purple Teaming, and Breach and Attack Simulation, among others. Detailed learning paths guide students as they achieve course badges and certifications. AttackIQ Academy is part of the Informed Defender Community and is provided as a public service.

Testing and Frameworks

• OWASP Web Security Testing Guide
  • The Web Security Testing Guide (WSTG) Project produces the premier cybersecurity testing resource for web application developers and security professionals.
• OWASP Mobile Security Testing Guide
  • The OWASP Mobile Security Testing Guide project consists of a series of documents that establish a security standard for mobile apps and a comprehensive testing guide that covers the processes, techniques, and tools used during a mobile app security test, as well as an exhaustive set of test cases that enables testers to deliver consistent and complete results.
• OWASP Software Assurance Maturity Model (SAMM)
  • A Software Assurance Maturity Model (SAMM) that provides an effective and measurable way for all types of organisations to analyse and improve their software security posture.
• OWASP DevSecOps Maturity Model (DSOMM)
  • The DevSecOps Maturity Model shows security measures which should be applied when using DevOps strategies and how these can be prioritized, and measure the current posture.
• OWASP Application Security Verification Standard
  • The OWASP Application Security Verification Standard (ASVS) Project is a framework of security requirements that focus on defining the security controls required when designing, developing and testing modern web applications and web services.
• OWASP Security Knowledge Framework
  • The OWASP Security Knowledge Framework is an open source web application that explains secure coding principles in multiple programming languages. The goal of OWASP-SKF is to help you learn and integrate security by design in your software development and build applications that are secure by design.