
Cyber Security - Coursera

The document provides an overview of key concepts and terminology in cybersecurity, emphasizing the importance of understanding compliance, security frameworks, and various types of threats and attacks. It details the roles of security analysts, the skills required, and the significance of frameworks like NIST and GDPR in managing cybersecurity risks. Additionally, it outlines different types of hackers and their motivations, as well as ethical considerations in cybersecurity practices.

Uploaded by

6767akashsingh67

Course 1 (Foundations of Cybersecurity)

Cybersecurity (also known as security) is the practice of ensuring confidentiality, integrity, and
availability of information by protecting networks, devices, and data from unauthorized access. In this
reading, you'll be introduced to some key terms used in the cybersecurity profession. Then, you'll be
provided with a resource that's useful for staying informed about changes to cybersecurity terminology.

There are many terms and concepts that are important for security professionals to know. Being familiar
with them can help you better identify the threats that can harm organizations and people alike. A
security analyst or cybersecurity analyst focuses on monitoring networks for breaches. They also help
develop strategies to secure an organization and research information technology (IT) security trends to
remain alert and informed about potential threats. Additionally, an analyst works to prevent incidents.
In order for analysts to effectively do these types of tasks, they need to develop knowledge of the following
key concepts:

• Compliance is the process of adhering to internal standards and external regulations and enables
organizations to avoid fines, audits, and security breaches.

• Security frameworks are guidelines used for building plans to help mitigate risks and threats to data
and privacy.

• Security controls are safeguards designed to reduce specific security risks. They are used with security
frameworks to establish a strong security posture.

• Security posture is an organization's ability to manage its defense of critical assets and data and react
to change. A strong security posture leads to lower risk for the organization.

• Threat: Any circumstance or event that can negatively impact assets

• A threat actor, or malicious attacker, is any person or group who presents a security risk. This risk
can relate to computers, applications, networks, and data.

• An internal threat can be a current or former employee, an external vendor, or a trusted partner who
poses a security risk. At times, an internal threat is accidental. For example, an employee who
accidentally clicks on a malicious email link would be considered an accidental threat. Other times, the
internal threat actor intentionally engages in risky activities, such as unauthorized data access.

• Network security is the practice of keeping an organization's network infrastructure secure from
unauthorized access. This includes data, services, systems, and devices that are stored in an
organization's network.

• Cloud security is the process of ensuring that assets stored in the cloud are properly configured, or set
up correctly, and access to those assets is limited to authorized users. The cloud is a network made up of
a collection of servers or computers that store resources and data in remote physical locations known as
data centers that can be accessed via the internet. Cloud security is a growing subfield of cybersecurity
that specifically focuses on the protection of data, applications, and infrastructure in the cloud.

• Programming is a process that can be used to create a specific set of instructions.

• Personally identifiable information (PII): Any information used to infer an individual's identity.

• Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter
handling guidelines.

# Security analyst transferable skills:

• Communication

• Collaboration

• Analysis

• Problem solving

# Security analyst technical skills:

• Programming languages

• Security information and event management (SIEM) tools

• Computer forensics

# Computer virus:- Malicious code written to interfere with computer operations and cause damage to
data and software.

# Phishing:- Phishing is the use of digital communications to trick people into revealing sensitive data or
deploying malicious software.

Some of the most common types of phishing attacks today include:

1 Business Email Compromise (BEC): A threat actor sends an email message that seems to be from a
known source to make a seemingly legitimate request for information, in order to obtain a financial
advantage.

2 Spear phishing: A malicious email attack that targets a specific user or group of users. The email seems
to originate from a trusted source.

3 Whaling: A form of spear phishing. Threat actors target company executives to gain access to sensitive
data.

4 Vishing: The exploitation of electronic voice communication to obtain sensitive information or to
impersonate a known source.

5 Smishing: The use of text messages to trick users, in order to obtain sensitive information or to
impersonate a known source.

# Malware:- Malware is software designed to harm devices or networks. There are many types of
malware. The primary purpose of malware is to obtain money, or in some cases, an intelligence
advantage that can be used against a person, an organization, or a territory.

Some of the most common types of malware attacks today include:

1 Viruses: Malicious code written to interfere with computer operations and cause damage to data,
software, and hardware. A virus attaches itself to programs or documents on a computer. It then
spreads and infects one or more computers in a network.

2 Worms: Malware that can duplicate and spread itself across systems on its own.

3 Ransomware: A malicious attack where threat actors encrypt an organization's data and demand
payment to restore access.

4 Spyware: Malware that's used to gather and sell information without consent. Spyware can be used to
access devices. This allows threat actors to collect personal data, such as private emails, texts, voice and
image recordings, and locations.

# Social Engineering:- Social engineering is a manipulation technique that exploits human error to gain
private information, access, or valuables. Human error is usually a result of trusting someone without
question. It's the mission of a threat actor, acting as a social engineer, to create an environment of false
trust and lies to exploit as many people as possible.

Some of the most common types of social engineering attacks today include:

1 Social media phishing: A threat actor collects detailed information about their target from social media
sites. Then, they initiate an attack.

2 Watering hole attack: A threat actor attacks a website frequently visited by a specific group of users.

3 USB baiting: A threat actor strategically leaves a malware USB stick for an employee to find and install,
to unknowingly infect a network.

4 Physical social engineering: A threat actor impersonates an employee, customer, or vendor to obtain
unauthorized access to a physical location.

Social engineering principles:- Social engineering is incredibly effective. This is because people are
generally trusting and conditioned to respect authority. The number of social engineering attacks is
increasing with every new social media application that allows public access to people's data. Although
sharing personal data, such as your location or photos, can be convenient, it's also a risk.

Reasons why social engineering attacks are effective include:

1 Authority: Threat actors impersonate individuals with power. This is because people, in general, have
been conditioned to respect and follow authority figures.

2 Intimidation: Threat actors use bullying tactics. This includes persuading and intimidating victims into
doing what they're told.

3 Consensus/Social proof: Because people sometimes do things that they believe many others are doing,
threat actors use others' trust to pretend they are legitimate. For example, a threat actor might try to
gain access to private data by telling an employee that other people at the company have given them
access to that data in the past.

4 Scarcity: A tactic used to imply that goods or services are in limited supply.

5 Familiarity: Threat actors establish a fake emotional connection with users that can be exploited.

6 Trust: Threat actors establish an emotional relationship with users that can be exploited over time.
They use this relationship to develop trust and gain personal information.

7 Urgency: A threat actor persuades others to respond quickly and without questioning.

Attack types:-

1 Password attack:- A password attack is an attempt to access password-secured devices, systems,
networks, or data. Some forms of password attacks that you'll learn about later in the certificate
program are:

* Brute force

* Rainbow table

Password attacks fall under the communication and network security domain.

2 Physical attack:- A physical attack is a security incident that affects not only digital but also physical
environments where the incident is deployed. Some forms of physical attacks are:

* Malicious USB cable

* Malicious flash drive

* Card cloning and skimming

Physical attacks fall under the asset security domain.

3 Adversarial artificial intelligence:- Adversarial artificial intelligence is a technique that manipulates
artificial intelligence and machine learning technology to conduct attacks more efficiently. Adversarial
artificial intelligence falls under both the communication and network security and the identity and
access management domains.

4 Supply-chain attack: - A supply-chain attack targets systems, applications, hardware, and/or software
to locate a vulnerability where malware can be deployed. Because every item sold undergoes a process
that involves third parties, this means that the security breach can occur at any point in the supply chain.
These attacks are costly because they can affect multiple organizations and the individuals who work for
them. Supply chain attacks fall under the security and risk management, security architecture and
engineering, and security operations domains.

5 Cryptographic attack:- A cryptographic attack affects secure forms of communication between a
sender and intended recipient. Some forms of cryptographic attacks are:

* Birthday

* Collision

* Downgrade

Cryptographic attacks fall under the communication and network security domain.

Threat actor types:-

1 Advanced persistent threats:- Advanced persistent threats (APTs) have significant expertise accessing
an organization's network without authorization. APTs tend to research their targets (e.g., large
corporations or government entities) in advance and can remain undetected for an extended period of
time. Their intentions and motivations can include:

* Damaging critical infrastructure, such as the power grid and natural resources

* Gaining access to intellectual property, such as trade secrets or patents

2 Insider threats:- Insider threats abuse their authorized access to obtain data that may harm an
organization. Their intentions and motivations can include:

* Sabotage

* Corruption

* Espionage

* Unauthorized data access or leaks

3 Hacktivists:- Hacktivists are threat actors that are driven by a political agenda. They abuse digital
technology to accomplish their goals, which may include:

* Demonstrations

* Propaganda

* Social change campaigns

* Fame

A hacker is any person or group who uses computers to gain unauthorized access to data. They can be
beginner or advanced technology professionals who use their skills for a variety of reasons. There are
three main categories of hackers:-

* Authorized hackers are also called ethical hackers. They follow a code of ethics and adhere to the
law to conduct organizational risk evaluations. They are motivated to safeguard people and
organizations from malicious threat actors.

* Semi-authorized hackers are considered researchers. They search for vulnerabilities but don't take
advantage of the vulnerabilities they find.

* Unauthorized hackers are also called unethical hackers. They are malicious threat actors who do not
follow or respect the law. Their goal is to collect and sell confidential data for financial gain.

Note: There are multiple hacker types that fall into one or more of these three categories.

New and unskilled threat actors have various goals, including:

* To learn and enhance their hacking skills

* To seek revenge

* To exploit security weaknesses by using existing malware, programming scripts, and other tactics

Other types of hackers are not motivated by any particular agenda other than completing the job they
were contracted to do. These types of hackers can be considered unethical or ethical hackers. They have
been known to work on both illegal and legal tasks for pay. There are also hackers who consider themselves
vigilantes. Their main goal is to protect the world from unethical hackers.

Security frameworks:- Guidelines used for building plans to help mitigate risk and threats to data and
privacy.

Purpose of security frameworks:-

* Protecting PII

* Securing financial information

* Identifying security weaknesses

* Managing organizational risks

* Aligning security with business goals

Components of security frameworks:-

1. Identifying and documenting security goals

2. Setting guidelines to achieve security goals

3. Implementing security processes

4. Monitoring and communicating results

Security controls:-

Safeguards designed to reduce specific security risks

CIA triad:- A foundational model that helps inform how organizations consider risk when setting up
systems and security policies

NIST Cybersecurity Framework (CSF):- A voluntary framework that consists of standards, guidelines, and
best practices to manage cybersecurity risk

Controls, frameworks, and compliance

The confidentiality, integrity, and availability (CIA) triad is a model that helps inform how organizations
consider risk when setting up systems and security policies.

CIA are the three foundational principles used by cybersecurity professionals to establish appropriate
controls that mitigate threats, risks, and vulnerabilities.

The National Institute of Standards and Technology (NIST) is a US-based agency that develops multiple
voluntary compliance frameworks that organizations worldwide can use to help manage risk. The more
aligned an organization is with compliance, the lower the risk. Examples of frameworks that were
introduced previously include the NIST Cybersecurity Framework (CSF) and the NIST Risk Management
Framework (RMF).

Note: Specifications and guidelines can change depending on the type of organization you work for.

In addition to the NIST CSF and NIST RMF, there are several other controls, frameworks, and compliance
standards that it is important for security professionals to be familiar with to help keep organizations
and the people they serve safe.

The Federal Energy Regulatory Commission-North American Electric Reliability Corporation (FERC-NERC):-
FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved
with the US and North American power grid. These types of organizations have an obligation to prepare
for, mitigate, and report any potential security incident that can negatively affect the power grid. They
are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards
defined by the FERC.

The Federal Risk and Authorization Management Program (FedRAMP):- FedRAMP is a US federal
government program that standardizes security assessment, authorization,
monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency
across the government sector and third-party cloud providers.

Center for Internet Security (CIS):- CIS is a nonprofit with multiple areas of emphasis. It provides a set of
controls that can be used to safeguard systems and networks against attacks. Its purpose is to help
organizations establish a better plan of defense. CIS also provides actionable controls that security
professionals may follow if a security incident occurs.

General Data Protection Regulation (GDPR):- GDPR is a European Union (EU) general data regulation
that protects the processing of EU residents' data and their right to privacy in and out of EU territory.
For example, if an organization is not being transparent about the data they are holding about an EU
citizen and why they are holding that data, this is an infringement that can result in a fine to the
organization. Additionally, if a breach occurs and an EU citizen's data is compromised, they must be
informed. The affected organization has 72 hours to notify the EU citizen about the breach.

Payment Card Industry Data Security Standard (PCI DSS):- PCI DSS is an international security standard
meant to ensure that organizations storing, accepting, processing, and transmitting credit card
information do so in a secure environment. The objective of this compliance standard is to reduce credit
card fraud.

The Health Insurance Portability and Accountability Act (HIPAA):- HIPAA is a US federal law established
in 1996 to protect patients' health information. This law prohibits patient information from being shared
without their consent. It is governed by three rules:

1. Privacy

2. Security

3. Breach notification

Organizations that store patient data have a legal obligation to inform patients of a breach because if
patients' protected health information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI
relates to the past, present, or future physical or mental health or condition of an individual, whether
it's a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals
also need to be familiar with the Health Information Trust Alliance (HITRUST), which is a security
framework and assurance program that helps institutions meet HIPAA compliance.

International Organization for Standardization (ISO):- ISO was created to establish international
standards related to technology, manufacturing, and management across borders. It helps organizations
improve their processes and procedures for staff retention, planning, waste, and services.

System and Organizations Controls (SOC type 1, SOC type 2):- The American Institute of Certified Public
Accountants (AICPA) auditing standards board developed this standard. The SOC1 and SOC2 are a series
of reports that focus on an organization's user access policies at different organizational levels such as:

* Associate

* Supervisor

* Manager

* Executive

* Vendor

* Others

They are used to assess an organization's financial compliance and levels of risk. They also cover
confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these
areas can lead to fraud.

Pro tip: There are a number of regulations that are frequently revised. You are encouraged to keep
up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions to
research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.

United States Presidential Executive Order 14028

On May 12, 2021, President Joe Biden released an executive order related to improving the nation's
cybersecurity to remediate the increase in threat actor activity. Remediation efforts are directed toward
federal agencies and third parties with ties to U.S. critical infrastructure. For additional information,
review the Executive Order on Improving the Nation's Cybersecurity.

Ethical concepts that guide cybersecurity decisions

Confidentiality means that only authorized users can access specific assets or data. Confidentiality as it
relates to professional ethics means that there needs to be a high level of respect for privacy to
safeguard private assets and data.

Privacy protection means safeguarding personal information from unauthorized use. Personally
identifiable information (PII) and sensitive personally identifiable information (SPII) are types of personal
data that can cause people harm if they are stolen. PII data is any information used to infer an
individual's identity, like their name and phone number. SPII data is a specific type of PII that falls under
stricter handling guidelines, including social security numbers and credit card numbers. To effectively
safeguard PII and SPII data, security professionals hold an ethical obligation to secure private
information, identify security vulnerabilities, manage organizational risks, and align security with
business goals.

Laws are rules that are recognized by a community and enforced by a governing entity. As a security
professional, you will have an ethical obligation to protect your organization, its internal infrastructure,
and the people involved with the organization. As an example, consider the Health Insurance Portability
and Accountability Act (HIPAA), which is a US federal law established to protect patients' health
information, also known as PHI, or protected health information. This law prohibits patient information
from being shared without their consent. So, as a security professional, you might help ensure that the
organization you work for adheres to both its legal and ethical obligation to inform patients of a breach
if their health care data is exposed.

Asset: An item perceived as having value to an organization

Availability: The idea that data is accessible to those who are authorized to access it

Compliance: The process of adhering to internal standards and external regulations

Confidentiality: The idea that only authorized users can access specific assets or data

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF): A voluntary
framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Open Web Application Security Project (OWASP): A non-profit organization focused on improving
software security

Protected health information (PHI): Information that relates to the past, present, or future physical or
mental health or condition of an individual

Security architecture: A type of security design composed of
multiple components, such as tools and processes, that are used to protect an organization from risks
and external threats

Security controls: Safeguards designed to reduce specific security risks

Security ethics: Guidelines for making appropriate decisions as a security professional

Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy

Security governance: Practices that help support, define, and direct security efforts of an organization

Log: A record of events that occur within an organization's systems

Security Information and Event Management (SIEM) tool:- An application that collects and analyzes log
data to monitor critical activities in an organization

Security information and event management (SIEM) tools

A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an
organization. A log is a record of events that occur within an organization's systems. Depending on the
amount of data you're working with, it could take hours or days to filter through log data on your own.
SIEM tools reduce the amount of data an analyst must review by providing alerts for specific types of
threats, risks, and vulnerabilities.
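
How a SIEM-style rule turns raw log lines into a small number of alerts, shown as an added example that is not part of the original notes or any SIEM product's code. The log format, the sample lines, and the names `parse` and `failed_login_alerts` are constructed for illustration; the rule flags a source address with repeated failed logins inside a short window, the pattern a brute force password attack leaves in logs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (sshd-like format, documentation IP ranges).
SAMPLE_LOG = """\
2024-05-01T09:00:01 sshd[311]: Accepted password for alice from 198.51.100.7
2024-05-01T09:00:10 sshd[312]: Failed password for root from 203.0.113.9
2024-05-01T09:00:12 sshd[313]: Failed password for admin from 203.0.113.9
2024-05-01T09:00:15 sshd[314]: Failed password for root from 203.0.113.9
2024-05-01T09:00:19 sshd[315]: Failed password for test from 203.0.113.9
2024-05-01T09:00:24 sshd[316]: Failed password for root from 203.0.113.9
2024-05-01T09:00:30 sshd[317]: Failed password for root from 203.0.113.9
2024-05-01T09:01:00 sshd[318]: Failed password for bob from 192.0.2.44
2024-05-01T09:04:00 sshd[319]: Failed password for bob from 192.0.2.44
2024-05-01T09:07:00 sshd[320]: Failed password for bob from 192.0.2.44
2024-05-01T09:10:00 sshd[321]: Failed password for bob from 192.0.2.44
2024-05-01T09:13:00 sshd[322]: Failed password for bob from 192.0.2.44
2024-05-01T09:13:05 sshd[323]: Accepted password for bob from 192.0.2.44
garbled line that does not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line):
    """Turn one log line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "result": m["result"],
        "user": m["user"],
        "src": m["src"],
    }


def failed_login_alerts(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source that reaches `threshold` failures within `window`."""
    recent = defaultdict(deque)  # source address -> timestamps of recent failures
    alerted = set()              # sources already reported, to avoid repeat alerts
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "Failed":
            continue  # unparseable lines and successful logins do not count
        q = recent[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append(
                {"src": ev["src"], "count": len(q), "first": q[0], "last": ev["ts"]}
            )
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    found = failed_login_alerts(lines)
    print(f"{len(lines)} log lines reviewed, {len(found)} alert(s) raised")
    for a in found:
        print(f"  {a['src']}: {a['count']} failed logins "
              f"between {a['first'].time()} and {a['last'].time()}")
```

The five failures from 192.0.2.44 are spread over twelve minutes, so they never fall inside one window and raise no alert; only the burst from 203.0.113.9 does.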

SIEM tools provide a series of dashboards that visually organize data into categories, allowing users to
select the data they wish to analyze. Different SIEM tools have different dashboard types that display
the information you have access to.

SIEM tools also come with different hosting options, including on-premise and cloud. Organizations may
choose one hosting option over another based on a security team member's expertise. For example,
because a cloud-hosted version tends to be easier to set up, use, and maintain than an on-premise
version, a less experienced security team may choose this option for their organization.

Network protocol analyzers (packet sniffers):- A network protocol analyzer, also known as a packet
sniffer, is a tool designed to capture and analyze data traffic in a network. This means that the tool
keeps a record of all the data that a computer within an organization's network encounters. Later in the
program, you'll have an opportunity to practice using some common network protocol analyzer (packet
sniffer) tools.

Playbooks: - A playbook is a manual that provides details about any operational action, such as how to
respond to a security incident. Organizations usually have multiple playbooks documenting processes
and procedures for their teams to follow. Playbooks vary from one organization to the next, but they all
have a similar purpose: To guide analysts through a series of steps to complete specific security-related
tasks.

For example, consider the following scenario: You are working as a security analyst for an incident
response firm. You are given a case involving a small medical practice that has suffered a security breach.
Your job is to help with the forensic investigation and provide evidence to a cybersecurity insurance
company. They will then use your investigative findings to determine whether the medical practice will
receive their insurance payout.

In this scenario, playbooks would outline the specific actions you need to take to conduct the
investigation. Playbooks also help ensure that you are following proper protocols and procedures. When
working on a forensic case, there are two playbooks you might follow:

1 The first type of playbook you might consult is called the chain of custody playbook. Chain of custody
is the process of documenting evidence possession and control during an incident lifecycle. As a security
analyst involved in a forensic analysis, you will work with the computer data that was breached. You and
the forensic team will also need to document who, what, where, and why you have the collected
evidence. The evidence is your responsibility while it is in your possession. Evidence must be kept safe
and tracked. Every time evidence is moved, it should be reported. This allows all parties involved to
know exactly where the evidence is at all times.

2 The second playbook your team might use is called the protecting and preserving evidence playbook.
Protecting and preserving evidence is the process of properly working with fragile and volatile digital
evidence. As a security analyst, understanding what fragile and volatile digital evidence is, along with
why there is a procedure, is critical. As you follow this playbook, you will consult the order of volatility,
which is a sequence outlining the order of data that must be preserved from first to last. It prioritizes
volatile data, which is data that may be lost if the device in question powers off, regardless of the reason.
While conducting an investigation, improper management of digital evidence can compromise and alter
that evidence. When evidence is improperly managed during an investigation, it can no longer be used.
For this reason, the first priority in any investigation is to properly preserve the data. You can preserve
the data by making copies and conducting your investigation using those copies.
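
The two playbooks above, sketched as an added example rather than code from the original notes: a working copy is checked against the original by SHA-256 hash, and each custody entry records who, what, where, and why. The hash-chained log and the names `make_working_copy` and `CustodyLog` are assumptions chosen for this illustration, and the evidence file is a constructed stand-in for a disk image.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def make_working_copy(original, dest):
    """Copy the evidence and confirm the copy matches and the original is unchanged."""
    before = sha256_file(original)
    shutil.copyfile(original, dest)
    if sha256_file(original) != before or sha256_file(dest) != before:
        raise RuntimeError("hash mismatch: copy is not a faithful duplicate")
    return before


class CustodyLog:
    """Append-only custody record; each entry commits to the one before it.

    The chain detects in-place edits. Someone able to rewrite every entry could
    recompute it, so the latest entry_hash should also be kept somewhere the
    log holder cannot change.
    """

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, who, what, where, why, evidence_sha256, when=None):
        body = {
            "who": who, "what": what, "where": where, "why": why,
            "evidence_sha256": evidence_sha256,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "prev": self.entries[-1]["entry_hash"] if self.entries else None,
        }
        self.entries.append({**body, "entry_hash": self._digest(body)})

    def verify(self):
        """Return True only if every entry is unmodified and correctly linked."""
        prev = None
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev"] != prev or self._digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Run the workflow on constructed sample data; returns three check results."""
    with tempfile.TemporaryDirectory() as d:
        original = Path(d) / "evidence.img"
        original.write_bytes(b"constructed sample evidence bytes\n" * 1000)
        copy = Path(d) / "working_copy.img"
        digest = make_working_copy(original, copy)

        log = CustodyLog()
        log.record("analyst A", "collected evidence.img", "client site",
                   "breach investigation", digest)
        log.record("analyst B", "received working copy", "forensics lab",
                   "analysis", digest)
        intact = log.verify()

        # Editing an earlier entry after the fact breaks the chain.
        log.entries[0]["where"] = "somewhere else"
        still_valid_after_edit = log.verify()

        # Any change to the working copy shows up as a different hash.
        with open(copy, "ab") as f:
            f.write(b"x")
        copy_still_matches = sha256_file(copy) == digest
        return intact, still_valid_after_edit, copy_still_matches


if __name__ == "__main__":
    print(demo())
```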

Programming:-

Programming is a process that can be used to create a specific set of instructions for a computer to
execute tasks. Security analysts use programming languages, such as Python, to execute automation.
Automation is the use of technology to reduce human and manual effort in performing common and
repetitive tasks. Automation also helps reduce the risk of human error.

Another programming language used by analysts is called Structured Query Language (SQL). SQL is used
to create, interact with, and request information from a database. A database is an organized collection
of information or data. There can be millions of data points in a database. A data point is a specific piece
of information.

Operating systems:- An operating system is the interface between computer hardware and the user.
Linux, macOS, and Windows are operating systems. They each offer different functionality and user
experiences.

Linux is an open-source operating system. Open source means that the code is available to the public
and allows people to make contributions to improve the software. Linux is not a programming language;
however, it does involve the use of a command line within the operating system. A command is an
instruction telling the computer to do something. A command-line interface is a text-based user
interface that uses commands to interact with the computer.

Web vulnerability:- A web vulnerability is malicious code or behavior that's used to take advantage of
coding flaws in a web application. Vulnerable web applications can be exploited by threat actors,
allowing unauthorized access, data theft, and malware deployment.

Antivirus software:- Antivirus software is a software program used to prevent, detect, and eliminate
malware and viruses. It is also called anti-malware. Depending on the type of antivirus software, it can
scan the memory of a device to find patterns that indicate the presence of malware.

Intrusion detection system:- An intrusion detection system (IDS) is an application that monitors system
activity and alerts on possible intrusions. The system scans and analyzes network packets, which carry
small amounts of data through a network. Because each packet carries only a small amount of data, it is
easier for an IDS to identify potential threats to sensitive data. Other occurrences an IDS might detect can
include theft and unauthorized access.

Encryption: - Encryption is the process of converting data from a readable format to a cryptographically
encoded format. Cryptographic encoding means converting plaintext into secure ciphertext. Plaintext is
unencrypted information and secure ciphertext is the result of encryption. A cryptographic form of code
is used to communicate in secret and prevent unauthorized, unapproved access to data, programs, or
devices.

Note: Encoding and encryption serve different purposes. Encoding uses a public conversion algorithm to
enable systems that use different data representations to share information. Encryption makes data
unreadable and difficult to decode for an unauthorized user; its main goal is to ensure confidentiality of
private data.

Penetration testing:- Penetration testing, also called pen testing, is the act of participating in a
simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and
processes. It is a thorough risk assessment that can evaluate and identify external and internal threats as
well as weaknesses.

Order of volatility: A sequence outlining the order of data that must be preserved from first to last

Course 2 (Play It Safe: Manage Security Risks)

# CISSP Security domains cybersecurity analysts need to know

Domain one: Security and risk management

All organizations must develop their security posture. Security posture is an organization’s ability to
manage its defense of critical assets and data and react to change. Elements of the security and risk
management domain that impact an organization's security posture include:

* Security goals and objectives

* Risk mitigation processes

* Compliance

* Business continuity plans

* Legal regulations

* Professional and organizational ethics

Information security, or InfoSec, is also related to this domain and refers to a set of processes
established to secure information. An organization may use playbooks and implement training as a part
of their security and risk management program, based on their needs and perceived risk. There are
many InfoSec design processes, such as:

* Incident response

* Vulnerability management

* Application security

* Cloud security

* Infrastructure security

As an example, a security team may need to alter how personally identifiable information (PII) is treated
in order to adhere to the European Union's General Data Protection Regulation (GDPR).

Domain two: Asset security

Asset security involves managing the cybersecurity processes of organizational assets, including the
storage, maintenance, retention, and destruction of physical and virtual data. Because the loss or theft
of assets can expose an organization and increase the level of risk, keeping track of assets and the data
they hold is essential. Conducting a security impact analysis, establishing a recovery plan, and managing
data exposure will depend on the level of risk associated with each asset. Security analysts may need to
store, maintain, and retain data by creating backups to ensure they are able to restore the environment
if a security incident places the organization’s data at risk.

Domain three: Security architecture and engineering

This domain focuses on managing data security. Ensuring effective tools, systems, and processes are in
place helps protect an organization’s assets and data. Security architects and engineers create these
processes.

One important aspect of this domain is the concept of shared responsibility. Shared responsibility means
all individuals involved take an active role in lowering risk during the design of a security system.
Additional design principles related to this domain, which are discussed later in the program, include:

* Threat modeling

* Least privilege

* Defense in depth

* Fail securely

* Separation of duties

* Keep it simple

* Zero trust

* Trust but verify

An example of managing data is the use of a security information and event management (SIEM) tool to
monitor for flags related to unusual login or user activity that could indicate a threat actor is attempting
to access private data.

Domain four: Communication and network security

This domain focuses on managing and securing physical networks and wireless communications. This
includes on-site, remote, and cloud communications.

Organizations with remote, hybrid, and on-site work environments must ensure data remains secure,
but managing external connections to make certain that remote workers are securely accessing an
organization’s networks is a challenge. Designing network security controls—such as restricted network
access—can help protect users and ensure an organization’s network remains secure when employees
travel or work outside of the main office.

Domain five: Identity and access management

The identity and access management (IAM) domain focuses on keeping data secure. It does this by
ensuring user identities are trusted and authenticated and that access to physical and logical assets is
authorized. This helps prevent unauthorized users, while allowing authorized users to perform their
tasks.

Essentially, IAM uses what is referred to as the principle of least privilege, which is the concept of
granting only the minimal access and authorization required to complete a task. As an example, a
cybersecurity analyst might be asked to ensure that customer service representatives can only view the
private data of a customer, such as their phone number, while working to resolve the customer's issue;
then remove access when the customer's issue is resolved.

Domain six: Security assessment and testing

The security assessment and testing domain focuses on identifying and mitigating risks, threats, and
vulnerabilities. Security assessments help organizations determine whether their internal systems are
secure or at risk. Organizations might employ penetration testers, often referred to as “pen testers,” to
find vulnerabilities that could be exploited by a threat actor.

This domain suggests that organizations conduct security control testing, as well as collect and analyze
data. Additionally, it emphasizes the importance of conducting security audits to monitor for and reduce
the probability of a data breach. To contribute to these types of tasks, cybersecurity professionals may
be tasked with auditing user permissions to validate that users have the correct levels of access to
internal systems.
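
The following is an added example, not part of the course material, of the permission audit described above combined with the customer-service scenario from domain five: it flags permissions beyond a role's baseline and customer-record grants whose support ticket is no longer open. The role names, permission strings, ticket IDs, and data layout are assumptions made for illustration.

```python
# Constructed role baselines: the minimum permissions each role needs (assumed names).
ROLE_BASELINE = {
    "support_rep": {"ticket:read", "ticket:update"},
    "accountant": {"ledger:read", "ledger:write"},
    "sec_analyst": {"siem:read", "audit:read"},
}

# Constructed snapshot of what each account currently holds.
ACCOUNTS = [
    {"user": "rita", "role": "support_rep", "active": True,
     "permissions": {"ticket:read", "ticket:update"}},
    {"user": "sam", "role": "support_rep", "active": True,
     "permissions": {"ticket:read", "ticket:update", "ledger:read"}},
    {"user": "omar", "role": "accountant", "active": False,
     "permissions": {"ledger:read", "ledger:write"}},
    {"user": "lee", "role": "contractor", "active": True,
     "permissions": {"siem:read"}},
]

# Constructed time-bound grants: a representative may view one customer's
# private data only while the related ticket is open and assigned to them.
CUSTOMER_GRANTS = [
    {"user": "rita", "customer": "C-1001", "ticket": "T-501"},
    {"user": "sam", "customer": "C-1002", "ticket": "T-502"},
    {"user": "sam", "customer": "C-1003", "ticket": "T-999"},
]
TICKETS = {
    "T-501": {"status": "open", "assignee": "rita"},
    "T-502": {"status": "resolved", "assignee": "sam"},
}


def audit_accounts(accounts, baseline):
    """Return (user, finding, detail) tuples for accounts that violate least privilege."""
    findings = []
    for acct in accounts:
        user, role = acct["user"], acct["role"]
        held = set(acct["permissions"])
        if role not in baseline:
            # No baseline means nobody decided what this account should have.
            findings.append((user, "unknown_role", role))
            continue
        if not acct["active"] and held:
            # Disabled or departed users should hold nothing at all.
            findings.append((user, "inactive_account_with_access",
                             ",".join(sorted(held))))
            continue
        excess = held - baseline[role]
        if excess:
            findings.append((user, "excess_permission", ",".join(sorted(excess))))
    return findings


def audit_customer_grants(grants, tickets):
    """Return (user, customer, reason) for grants that should already be removed."""
    findings = []
    for grant in grants:
        ticket = tickets.get(grant["ticket"])
        if ticket is None:
            reason = "no_matching_ticket"
        elif ticket["status"] != "open":
            reason = "ticket_" + ticket["status"]
        elif ticket["assignee"] != grant["user"]:
            reason = "not_assignee"
        else:
            continue  # access is still justified by an open, assigned ticket
        findings.append((grant["user"], grant["customer"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS, ROLE_BASELINE):
        print("account:", finding)
    for finding in audit_customer_grants(CUSTOMER_GRANTS, TICKETS):
        print("grant:  ", finding)
```
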

Domain seven: Security operations

The security operations domain focuses on the investigation of a potential data breach and the
implementation of preventative measures after a security incident has occurred. This includes using
strategies, processes, and tools such as:

* Training and awareness

* Reporting and documentation

* Intrusion detection and prevention

* SIEM tools

* Log management

* Incident management

* Playbooks

* Post-breach forensics

* Reflecting on lessons learned

The cybersecurity professionals involved in this domain work as a team to manage, prevent, and
investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such
as large amounts of data being accessed from an organization's internal network, outside of normal
working hours. Once a threat is identified, the team works diligently to keep private data and
information safe from threat actors.
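
The following is an added example, not part of the course material, of detection logic for the scenario described above: large amounts of data read from the internal network outside normal working hours. The log format, the 08:00 to 18:00 working hours, and the 500 MB threshold are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample access log: ISO timestamp, user, source host, bytes read.
SAMPLE_LOG = """\
2024-03-04T10:15:02 alice ws-014 1200000
2024-03-04T14:40:11 bob ws-022 350000000
2024-03-04T23:05:43 carol ws-031 420000000
2024-03-04T23:19:08 carol ws-031 310000000
2024-03-05T02:47:30 dave ws-007 9000000
2024-03-05T03:02:10 carol ws-031 50000000
malformed line without enough fields
2024-03-05T09:30:00 carol ws-031 800000000
"""

WORK_START = time(8, 0)          # assumed working hours, Monday to Friday
WORK_END = time(18, 0)
THRESHOLD_BYTES = 500_000_000    # assumed alert threshold per user per night


def parse_line(line):
    """Return (timestamp, user, host, bytes) or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def is_after_hours(ts):
    """Weekends and anything outside WORK_START..WORK_END count as after hours."""
    if ts.weekday() >= 5:
        return True
    return not (WORK_START <= ts.time() < WORK_END)


def shift_date(ts):
    """Attribute early-morning events to the previous evening, so one night
    of activity is summed together instead of being split at midnight."""
    if ts.time() < WORK_START:
        return (ts - timedelta(days=1)).date()
    return ts.date()


def detect(log_text):
    """Return (alerts, skipped): alerts for users whose after-hours reads in
    one night reach the threshold, and the count of unparseable lines."""
    totals = defaultdict(int)
    hosts = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if record is None:
            skipped += 1          # count these: a gap in logging is itself a finding
            continue
        ts, user, host, nbytes = record
        if not is_after_hours(ts):
            continue
        key = (user, shift_date(ts))
        totals[key] += nbytes
        hosts[key].add(host)
    alerts = [
        {"user": user, "night_of": day.isoformat(), "bytes": total,
         "hosts": sorted(hosts[(user, day)])}
        for (user, day), total in sorted(totals.items())
        if total >= THRESHOLD_BYTES
    ]
    return alerts, skipped


if __name__ == "__main__":
    found, bad_lines = detect(SAMPLE_LOG)
    for alert in found:
        print("ALERT", alert)
    print("unparseable lines:", bad_lines)
```

Note that no single after-hours event crosses the threshold in the sample; only the per-night total for one user does, which is why the logic aggregates before alerting.
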

Domain eight: Software development security

The software development security domain is focused on using secure programming practices and
guidelines to create secure applications. Having secure applications helps deliver secure and reliable
services, which helps protect organizations and their users.

Security must be incorporated into each element of the software development life cycle, from design
and development to testing and release. To achieve security, the software development process must
have security in mind at each step. Security cannot be an afterthought.

Performing application security tests can help ensure vulnerabilities are identified and mitigated
accordingly. Having a system in place to test the programming conventions, software executables, and
security measures embedded in the software is necessary. Having quality assurance and pen tester
professionals ensure the software has met security and performance standards is also an essential part
of the software development process. For example, an entry-level analyst working for a pharmaceutical
company might be asked to make sure encryption is properly configured for a new medical device that
will store private patient data.

Risk management

A primary goal of organizations is to protect assets. An asset is an item perceived as having value to an
organization. Assets can be digital or physical. Examples of digital assets include the personal
information of employees, clients, or vendors, such as:

* Social Security Numbers (SSNs), or unique national identification numbers assigned to individuals

* Dates of birth

* Bank account numbers

* Mailing addresses

Examples of physical assets include:

* Payment kiosks

* Servers

* Desktop computers

* Office spaces

Some common strategies used to manage risks include:

Acceptance: Accepting a risk to avoid disrupting business continuity

Avoidance: Creating a plan to avoid the risk altogether

Transference: Transferring risk to a third party to manage

Mitigation: Lessening the impact of a known risk

Additionally, organizations implement risk management processes based on widely accepted
frameworks to help protect digital and physical assets from various threats, risks, and vulnerabilities.
Examples of frameworks commonly used in the cybersecurity industry include the National Institute of
Standards and Technology Risk Management Framework (NIST RMF) and Health Information Trust
Alliance (HITRUST).

Following are some common types of threats, risks, and vulnerabilities you’ll help organizations manage
as a security professional.

Today’s most common threats, risks, and vulnerabilities

Threats
A threat is any circumstance or event that can negatively impact assets. As an entry-level security
analyst, your job is to help defend the organization’s assets from inside and outside threats. Therefore,
understanding common types of threats is important to an analyst’s daily work. As a reminder, common
threats include:

1 Insider threats: Staff members or vendors abuse their authorized access to obtain data that may harm
an organization.

2 Advanced persistent threats (APTs): A threat actor maintains unauthorized access to a system for an
extended period of time.

Risks

A risk is anything that can impact the confidentiality, integrity, or availability of an asset. A basic formula
for determining the level of risk is that risk equals the likelihood of a threat. One way to think about this
is that a risk is being late to work and threats are traffic, an accident, a flat tire, etc.

There are different factors that can affect the likelihood of a risk to an organization’s assets, including:

External risk: Anything outside the organization that has the potential to harm organizational assets,
such as threat actors attempting to gain access to private information

Internal risk: A current or former employee, vendor, or trusted partner who poses a security risk

Legacy systems: Old systems that might not be accounted for or updated, but can still impact assets,
such as workstations or old mainframe systems. For example, an organization might have an old vending
machine that takes credit card payments or a workstation that is still connected to the legacy accounting
system.

Multiparty risk: Outsourcing work to third-party vendors can give them access to intellectual property,
such as trade secrets, software designs, and inventions.

Software compliance/licensing: Software that is not updated or in compliance, or patches that are not
installed in a timely manner

Note: The OWASP’s common attack types list contains three new risks for the years 2017 to 2021:
insecure design, software and data integrity failures, and server-side request forgery. This update
emphasizes the fact that security is a constantly evolving field. It also demonstrates the importance of
staying up to date on current threat actor tactics and techniques, so you can be better prepared to
manage these types of risks.

Vulnerabilities

A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to
regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:

* ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means
a threat actor can complete a user authentication process to deploy malicious code from a remote
location.

* ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication
protocol is a way to verify a person's identity. Netlogon is a service that ensures a user’s identity before
allowing access to a website's location.

* Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive information.
It does this by enabling a remote attacker to take control of devices connected to the internet and run
malicious code.

* PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft
technique that allows a LAN-based attacker to initiate an authentication request.

* Security logging and monitoring failures: Insufficient logging and monitoring capabilities that result in
attackers exploiting vulnerabilities without the organization knowing it

* Server-side request forgery: Allows attackers to manipulate a server-side application into accessing
and updating backend resources. It can also allow threat actors to steal data.

NIST Risk Management Framework RMF:- The Risk Management Framework provides a process that
integrates security, privacy, and cyber supply chain risk management activities into the system
development life cycle. The risk-based approach to control selection and specification considers
effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies,
standards, or regulations. Managing organizational risk is paramount to effective information security
and privacy programs; the RMF approach can be applied to new and legacy systems, any type of system
or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.

The steps of the RMF are:

Prepare: Essential activities to prepare the organization to manage security and privacy risks

Categorize: Categorize the system and information processed, stored, and transmitted based on an impact analysis

Select: Select the set of NIST SP 800-53 controls to protect the system based on risk assessment(s)

Implement: Implement the controls and document how controls are deployed

Assess: Assess to determine if the controls are in place, operating as intended, and producing the desired results

Authorize: Senior official makes a risk-based decision to authorize the system (to operate)

Monitor: Continuously monitor control implementation and risks to the system

Terms and definitions from Course 2, Week 1


Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented
correctly

Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy
risks that may exist in an organization

Business continuity: An organization's ability to maintain their everyday productivity by establishing risk
disaster recovery plans

Categorize: The second step of the NIST RMF that is used to develop risk management processes and
tasks

External threat: Anything outside the organization that has the potential to harm organizational assets

Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an
organization

Internal threat: A current or former employee, external vendor, or trusted partner who poses a security
risk

Monitor: The seventh step of the NIST RMF that means be aware of how systems are operating

Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and
privacy risks before a breach occurs

Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand
payment to restore access

Risk: Anything that can impact the confidentiality, integrity, or availability of an asset

Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the
impact of a risk like a breach

Security posture: An organization’s ability to manage its defense of critical assets and data and react to
change

Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of
the controls that protect an organization

Shared responsibility: The idea that all individuals within an organization take an active role in lowering
risk and maintaining both physical and virtual security

Social engineering: A manipulation technique that exploits human error to gain private information,
access, or valuables

Vulnerability: A weakness that can be exploited by a threat

The relationship between frameworks and controls


Previously, you learned how organizations use security frameworks and controls to protect against
threats, risks, and vulnerabilities. This included discussions about the National Institute of Standards and
Technology’s (NIST’s) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), as well
as the confidentiality, integrity, and availability (CIA) triad. In this reading, you will further explore
security frameworks and controls and how they are used together to help mitigate organizational risk.

Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and
privacy. Frameworks support organizations’ ability to adhere to compliance laws and regulations. For
example, the healthcare industry uses frameworks to comply with the United States’ Health Insurance
Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient
information safe.

Security controls are safeguards designed to reduce specific security risks. Security controls are the
measures organizations use to lower risk and threats to data and privacy. For example, a control that
can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that
patients use multi-factor authentication (MFA) to access their medical records. Using a measure like
MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private
data.

Specific frameworks and controls

There are many different frameworks and controls that organizations can use to remain compliant with
regulations and achieve their security goals. Frameworks covered in this reading are the Cyber Threat
Framework (CTF) and the International Organization for Standardization/International Electrotechnical
Commission (ISO/IEC) 27001. Several common security controls, used alongside these types of
frameworks, are also explained.

1 Cyber Threat Framework (CTF)

According to the Office of the Director of National Intelligence, the CTF was developed by the U.S.
government to provide “a common language for describing and communicating information about cyber
threat activity.” By providing a common language to communicate information about threat activity, the
CTF helps cybersecurity professionals analyze and share information more efficiently. This allows
organizations to improve their response to the constantly evolving cybersecurity landscape and threat
actors' many tactics and techniques.

2 International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001

An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of standards
enables organizations of all sectors and sizes to manage the security of assets, such as financial
information, intellectual property, employee data, and information entrusted to third parties. This
framework outlines requirements for an information security management system, best practices, and
controls that support an organization’s ability to manage risks. Although the ISO/IEC 27001 framework
does not require the use of specific controls, it does provide a collection of controls that organizations
can use to improve their security posture.

Controls

Controls are used alongside frameworks to reduce the possibility and impact of a security threat, risk, or
vulnerability. Controls can be physical, technical, and administrative and are typically used to prevent,
detect, or correct security issues.

Examples of physical controls:

* Gates, fences, and locks

* Security guards

* Closed-circuit television (CCTV), surveillance cameras, and motion detectors

* Access cards or badges to enter office spaces

Examples of technical controls:

* Firewalls

* MFA

* Antivirus software

Examples of administrative controls:

* Separation of duties

* Authorization

* Asset classification

The CIA triad for analysts

The CIA triad is a model that helps inform how organizations consider risk when setting up systems and
security policies. It is made up of three elements that cybersecurity analysts and organizations work
toward upholding: confidentiality, integrity, and availability. Maintaining an acceptable level of risk and
ensuring systems and policies are designed with these elements in mind helps establish a successful
security posture, which refers to an organization’s ability to manage its defense of critical assets and
data and react to change.

Confidentiality is the idea that only authorized users can access specific assets or data. In an
organization, confidentiality can be enhanced through the implementation of design principles, such as
the principle of least privilege. The principle of least privilege limits users' access to only the information
they need to complete work-related tasks. Limiting access is one way of maintaining the confidentiality
and security of private data.

Integrity is the idea that the data is verifiably correct, authentic, and reliable. Having protocols in place
to verify the authenticity of data is essential. One way to verify data integrity is through cryptography,
which is used to transform data so unauthorized parties cannot read or tamper with it (NIST, 2022).
Another example of how an organization might implement integrity is by enabling encryption, which is
the process of converting data from a readable format to an encoded format. It can be used to prevent
access to data, such as messages on an organization's internal chat platform.
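
The following is an added example, not part of the course material, of using cryptography to verify integrity: a keyed hash (HMAC-SHA-256) over a record detects tampering, whereas an unkeyed hash stored next to the data can be recomputed by whoever alters the data. The record contents and the way the key is generated and held are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256: anyone who can change the data can recompute this."""
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, data: bytes) -> str:
    """Keyed integrity tag: only holders of the key can produce a valid one."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison avoids leaking how many characters matched."""
    return hmac.compare_digest(sign(key, data), tag)


def demo():
    """Compare how an unkeyed hash and an HMAC tag behave when a record changes."""
    key = secrets.token_bytes(32)             # assumed to be held only by the verifier
    record = b"patient=4821;dose_mg=5"        # constructed sample record
    stored_hash = plain_digest(record)
    stored_tag = sign(key, record)

    tampered = b"patient=4821;dose_mg=50"     # same record with one field changed
    # Someone with write access to both the record and its unkeyed hash
    # can replace the hash so that the pair still looks consistent.
    replaced_hash = plain_digest(tampered)
    # Without the key, the best they can do is reuse the old tag or sign
    # with a key of their own; both fail verification.
    other_key = secrets.token_bytes(32)

    return {
        "original_verifies": verify(key, record, stored_tag),
        "tampered_with_old_tag": verify(key, tampered, stored_tag),
        "tampered_with_foreign_key_tag": verify(key, tampered, sign(other_key, tampered)),
        "hash_detects_if_hash_untouched": plain_digest(tampered) != stored_hash,
        "hash_fooled_if_hash_replaced": plain_digest(tampered) == replaced_hash,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
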

Availability is the idea that data is accessible to those who are authorized to use it. When a system
adheres to both availability and confidentiality principles, data can be used when needed. In the
workplace, this could mean that the organization allows remote employees to access its internal
network to perform their jobs. It’s worth noting that access to data on the internal network is still
limited, depending on what type of access employees need to do their jobs. If, for example, an
employee works in the organization’s accounting department, they might need access to corporate
accounts but not data related to ongoing development projects.

Security principles

In the workplace, security principles are embedded in your daily tasks. Whether you are analyzing logs,
monitoring a security information and event management (SIEM) dashboard, or using a vulnerability scanner, you will
use these principles in some way. Previously, you were introduced to several OWASP security principles.
These included:

1 Minimize attack surface area: Attack surface refers to all the potential vulnerabilities a threat actor
could exploit.

2 Principle of least privilege: Users have the least amount of access required to perform their everyday
tasks.

3 Defense in depth: Organizations should have varying security controls that mitigate risks and threats.

4 Separation of duties: Critical actions should rely on multiple people, each of whom follows the principle
of least privilege.

5 Keep security simple: Avoid unnecessarily complicated solutions. Complexity makes security difficult.

6 Fix security issues correctly: When security incidents occur, identify the root cause, contain the impact,
identify vulnerabilities, and conduct tests to ensure that remediation is successful.

Security audits:- A security audit is a review of an organization's security controls, policies, and
procedures against a set of expectations. Audits are independent reviews that evaluate whether an
organization is meeting internal and external criteria. Internal criteria include outlined policies,
procedures, and best practices. External criteria include regulatory compliance, laws, and federal
regulations.

Additionally, a security audit can be used to assess an organization's established security controls. As a
reminder, security controls are safeguards designed to reduce specific security risks.

Audits help ensure that security checks are made (i.e., daily monitoring of security information and
event management dashboards), to identify threats, risks, and vulnerabilities. This helps maintain an
organization’s security posture. And, if there are security issues, a remediation process must be in place.

# Goals and objectives of an audit

The goal of an audit is to ensure an organization's information technology (IT) practices are meeting
industry and organizational standards. The objective is to identify and address areas of remediation and
growth. Audits provide direction and clarity by identifying what the current failures are and developing a
plan to correct them.

Security audits must be performed to safeguard data and avoid penalties and fines from governmental
agencies. The frequency of audits is dependent on local laws and federal compliance regulations.

# Factors that affect audits

1 Industry type

2 Organization size

3 Ties to the applicable government regulations

4 A business’s geographical location

5 A business decision to adhere to a specific regulatory compliance

Control categories
Controls within cybersecurity are grouped into three main categories:

1 Administrative/Managerial controls address the human component of cybersecurity. These controls
include policies and procedures that define how an organization manages data and clearly define
employee responsibilities, including their role in protecting the organization. While administrative
controls are typically policy based, the enforcement of those policies may require the use of technical or
physical controls.

2 Technical controls consist of solutions such as firewalls, intrusion detection systems (IDS), intrusion
prevention systems (IPS), antivirus (AV) products, encryption, etc. Technical controls can be used in a
number of ways to meet organizational goals and objectives.

3 Physical controls include door locks, cabinet locks, surveillance cameras, badge readers, etc. They are
used to limit physical access to physical assets by unauthorized personnel.

Control types
There are five types of controls:

1 Preventative
2 Corrective
3 Detective
4 Deterrent
5 Compensating

These controls work together to provide defense in depth and protect assets. Preventative controls are
designed to prevent an incident from occurring in the first place. Corrective controls are used to restore
an asset after an incident. Detective controls are implemented to determine whether an incident has
occurred or is in progress. Deterrent controls are designed to discourage attacks. And, finally,
compensating controls are used to fortify the security of an asset when the current controls aren’t
enough to adequately protect the asset.

Review the following charts for specific details about each type of control and its purpose.

Administrative Controls

| Control Name | Control Type | Control Purpose |
| --- | --- | --- |
| Least Privilege | Preventative | Reduce risk and overall impact of malicious insider or compromised accounts |
| Disaster recovery plans | Corrective | Provide business continuity |
| Password policies | Preventative | Reduce likelihood of account compromise through brute force or dictionary attack techniques |
| Access control policies | Preventative | Bolster confidentiality and integrity by defining which groups can access or modify data |
| Account management policies | Preventative | Managing account lifecycle, reducing attack surface, and limiting overall impact from disgruntled former employees and default account usage |
| Separation of duties | Preventative | Reduce risk and overall impact of malicious insider or compromised accounts |

Technical Controls

| Control Name | Control Type | Control Purpose |
| --- | --- | --- |
| Firewall | Preventative | To filter unwanted or malicious traffic from entering the network |
| IDS/IPS | Detective | To detect and prevent anomalous traffic that matches a signature or rule |
| Encryption | Deterrent | Provide confidentiality to sensitive information |
| Backups | Corrective | Restore/recover from an event |
| Password management | Preventative | Reduce password fatigue |
| Antivirus (AV) software | Corrective | Detect and quarantine known threats |
| Manual monitoring, maintenance, and intervention | Preventative | Necessary to identify and manage threats, risks, or vulnerabilities to out-of-date systems |

Physical Controls

| Control Name | Control Type | Control Purpose |
| --- | --- | --- |
| Time-controlled safe | Deterrent | Reduce attack surface and overall impact from physical threats |
| Adequate lighting | Deterrent | Deter threats by limiting “hiding” places |
| Closed-circuit television (CCTV) | Preventative/Detective | Closed circuit television is both a preventative and detective control because its presence can reduce risk of certain types of events from occurring, and can be used after an event to inform on event conditions |
| Locking cabinets (for network gear) | Preventative | Bolster integrity by preventing unauthorized personnel and other individuals from physically accessing or modifying network infrastructure gear |
| Signage indicating alarm service provider | Deterrent | Deter certain types of threats by making the likelihood of a successful attack seem low |
| Locks | Deterrent/Preventative | Bolster integrity by deterring and preventing unauthorized personnel, individuals from physically accessing assets |
| Fire detection and prevention (fire alarm, sprinkler system, etc.) | Detective/Preventative | Detect fire in physical location and prevent damage to physical assets such as inventory, servers, etc. |

Current SIEM solutions :- A SIEM tool is an application that collects and analyzes log data to monitor
critical activities in an organization. SIEM tools offer real-time monitoring and tracking of security event
logs. The data is then used to conduct a thorough analysis of any potential security threat, risk, or
vulnerability identified. SIEM tools have many dashboard options. Each dashboard option helps
cybersecurity team members manage and monitor organizational data. However, currently, SIEM tools
require human interaction for analysis of security events.

The future of SIEM tools:- As cybersecurity continues to evolve, the need for cloud functionality has
increased. SIEM tools have evolved and continue to evolve to function in cloud-hosted and cloud-native
environments. Cloud-hosted SIEM tools are operated by vendors who are responsible for maintaining
and managing the infrastructure required to use the tools. Cloud-hosted tools are simply accessed
through the internet and are an ideal solution for organizations that don’t want to invest in creating and
maintaining their own infrastructure.

Similar to cloud-hosted SIEM tools, cloud-native SIEM tools are also fully maintained and managed by
vendors and accessed through the internet. However, cloud-native tools are designed to take full
advantage of cloud computing capabilities, such as availability, flexibility, and scalability.

Yet, the evolution of SIEM tools is expected to continue in order to accommodate the changing nature
of technology, as well as new threat actor tactics and techniques. For example, consider the current
development of interconnected devices with access to the internet, known as the Internet of Things
(IoT). The more interconnected devices there are, the larger the cybersecurity attack surface and the
amount of data that threat actors can exploit. The diversity of attacks and data that require special
attention is expected to grow significantly. Additionally, as artificial intelligence (AI) and machine
learning (ML) technology continues to progress, SIEM capabilities will be enhanced to better identify
threat-related terminology, dashboard visualization, and data storage functionality.

The implementation of automation will also help security teams respond faster to possible incidents,
performing many actions without waiting for a human response. Security orchestration, automation,
and response (SOAR) is a collection of applications, tools, and workflows that uses automation to
respond to security events. Essentially, this means that handling common security-related incidents with
the use of SIEM tools is expected to become a more streamlined process requiring less manual
intervention. This frees up security analysts to handle more complex and uncommon incidents that,
consequently, can’t be automated with a SOAR. Nevertheless, the expectation is for cybersecurity-
related platforms to communicate and interact with one another. Although the technology allowing
interconnected systems and devices to communicate with each other exists, it is still a work in progress.

Open-source tools:- Open-source tools are often free to use and can be user friendly. The objective of
open-source tools is to provide users with software that is built by the public in a collaborative way,
which can result in the software being more secure. Additionally, open-source tools allow for more
customization by users, resulting in a variety of new services built from the same open-source software
package.

Software engineers create open-source projects to improve software and make it available for anyone
to use, as long as the specified license is respected. The source code for open-source projects is readily
available to users, as well as the training material that accompanies them. Having these sources readily
available allows users to modify and improve project materials.

Proprietary tools:- Proprietary tools are developed and owned by a person or company, and users
typically pay a fee for usage and training. The owners of proprietary tools are the only ones who can
access and modify the source code. This means that users generally need to wait for updates to be made
to the software, and at times they might need to pay a fee for those updates. Proprietary software
generally allows users to modify a limited number of features to meet individual and organizational
needs. Examples of proprietary tools include Splunk® and Chronicle SIEM tools.

Common misconceptions

There is a common misconception that open-source tools are less effective and not as safe to use as
proprietary tools. However, developers have been creating open-source materials for years that have
become industry standards. Although it is true that threat actors have attempted to manipulate open-
source tools, because these tools are open source it is actually harder for people with malicious intent to
successfully cause harm. The wide exposure and immediate access to the source code by well-
intentioned and informed users and professionals makes it less likely for issues to occur, because they
can fix issues as soon as they’re identified.

Examples of open-source tools

In security, there are many tools in use that are open-source and commonly available. Two examples are
Linux and Suricata.

Linux:- Linux is an open-source operating system that is widely used. It allows you to tailor the operating
system to your needs using a command-line interface. An operating system is the interface between
computer hardware and the user. It’s used to communicate with the hardware of a computer and
manage software applications.

There are multiple versions of Linux that exist to accomplish specific tasks. Linux and its command-line
interface will be discussed in detail, later in the certificate program.

Suricata:- Suricata is an open-source network analysis and threat detection software. Network analysis
and threat detection software is used to inspect network traffic to identify suspicious behavior and
generate network data logs. The detection software finds activity across users, computers, or Internet
Protocol (IP) addresses to help uncover potential threats, risks, or vulnerabilities.

Suricata was developed by the Open Information Security Foundation (OISF). OISF is dedicated to
maintaining open-source use of the Suricata project to ensure it’s free and publicly available. Suricata is
widely used in the public and private sector, and it integrates with many SIEM tools and other security
tools. Suricata will also be discussed in greater detail later in the program.

Splunk:- Splunk offers different SIEM tool options: Splunk® Enterprise and Splunk® Cloud. Both allow you
to review an organization's data on dashboards. This helps security professionals manage an
organization's internal infrastructure by collecting, searching, monitoring, and analyzing log data from
multiple sources to obtain full visibility into an organization’s everyday operations.

Review the following Splunk dashboards and their purposes:


Security posture dashboard:- The security posture dashboard is designed for security operations centers
(SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and
allows security professionals to determine if security infrastructure and policies are performing as
designed. Security analysts can use this dashboard to monitor and investigate potential threats in real
time, such as suspicious network activity originating from a specific IP address.

Executive summary dashboard:- The executive summary dashboard analyzes and monitors the overall
health of the organization over time. This helps security teams improve security measures that reduce
risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as
generating a summary of security incidents and trends over a specific period of time.

Incident review dashboard:- The incident review dashboard allows analysts to identify suspicious
patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need
immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline
of the events leading up to an incident.

Risk analysis dashboard:- The risk analysis dashboard helps analysts identify risk for each risk object
(e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior,
such as a user logging in outside of normal working hours or unusually high network traffic from a
specific computer. A security analyst might use this dashboard to analyze the potential impact of
vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts.

Chronicle:- Chronicle is a cloud-native SIEM tool from Google that retains, analyzes, and searches log
data to identify potential security threats, risks, and vulnerabilities. Chronicle allows you to collect and
analyze log data according to:

1 A specific asset

2 A domain name

3 A user

4 An IP address

Chronicle provides multiple dashboards that help analysts monitor an organization’s logs, create filters
and alerts, and track suspicious domain names.

Review the following Chronicle dashboards and their purposes:

Enterprise insights dashboard

The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in logs,
known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the
likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the
organization. A security analyst might use this dashboard to monitor login or data access attempts
related to a critical asset—like an application or system—from unusual locations or devices.

Data ingestion and health dashboard

The data ingestion and health dashboard shows the number of event logs, log sources, and success rates
of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log
sources are correctly configured and that logs are received without error. This helps ensure that
log-related issues are addressed so that the security team has access to the log data they need.

IOC matches dashboard

The IOC matches dashboard indicates the top threats, risks, and vulnerabilities to the organization.
Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over
time in order to identify trends. This information is then used to direct the security team’s focus to the
highest priority threats. For example, security analysts can use this dashboard to search for additional
activity associated with an alert, such as a suspicious user login from an unusual geographic location.

Main dashboard

The main dashboard displays a high-level summary of information related to the organization’s data
ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access
a timeline of security events—such as a spike in failed login attempts— to identify threat trends across
log sources, devices, IP addresses, and physical locations.

Rule detections dashboard

The rule detections dashboard provides statistics related to incidents with the highest occurrences,
severities, and detections over time. Security analysts can use this dashboard to access a list of all the
alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a
known malicious attachment from an email. Analysts then use those statistics to help manage recurring
incidents and establish mitigation tactics to reduce an organization's level of risk.

User sign in overview dashboard

The user sign in overview dashboard provides information about user access behavior across the
organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify
unusual user activity, such as a user signing in from multiple locations at the same time. This information
is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s
applications.

Terms and definitions from Course 2, Week 3

Chronicle: A cloud-native tool designed to retain, analyze, and search data


Incident response: An organization’s quick attempt to identify an attack, contain the damage, and
correct the effects of a security breach

Log: A record of events that occur within an organization’s systems

Metrics: Key technical attributes such as response time, availability, and failure rate, which are used to
assess the performance of a software application

Operating system (OS): The interface between computer hardware and the user

Playbook: A manual that provides details about any operational action

Security information and event management (SIEM): An application that collects and analyzes log data
to monitor critical activities in an organization

Security orchestration, automation, and response (SOAR): A collection of applications, tools, and
workflows that use automation to respond to security events

Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data

Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an organization's log data to
provide security information and alerts in real-time

Playbooks

Playbooks are accompanied by a strategy. The strategy outlines expectations of team members who are
assigned a task, and some playbooks also list the individuals responsible. The outlined expectations are
accompanied by a plan. The plan dictates how the specific task outlined in the playbook must be
completed.

Playbooks should be treated as living documents, which means that they are frequently updated by
security team members to address industry changes and new threats. Playbooks are generally managed
as a collaborative effort, since security team members have different levels of expertise.

Updates are often made if:

1 A failure is identified, such as an oversight in the outlined policies and procedures, or in the playbook
itself.

2 There is a change in industry standards, such as changes in laws or regulatory compliance.

3 The cybersecurity landscape changes due to evolving threat actor tactics and techniques.

Types of playbooks

Playbooks sometimes cover specific incidents and vulnerabilities. These might include ransomware,
vishing, business email compromise (BEC), and other attacks previously discussed. Incident and
vulnerability response playbooks are very common, but they are not the only types of playbooks
organizations develop.

Each organization has a different set of playbook tools, methodologies, protocols, and procedures that
they adhere to, and different individuals are involved at each step of the response process, depending
on the country they are in. For example, incident notification requirements from government-imposed
laws and regulations, along with compliance standards, affect the content in the playbooks. These
requirements are subject to change based on where the incident originated and the type of data
affected.

Incident and vulnerability response playbooks

Incident and vulnerability response playbooks are commonly used by entry-level cybersecurity
professionals. They are developed based on the goals outlined in an organization’s business continuity
plan. A business continuity plan is an established path forward allowing a business to recover and
continue to operate as normal, despite a disruption like a security breach.

These two types of playbooks are similar in that they both contain predefined and up-to-date lists of
steps to perform when responding to an incident. Following these steps is necessary to ensure that you,
as a security professional, are adhering to legal and organizational standards and protocols. These
playbooks also help minimize errors and ensure that important actions are performed within a specific
timeframe.

When an incident, threat, or vulnerability occurs or is identified, the level of risk to the organization
depends on the potential damage to its assets. A basic formula for determining the level of risk is that
risk equals the likelihood of a threat. For this reason, a sense of urgency is essential. Following the steps
outlined in playbooks is also important if any forensic task is being carried out. Mishandling data can
easily compromise forensic data, rendering it unusable.

Common steps included in incident and vulnerability playbooks include:

1 Preparation

2 Detection

3 Analysis

4 Containment

5 Eradication

6 Recovery from an incident

Additional steps include performing post-incident activities, and a coordination of efforts throughout
the investigation and incident and vulnerability response stages.

Playbooks, SIEM tools, and SOAR tools

Previously, you learned that security teams encounter threats, risks, vulnerabilities, and incidents on a
regular basis and that they follow playbooks to address security-related issues. In this reading, you will
learn more about playbooks, including how they are used in security information and event
management (SIEM) and security orchestration, automation, and response (SOAR).

Playbooks and SIEM tools

Playbooks are used by cybersecurity teams in the event of an incident. Playbooks help security teams
respond to incidents by ensuring that a consistent list of actions is followed in a prescribed way,
regardless of who is working on the case. Playbooks can be very detailed and may include flow charts
and tables to clarify what actions to take and in which order. Playbooks are also used for recovery
procedures in the event of a ransomware attack. Different types of security incidents have their own
playbooks that detail who should take what action and when.

Playbooks are generally used alongside SIEM tools. If, for example, unusual user behavior is flagged by a
SIEM tool, a playbook provides analysts with instructions about how to address the issue.

Playbooks and SOAR tools

Playbooks are also used with SOAR tools. SOAR tools are similar to SIEM tools in that they are used for
threat monitoring. SOAR is a piece of software used to automate repetitive tasks generated by tools
such as a SIEM or managed detection and response (MDR). For example, if a user attempts to log into
their computer too many times with the wrong password, a SOAR would automatically block their
account to stop a possible intrusion. Then, analysts would refer to a playbook to take steps to resolve
the issue.
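
The failed-login scenario described above, as an added example that is not part of the original course material: a small SOAR-style rule that reads sign-in events, blocks an account after repeated failures, and hands the case to an analyst playbook. The log format, the threshold of 5 failures, the 10-minute window, and all names and addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sign-in events (illustrative format, not real log data).
SAMPLE_LOG = """\
2024-05-01T09:00:05 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:20 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:41 user=alice src=10.0.0.5 result=SUCCESS
2024-05-01T09:01:00 user=bob src=203.0.113.7 result=FAIL
2024-05-01T09:01:30 user=bob src=203.0.113.7 result=FAIL
2024-05-01T09:02:00 user=bob src=203.0.113.9 result=FAIL
2024-05-01T09:02:30 user=bob src=203.0.113.7 result=FAIL
corrupted line without fields
2024-05-01T09:03:00 user=bob src=203.0.113.9 result=FAIL
2024-05-01T09:03:30 user=bob src=203.0.113.7 result=FAIL
2024-05-01T09:10:00 user=carol src=10.0.0.8 result=FAIL
2024-05-01T09:25:00 user=carol src=10.0.0.8 result=FAIL
2024-05-01T09:40:00 user=carol src=10.0.0.8 result=FAIL
2024-05-01T09:55:00 user=carol src=10.0.0.8 result=FAIL
2024-05-01T10:10:00 user=carol src=10.0.0.8 result=FAIL
"""

MAX_FAILURES = 5                 # assumed lockout threshold
WINDOW = timedelta(minutes=10)   # assumed look-back window


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"user", "src", "result"} <= fields.keys():
        return None
    fields["time"] = when
    return fields


def respond(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Return the automated actions taken for a batch of sign-in events."""
    failures = defaultdict(deque)   # user -> recent failed attempts
    blocked = set()
    actions = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue                 # skip lines that cannot be parsed
        user = event["user"]
        if user in blocked:
            continue                 # already blocked; the analyst takes over
        if event["result"] == "SUCCESS":
            failures[user].clear()   # a good login resets the counter
            continue
        recent = failures[user]
        recent.append(event)
        # Forget failures that fall outside the look-back window.
        while event["time"] - recent[0]["time"] > window:
            recent.popleft()
        if len(recent) >= max_failures:
            blocked.add(user)
            actions.append({
                "action": "block_account",
                "user": user,
                "time": event["time"].isoformat(),
                "sources": sorted({e["src"] for e in recent}),
                "next_step": "analyst follows the account lockout playbook",
            })
    return actions


if __name__ == "__main__":
    for action in respond(SAMPLE_LOG):
        print(action)
```

Only bob is blocked in the sample: alice's successful login resets her count, and carol's failures are too far apart to fall inside one window.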

Network components, devices, and diagrams

Once you have a foundational understanding of network architecture, sometimes referred to as network
design, you will learn about security vulnerabilities inherent in all networks and how malicious actors
attempt to exploit them. In this reading, you will review network devices and connections and
investigate a simple network diagram similar to those used every day by network security professionals.
Essential tasks of a security analyst include setting up the tools, devices, and protocols used to observe
and secure network traffic.

Devices on a network

Network devices are the devices that maintain information and services for users of a network. These
devices connect over wired and wireless connections. After establishing a connection to the network,
the devices send data packets. The data packets provide information about the source and the
destination of the data.

Devices and desktop computers

Most internet users are familiar with everyday devices, such as personal computers, laptops, mobile
phones, and tablets. Each device and desktop computer has a unique MAC address and IP address,
which identify it on the network, and a network interface that sends and receives data packets. These
devices can connect to the network via a hard wire or a wireless connection.

Firewalls

A firewall is a network security device that monitors traffic to or from your network. Firewalls can also
restrict specific incoming and outgoing network traffic. The organization configures the security rules.
Firewalls often reside between the secured and controlled internal network and the untrusted network
resources outside the organization, such as the internet.

Servers

Servers provide a service for other devices on the network. The devices that connect to a server are
called clients. The following graphic outlines this model, which is called the client-server model. In this
model, clients send requests to the server for information and services. The server performs the
requests for the clients. Common examples include DNS servers that perform domain name lookups for
internet sites, file servers that store and retrieve files from a database, and corporate mail servers that
organize mail for a company.

Hubs and switches

Hubs and switches both direct traffic on a local network. A hub is a device that provides a common point
of connection for all devices directly connected to it. Hubs additionally repeat all information out to all
ports. From a security perspective, this makes hubs vulnerable to eavesdropping. For this reason, hubs
are not used as often on modern networks; most organizations use switches instead.

A switch forwards packets between devices directly connected to it. It maintains a MAC address table
that matches MAC addresses of devices on the network to port numbers on the switch and forwards
incoming data packets according to the destination MAC address. Switches are a part of the data link
layer in the TCP/IP model.
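
To make the difference between the two devices concrete, here is an added example (not part of the original course material) that models a hub and a switch and counts how many frames of a two-host conversation reach a third, uninvolved port. The class names, port numbers, and MAC addresses are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeats every frame out of every port except the one it arrived on."""

    def __init__(self, port_count):
        self.port_count = port_count

    def receive(self, in_port, src_mac, dst_mac):
        return [p for p in range(self.port_count) if p != in_port]


class Switch:
    """Learns which MAC address is on which port and forwards accordingly."""

    def __init__(self, port_count):
        self.port_count = port_count
        self.mac_table = {}  # MAC address -> port number

    def receive(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port      # learn the sender's port
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            # Broadcast or not-yet-learned destination: send to all other ports.
            return [p for p in range(self.port_count) if p != in_port]
        if out_port == in_port:
            return []                          # destination is on the same port
        return [out_port]


def frames_seen_on(device, frames, monitor_port):
    """Count how many of the frames are sent out of monitor_port."""
    return sum(monitor_port in device.receive(*frame) for frame in frames)


# Constructed traffic: host A (port 0) and host B (port 1) exchange frames.
# Port 2 belongs to a third device that takes no part in the conversation.
HOST_A, HOST_B = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02"
FRAMES = [
    (0, HOST_A, HOST_B),  # B's port is not known yet
    (1, HOST_B, HOST_A),
    (0, HOST_A, HOST_B),
    (1, HOST_B, HOST_A),
    (0, HOST_A, HOST_B),
]

if __name__ == "__main__":
    switch = Switch(4)
    print("hub, frames visible on port 2:   ", frames_seen_on(Hub(4), FRAMES, 2))
    print("switch, frames visible on port 2:", frames_seen_on(switch, FRAMES, 2))
    print("switch MAC address table:", switch.mac_table)
```

On the hub every frame is visible on the uninvolved port; on the switch only the first frame is, because it was sent before the switch had learned where host B is.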

Routers

Routers sit between networks and direct traffic, based on the IP address of the destination network. In
the TCP/IP model, routers are a part of the network layer. The IP address of the destination network is
contained in the IP header. The router reads the header information and forwards the packet to the
next router on the path to the destination. This continues until the packet reaches the destination
network. Routers can also include a firewall feature that allows or blocks incoming traffic based on
information in the transmission. This stops malicious traffic from entering the private network and
damaging the local area network.

Modems and wireless access points

Modems

Modems usually interface with an internet service provider (ISP). ISPs provide internet connectivity via
telephone lines or coaxial cables. Modems receive transmissions from the internet and translate them
into digital signals that can be understood by the devices on the network. Usually, modems connect to a
router that takes the decoded transmissions and sends them on to the local network.

Note: Enterprise networks used by large organizations to connect their users and devices often use
other broadband technologies to handle high-volume traffic, instead of using a modem.

Wireless access point

A wireless access point sends and receives digital signals over radio waves, creating a wireless network.
Devices with wireless adapters connect to the access point using Wi-Fi. Wi-Fi refers to a set of standards
that are used by network devices to communicate wirelessly. Wireless access points and the devices
connected to them use Wi-Fi protocols to send data through radio waves where they are sent to routers
and switches and directed along the path to their final destination.

Using network diagrams as a security analyst

Network diagrams allow network administrators and security personnel to imagine the architecture and
design of their organization’s private network.

Network diagrams are topographical maps that show the devices on the network and how they connect.
Network diagrams use small representative graphics to portray each network device and dotted lines to
show how each device connects to the other. Security analysts use network diagrams to learn about
network architecture and how to design networks.

Cloud computing and software-defined networks


In this section of the course, you’ve been learning the basic architecture of networks. You’ve learned
about how physical network devices like workstations, servers, routers, and switches connect to each
other to create a network. Networks may cover small geographical areas, as is the case in a local area
network (LAN). Or they may span a large geographic area, like a city, state, or country, as is the case in a
wide area network (WAN). You also learned about cloud networks and how cloud computing has grown
in recent years.

In this reading, you will further examine the concepts of cloud computing and cloud networking. You’ll
learn about software-defined networks, virtualization tools, and the difference between a cloud server
and a web server. This reading will also cover the benefits of hosting networks in the cloud and why
cloud-hosting is beneficial for large organizations.

Computing processes in the cloud

Traditional networks are called on-premise networks, which means that all of the devices used for
network operations are kept at a physical location owned by the company, like in an office building, for
example. Cloud computing, however, refers to the practice of using remote servers, applications, and
network services that are hosted on the internet instead of at a physical location owned by the company.

A cloud service provider (CSP) is a company that offers cloud computing services. These companies own
large data centers in locations around the globe that house millions of servers. Data centers provide
technology services, such as storage and compute, at such a large scale that they can sell their services
to other companies for a fee. Companies can pay for the storage and services they need and consume
them through the CSP’s application programming interface (API) or web console.

CSPs provide three main categories of services:

Software as a service (SaaS) refers to software suites operated by the CSP that a company can use
remotely without hosting the software.

Infrastructure as a service (IaaS) refers to the use of virtual computer components offered by the CSP.
These include virtual containers and storage that are configured remotely through the CSP’s API or web
console. Cloud-compute and storage services can be used to operate existing applications and other
technology workloads without significant modifications. Existing applications can be modified to take
advantage of the availability, performance, and security features that are unique to cloud provider
services.

Platform as a service (PaaS) refers to tools that application developers can use to design custom
applications for their company. Custom applications are designed and accessed in the cloud and used for
a company’s specific business needs.

Hybrid cloud environments

When organizations use a CSP’s services in addition to their on-premise computers, networks, and
storage, it is referred to as a hybrid cloud environment. When organizations use more than one CSP, it is
called a multi-cloud environment. The vast majority of organizations use hybrid cloud environments to
reduce costs and maintain control over network resources.

Software-defined networks

CSPs offer networking tools similar to the physical devices that you have learned about in this section of
the course. Next, you’ll review software-defined networking in the cloud. Software-defined networks
(SDNs) are made up of virtual network devices and services. Just like CSPs provide virtual computers,
many SDNs also provide virtual switches, routers, firewalls, and more. Most modern network hardware
devices also support network virtualization and software-defined networking. This means that physical
switches and routers use software to perform packet routing. In the case of cloud networking, the SDN
tools are hosted on servers located at the CSP’s data center.

Benefits of cloud computing and software-defined networks

Three of the main reasons that cloud computing is so attractive to businesses are reliability, decreased
cost, and increased scalability.

Reliability

Reliability in cloud computing is based on how available cloud services and resources are, how secure
connections are, and how often the services are effectively running. Cloud computing allows employees
and customers to access the resources they need consistently and with minimal interruption.

Cost

Traditionally, companies have had to provide their own network infrastructure, at least for internet
connections. This meant there could be potentially significant upfront costs for companies. However,
because CSPs have such large data centers, they are able to offer virtual devices and services at a
fraction of the cost required for companies to install, patch, upgrade, and manage the components and
software themselves.

Scalability

Another challenge that companies face with traditional computing is scalability. When organizations
experience an increase in their business needs, they might be forced to buy more equipment and
software to keep up. But what if business decreases shortly after? They might no longer have the
business to justify the cost incurred by the upgraded components. CSPs reduce this risk by making it
easy to consume services in an elastic utility model as needed. This means that companies only pay for
what they need when they need it.

Changes can be made quickly through the CSP’s API or web console—much more quickly than if
network technicians had to purchase their own hardware and set it up. For example, if a company needs
to protect against a threat to their network, web application firewalls (WAFs), intrusion
detection/prevention systems (IDS/IPS), or L3/L4 firewalls can be configured quickly whenever necessary,
leading to better network performance and security.

TCP/IP model

In this reading, you will build on what you have learned about the Transmission Control
Protocol/Internet Protocol (TCP/IP) model, consider the differences between the Open Systems
Interconnection (OSI) model and TCP/IP model, and learn how they’re related. Then, you’ll review each
layer of the TCP/IP model and go over common protocols used in each layer.

As a security professional, it's important that you understand the TCP/IP model because all
communication on a network is organized using network protocols. Network protocols are a language
that systems use to communicate with each other. In order for two network systems to successfully
communicate with each other, they need to use the same protocol. The two most common models
available are the TCP/IP and the OSI model. These models are a representative guideline of how
network communications work together and move throughout the network and the host. The examples
provided in this course will follow the TCP/IP model.

The TCP/IP model

The TCP/IP model is a framework used to visualize how data is organized and transmitted across a
network. This model helps network engineers and network security analysts conceptualize processes on
the network and communicate where disruptions or security threats occur.

The TCP/IP model has four layers: network access layer, internet layer, transport layer, and application
layer. When troubleshooting issues on the network, security professionals can analyze and deduce
which layer or layers an attack occurred in based on what processes were involved in an incident.

Network access layer

The network access layer, sometimes called the data link layer, organizes sending and receiving data
frames within a single network. This layer corresponds to the physical hardware involved in network
transmission. Hubs, modems, cables, and wiring are all considered part of this layer. The address
resolution protocol (ARP) is part of the network access layer. ARP assists IP with directing data packets
on the same physical network by mapping IP addresses to MAC addresses on the same physical network.

Internet layer

The internet layer, sometimes referred to as the network layer, is responsible for ensuring the delivery
to the destination host, which potentially resides on a different network. The internet layer determines
which protocol is responsible for delivering the data packets. Here are some of the common protocols
that operate at the internet layer:

* Internet Protocol (IP). IP sends the data packets to the correct destination and relies on Transmission
Control Protocol/User Datagram Protocol (TCP/UDP) to deliver them to the corresponding service. IP
packets allow communication between two networks. They are routed from the sending network to the
receiving network. It retransmits any data that is lost or corrupt.
* Internet Control Message Protocol (ICMP). ICMP shares error information and status updates of data
packets. This is useful for detecting and troubleshooting network errors. ICMP reports information
about packets that were dropped or disappeared in transit, issues with network connectivity, and
packets redirected to other routers.

Transport layer

The transport layer is responsible for reliably delivering data between two systems or networks. TCP
and UDP are the two transport protocols that occur at this layer.

Transmission Control Protocol

TCP ensures that data is reliably transmitted to the destination service. TCP contains the port number of
the intended destination service, which resides in the TCP header of a TCP/IP packet.

User Datagram Protocol

UDP is used by applications that are not concerned with reliability of the transmission. Data sent over
UDP is not tracked as extensively as data sent using TCP. Because UDP does not establish network
connections, it is used mostly for performance-sensitive applications that operate in real time, such as
video streaming.

Application layer

The application layer in the TCP/IP model is similar to the application, presentation, and session layers
of the OSI model. The application layer is responsible for making network requests or responding to
requests. This layer defines which internet services and applications any user can access. Some common
protocols used on this layer are:

1 Hypertext transfer protocol (HTTP)

2 Simple mail transfer protocol (SMTP)

3 Secure shell (SSH)

4 File transfer protocol (FTP)

5 Domain name system (DNS)

Application layer protocols rely on underlying layers to transfer the data across the network.
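
The four layers can be seen in a single captured frame. The following added example (not part of the original course material) builds a constructed frame and then reads it layer by layer: MAC addresses at the network access layer, IP addresses at the internet layer, port numbers at the transport layer, and the request itself at the application layer. It assumes Ethernet framing and IPv4; all addresses, ports, and payloads are constructed, and checksums are left at zero and not verified.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(proto, src_port, dst_port, payload):
    """Build a constructed Ethernet/IPv4/TCP-or-UDP frame for the demo."""
    if proto == PROTO_TCP:
        # 0x5018 = header length of 5 words plus the PSH and ACK flags
        segment = struct.pack("!HHIIHHHH", src_port, dst_port, 1, 1,
                              0x5018, 65535, 0, 0)
    else:
        segment = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0)
    segment += payload
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 1, 0,
                            64, proto, 0, socket.inet_aton("192.168.1.20"),
                            socket.inet_aton("203.0.113.10"))
    ethernet = struct.pack("!6s6sH", bytes.fromhex("00163e0000fe"),
                           bytes.fromhex("00163e00002a"), ETHERTYPE_IPV4)
    return ethernet + ip_header + segment


def mac_to_text(raw):
    return ":".join(f"{byte:02x}" for byte in raw)


def parse_frame(frame):
    """Return what each TCP/IP layer contributes to the frame, as a dict."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers = {"network_access": {"src_mac": mac_to_text(src_mac),
                                 "dst_mac": mac_to_text(dst_mac)}}
    if ethertype != ETHERTYPE_IPV4:
        return layers                      # e.g. ARP: no IP header follows
    packet = frame[14:]
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _, total_len, _, _, ttl, proto, _,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    header_len = (ver_ihl & 0x0F) * 4      # IP header length can exceed 20
    if ver_ihl >> 4 != 4 or header_len < 20 or len(packet) < header_len:
        raise ValueError("not a valid IPv4 header")
    layers["internet"] = {"src_ip": socket.inet_ntoa(src_ip),
                          "dst_ip": socket.inet_ntoa(dst_ip), "ttl": ttl}
    segment = packet[header_len:total_len]
    if proto == PROTO_TCP:
        if len(segment) < 20:
            raise ValueError("truncated TCP header")
        src_port, dst_port, _, _, off_flags = struct.unpack("!HHIIH", segment[:14])
        name, payload = "TCP", segment[(off_flags >> 12) * 4:]
    elif proto == PROTO_UDP:
        if len(segment) < 8:
            raise ValueError("truncated UDP header")
        src_port, dst_port = struct.unpack("!HH", segment[:4])
        name, payload = "UDP", segment[8:]
    else:
        return layers                      # e.g. ICMP: no ports to report
    layers["transport"] = {"protocol": name, "src_port": src_port,
                           "dst_port": dst_port}
    first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    layers["application"] = {"bytes": len(payload), "first_line": first_line}
    return layers


# Constructed HTTP request carried over TCP to port 80.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_FRAME = build_frame(PROTO_TCP, 49152, 80, HTTP_REQUEST)

if __name__ == "__main__":
    for layer, fields in parse_frame(SAMPLE_FRAME).items():
        print(f"{layer:15} {fields}")
```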

TCP/IP model versus OSI model

The OSI model visually organizes network protocols into different layers. Network professionals often use this
model to communicate with each other about potential sources of problems or security threats when
they occur.

The TCP/IP model combines multiple layers of the OSI model. There are many similarities between the
two models. Both models define standards for networking and divide the network communication
process into different layers. The TCP/IP model is a simplified version of the OSI model.

The OSI model


So far in this section of the course, you learned about the components of a network, network devices,
and how network communication occurs across a network.

All communication on a network is organized using network protocols. Previously, you learned about the
Transmission Control Protocol (TCP), which establishes connections between two devices, and the
Internet Protocol (IP), which is used for routing and addressing data packets as they travel between
devices on a network. This reading will continue to explore the seven layers of the Open Systems
Interconnection (OSI) model and the processes that occur at each layer. We will work backwards from
layer seven to layer one, going from the processes that involve the everyday network user to those that
involve the most basic networking components, like network cables and switches. This reading will also
review the main differences between the TCP/IP and OSI models.

The TCP/IP model vs. the OSI model

The TCP/IP model is a framework used to visualize how data is organized and transmitted across a
network. This model helps network engineers and network security analysts design the data network,
conceptualize processes on the network, and communicate where disruptions or security threats
occur.

The TCP/IP model has four layers: network access layer, internet layer, transport layer, and application
layer. When analyzing network events, security professionals can determine what layer or layers an
attack occurred in based on what processes were involved in the incident.

The OSI model is a standardized concept that describes the seven layers computers use to communicate
and send data over the network. Network and security professionals often use this model to
communicate with each other about potential sources of problems or security threats when they occur.
Some organizations rely heavily on the TCP/IP model, while others prefer to use the OSI model. As a
security analyst, it’s important to be familiar with both models. Both the TCP/IP and OSI models are
useful for understanding how networks work.

Layer 7: Application layer

The application layer includes processes that directly involve the everyday user. This layer includes all of
the networking protocols that software applications use to connect a user to the internet. This
characteristic is the identifying feature of the application layer—user connection to the network via
applications and requests.

An example of a type of communication that happens at the application layer is using a web browser.
The internet browser uses HTTP or HTTPS to send and receive information from the website server. The
email application uses simple mail transfer protocol (SMTP) to send and receive email information. Also,
web browsers use the domain name system (DNS) protocol to translate website domain names into IP
addresses which identify the web server that hosts the information for the website.

Layer 6: Presentation layer

Functions at the presentation layer involve data translation and encryption for the network. This layer
adds to and replaces data with formats that can be understood by applications (layer 7) on both sending
and receiving systems. Formats at the user end may be different from those of the receiving system.
Processes at the presentation layer require the use of a standardized format.

Some formatting functions that occur at layer 6 include encryption, compression, and confirmation that
the character code set can be interpreted on the receiving system. One example of encryption that
takes place at this layer is SSL, which encrypts data between web servers and browsers as part of
websites with HTTPS.

Layer 5: Session layer

A session describes when a connection is established between two devices. An open session allows the
devices to communicate with each other. Session layer protocols keep the session open while
data is being transferred and terminate the session once the transmission is complete.

The session layer is also responsible for activities such as authentication, reconnection, and setting
checkpoints during a data transfer. If a session is interrupted, checkpoints ensure that the transmission
picks up at the last session checkpoint when the connection resumes. Sessions include a request and
response between applications. Functions in the session layer respond to requests for service from
processes in the presentation layer (layer 6) and send requests for services to the transport layer (layer
4).

Layer 4: Transport layer


The transport layer is responsible for delivering data between devices. This layer also handles the speed
of data transfer, flow of the transfer, and breaking data down into smaller segments to make them
easier to transport. Segmentation is the process of dividing up a large data transmission into smaller
pieces that can be processed by the receiving system. These segments need to be reassembled at their
destination so they can be processed at the session layer (layer 5). The speed and rate of the
transmission also has to match the connection speed of the destination system. TCP and UDP are
transport layer protocols.

Layer 3: Network layer

The network layer oversees receiving the frames from the data link layer (layer 2) and delivering them to
the intended destination. The intended destination can be found based on the address that resides in
the frame of the data packets. Data packets allow communication between two networks. These
packets include IP addresses that tell routers where to send them. They are routed from the sending
network to the receiving network.

Layer 2: Data link layer

The data link layer organizes sending and receiving data packets within a single network. The data link
layer is home to switches on the local network and network interface cards on local devices.

Protocols like network control protocol (NCP), high-level data link control (HDLC), and synchronous data
link control protocol (SDLC) are used at the data link layer.

Layer 1: Physical layer

As the name suggests, the physical layer corresponds to the physical hardware involved in network
transmission. Hubs, modems, and the cables and wiring that connect them are all considered part of the
physical layer. To travel across an ethernet or coaxial cable, a data packet needs to be translated into a
stream of 0s and 1s. The stream of 0s and 1s are sent across the physical wiring and cables, received,
and then passed on to higher levels of the OSI model.

Components of network layer communication

In the reading about the OSI model, you learned about the seven layers of the OSI model that are used
to conceptualize the way data is transmitted across the internet. In this reading, you will learn more
about operations that take place at layer 3 of the OSI model: the network layer.

Operations at the network layer

Functions at the network layer organize the addressing and delivery of data packets across the network
and internet from the host device to the destination device. This includes directing the packets from one
router to another router across the internet, based on the internet protocol (IP) address of the
destination network. The destination IP address is contained within the header of each data packet. This
address will be stored for future routing purposes in routing tables along the packet’s path to its
destination.

All data packets include an IP address; this is referred to as an IP packet or datagram. A router uses the
IP address to route packets from network to network based on information contained in the IP header
of a data packet. Header information communicates more than just the address of the destination. It
also includes information such as the source IP address, the size of the packet, and which protocol will
be used for the data portion of the packet.

Format of an IPv4 packet

Next, you can review the format of an IP version 4 (IPv4) packet and review a detailed graphic of the
packet header. An IPv4 packet is made up of two sections, the header and the data:

* The size of the IP header ranges from 20 to 60 bytes. The header includes the IP routing information
that devices use to direct the packet. The format of an IP packet header is determined by the IPv4
protocol.

* The length of the data section of an IPv4 packet can vary greatly in size. However, the maximum
possible size of an IP packet is 65,535 bytes. The data section contains the message being transferred,
like website information or email text.

There are 13 fields within the header of an IPv4 packet:

Version: The first 4-bit header field tells receiving devices what protocol the packet is using. The packet
used in the illustration above is an IPv4 packet.

IP Header Length (HLEN): HLEN is the packet’s header length. This value indicates where the packet
header ends and the data segment begins.

Type of Service (ToS): Routers prioritize packets for delivery to maintain quality of service on the
network. The ToS field provides the router with this information.

Total Length: This field communicates the total length of the entire IP packet, including the header and
data. The maximum size of an IPv4 packet is 65,535 bytes.

Identification: For IPv4 packets that are larger than 65,535 bytes, the packets are divided, or
fragmented, into smaller IP packets. The identification field provides a unique identifier for all the
fragments of the original IP packet so that they can be reassembled once they reach their destination.

Flags: This field provides the routing device with more information about whether the original packet
has been fragmented and if there are more fragments in transit.

Fragmentation Offset: The fragment offset field tells routing devices where in the original packet the
fragment belongs.

Time to Live (TTL): TTL prevents data packets from being forwarded by routers indefinitely. It contains a
counter that is set by the source. The counter is decremented by one as it passes through each router
along its path. When the TTL counter reaches zero, the router currently holding the packet will discard
the packet and return an ICMP Time Exceeded error message to the sender.

Protocol: The protocol field tells the receiving device which protocol will be used for the data portion of
the packet.

Header Checksum: The header checksum field contains a checksum that can be used to detect
corruption of the IP header in transit. Corrupted packets are discarded.

Source IP Address: The source IP address is the IPv4 address of the sending device.

Destination IP Address: The destination IP address is the IPv4 address of the destination device.

Options: The options field allows for security options to be applied to the packet if the HLEN value is
greater than five. The field communicates these options to the routing devices.
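
The 13 fields described above can be decoded and sanity-checked directly from raw bytes. The following is an added example, not part of the original course reading; the function names and the sample packet (documentation addresses 198.51.100.7 and 203.0.113.5) are constructed for illustration.

```python
import socket
import struct

def header_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the 13 header fields, validating lengths before trusting them."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte minimum header")
    (ver_hlen, tos, total_len, ident, flags_frag,
     ttl, proto, checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, hlen = ver_hlen >> 4, ver_hlen & 0x0F
    header_bytes = hlen * 4                 # HLEN counts 32-bit words
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    if hlen < 5 or header_bytes > len(packet):
        raise ValueError(f"invalid HLEN {hlen}")
    if total_len < header_bytes:
        raise ValueError("Total Length is smaller than the header")
    return {
        "version": version,
        "hlen": hlen,
        "tos": tos,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),     # Flags: DF bit
        "more_fragments": bool(flags_frag & 0x2000),    # Flags: MF bit
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # stored in 8-byte units
        "ttl": ttl,
        "protocol": proto,                              # 6 = TCP, 17 = UDP, 1 = ICMP
        "checksum": checksum,
        # Summing a valid header, checksum field included, yields zero.
        "checksum_ok": header_checksum(packet[:header_bytes]) == 0,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "options": packet[20:header_bytes],             # present only if HLEN > 5
        "data": packet[header_bytes:total_len],
    }

def build_sample_packet() -> bytes:
    """Constructed sample: 198.51.100.7 -> 203.0.113.5, TTL 64, TCP, DF set."""
    payload = b"constructed payload"
    fields = [0x45, 0, 20 + len(payload), 0x1C46, 0x4000, 64, 6, 0,
              socket.inet_aton("198.51.100.7"), socket.inet_aton("203.0.113.5")]
    header = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = header_checksum(header)     # computed with the checksum field zeroed
    return struct.pack("!BBHHHBBH4s4s", *fields) + payload

if __name__ == "__main__":
    for name, value in parse_ipv4_header(build_sample_packet()).items():
        print(f"{name:16} {value}")
```

A header whose checksum does not verify, or whose HLEN or Total Length contradicts the bytes actually received, should be treated as corrupt or malformed rather than parsed further.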

Difference between IPv4 and IPv6

In an earlier part of this course, you learned about the history of IP addressing. As the internet grew, it
became clear that all of the IPv4 addresses would eventually be depleted; this is called IPv4 address
exhaustion. At the time, no one had anticipated how many computing devices would need an IP address
in the future. IPv6 was developed to mitigate IPv4 address exhaustion and other related concerns.

One of the key differences between IPv4 and IPv6 is the length of the addresses. IPv4 addresses are
numeric, made of 4 bytes, and allow for up to 4.3 billion possible addresses. An example of an IPv4
address would be: 198.51.100.0. IPv6 addresses are hexadecimal, made up of 16 bytes, and allow for up
to 340 undecillion addresses (340 followed by 36 zeros). An example of an IPv6 address would be:
2002:0db8:0000:0000:0000:ff21:0023:1234.

There are also some differences in the layout of an IPv6 packet header. The IPv6 header format is much
simpler than IPv4. For example, the IPv4 header includes the HLEN, Identification, and Flags fields,
whereas the IPv6 header does not. The IPv6 header introduces different fields not included in IPv4
headers, such as the Flow Label and Traffic Class.

There are some important security differences between IPv4 and IPv6. IPv6 offers more efficient routing
and eliminates private address collisions that can occur on IPv4 when two devices on the same network
are attempting to use the same address.

Network protocols

A network protocol is a set of rules used by two or more devices on a network to describe the order of
delivery and the structure of data. Network protocols serve as instructions that come with the
information in the data packet. These instructions tell the receiving device what to do with the data.
Protocols are like a common language that allows devices all across the world to communicate with and
understand each other.

Even though network protocols perform an essential function in network communication, security
analysts should still understand their associated security implications. Some protocols have
vulnerabilities that malicious actors exploit. For example, a nefarious actor could use the Domain Name
System (DNS) protocol, which resolves web addresses to IP addresses, to divert traffic from a legitimate
website to a malicious website containing malware. You’ll learn more about this topic in upcoming
course materials.

Three categories of network protocols

Network protocols can be divided into three main categories: communication protocols, management
protocols, and security protocols. There are dozens of different network protocols, but you don’t need
to memorize all of them for an entry-level security analyst role. However, it’s important for you to know
the ones listed in this reading.

Communication protocols

Communication protocols govern the exchange of information in network transmission. They dictate
how the data is transmitted between devices and the timing of the communication. They also include
methods to recover data lost in transit. Here are a few of them.

* Transmission Control Protocol (TCP) is an internet communication protocol that allows two devices to
form a connection and stream data. TCP uses a three-way handshake process. First, the device sends a
synchronize (SYN) request to a server. Then the server responds with a SYN/ACK packet to acknowledge
receipt of the device's request. Once the server receives the final ACK packet from the device, a TCP
connection is established. In the TCP/IP model, TCP occurs at the transport layer.

* User Datagram Protocol (UDP) is a connectionless protocol that does not establish a connection
between devices before a transmission. This makes it less reliable than TCP. But it also means that it
works well for transmissions that need to get to their destination quickly. For example, one use of UDP is
for internet gaming transmissions. In the TCP/IP model, UDP occurs at the transport layer.

* Hypertext Transfer Protocol (HTTP) is an application layer protocol that provides a method of
communication between clients and website servers. HTTP uses port 80. HTTP is considered insecure, so
it is being replaced on most websites by a secure version, called HTTPS. However, there are still many
websites that use the insecure HTTP protocol. In the TCP/IP model, HTTP occurs at the application layer.

* Domain Name System (DNS) is a protocol that translates internet domain names into IP addresses.
When a client computer wishes to access a website domain using their internet browser, a query is sent
to a dedicated DNS server. The DNS server then looks up the IP address that corresponds to the website
domain. DNS normally uses UDP on port 53. However, if the DNS reply to a request is large, it will switch
to using the TCP protocol. In the TCP/IP model, DNS occurs at the application layer.

Management Protocols

The next category of network protocols is management protocols. Management protocols are used for
monitoring and managing activity on a network. They include protocols for error reporting and
optimizing performance on the network.

* Simple Network Management Protocol (SNMP) is a network protocol used for monitoring and
managing devices on a network. SNMP can reset a password on a network device or change its baseline
configuration. It can also send requests to network devices for a report on how much of the network’s
bandwidth is being used up. In the TCP/IP model, SNMP occurs at the application layer.

* Internet Control Message Protocol (ICMP) is an internet protocol used by devices to tell each other
about data transmission errors across the network. ICMP is used by a receiving device to send a report
to the sending device about the data transmission. ICMP is commonly used as a quick way to
troubleshoot network connectivity and latency by issuing the “ping” command on a Linux operating
system. In the TCP/IP model, ICMP occurs at the internet layer.

Security Protocols

Security protocols are network protocols that ensure that data is sent and received securely across a
network. Security protocols use encryption algorithms to protect data in transit. Below are some
common security protocols.

* Hypertext Transfer Protocol Secure (HTTPS) is a network protocol that provides a secure method of
communication between clients and website servers. HTTPS is a secure version of HTTP that uses secure
sockets layer/transport layer security (SSL/TLS) encryption on all transmissions so that malicious actors
cannot read the information contained. HTTPS uses port 443. In the TCP/IP model, HTTPS occurs at the
application layer.

* Secure File Transfer Protocol (SFTP) is a secure protocol used to transfer files from one device to
another over a network. SFTP uses secure shell (SSH), typically through TCP port 22. SSH uses Advanced
Encryption Standard (AES) and other types of encryption to ensure that unintended recipients cannot
intercept the transmissions. In the TCP/IP model, SFTP occurs at the application layer. SFTP is used often
with cloud storage. Every time a user uploads or downloads a file from cloud storage, the file is
transferred using the SFTP protocol.

Note: The encryption protocols mentioned do not conceal the source or destination IP address of
network traffic. This means a malicious actor can still learn some basic information about the network
traffic if they intercept it.

Network Address Translation

The devices on your local home or office network each have a private IP address that they use to
communicate directly with each other. In order for the devices with private IP addresses to
communicate with the public internet, they need to have a public IP address. Otherwise, responses will
not be routed correctly. Instead of having a dedicated public IP address for each of the devices on the
local network, the router can replace a private source IP address with its public IP address and perform
the reverse operation for responses. This process is known as Network Address Translation (NAT) and it
generally requires a router or firewall to be specifically configured to perform NAT. NAT is a part of layer
2 (internet layer) and layer 3 (transport layer) of the TCP/IP model.

Private IP addresses:
* Assigned by network admins
* Unique only within private network
* No cost to use
* Address ranges: 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255

Public IP addresses:
* Assigned by ISP and IANA
* Unique address in global internet
* Costs to lease a public IP address
* Address ranges: 1.0.0.0-9.255.255.255, 11.0.0.0-126.255.255.255, 128.0.0.0-172.15.255.255,
172.32.0.0-192.167.255.255, 192.169.0.0-233.255.255.255
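
The translation step described above, as an added example that is not part of the original course reading. It goes beyond the text by also translating source ports, which is how a single public address is commonly shared by many devices; the NatRouter class, the port numbers, and the sample addresses are hypothetical.

```python
import ipaddress

# The three private address ranges listed above, written as CIDR networks.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)

class NatRouter:
    """Source NAT with port translation (hypothetical class for illustration)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_flow = {}          # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.by_public_port = {}   # public port -> the same flow tuple

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a private source to the router's public address."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address")
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.by_flow:
            if self.next_port > 65535:
                raise RuntimeError("no public ports left for new flows")
            self.by_flow[flow] = self.next_port
            self.by_public_port[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.by_flow[flow], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Reverse the translation for a reply; return None to drop the packet."""
        flow = self.by_public_port.get(dst_port)
        # Only the remote endpoint that the inside device contacted may answer.
        if flow is None or flow[2:] != (src_ip, src_port):
            return None
        private_ip, private_port = flow[:2]
        return (src_ip, src_port, private_ip, private_port)

if __name__ == "__main__":
    router = NatRouter("203.0.113.10")   # constructed public address
    print(router.outbound("192.168.1.20", 51000, "198.51.100.80", 443))
    print(router.inbound("198.51.100.80", 443, 40000))   # reply: translated back
    print(router.inbound("198.51.100.99", 443, 40000))   # unsolicited: dropped
```

Because inbound packets are forwarded only when they match an existing translation entry, devices behind the router are not directly reachable from the internet unless a mapping is explicitly configured.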

Dynamic Host Control Protocol

Dynamic Host Control Protocol (DHCP) is in the management family of network protocols. DHCP is an
application layer protocol used on a network to configure devices. It assigns a unique IP address and
provides the addresses of the appropriate DNS server and default gateway for each device. DHCP
servers operate on UDP port 67 while DHCP clients operate on UDP port 68.

Address Resolution Protocol

By now, you are familiar with IP and MAC addresses. You’ve learned that each device on a network has
both an IP address that identifies it on the network and a MAC address that is unique to that network
interface. A device’s IP address may change over time, but its MAC address is permanent. Address
Resolution Protocol (ARP) is an internet layer protocol in the TCP/IP model used to translate the IP
addresses that are found in data packets into the MAC address of the hardware device.

Each device on the network performs ARP and keeps track of matching IP and MAC addresses in an ARP
cache. ARP does not have a specific port number.

Telnet

Telnet is an application layer protocol that allows a device to communicate with another device or
server. Telnet sends all information in clear text. It uses command line prompts to control another
device similar to secure shell (SSH), but Telnet is not as secure as SSH. Telnet can be used to connect to
local or remote devices and uses TCP port 23.

Secure shell

Secure shell protocol (SSH) is used to create a secure connection with a remote system. This application
layer protocol provides an alternative for secure authentication and encrypted communication. SSH
operates over the TCP port 22 and is a replacement for less secure protocols, such as Telnet.

Post office protocol

Post office protocol (POP) is an application layer (layer 4 of the TCP/IP model) protocol used to manage
and retrieve email from a mail server. Many organizations have a dedicated mail server on the network
that handles incoming and outgoing mail for users on the network. User devices will send requests to
the remote mail server and download email messages locally. If you have ever refreshed your email
application and had new emails populate in your inbox, you are experiencing POP and internet message
access protocol (IMAP) in action. Unencrypted, plaintext authentication uses TCP/UDP port 110 and
encrypted emails use Secure Sockets Layer/Transport Layer Security (SSL/TLS) over TCP/UDP port
995. When using POP, mail has to finish downloading on a local device before it can be read and it does
not allow a user to sync emails.

Internet Message Access Protocol (IMAP)

IMAP is used for incoming email. It downloads the headers of emails, but not the content. The content
remains on the email server, which allows users to access their email from multiple devices. IMAP uses
TCP port 143 for unencrypted email and TCP port 993 over the TLS protocol. Using IMAP allows users to
partially read email before it is finished downloading and to sync emails. However, IMAP is slower than
POP3.

Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP) is used to transmit and route email from the sender to the
recipient’s address. SMTP works with Message Transfer Agent (MTA) software, which searches DNS
servers to resolve email addresses to IP addresses, to ensure emails reach their intended destination.
SMTP uses TCP/UDP port 25 for unencrypted emails and TCP/UDP port 587 using TLS for encrypted
emails. The TCP port 25 is often used by high-volume spam. SMTP helps to filter out spam by regulating
how many emails a source can send at a time.

Protocols and port numbers

Remember that port numbers are used by network devices to determine what should be done with the
information contained in each data packet once they reach their destination. Firewalls can filter out
unwanted traffic based on port numbers. For example, an organization may configure a firewall to only
allow access to TCP port 995 (POP3) by IP addresses belonging to the organization.

As a security analyst, you will need to know about many of the protocols and port numbers mentioned
in this course. They may be used to determine your technical knowledge in interviews, so it’s a good
idea to memorize them. You will also learn about new protocols on the job in a security position.

Protocol: Port
* DHCP: UDP port 67 (servers), UDP port 68 (clients)
* ARP: none
* Telnet: TCP port 23
* SSH: TCP port 22
* POP3: TCP/UDP port 110 (unencrypted), TCP/UDP port 995 (encrypted, SSL/TLS)
* IMAP: TCP port 143 (unencrypted), TCP port 993 (encrypted, SSL/TLS)
* SMTP: TCP/UDP port 587 (encrypted, TLS)

The evolution of wireless security protocols

In the early days of the internet, all internet communication happened across physical cables. It wasn’t
until the mid-1980s that authorities in the United States designated a spectrum of radio wave
frequencies that could be used without a license, so there was more opportunity for the internet to
expand.

In the late 1990s and early 2000s, technologies were developed to send and receive data over radio.
Today, users access wireless internet through laptops, smart phones, tablets, and desktops. Smart
devices, like thermostats, door locks, and security cameras, also use wireless internet to communicate
with each other and with services on the internet.

Introduction to wireless communication protocols

Many people today refer to wireless internet as Wi-Fi. Wi-Fi refers to a set of standards that define
communication for wireless LANs. Wi-Fi is a marketing term commissioned by the Wireless Ethernet
Compatibility Alliance (WECA). WECA has since renamed their organization Wi-Fi Alliance.

Wi-Fi standards and protocols are based on the 802.11 family of internet communication standards
determined by the Institute of Electrical and Electronics Engineers (IEEE). So, as a security analyst, you
might also see Wi-Fi referred to as IEEE 802.11.

Wi-Fi communications are secured by wireless networking protocols. Wireless security protocols have
evolved over the years, helping to identify and resolve vulnerabilities with more advanced wireless
technologies.

In this reading, you will learn about the evolution of wireless security protocols from WEP to WPA,
WPA2, and WPA3. You’ll also learn how the Wireless Application Protocol was used for mobile internet
communications.

Wired Equivalent Privacy

Wired equivalent privacy (WEP) is a wireless security protocol designed to provide users with the same
level of privacy on wireless network connections as they have on wired network connections. WEP was
developed in 1999 and is the oldest of the wireless security standards.

WEP is largely out of use today, but security analysts should still understand WEP in case they encounter
it. For example, a network router might have used WEP as the default security protocol and the network
administrator never changed it. Or, devices on a network might be too old to support newer Wi-Fi
security protocols. Nevertheless, a malicious actor could potentially break the WEP encryption, so it’s
now considered a high-risk security protocol.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) was developed in 2003 to improve upon WEP, address the security issues
that it presented, and replace it. WPA was always intended to be a transitional measure so backwards
compatibility could be established with older hardware.

The flaws with WEP were in the protocol itself and how the encryption was used. WPA addressed this
weakness by using a protocol called Temporal Key Integrity Protocol (TKIP). WPA's encryption algorithm
uses larger secret keys than WEP's, making it more difficult to guess the key by trial and error.

WPA also includes a message integrity check that includes a message authentication tag with each
transmission. If a malicious actor attempts to alter the transmission in any way or resend it at another
time, WPA’s message integrity check will identify the attack and reject the transmission.

Despite the security improvements of WPA, it still has vulnerabilities. Malicious actors can use a key
reinstallation attack (or KRACK attack) to decrypt transmissions using WPA. Attackers can insert
themselves in the WPA authentication handshake process and insert a new encryption key instead of
the dynamic one assigned by WPA. If they set the new key to all zeros, it is as if the transmission is not
encrypted at all.

Because of this significant vulnerability, WPA was replaced with an updated version of the protocol
called WPA2.

WPA2 & WPA3

WPA2
The second version of Wi-Fi Protected Access—known as WPA2—was released in 2004. WPA2 improves
upon WPA by using the Advanced Encryption Standard (AES). WPA2 also improves upon WPA’s use of
TKIP. WPA2 uses the Counter Mode Cipher Block Chain Message Authentication Code Protocol (CCMP),
which provides encapsulation and ensures message authentication and integrity. Because of the
strength of WPA2, it is considered the security standard for all Wi-Fi transmissions today. WPA2, like its
predecessor, is vulnerable to KRACK attacks. This led to the development of WPA3 in 2018.

Personal
WPA2 personal mode is best suited for home networks for a variety of reasons. It is easy to implement,
and initial setup takes less time for the personal version than for the enterprise version. The global
passphrase for WPA2 personal version needs to be applied to each individual computer and access point
in a network. This makes it ideal for home networks, but unmanageable for organizations.

Enterprise
WPA2 enterprise mode works best for business applications. It provides the necessary security for
wireless networks in business settings. The initial setup is more complicated than WPA2 personal mode,
but enterprise mode offers individualized and centralized control over the Wi-Fi access to a business
network. This means that network administrators can grant or remove user access to a network at any
time. Users never have access to encryption keys, which prevents potential attackers from recovering
network keys on individual computers.

WPA3
WPA3 is a secure Wi-Fi protocol and is growing in usage as more WPA3 compatible devices are released.
These are the key differences between WPA2 and WPA3:
1. WPA3 addresses the authentication handshake vulnerability to KRACK attacks, which is present in
WPA2.

2. WPA3 uses Simultaneous Authentication of Equals (SAE), a password-authenticated, cipher-key-sharing
agreement. This prevents attackers from downloading data from wireless network connections
to their systems to attempt to decode it.

3. WPA3 has increased encryption to make passwords more secure by using 128-bit encryption, with
WPA3-Enterprise mode offering optional 192-bit encryption.

Subnetting and CIDR

Earlier in this course, you learned about network segmentation, a security technique that divides
networks into sections. A private network can be segmented to protect portions of the network from
the internet, which is an unsecured global network.

For example, you learned about the uncontrolled zone, the controlled zone, the demilitarized zone, and
the restricted zone. Feel free to review the video about security zones for a refresher on how network
segmentation can be used to add a layer of security to your organization’s network operations. Creating
security zones is one example of a networking strategy called subnetting.

Overview of subnetting

Subnetting is the subdivision of a network into logical groups called subnets. It works like a network
inside a network. Subnetting divides up a network address range into smaller subnets within the
network. These smaller subnets form based on the IP addresses and network mask of the devices on the
network. Subnetting lets a group of devices function as their own network. This makes the
network more efficient and can also be used to create security zones. If devices on the same subnet
communicate with each other, the switch keeps the transmissions on that subnet,
improving speed and efficiency of the communications.

Classless Inter-Domain Routing notation for subnetting

Classless Inter-Domain Routing (CIDR) is a method of assigning subnet masks to IP addresses to create a
subnet. Classless addressing replaces classful addressing. Classful addressing was used in the 1980s as a
system of grouping IP addresses into classes (Class A to Class E). Each class included a limited number of
IP addresses, which were depleted as the number of devices connecting to the internet outgrew the
classful range in the 1990s. Classless CIDR addressing expanded the number of available IPv4 addresses.

CIDR allows cybersecurity professionals to segment classful networks into smaller chunks. CIDR IP
addresses are formatted like IPv4 addresses, but they include a slash (“/”) followed by a number at the
end of the address. This extra number is called the IP network prefix. For example, a regular IPv4
address uses the 198.51.100.0 format, whereas a CIDR IP address would include the IP network prefix at
the end of the address, 198.51.100.0/24. This CIDR address encompasses all IP addresses between
198.51.100.0 and 198.51.100.255. The system of CIDR addressing reduces the number of entries in
routing tables and provides more available IP addresses within networks. You can try converting CIDR to
IPv4 addresses and vice versa through an online conversion tool, like IPAddressGuide, for practice and to
better understand this concept.
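
The conversion described above, worked through in code as an added example that is not part of the course material: it derives the 198.51.100.0 to 198.51.100.255 range from the /24 prefix with bit masks, then splits the block into four /26 subnets. The zone plan and all function names are assumptions made for illustration.

```python
def ip_to_int(ip):
    """Pack a dotted-quad IPv4 address into one 32-bit integer."""
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value


def int_to_ip(value):
    """Unpack a 32-bit integer back into dotted-quad form."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr):
    """Return (network, prefix, mask) for a string such as '198.51.100.0/24'."""
    address, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {cidr!r}")
    # The prefix is the number of leading 1 bits in the subnet mask.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    # Clearing the host bits gives the first address of the block.
    return ip_to_int(address) & mask, prefix, mask


def cidr_range(cidr):
    """First and last address covered by a CIDR block."""
    network, _, mask = parse_cidr(cidr)
    last = network | (~mask & 0xFFFFFFFF)  # set every host bit
    return int_to_ip(network), int_to_ip(last)


def contains(cidr, ip):
    """True when ip shares the block's network bits."""
    network, _, mask = parse_cidr(cidr)
    return (ip_to_int(ip) & mask) == network


def split(cidr, new_prefix):
    """Divide a block into equal subnets with a longer prefix."""
    network, prefix, _ = parse_cidr(cidr)
    if not prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be at least as long as the original")
    size = 1 << (32 - new_prefix)        # addresses per subnet
    count = 1 << (new_prefix - prefix)   # number of subnets produced
    return [f"{int_to_ip(network + i * size)}/{new_prefix}" for i in range(count)]


# Hypothetical zone plan (an assumption for this example): one /26 per zone.
ZONES = dict(zip(["controlled", "demilitarized", "restricted", "spare"],
                 split("198.51.100.0/24", 26)))


def zone_of(ip, zones=ZONES):
    """Name the zone whose subnet contains ip, or 'uncontrolled' if none does."""
    for name, subnet in zones.items():
        if contains(subnet, ip):
            return name
    return "uncontrolled"


if __name__ == "__main__":
    print(cidr_range("198.51.100.0/24"))
    for name, subnet in ZONES.items():
        print(name, subnet, cidr_range(subnet))
    print(zone_of("198.51.100.70"))
```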

Security benefits of subnetting

Subnetting allows network professionals and analysts to create a network within their own network
without requesting another network IP address from their internet service provider. This process uses
network bandwidth more efficiently and improves network performance. Subnetting is one component
of creating isolated subnetworks through physical isolation, routing configuration, and firewalls.

Virtual networks and privacy


This section of the course covered a lot of information about network operations. You reviewed the
fundamentals of network architecture and communication and can now use this knowledge as you learn
how to secure networks. Securing a private network requires maintaining the confidentiality of your
data and restricting access to authorized users.

In this reading, you will review several network security topics previously covered in the course,
including virtual private networks (VPNs), virtual local area networks (VLANs), proxy servers, firewalls,
tunneling, and security zones. You'll continue to learn more about these concepts and how they relate
to each other as you continue through the course.

By the end of this reading, you will understand the difference between VPN encryption and Wi-Fi
encryption, and you'll be able to differentiate between two common security protocols used with VPNs:
SSL/TLS and IPSec.

Common network protocols

Network protocols are used to direct traffic to the correct device and service depending on the kind of
communication being performed by the devices on the network. Protocols are the rules used by all
network devices that provide a mutually agreed upon foundation for how to transfer data across a
network.

There are three main categories of network protocols: communication protocols, management
protocols, and security protocols.

1 Communication protocols are used to establish connections between servers. Examples include TCP,
UDP, and Simple Mail Transfer Protocol (SMTP), which provides a framework for email communication.

2 Management protocols are used to troubleshoot network issues. One example is the Internet Control
Message Protocol (ICMP).

3 Security protocols provide encryption for data in transit. Examples include IPSec and SSL/TLS.

Some other commonly used protocols are:

* HyperText Transfer Protocol (HTTP). HTTP is an application layer communication protocol. This allows
the browser and the web server to communicate with one another.

* Domain Name System (DNS). DNS is an application layer protocol that translates, or maps, host names
to IP addresses.

* Address Resolution Protocol (ARP). ARP is a network layer communication protocol that maps IP
addresses to physical machines or a MAC address recognized on the local area network.

Wi-Fi

This section of the course also introduced various wireless security protocols, including WEP, WPA,
WPA2, and WPA3. WPA3 encrypts traffic with the Advanced Encryption Standard (AES) cipher as it
travels from your device to the wireless access point. WPA2 and WPA3 offer two modes: personal and
enterprise. Personal mode is best suited for home networks while enterprise mode is generally utilized
for business networks and applications.

Network security tools and practices

Firewalls

Previously, you learned that firewalls are network virtual appliances (NVAs) or hardware devices that
inspect and can filter network traffic before it’s permitted to enter the private network. Traditional
firewalls are configured with rules that tell them what types of data packets are allowed based on the port
number and IP address of the data packet.

There are two main categories of firewalls.

* Stateless: A class of firewall that operates based on predefined rules and does not keep track of
information from data packets

* Stateful: A class of firewall that keeps track of information passing through it and proactively filters
out threats. Unlike stateless firewalls, which require rules to be configured in two directions, a stateful
firewall only requires a rule in one direction. This is because it uses a "state table" to track connections,
so it can match return traffic to an existing session

Next generation firewalls (NGFWs) are the most technologically advanced firewall protection. They
exceed the security offered by stateful firewalls because they include deep packet inspection (a kind of
packet sniffing that examines data packets and takes actions if threats exist) and intrusion prevention
features that detect security threats and notify firewall administrators. NGFWs can inspect traffic at the
application layer of the TCP/IP model and are typically application aware. Unlike traditional firewalls
that block traffic based on IP address and ports, NGFW rules can be configured to block or allow traffic
based on the application. Some NGFWs have additional features like Malware Sandboxing, Network
Anti-Virus, and URL and DNS Filtering.
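
The difference between stateless and stateful filtering described above can be seen by running the same traffic through both. This is an added example, not part of the course material; the addresses, the HTTPS-only policy and the simplified session tracking are assumptions made for illustration.

```python
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # constructed internal network for this example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN-ACK, "A" ACK or data, "F" FIN


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def stateless_allow(pkt):
    """Stateless filter: two rules, one per direction, judged per packet."""
    outbound_rule = is_internal(pkt.src) and pkt.dport == 443
    # The return rule is needed so replies get back in, but it matches any
    # inbound packet with source port 443, whether or not a session exists.
    inbound_rule = is_internal(pkt.dst) and pkt.sport == 443
    return outbound_rule or inbound_rule


class StatefulFirewall:
    """Stateful filter: one outbound rule plus a state table of sessions."""

    def __init__(self):
        self.state_table = set()

    def allow(self, pkt):
        if is_internal(pkt.src) and pkt.dport == 443:  # the single configured rule
            session = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":
                self.state_table.add(session)      # new connection: remember it
            elif pkt.flags == "F":
                # Simplification: real firewalls follow the full TCP close
                # sequence and also expire idle entries on a timer.
                self.state_table.discard(session)
            return True
        # Inbound traffic is allowed only if it mirrors a tracked session.
        mirrored = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return mirrored in self.state_table


# Constructed traffic, in arrival order.
TRAFFIC = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S"),    # client opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA"),   # server replies
    Packet("198.51.100.99", 443, "10.0.0.8", 40000, "A"),   # unsolicited inbound
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "F"),    # client closes
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "A"),    # packet after close
]


def compare(traffic):
    """Return (stateless verdict, stateful verdict) for each packet."""
    firewall = StatefulFirewall()
    return [(stateless_allow(p), firewall.allow(p)) for p in traffic]


if __name__ == "__main__":
    for pkt, (stateless, stateful) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"stateless={stateless} stateful={stateful}")
```

The stateless rules pass the third and fifth packets because nothing ties them to a connection; the state table is what lets the stateful firewall drop them.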

Proxy servers

A proxy server is another way to add security to your private network. Proxy servers utilize network
address translation (NAT) to serve as a barrier between clients on the network and external threats.
Forward proxies handle queries from internal clients when they access resources external to the
network. Reverse proxies function opposite of forward proxies; they handle requests from external
systems to services on the internal network. Some proxy servers can also be configured with rules, like a
firewall. For example, you can create filters to block websites identified as containing malware.

Virtual Private Networks (VPN)

A VPN is a service that encrypts data in transit and disguises your IP address. VPNs use a process called
encapsulation. Encapsulation wraps your encrypted data in an unencrypted data packet, which allows
your data to be sent across the public network while remaining anonymous. Enterprises and other
organizations use VPNs to help protect communications from users’ devices to corporate resources.
Some of these resources include connecting to servers or virtual machines that host business
applications. VPNs can also be used for personal use to increase personal privacy. They allow the user to
access the internet without anyone being able to read their personal information or access their private
IP address. Organizations are increasingly using a combination of VPN and SD-WAN capabilities to secure
their networks. A software-defined wide area network (SD-WAN) is a virtual WAN service that allows
organizations to securely connect users to applications across multiple locations and over large
geographical distances.

Terms and definitions from Course 3, Week 2

Address Resolution Protocol (ARP): A network protocol used to determine the MAC address of the next
router or device on the path

Cloud-based firewalls: Software firewalls that are hosted by the cloud service provider

Controlled zone: A subnet that protects the internal network from the uncontrolled zone

Domain Name System (DNS): A networking protocol that translates internet domain names into IP
addresses

Encapsulation: A process performed by a VPN service that protects your data by wrapping sensitive data
in other data packets

Firewall: A network security device that monitors traffic to or from your network

Forward proxy server: A server that regulates and restricts a person’s access to the internet

Hypertext Transfer Protocol (HTTP): An application layer protocol that provides a method of
communication between clients and website servers

Hypertext Transfer Protocol Secure (HTTPS): A network protocol that provides a secure method of
communication between clients and servers

IEEE 802.11 (Wi-Fi): A set of standards that define communication for wireless LANs

Network protocols: A set of rules used by two or more devices on a network to describe the order of
delivery of data and the structure of data

Network segmentation: A security technique that divides the network into segments

Port filtering: A firewall function that blocks or allows certain port numbers to limit unwanted
communication

Proxy server: A server that fulfills the requests of its clients by forwarding them to other servers

Reverse proxy server: A server that regulates and restricts the internet's access to an internal server

Secure File Transfer Protocol (SFTP): A secure protocol used to transfer files from one device to another
over a network

Secure shell (SSH): A security protocol used to create a shell with a remote system

Security zone: A segment of a company’s network that protects the internal network from the internet

Simple Network Management Protocol (SNMP): A network protocol used for monitoring and managing
devices on a network

Stateful: A class of firewall that keeps track of information passing through it and proactively filters out
threats

Stateless: A class of firewall that operates based on predefined rules and does not keep track of
information from data packets

Transmission Control Protocol (TCP): An internet communication protocol that allows two devices to
form a connection and stream data

Uncontrolled zone: The portion of the network outside the organization

Virtual private network (VPN): A network security service that changes your public IP address and
masks your virtual location so that you can keep your data private when you are using a public network
like the internet

Wi-Fi Protected Access (WPA): A wireless security protocol for devices to connect to the internet

Network interception attacks


Network interception attacks work by intercepting network traffic and stealing valuable
information or interfering with the transmission in some way.

Malicious actors can use hardware or software tools to capture and inspect data in transit. This
is referred to as packet sniffing. In addition to seeing information that they are not entitled to,
malicious actors can also intercept network traffic and alter it. These attacks can cause damage
to an organization’s network by inserting malicious code modifications or altering the message
and interrupting network operations. For example, an attacker can intercept a bank transfer
and change the account receiving the funds to one that the attacker controls.

Later in this course you will learn more about malicious packet sniffing, and other types of
network interception attacks: on-path attacks and replay attacks.

Backdoor attacks
A backdoor attack is another type of attack you will need to be aware of as a security analyst.
An organization may have a lot of security measures in place, including cameras, biometric
scans and access codes to keep employees from entering and exiting without being seen.
However, an employee might work around the security measures by finding a backdoor to the
building that is not as heavily monitored, allowing them to sneak out for the afternoon without
being seen.

In cybersecurity, backdoors are weaknesses intentionally left by programmers or system and
network administrators that bypass normal access control mechanisms. Backdoors are intended
to help programmers conduct troubleshooting or administrative tasks. However, backdoors can
also be installed by attackers after they’ve compromised an organization to ensure they have
persistent access.

Once the hacker has entered an insecure network through a backdoor, they can cause
extensive damage: installing malware, performing a denial of service (DoS) attack, stealing
private information or changing other security settings that leave the system vulnerable to
other attacks. A DoS attack is an attack that targets a network or server and floods it with
network traffic.

Possible impacts on an organization


As you’ve learned already, network attacks can have a significant negative impact on an
organization. Let’s examine some potential consequences.

* Financial: When a system is taken offline with a DoS attack, or business operations are halted
or slowed down by some other tactic, the company is prevented from performing the tasks that
generate revenue. Depending on the size of an organization, interrupted operations can cost
millions of dollars. In addition, if a malicious actor gets access to the personal information of
the company’s clients or customers, the company may face heavy litigation and settlement
costs if customers seek legal recourse.

* Reputation: Attacks can also have a negative impact on the reputation of an organization. If it
becomes public knowledge that a company has experienced a cyber attack, the public may
become concerned about the security practices of the organization. They may stop trusting the
company with their personal information and choose a competitor to fulfill their needs.

* Public safety: If an attack occurs on a government network, this can potentially impact the
safety and welfare of the citizens of a country. In recent years, defense agencies across the
globe have been investing heavily in combating cyber warfare tactics. If a malicious actor gained access
to a power grid, a public water system, or even a military defense communication system, the
public could face physical harm due to a network intrusion attack.

Read tcpdump logs


A network protocol analyzer, sometimes called a packet sniffer or a packet analyzer, is a tool designed to
capture and analyze data traffic within a network. They are commonly used as investigative tools to monitor
networks and identify suspicious activity. There are a wide variety of network protocol analyzers available,
but some of the most common analyzers include:

* SolarWinds NetFlow Traffic Analyzer

* ManageEngine OpManager

* Azure Network Watcher

* Wireshark

* tcpdump

This reading will focus exclusively on tcpdump, though you can apply what you learn here to many of the
other network protocol analyzers you'll use as a cybersecurity analyst to defend against any network
intrusions. In an upcoming activity, you’ll review a tcpdump data traffic log and identify a DoS attack to
practice these skills.

tcpdump
tcpdump is a command-line network protocol analyzer. It is popular, lightweight (meaning it uses little
memory and has low CPU usage), and uses the open-source libpcap library. tcpdump is text based, meaning
all commands in tcpdump are executed in the terminal. It is preinstalled on many Linux distributions and
can also be installed on other Unix-based operating systems, such as macOS®.

tcpdump provides a brief packet analysis and converts key information about network traffic into formats
easily read by humans. It prints information about each packet directly into your terminal. tcpdump also
displays the source IP address, destination IP address, and the port numbers being used in the
communications.

Interpreting output
After a command is executed, tcpdump prints the sniffed packets to the command line and, optionally, to a
log file. The output of a packet capture contains many pieces of important
information about the network traffic.

Some information you receive from a packet capture includes:


* Timestamp: The output begins with the timestamp, formatted as hours, minutes, seconds, and fractions of
a second.

* Source IP: The packet’s origin is provided by its source IP address.

* Source port: This port number is where the packet originated.

* Destination IP: The destination IP address is where the packet is being transmitted to.

* Destination port: This port number is where the packet is being transmitted to.

Note: By default, tcpdump will attempt to resolve host addresses to hostnames. It'll also replace port
numbers with commonly associated services that use these ports.
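
The fields listed above can be pulled out of each line programmatically. The following is an added example, not part of the course material: it parses constructed tcpdump lines captured with name resolution turned off (tcpdump -n) and goes one step further by flagging destinations that receive a burst of SYN-only packets, the pattern of the SYN flood defined in the course glossary. The sample log, window and threshold are assumptions; the capture is assumed to be in time order within a single day.

```python
import re
from collections import defaultdict, deque

# Matches numeric TCP-over-IPv4 lines such as:
# 13:24:32.100000 IP 192.0.2.10.51234 > 203.0.113.20.443: Flags [S], ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample capture: one normal handshake, a burst of six SYNs,
# one unrelated SYN, and one non-TCP line the parser should skip.
SAMPLE_LOG = [
    "13:24:32.100000 IP 192.0.2.10.51234 > 203.0.113.20.443: Flags [S], seq 100, win 64240, length 0",
    "13:24:32.100400 IP 203.0.113.20.443 > 192.0.2.10.51234: Flags [S.], seq 900, ack 101, win 65160, length 0",
    "13:24:32.100800 IP 192.0.2.10.51234 > 203.0.113.20.443: Flags [.], ack 901, win 502, length 0",
] + [
    f"13:24:35.{i * 50000:06d} IP 198.51.100.7.{40001 + i} > 203.0.113.20.443: "
    f"Flags [S], seq {7000 + i}, win 1024, length 0"
    for i in range(6)
] + [
    "13:24:35.300000 IP 192.0.2.10.51240 > 203.0.113.20.22: Flags [S], seq 200, win 64240, length 0",
    "13:24:36.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.20, length 28",
]


def parse_line(line):
    """Extract timestamp, addresses, ports and TCP flags; None if no match."""
    match = LINE_RE.match(line)
    if match is None:
        return None
    return {
        "timestamp": match["ts"],
        "src_ip": match["src"],
        "src_port": int(match["sport"]),
        "dst_ip": match["dst"],
        "dst_port": int(match["dport"]),
        "flags": match["flags"],
    }


def to_seconds(timestamp):
    """Convert HH:MM:SS.ffffff into seconds since midnight."""
    hours, minutes, seconds = timestamp.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(seconds)


def find_syn_floods(lines, window=1.0, threshold=5):
    """Map (dst_ip, dst_port) to its peak SYN count inside any `window`
    seconds, keeping only targets whose peak reaches `threshold`."""
    recent = defaultdict(deque)   # target -> timestamps of recent SYNs
    peaks = defaultdict(int)      # target -> highest count seen so far
    for line in lines:
        pkt = parse_line(line)
        # "S" alone is a connection request; "S." is the server's SYN-ACK.
        if pkt is None or pkt["flags"] != "S":
            continue
        target = (pkt["dst_ip"], pkt["dst_port"])
        now = to_seconds(pkt["timestamp"])
        times = recent[target]
        times.append(now)
        while now - times[0] > window:   # drop SYNs older than the window
            times.popleft()
        peaks[target] = max(peaks[target], len(times))
    return {target: count for target, count in peaks.items() if count >= threshold}


if __name__ == "__main__":
    print(parse_line(SAMPLE_LOG[0]))
    print(find_syn_floods(SAMPLE_LOG))
```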

Common uses
tcpdump and other network protocol analyzers are commonly used to capture and view network
communications and to collect statistics about the network, for example when troubleshooting network
performance issues. They can also be used to:

* Establish a baseline for network traffic patterns and network utilization metrics.

* Detect and identify malicious traffic.

* Create customized alerts to send the right notifications when network issues or security threats arise.

* Locate unauthorized instant messaging (IM), traffic, or wireless access points.

However, attackers can also use network protocol analyzers maliciously to gain information about a specific
network. For example, attackers can capture data packets that contain sensitive information, such as account
usernames and passwords. As a cybersecurity analyst, it’s important to understand the purpose and uses of
network protocol analyzers.

Real-life DDoS attack

Previously, you were introduced to Denial of Service (DoS) attacks. You also learned that volumetric
distributed DoS (DDoS) attacks overwhelm a network by sending unwanted data packets in such large
quantities that the servers become unable to service normal users. This can be detrimental to an organization.
When systems fail, organizations cannot meet their customers' needs. They often lose money, and in some
cases, incur other losses. An organization’s reputation may also suffer if news of a successful DDoS attack
reaches consumers, who then question the security of the organization.

In this reading you’ll learn about a 2016 DDoS attack against DNS servers that caused major outages at
multiple organizations that have millions of daily users.

A DDoS targeting a widely used DNS server


In previous videos, you learned about the function of a DNS server. As a review, DNS servers translate
website domain names into the IP address of the system that contains the information for the website. For
instance, if a user were to type in a website URL, a DNS server would translate that into a numeric IP address
that directs network traffic to the location of the website’s server.

On the day of the DDoS attack we are studying, many large companies were using a DNS service provider.
The service provider was hosting the DNS system for these companies. This meant that when internet users
typed in the URL of the website they wanted to access, their devices would be directed to the right place. On
October 21, 2016, the service provider was the victim of a DDoS attack.

Leading up to the attack


Before the attack on the service provider, a group of university students created a botnet. A botnet is a
collection of computers infected by malware that are under the control of a single threat actor, known as the
“bot-herder." Each computer in the botnet can be remotely controlled to send a data packet to a target
system. In a botnet attack, cyber criminals instruct all the bots on the botnet to send data packets to the
target system at the same time, resulting in a DDoS attack.

The group of university students posted the code for the botnet online so that it would be accessible to
thousands of internet users and authorities wouldn’t be able to trace the botnet back to the students. In
doing so, they made it possible for other malicious actors to learn the code to the botnet and control it
remotely. This included the cyber criminals who attacked the DNS service provider.

The day of attack


At 7:00 a.m. on the day of the attack, the botnet sent tens of millions of DNS requests to the service provider.
This overwhelmed the system and the DNS service shut down. This meant that all of the websites that used
the service provider could not be reached. When users tried to access various websites that used the service
provider, they were not directed to the website they typed in their browser. Outages for each web service
occurred all over North America and Europe.

The service provider’s systems were restored after only two hours of downtime. Although the cyber criminals
sent subsequent waves of botnet attacks, the DNS company was prepared and able to mitigate the impact.

***

In the previous course items, you learned how packet sniffing and IP spoofing are used in
network attacks. Because these attacks intercept data packets as they travel across the network,
they are called interception attacks.

This reading will introduce you to some specific attacks that use packet sniffing and IP spoofing.
You will learn how hackers use these tactics and how security analysts can counter the threat of
interception attacks.

A closer review of packet sniffing


As you learned in a previous video, packet sniffing is the practice of capturing and inspecting
data packets across a network. On a private network, data packets are directed to the matching
destination device on the network.

The device’s Network Interface Card (NIC) is a piece of hardware that connects the device to a
network. The NIC reads the data transmission, and if it contains the device’s MAC address, it
accepts the packet and sends it to the device to process the information based on the protocol.
This occurs in all standard network operations. However, a NIC can be set to promiscuous mode,
which means that it accepts all traffic on the network, even the packets that aren’t addressed
to the NIC’s device. You’ll learn more about NICs later in the program. Malicious actors might
use software like Wireshark to capture the data on a private network and store it for later use.
They can then use the personal information to their own advantage. Alternatively, they might
use the IP and MAC addresses of authorized users of the private network to perform IP
spoofing.

A closer review of IP spoofing


After a malicious actor has sniffed packets on the network, they can impersonate the IP and
MAC addresses of authorized devices to perform an IP spoofing attack. A firewall can prevent IP
spoofing attacks when it is configured to refuse unauthorized IP packets and suspicious traffic. Next,
you’ll examine a few common IP spoofing attacks that are important to be familiar with as a
security analyst.

On-path attack
An on-path attack happens when a hacker intercepts the communication between two devices
or servers that have a trusted relationship. The transmission between these two trusted
network devices could contain valuable information like usernames and passwords that the
malicious actor can collect. An on-path attack is sometimes referred to as a meddler-in-the-middle
attack because the hacker is hiding in the middle of communications between two
trusted parties.

Or, it could be that the intercepted transmission contains a DNS system look-up. You’ll recall
from an earlier video that a DNS server translates website domain names into IP addresses. If a
malicious actor intercepts a transmission containing a DNS lookup, they could spoof the DNS
response from the server and redirect a domain name to a different IP address, perhaps one
that contains malicious code or other threats. The most important way to protect against an
on-path attack is to encrypt your data in transit, e.g. using TLS.

Smurf attack
A smurf attack is a network attack that is performed when an attacker sniffs an authorized
user’s IP address and floods it with packets. Once the spoofed packet reaches the broadcast
address, it is sent to all of the devices and servers on the network.

In a smurf attack, IP spoofing is combined with another denial of service (DoS) technique to
flood the network with unwanted traffic. For example, the spoofed packet could include an
Internet Control Message Protocol (ICMP) ping. As you learned earlier, ICMP is used to
troubleshoot a network. But if too many ICMP messages are transmitted, the ICMP echo
responses overwhelm the servers on the network and they shut down. This creates a denial of
service and can bring an organization’s operations to a halt.

An important way to protect against a smurf attack is to use an advanced firewall that can
monitor any unusual traffic on the network. Most next generation firewalls (NGFW) include
features that detect network anomalies to ensure that oversized broadcasts are detected
before they have a chance to bring down the network.

DoS attack
As you’ve learned, once the malicious actor has sniffed the network traffic, they can
impersonate an authorized user. A Denial of Service attack is a class of attacks where the
attacker prevents the compromised system from performing legitimate activity or responding
to legitimate traffic. Unlike IP spoofing, however, the attacker will not receive a response from
the targeted host. Everything about the data packet is authorized including the IP address in the
header of the packet. In IP spoofing attacks, the malicious actor uses IP packets containing fake
IP addresses. The attackers keep sending IP packets containing fake IP addresses until the
network server crashes.

Pro Tip: Remember the principle of defense-in-depth. There isn’t one perfect strategy for
stopping each kind of attack. You can layer your defense by using multiple strategies. In this
case, using industry standard encryption will strengthen your security and help you defend
from DoS attacks on more than one level.

Terms and definitions from Course 3, Week 3


Active packet sniffing: A type of attack where data packets are manipulated in transit

Botnet: A collection of computers infected by malware that are under the control of a single
threat actor, known as the “bot-herder"

Denial of service (DoS) attack: An attack that targets a network or server and floods it with
network traffic

Distributed denial of service (DDoS) attack: A type of denial of service attack that uses multiple
devices or servers located in different locations to flood the target network with unwanted
traffic

Internet Control Message Protocol (ICMP): An internet protocol used by devices to tell each
other about data transmission errors across the network

Internet Control Message Protocol (ICMP) flood: A type of DoS attack performed by an
attacker repeatedly sending ICMP request packets to a network server

IP spoofing: A network attack performed when an attacker changes the source IP of a data
packet to impersonate an authorized system and gain access to a network

Network Interface Card (NIC): Hardware that connects computers to a network

On-path attack: An attack where a malicious actor places themselves in the middle of an
authorized connection and intercepts or alters the data in transit

Packet sniffing: The practice of capturing and inspecting data packets across a network

Passive packet sniffing: A type of attack where a malicious actor connects to a network hub
and looks at all traffic on the network

Ping of death: A type of DoS attack caused when a hacker pings a system by sending it an
oversized ICMP packet that is bigger than 64KB

Replay attack: A network attack performed when a malicious actor intercepts a data packet in
transit and delays it or repeats it at another time

Smurf attack: A network attack performed when an attacker sniffs an authorized user’s IP
address and floods it with ICMP packets

Synchronize (SYN) flood attack: A type of DoS attack that simulates a TCP/IP connection and
floods a server with SYN packets

Brute force attacks and OS hardening


In this reading, you’ll learn about brute force attacks. You’ll consider how vulnerabilities can be assessed
using virtual machines and sandboxes, and learn ways to prevent brute force attacks using a
combination of authentication measures. Implementing various OS hardening tasks can help prevent
brute force attacks. An attacker can use a brute force attack to gain access and compromise a network.

Usernames and passwords are among the most common and important security controls in place today.
They are used and enforced on everything that stores or accesses sensitive or private information, like
personal phones, computers, and restricted applications within an organization. However, a major issue
with relying on login credentials as a critical line of defense is that they’re vulnerable to being stolen and
guessed by malicious actors.

Brute force attacks

A brute force attack is a trial-and-error process of discovering private information. There are different
types of brute force attacks that malicious actors use to guess passwords, including:

1. Simple brute force attacks. When attackers try to guess a user's login credentials, it’s considered a
simple brute force attack. They might do this by entering any combination of usernames and passwords
that they can think of until they find the one that works.

2. Dictionary attacks use a similar technique. In dictionary attacks, attackers use a list of commonly used
passwords and stolen credentials from previous breaches to access a system. These are called
“dictionary” attacks because attackers originally used a list of words from the dictionary to guess the
passwords, before complex password rules became a common security practice.

Using brute force to access a system can be a tedious and time-consuming process, especially when it’s
done manually. There is a range of tools attackers use to conduct their attacks.

Assessing vulnerabilities

Before a brute force attack or other cybersecurity incident occurs, companies can run a series of tests on
their network or web applications to assess vulnerabilities. Analysts can use virtual machines and
sandboxes to test suspicious files, check for vulnerabilities before an event occurs, or to simulate a
cybersecurity incident.

Virtual machines (VMs)

Virtual machines (VMs) are software versions of physical computers. VMs provide an additional layer of
security for an organization because they can be used to run code in an isolated environment,
preventing malicious code from affecting the rest of the computer or system. VMs can also be deleted
and replaced by a pristine image after testing malware.

VMs are useful when investigating potentially infected machines or running malware in a constrained
environment. Using a VM may prevent damage to your system in the event its tools are used improperly.
VMs also give you the ability to revert to a previous state. However, there are still some risks involved
with VMs. There’s still a small risk that a malicious program can escape virtualization and access the host
machine.

You can test and explore applications easily with VMs, and it’s easy to switch between different VMs
from your computer. This can also help in streamlining many security tasks.

Sandbox environments

A sandbox is a type of testing environment that allows you to execute software or programs separate
from your network. They are commonly used for testing patches, identifying and addressing bugs, or
detecting cybersecurity vulnerabilities. Sandboxes can also be used to evaluate suspicious software,
evaluate files containing malicious code, and simulate attack scenarios.

Sandboxes can be stand-alone physical computers that are not connected to a network; however, it is
often more time- and cost-effective to use software or cloud-based virtual machines as sandbox
environments. Note that some malware authors know how to write code to detect if the malware is
executed in a VM or sandbox environment. Attackers can program their malware to behave as harmless
software when run inside these types of testing environments.

Prevention measures

Some common measures organizations use to prevent brute force attacks and similar attacks from
occurring include:

* Salting and hashing: Hashing converts information into a unique value that can then be used to
determine its integrity. It is a one-way function, meaning it is impossible to decrypt and obtain the
original text. Salting adds random characters to hashed passwords. This increases the length and
complexity of hash values, making them more secure.

* Multi-factor authentication (MFA) and two-factor authentication (2FA): MFA is a security measure
which requires a user to verify their identity in two or more ways to access a system or network. This
verification happens using a combination of authentication factors: a username and password,
fingerprints, facial recognition, or a one-time password (OTP) sent to a phone number or email. 2FA is
similar to MFA, except it uses only two forms of verification.

* CAPTCHA and reCAPTCHA: CAPTCHA stands for Completely Automated Public Turing test to tell
Computers and Humans Apart. It asks users to complete a simple test that proves they are human. This
helps prevent software from trying to brute force a password. reCAPTCHA is a free CAPTCHA service from
Google that helps protect websites from bots and malicious software.

* Password policies: Organizations use password policies to standardize good password practices
throughout the business. Policies can include guidelines on how complex a password should be, how
often users need to update passwords, and if there are limits to how many times a user can attempt to
log in before their account is suspended.
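
The following added example (not part of the course reading) shows two of the measures above working together: passwords stored as salted hashes, and a password policy that locks an account after repeated failed logins. PBKDF2-HMAC-SHA256, the iteration count, the three-attempt limit, and the AccountStore class are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not taken from the reading).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 3


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password, salt, expected_digest):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected_digest)


class AccountStore:
    """Hypothetical in-memory credential store with a lockout policy."""

    def __init__(self):
        self._records = {}  # username -> (salt, digest); plaintext is never kept
        self._failed = {}   # username -> consecutive failed attempts

    def register(self, username, password):
        self._records[username] = hash_password(password)
        self._failed[username] = 0

    def stored_digest(self, username):
        return self._records[username][1]

    def login(self, username, password):
        """Return 'ok', 'denied', or 'locked'."""
        if username not in self._records:
            return "denied"
        if self._failed[username] >= MAX_FAILED_ATTEMPTS:
            return "locked"  # policy: no more guesses, even a correct one
        salt, digest = self._records[username]
        if verify_password(password, salt, digest):
            self._failed[username] = 0
            return "ok"
        self._failed[username] += 1
        if self._failed[username] >= MAX_FAILED_ATTEMPTS:
            return "locked"
        return "denied"


def demo():
    store = AccountStore()
    # Two users pick the same password; the salts make the stored hashes differ,
    # so one cracked hash does not reveal every account that shares a password.
    store.register("alice", "correct horse battery staple")
    store.register("bob", "correct horse battery staple")
    hashes_match = store.stored_digest("alice") == store.stored_digest("bob")

    # Three wrong guesses trip the lockout; the correct password is then refused.
    results = [store.login("alice", g) for g in ("123456", "password", "letmein")]
    results.append(store.login("alice", "correct horse battery staple"))
    return hashes_match, results


if __name__ == "__main__":
    print(demo())
```
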

Network security applications


This section of the course covers the topic of network hardening and monitoring. Each device, tool, or
security strategy put in place by security analysts further protects—or hardens—the network until the
network owner is satisfied with the level of security. This approach of adding layers of security to a
network is referred to as defense in depth.

In this reading, you are going to learn about the role of four devices used to secure a network—firewalls,
intrusion detection systems, intrusion prevention systems, and security incident and event management
tools. Network security professionals have the choice to use any or all of these devices and tools
depending on the level of security that they hope to achieve.

This reading will discuss the benefits of layered security. Each tool mentioned is an additional layer of
defense that can incrementally harden a network, starting with the minimum level of security (provided
by just a firewall), to the highest level of security (provided by combining a firewall, an intrusion
detection and prevention device, and security event monitoring).

Take note of where each tool is located on the network. Each tool has its own place in the network’s
architecture. Security analysts are required to understand the network topologies shown in the
diagrams throughout this reading.

Firewall

So far in this course, you learned about stateless firewalls, stateful firewalls, and next-generation
firewalls (NGFWs), and the security advantages of each of them.

Most firewalls are similar in their basic functions. Firewalls allow or block traffic based on a set of rules.
As data packets enter a network, the packet header is inspected and allowed or denied based on its port
number. NGFWs are also able to inspect packet payloads. Each system should have its own firewall,
regardless of the network firewall.

Intrusion Detection System

An intrusion detection system (IDS) is an application that monitors system activity and alerts on
possible intrusions. An IDS alerts administrators based on the signature of malicious traffic.

The IDS is configured to detect known attacks. IDS systems often sniff data packets as they move across
the network and analyze them for the characteristics of known attacks. Some IDS systems review not
only for signatures of known attacks, but also for anomalies that could be the sign of malicious activity.
When the IDS discovers an anomaly, it sends an alert to the network administrator who can then
investigate further.

The limitations to IDS systems are that they can only scan for known attacks or obvious anomalies. New
and sophisticated attacks might not be caught. The other limitation is that the IDS doesn’t actually stop
the incoming traffic if it detects something awry. It’s up to the network administrator to catch the
malicious activity before it does anything damaging to the network.

When combined with a firewall, an IDS adds another layer of defense. The IDS is placed behind the
firewall, before traffic enters the LAN, which allows the IDS to analyze data streams after network traffic
that is disallowed by the firewall has been filtered out. This is done to reduce noise in IDS alerts, also
referred to as false positives.

Intrusion Prevention System


An intrusion prevention system (IPS) is an application that monitors system activity for intrusive activity
and takes action to stop the activity. It offers even more protection than an IDS because it actively stops
anomalies when they are detected, unlike the IDS that simply reports the anomaly to a network
administrator.

An IPS searches for signatures of known attacks and data anomalies. An IPS reports the anomaly to
security analysts and blocks a specific sender or drops network packets that seem suspect.

The IPS (like an IDS) sits behind the firewall in the network architecture. This offers a high level of
security because risky data streams are disrupted before they even reach sensitive parts of the network.
However, one potential limitation is that it is inline: If it breaks, the connection between the private
network and the internet breaks. Another limitation of IPS is the possibility of false positives, which can
result in legitimate traffic getting dropped.
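
The layering described in the Firewall, IDS, and IPS sections can be seen in the following added example, which is not part of the course reading. It passes the same constructed traffic through a port-based firewall and then through either an IDS (alert only) or an IPS (alert and block). The packets, allowed ports, and the placeholder signature are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str      # header field
    dst_port: int    # header field
    payload: bytes   # body; a port-based firewall never reads this


# Constructed sample values for this example (not from the reading).
ALLOWED_PORTS = {80, 443}
SIGNATURES = {"SIG-0001": b"EXAMPLE-MALICIOUS-MARKER"}  # placeholder pattern

TRAFFIC = [
    Packet("198.51.100.10", 443, b"GET /index.html"),
    Packet("203.0.113.5", 23, b"EXAMPLE-MALICIOUS-MARKER"),
    Packet("203.0.113.7", 80, b"POST /upload EXAMPLE-MALICIOUS-MARKER"),
    Packet("203.0.113.7", 80, b"GET /status"),
]


def firewall_allows(packet):
    """Header-only decision: allow or deny based on the destination port."""
    return packet.dst_port in ALLOWED_PORTS


def match_signatures(packet):
    """Return the names of known-attack signatures found in the payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in packet.payload]


def run_ids(packets):
    """IDS behind the firewall: alerts on matches but still delivers everything."""
    delivered, alerts = [], []
    for packet in packets:
        if not firewall_allows(packet):
            continue  # filtered out before the IDS sees it (less alert noise)
        hits = match_signatures(packet)
        if hits:
            alerts.append((packet.src_ip, hits))
        delivered.append(packet)  # detection only: traffic is not stopped
    return delivered, alerts


def run_ips(packets):
    """IPS inline behind the firewall: drops matches and blocks the sender."""
    delivered, alerts, blocked = [], [], set()
    for packet in packets:
        if not firewall_allows(packet) or packet.src_ip in blocked:
            continue
        hits = match_signatures(packet)
        if hits:
            alerts.append((packet.src_ip, hits))
            blocked.add(packet.src_ip)
            continue  # prevention: the suspect packet never reaches the LAN
        delivered.append(packet)
    return delivered, alerts, blocked


def compare(packets):
    """Summarize what reaches the LAN under each layering choice."""
    passed_firewall = [p for p in packets if firewall_allows(p)]
    ids_delivered, ids_alerts = run_ids(packets)
    ips_delivered, ips_alerts, blocked = run_ips(packets)
    return {
        "passed_firewall": len(passed_firewall),
        "ids_delivered": len(ids_delivered),
        "ids_alerts": ids_alerts,
        "ips_delivered": len(ips_delivered),
        "ips_alerts": ips_alerts,
        "ips_blocked_senders": sorted(blocked),
    }


if __name__ == "__main__":
    for key, value in compare(TRAFFIC).items():
        print(key, value)
```

The firewall passes the port 80 packet that carries the marker because it only reads the header; the IDS raises one alert but delivers it anyway, while the IPS drops it and the sender's follow-up request.
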

Full packet capture devices

Full packet capture devices can be incredibly useful for network administrators and security
professionals. These devices allow you to record and analyze all of the data that is transmitted over your
network. They also aid in investigating alerts created by an IDS.

Security Information and Event Management

A security information and event management system (SIEM) is an application that collects and
analyzes log data to monitor critical activities in an organization. SIEM tools work in real time to report
suspicious activity in a centralized dashboard. SIEM tools additionally analyze network log data sourced
from IDSs, IPSs, firewalls, VPNs, proxies, and DNS logs. SIEM tools are a way to aggregate security event
data so that it all appears in one place for security analysts to analyze. This is referred to as a single pane
of glass.

Below, you can review an example of a dashboard from Google Cloud’s SIEM tool, Chronicle. Chronicle is
a cloud-native tool designed to retain, analyze, and search data.

Splunk is another common SIEM tool. Splunk offers different SIEM tool options: Splunk Enterprise and
Splunk Cloud. Both options include detailed dashboards which help security professionals to review and
analyze an organization's data. There are also other similar SIEM tools available, and it's important for
security professionals to research the different tools to determine which one is most beneficial to the
organization.

A SIEM tool doesn’t replace the expertise of security analysts or the network- and system-hardening
activities covered in this course; it is used in combination with other security methods. Security
analysts often work in a Security Operations Center (SOC) where they can monitor the activity across the
network. They can then use their expertise and experience to determine how to respond to the
information on the dashboard and decide when the events meet the criteria to be escalated to oversight.
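
To make the aggregation idea concrete, the following added example (not part of the course reading and not how Chronicle or Splunk work internally) collects constructed log lines from a firewall, an IDS, and an authentication service into one timeline. It then flags any source address with repeated failed logins in a short window. The log format, the threshold, and the 60-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed correlation rule for this example: 3+ failed logins within 60 seconds.
FAILED_LOGIN_THRESHOLD = 3
WINDOW = timedelta(seconds=60)

# Constructed log lines in a made-up "timestamp device key=value ..." format.
# They arrive out of order, as they would from separate devices.
RAW_LOG_LINES = [
    "2024-05-01T10:00:31Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:01Z fw action=DENY src=203.0.113.7 dport=23",
    "2024-05-01T10:00:05Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:39Z fw action=ALLOW src=198.51.100.10 dport=443",
    "2024-05-01T10:00:12Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:40Z auth result=FAIL user=bob src=198.51.100.10",
    "2024-05-01T10:00:20Z auth result=FAIL user=alice src=203.0.113.7",
    "2024-05-01T10:00:33Z ids alert=SIG-0001 src=203.0.113.7",
    "2024-05-01T10:00:55Z auth result=OK user=bob src=198.51.100.10",
    "2024-05-01T10:02:00Z auth result=FAIL user=alice src=203.0.113.7",
]


def parse_line(line):
    """Normalize one log line into a common event structure."""
    timestamp, device, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    when = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return {"time": when, "device": device, "src": fields.pop("src"), "fields": fields}


def aggregate(lines):
    """Merge events from every device into a single time-ordered list."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e["time"])


def brute_force_suspects(events):
    """Map source IP -> largest number of failed logins inside one window."""
    failures = defaultdict(list)
    for event in events:
        if event["device"] == "auth" and event["fields"].get("result") == "FAIL":
            failures[event["src"]].append(event["time"])

    suspects = {}
    for src, times in failures.items():
        start, best = 0, 0
        for end, current in enumerate(times):  # times are already sorted
            while current - times[start] > WINDOW:
                start += 1
            best = max(best, end - start + 1)
        if best >= FAILED_LOGIN_THRESHOLD:
            suspects[src] = best
    return suspects


def dashboard(lines):
    """One row per suspect, listing every device that also logged that source."""
    events = aggregate(lines)
    seen_by = defaultdict(set)
    for event in events:
        seen_by[event["src"]].add(event["device"])
    return [
        {"src": src, "failed_logins_in_window": count, "seen_by": sorted(seen_by[src])}
        for src, count in sorted(brute_force_suspects(events).items())
    ]


if __name__ == "__main__":
    for row in dashboard(RAW_LOG_LINES):
        print(row)
```
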

Key takeaways

Devices / Tools: Firewall
Advantages: A firewall allows or blocks traffic based on a set of rules.
Disadvantages: A firewall is only able to filter packets based on
information provided in the header of the pack

Devices / Tools: Intrusion Detection System (IDS)
Advantages: An IDS detects and alerts admins about possible intrusions, attacks, and other malicious traffic.
Disadvantages: An IDS can only scan for known attacks or obvi
anomalies; new and sophisticated attacks migh
caught. It doesn’t actually stop the incoming tr

Devices / Tools: Intrusion Prevention System (IPS)
Advantages: An IPS monitors system activity for intrusions and anomalies and takes action to stop them.
Disadvantages: An IPS is an inline appliance. If it fails, the conn
between the private network and the internet
might detect false positives and block legitimat

Devices / Tools: Security Information and Event Management (SIEM)
Advantages: A SIEM tool collects and analyzes log data from multiple network machines. It aggregates security events for monitoring in a central dashboard.
Disadvantages: A SIEM tool only reports on possible security is
does not take any actions to stop or prevent su
events.

Each of these devices or tools costs money to purchase, install, and maintain. An organization might need
to hire additional personnel to monitor the security tools, as in the case of a SIEM. Decision-makers are
tasked with selecting the appropriate level of security based on cost and risk to the organization. You
will learn more about choosing levels of security later in the course.

Secure the cloud


Earlier in this course, you were introduced to cloud computing. Cloud computing is a model for allowing
convenient and on-demand network access to a shared pool of configurable computing resources. These
resources can be configured and released with minimal management effort or interaction with the
service provider.

Just like any other IT infrastructure, a cloud infrastructure needs to be secured. This reading will address
some main security considerations that are unique to the cloud and introduce you to the shared
responsibility model used for security in the cloud. Many organizations that use cloud resources and
infrastructure express concerns about the privacy of their data and resources. This concern is addressed
through cryptography and other additional security measures, which will be discussed later in this
course.

Cloud security considerations

Many organizations choose to use cloud services because of the ease of deployment, speed of
deployment, cost savings, and scalability of these options. Cloud computing presents unique security
challenges that cybersecurity analysts need to be aware of.

Identity access management

Identity access management (IAM) is a collection of processes and technologies that helps
organizations manage digital identities in their environment. This service also authorizes how users can
use different cloud resources. A common problem that organizations face when using the cloud is the
loose configuration of cloud user roles. An improperly configured user role increases risk by allowing
unauthorized users to have access to critical cloud operations.

Configuration

The number of available cloud services adds complexity to the network. Each service must be carefully
configured to meet security and compliance requirements. This presents a particular challenge when
organizations perform an initial migration into the cloud. When this change occurs on their network,
they must ensure that every process moved into the cloud has been configured correctly. If network
administrators and architects are not meticulous in correctly configuring the organization’s cloud
services, they could leave the network open to compromise. Misconfigured cloud services are a
common source of cloud security issues.

Attack surface

Cloud service providers (CSPs) offer numerous applications and services for organizations at a low cost.

Every service or application on a network carries its own set of risks and vulnerabilities and increases an
organization’s overall attack surface. An increased attack surface must be compensated for with
increased security measures.

Cloud networks that utilize many services introduce lots of entry points into an organization’s network.
However, if the network is designed correctly, utilizing several services does not introduce more entry
points into an organization’s network design. These entry points can be used to introduce malware onto
the network and pose other security vulnerabilities. It is important to note that CSPs often defer to more
secure options, and have undergone more scrutiny than a traditional on-premises network.

Zero-day attacks

Zero-day attacks are an important security consideration for organizations using cloud or traditional
on-premise network solutions. A zero-day attack is an exploit that was previously unknown. CSPs are more
likely to know about a zero-day attack occurring before a traditional IT organization does. CSPs have
ways of patching hypervisors and migrating workloads to other virtual machines. These methods ensure
the customers are not impacted by the attack. There are also several tools available for patching at the
operating system level that organizations can use.

Visibility and tracking

Network administrators have access to every data packet crossing the network with both on-premise
and cloud networks. They can sniff and inspect data packets to learn about network performance or to
check for possible threats and attacks.

This kind of visibility is also offered in the cloud through flow logs and tools, such as packet mirroring.
CSPs take responsibility for security in the cloud, but they do not allow the organizations that use their
infrastructure to monitor traffic on the CSP’s servers. Many CSPs offer strong security measures to
protect their infrastructure. Still, this situation might be a concern for organizations that are accustomed
to having full access to their network and operations. CSPs pay for third-party audits to verify how
secure a cloud network is and identify potential vulnerabilities. The audits can help organizations
identify whether any vulnerabilities originate from on-premise infrastructure and if there are any
compliance lapses from their CSP.

Things change fast in the cloud

CSPs are large organizations that work hard to stay up-to-date with technology advancements. For
organizations that are used to being in control of any adjustments made to their network, this can be a
potential challenge to keep up with. Cloud service updates can affect security considerations for the
organizations using them. For example, connection configurations might need to be changed based on
the CSP’s updates.

Organizations that use CSPs usually have to update their IT processes. It is possible for organizations to
continue following established best practices for changes, configurations, and other security
considerations. However, an organization might have to adopt a different approach in a way that aligns
with changes made by the CSP.

Cloud networking offers various options that might appear attractive to a small company—options that
they could never afford to build on their own premises. However, it is important to consider that each
service adds complexity to the security profile of the organization, and they will need security personnel
to monitor all of the cloud services.

Shared responsibility model

A commonly accepted cloud security principle is the shared responsibility model. The shared
responsibility model states that the CSP must take responsibility for security involving the cloud
infrastructure, including physical data centers, hypervisors, and host operating systems. The company
using the cloud service is responsible for the assets and processes that they store or operate in the cloud.

The shared responsibility model ensures that both the CSP and the users agree about where their
responsibility for security begins and ends. A problem occurs when organizations assume that the CSP is
taking care of security that they have not taken responsibility for. One example of this is cloud
applications and configurations. The CSP takes responsibility for securing the cloud, but it is the
organization’s responsibility to ensure that services are configured properly according to the security
requirements of their organization.

Terms and definitions from Course 3, Week 4

Baseline configuration (baseline image): A documented set of specifications within a system that is
used as a basis for future builds, releases, and updates

Hardware: The physical components of a computer

Multi-factor authentication (MFA): A security measure which requires a user to verify their identity in
two or more ways to access a system or network

Network log analysis: The process of examining network logs to identify events of interest

Operating system (OS): The interface between computer hardware and the user

Patch update: A software and operating system update that addresses security vulnerabilities within a
program or product

Penetration testing (pen test): A simulated attack that helps identify vulnerabilities in systems,
networks, websites, applications, and processes

Principle of least privilege: Access and authorization to information only last long enough to complete a
task

Security hardening: The process of strengthening a system to reduce its vulnerabilities and attack
surface

Security information and event management (SIEM): An application that collects and analyzes log data
to monitor critical activities for an organization

World-writable file: A file that can be altered by anyone in the world

Course 4

The command line in use

Previously, you explored graphical user interfaces (GUI) and command-line user interfaces (CLI). In this
reading, you’ll compare these two interfaces and learn more about how they’re used in cybersecurity.

CLI vs. GUI

A graphical user interface (GUI) is a user interface that uses icons on the screen to manage different tasks on
the computer. A command-line interface (CLI) is a text-based user interface that uses commands to interact
with the computer.

Display

One notable difference between these two interfaces is how they appear on the screen. A GUI has graphics
and icons, such as the icons on your desktop or taskbar for launching programs. In contrast, a CLI only has
text. It looks similar to lines of code.

Function

These two interfaces also differ in how they function. A GUI is an interface that only allows you to make one
request at a time. However, a CLI allows you to make multiple requests at a time.

Advantages of a CLI in cybersecurity


The choice between using a GUI or CLI is partly based on personal preference, but security analysts should be
able to use both interfaces. Using a CLI can provide certain advantages.

Efficiency

Some prefer the CLI because it can be used more quickly when you know how to manage this interface. For a
new user, a GUI might be more efficient because it’s easier for beginners to navigate.

Because a CLI can accept multiple requests at one time, it’s more powerful when you need to perform
multiple tasks efficiently. For example, if you had to create multiple new files in your system, you could
quickly perform this task in a CLI. If you were using a GUI, this could take much longer, because you have to
repeat the same steps for each new file.

History file

For security analysts, using the Linux CLI is helpful because it records a history file of all the commands and
actions in the CLI. If you use a GUI, your actions are not necessarily saved in a history file.

For example, you might be in a situation where you’re responding to an incident using a playbook. The
playbook’s instructions require you to run a series of different commands. If you used a CLI, you’d be able to
go back to the history and ensure all of the commands were correctly used. This could be helpful if there
were issues using the playbook and you had to review the steps you performed in the command line.

Additionally, if you suspect an attacker has compromised your system, you might be able to trace their
actions using the history file.

Linux architecture explained


Understanding the Linux architecture is important for a security analyst. When you understand how a system
is organized, it makes it easier to understand how it functions. In this reading, you’ll learn more about the
individual components in the Linux architecture. A request to complete a task starts with the user and then
flows through applications, the shell, the Filesystem Hierarchy Standard, the kernel, and the hardware.

User
The user is the person interacting with a computer. They initiate and manage computer tasks. Linux is a
multi-user system, which means that multiple users can use the same resources at the same time.

Applications
An application is a program that performs a specific task. There are many different applications on your
computer. Some applications typically come pre-installed on your computer, such as calculators or calendars.
Other applications might have to be installed, such as some web browsers or email clients. In Linux, you'll
often use a package manager to install applications. A package manager is a tool that helps users install,
manage, and remove packages or applications. A package is a piece of software that can be combined with
other packages to form an application.

Shell
The shell is the command-line interpreter. Everything entered into the shell is text based. The shell allows
users to give commands to the kernel and receive responses from it. You can think of the shell as a translator
between you and your computer. The shell translates the commands you enter so that the computer can
perform the tasks you want.

Filesystem Hierarchy Standard (FHS)


The Filesystem Hierarchy Standard (FHS) is the component of the Linux OS that organizes data. It specifies
the location where data is stored in the operating system.

A directory is a file that organizes where other files are stored. Directories are sometimes called “folders,”
and they can contain files or other directories. The FHS defines how directories, directory contents, and other
storage is organized so the operating system knows where to find specific data.

Kernel
The kernel is the component of the Linux OS that manages processes and memory. It communicates with the
applications to route commands. The Linux kernel is unique to the Linux OS and is critical for allocating
resources in the system. The kernel controls all major functions of the hardware, which can help tasks
complete more efficiently.

Hardware
The hardware is the physical components of a computer. You might be familiar with some hardware
components, such as hard drives or CPUs. Hardware is categorized as either peripheral or internal.

Peripheral devices

Peripheral devices are hardware components that are attached and controlled by the computer system. They
are not core components needed to run the computer system. Peripheral devices can be added or removed
freely. Examples of peripheral devices include monitors, printers, the keyboard, and the mouse.

Internal hardware

Internal hardware are the components required to run the computer. Internal hardware includes a main
circuit board and all components attached to it. This main circuit board is also called the motherboard.
Internal hardware includes the following:

1. The Central Processing Unit (CPU) is a computer’s main processor, which is used to perform general
computing tasks on a computer. The CPU executes the instructions provided by programs, which enables
these programs to run.
2. Random Access Memory (RAM) is a hardware component used for short-term memory. It’s where data is
stored temporarily as you perform tasks on your computer. For example, if you’re writing a report on your
computer, the data needed for this is stored in RAM. After you’ve finished writing the report and closed
down that program, this data is deleted from RAM. Information in RAM cannot be accessed once the
computer has been turned off. The CPU takes the data from RAM to run programs.
3. The hard drive is a hardware component used for long-term memory. It’s where programs and files are
stored for the computer to access later. Information on the hard drive can be accessed even after a computer
has been turned off and on again. A computer can have multiple hard drives.

KALI LINUX ™
KALI LINUX ™ is an open-source distribution of Linux that is widely used in the security industry.
This is because KALI LINUX ™, which is Debian-based, is pre-installed with many useful tools for
penetration testing and digital forensics. A penetration test is a simulated attack that helps
identify vulnerabilities in systems, networks, websites, applications, and processes. Digital
forensics is the practice of collecting and analyzing data to determine what has happened after
an attack. These are key activities in the security industry.

However, KALI LINUX ™ is not the only Linux distribution that is used in cybersecurity.

Ubuntu
Ubuntu is an open-source, user-friendly distribution that is widely used in security and other
industries. It has both a command-line interface (CLI) and a graphical user interface (GUI).
Ubuntu is also Debian-derived and includes common applications by default. Users can also
download many more applications from a package manager, including security-focused tools.
Because of its wide use, Ubuntu has an especially large number of community resources to
support users.

Ubuntu is also widely used for cloud computing. As organizations migrate to cloud servers,
cybersecurity work may more regularly involve Ubuntu derivatives.

Parrot
Parrot is an open-source distribution that is commonly used for security. Similar to KALI LINUX
™, Parrot comes with pre-installed tools related to penetration testing and digital forensics. Like
both KALI LINUX ™ and Ubuntu, it is based on Debian.

Parrot is also considered to be a user-friendly Linux distribution. This is because it has a GUI
that many find easy to navigate. This is in addition to Parrot’s CLI.

Red Hat® Enterprise Linux®


Red Hat Enterprise Linux is a subscription-based distribution of Linux built for enterprise use.
Red Hat is not free, which is a major difference from the previously mentioned distributions.
Because it’s built and supported for enterprise use, Red Hat also offers a dedicated support
team for customers to call about issues.

CentOS
CentOS is an open-source distribution that is closely related to Red Hat. It uses source code
published by Red Hat to provide a similar platform. However, CentOS does not offer the same
enterprise support that Red Hat provides and is supported through the community.

Resources for completing Linux labs


This course features hands-on lab activities where you'll have the opportunity to practice Linux commands in
the terminal. You’ll use a platform called Qwiklabs to complete these labs. In this reading, you’ll learn how to
use Qwiklabs.

How to use Qwiklabs


Launching Qwiklabs

When you select a lab, you start from a Coursera page. You will need to click Launch App on that page. After
you click Launch App, a new tab will open with a Qwiklabs page that contains instructions for that particular
lab.

Start Lab button

On the Qwiklabs page, you must click Start Lab to open a temporary terminal. The instructions for the lab will
move to the right side of the screen.

Read the instructions and complete all the tasks in the lab by entering commands in the terminal.

Note: It may take a moment for the terminal to start.

Lab control dialog box

After you click Start Lab, the lab control dialog box opens. It contains the End Lab button, the timer, and the
Open Linux Console button.

You can hide or unhide the dialog box by clicking the following icon in the red box:

The timer

The timer starts when the terminal has loaded. The timer keeps track of the amount of time you have left to
complete a lab. The timer counts down until it reaches 00:00:00. When it does, your temporary terminal and
resources are deleted.

You will have ample time to complete the labs. However, stay focused on completing the tasks to ensure you use
your time well.

Open Linux Console button

When you click the button to Open Linux Console, the terminal opens in a new browser window:

Use this feature if you want a full-screen view of the terminal. You can close this window at any time. Closing
the window does not end your lab, and you can continue working in the terminal in the original tab.

Check progress

You can check your progress by clicking Check my progress at the end of each task.

If you haven’t yet completed a task, you’ll receive hints on what you must do to complete it.

You can click Check my progress whenever you want to check the completion status of a task or receive a
hint.

Using copy/paste commands

The first time you try to use copy or paste keyboard shortcuts (such as CTRL + C), you’ll receive a pop-up
requesting permission to use your device’s clipboard: “googlecoursera.qwiklabs.com wants to see text and
images copied to the clipboard.” Please click Allow if you would like to be able to use these shortcuts in the
Qwiklabs platform. If you choose not to allow Qwiklabs access to your clipboard, you cannot use keyboard
shortcuts but you can still complete the lab.

Code block

Certain steps may include a code block. Click the copy button to copy the code provided and then paste it
into the terminal.

To paste code or other text content that you have copied from the instructions into the terminal, activate the
terminal by clicking anywhere inside it. The terminal is active when the cursor in the terminal changes from a
static empty outline to a flashing solid block.

Once the terminal is active, use the keyboard shortcut CTRL + V (hold down the CTRL key and press the V key)
to insert the copied text into the terminal at the location of the flashing cursor.

Scrolling

In certain situations, you may want to scroll within the terminal window. To do so, use the scroll wheel on
your mouse or the touchpad of your computer.

End Lab button

Finally, click End Lab when you’ve completed the tasks in the lab.

Note: Don't click End Lab until you're finished; you'll lose access to the work you've done throughout the lab.

Tracking progress on Coursera

If you complete a lab but your progress hasn’t been tracked on Coursera, you may need to refresh the page
for your progress to be registered. Once you complete the lab and refresh the page, the green check mark
should appear.

Terms and definitions from Course 4, Week 2


Application: A program that performs a specific task

CentOS: An open-source distribution that is closely related to Red Hat

Central Processing Unit (CPU): A computer’s main processor, which is used to perform general
computing tasks on a computer

Command: An instruction telling the computer to do something

Digital forensics: The practice of collecting and analyzing data to determine what has happened
after an attack

Directory: A file that organizes where other files are stored

Distributions: The different versions of Linux

File path: The location of a file or directory

Filesystem Hierarchy Standard (FHS): The component of the Linux OS that organizes data

Graphical user interface (GUI): A user interface that uses icons on the screen to manage
different tasks on the computer

Hard drive: A hardware component used for long-term memory

Hardware: The physical components of a computer

Internal hardware: The components required to run the computer

Kali Linux ™: An open-source distribution of Linux that is widely used in the security industry

Kernel: The component of the Linux OS that manages processes and memory

Linux: An open source operating system

Package: A piece of software that can be combined with other packages to form an application

Package manager: A tool that helps users install, manage, and remove packages or applications

Parrot: An open-source distribution that is commonly used for security

Penetration test (pen test): A simulated attack that helps identify vulnerabilities in systems,
networks, websites, applications, and processes

Peripheral devices: Hardware components that are attached and controlled by the computer
system

Random Access Memory (RAM): A hardware component used for short-term memory

Red Hat® Enterprise Linux® (also referred to simply as Red Hat in this course): A subscription-
based distribution of Linux built for enterprise use

Shell: The command-line interpreter

Standard error: An error message returned by the OS through the shell

Standard input: Information received by the OS via the command line

Standard output: Information returned by the OS through the shell

String data: Data consisting of an ordered sequence of characters

Ubuntu: An open-source, user-friendly distribution that is widely used in security and other
industries

User: The person interacting with a computer

Navigate Linux and read file content


In this reading, you’ll review how to navigate the file system using Linux commands in Bash. You’ll further
explore the organization of the Linux Filesystem Hierarchy Standard, review several common Linux
commands for navigation and reading file content, and learn a couple of new commands.

Filesystem Hierarchy Standard (FHS)


Previously, you learned that the Filesystem Hierarchy Standard (FHS) is the component of Linux that
organizes data. The FHS is important because it defines how directories, directory contents, and other
storage is organized in the operating system.

This diagram illustrates the hierarchy of relationships under the FHS:

Under the FHS, a file’s location can be described by a file path. A file path is the location of a file or directory.
In the file path, the different levels of the hierarchy are separated by a forward slash (/).

Root directory

The root directory is the highest-level directory in Linux, and it’s always represented with a forward slash
(/). All subdirectories branch off the root directory. Subdirectories can continue branching out to as many
levels as necessary.

Standard FHS directories

Directly below the root directory, you’ll find standard FHS directories. In the diagram, home, bin, and etc are
standard FHS directories. Here are a few examples of what standard directories contain:

1 /home: Each user in the system gets their own home directory.

2 /bin: This directory stands for “binary” and contains binary files and other executables. Executables are files
that contain a series of commands a computer needs to follow to run programs and perform other functions.

3 /etc: This directory stores the system’s configuration files.

4 /tmp: This directory stores many temporary files. The /tmp directory is commonly used by attackers
because anyone in the system can modify data in these files.

5 /mnt: This directory stands for “mount” and stores media, such as USB drives and hard drives.

Pro Tip: You can use the man hier command to learn more about the FHS and its standard directories.

User-specific subdirectories

Under home are subdirectories for specific users. In the diagram, these users are analyst and analyst2. Each
user has their own personal subdirectories, such as projects, logs, or reports.

Note: When the path leads to a subdirectory below the user’s home directory, the user’s home directory can
be represented as the tilde (~). For example, /home/analyst/logs can also be represented as ~/logs.

You can navigate to specific subdirectories using their absolute or relative file paths. The absolute file path is
the full file path, which starts from the root. For example, /home/analyst/projects is an absolute file path. The
relative file path is the file path that starts from a user's current directory.

Note: Relative file paths can use a dot (.) to represent the current directory, or two dots (..) to represent the
parent of the current directory. An example of a relative file path could be ../projects.

Key commands for navigating the file system


The following Linux commands can be used to navigate the file system: pwd, ls, and cd.

pwd
The pwd command prints the working directory to the screen. Or in other words, it returns the directory that
you’re currently in.

The output gives you the absolute path to this directory. For example, if you’re in your home directory and
your username is analyst, entering pwd returns /home/analyst.

Pro Tip: To learn what your username is, use the whoami command. The whoami command returns the
username of the current user. For example, if your username is analyst, entering whoami returns analyst.

ls

The ls command displays the names of the files and directories in the current working directory. For example,
in the video, ls returned directories such as logs, and a file called updates.txt.

Note: If you want to return the contents of a directory that’s not your current working directory, you can add
an argument after ls with the absolute or relative file path to the desired directory. For example, if you’re in
the /home/analyst directory but want to list the contents of its projects subdirectory, you can enter ls
/home/analyst/projects or just ls projects.

cd

The cd command navigates between directories. When you need to change directories, you should use this
command.

To navigate to a subdirectory of the current directory, you can add an argument after cd with the
subdirectory name. For example, if you’re in the /home/analyst directory and want to navigate to its projects
subdirectory, you can enter cd projects.

You can also navigate to any specific directory by entering the absolute file path. For example, if you’re in
/home/analyst/projects, entering cd /home/analyst/logs changes your current directory to
/home/analyst/logs.

Pro Tip: You can use the relative file path and enter cd .. to go up one level in the file structure. For example,
if the current directory is /home/analyst/projects, entering cd .. would change your working directory to
/home/analyst.

Common commands for reading file content


The following Linux commands are useful for reading file content: cat, head, tail, and less.

cat

The cat command displays the content of a file. For example, entering cat updates.txt returns everything in
the updates.txt file.

head
The head command displays just the beginning of a file, by default 10 lines. The head command can be useful
when you want to know the basic contents of a file but don’t need the full contents. Entering head
updates.txt returns only the first 10 lines of the updates.txt file.

Pro Tip: If you want to change the number of lines returned by head, you can specify the number of lines by
including -n. For example, if you only want to display the first five lines of the updates.txt file, enter head -n 5
updates.txt.

tail

The tail command does the opposite of head. This command can be used to display just the end of a file, by
default 10 lines. Entering tail updates.txt returns only the last 10 lines of the updates.txt file.

Pro Tip: You can use tail to read the most recent information in a log file.

less

The less command returns the content of a file one page at a time. For example, entering less updates.txt
changes the terminal window to display the contents of updates.txt one page at a time. This allows you to
easily move forward and backward through the content.

Once you’ve accessed your content with the less command, you can use several keyboard controls to move
through the file:

1 Space bar: Move forward one page

2 b: Move back one page

3 Down arrow: Move forward one line

4 Up arrow: Move back one line

5 q: Quit and return to the previous terminal window

Filtering for information


You previously explored how filtering for information is an important skill for security analysts.
Filtering is selecting data that match a certain condition. For example, if you had a virus in your
system that only affected the .txt files, you could use filtering to find these files quickly. Filtering
allows you to search based on specific criteria, such as file extension or a string of text.
grep
The grep command searches a specified file and returns all lines in the file containing a specified
string. The grep command commonly takes two arguments: a specific string to search for and a
specific file to search through.

For example, entering grep OS updates.txt returns all lines containing OS in the updates.txt file. In
this example, OS is the specific string to search for, and updates.txt is the specific file to search
through.

Piping
The pipe command is accessed using the pipe character (|). Piping sends the standard output of
one command as standard input to another command for further processing. As a reminder,
standard output is information returned by the OS through the shell, and standard input is
information received by the OS via the command line.

The pipe character (|) is located in various places on a keyboard. On many keyboards, it’s
located on the same key as the backslash character (\). On some keyboards, the | can look
different and have a small space through the middle of the line. If you can’t find the |, search
online for its location on your particular keyboard.

When used with grep, the pipe can help you find directories and files containing a specific word
in their names. For example, ls /home/analyst/reports | grep users returns the file and directory
names in the reports directory that contain users. Before the pipe, ls indicates to list the names of
the files and directories in reports. Then, it sends this output to the command after the pipe. In
this case, grep users returns all of the file or directory names containing users from the input it
received.

Note: Piping is a general form of redirection in Linux and can be used for multiple tasks other
than filtering. You can think of piping as a general tool that you can use whenever you want the
output of one command to become the input of another command.

find
The find command searches for directories and files that meet specified criteria. There’s a wide
range of criteria that can be specified with find. For example, you can search for files and
directories that

* Contain a specific string in the name,

* Are a certain file size, or


* Were last modified within a certain time frame.

When using find, the first argument after find indicates where to start searching. For example,
entering find /home/analyst/projects searches for everything starting at the projects directory.

After this first argument, you need to indicate your criteria for the search. If you don’t include
specific search criteria with your second argument, your search will likely return a lot of
directories and files.

Specifying criteria involves options. Options modify the behavior of a command and commonly
begin with a hyphen (-).

-name and -iname

One key criterion analysts might use with find is to find file or directory names that contain a
specific string. The specific string you’re searching for must be entered in quotes after the -name
or -iname options. The difference between these two options is that -name is case-sensitive, and
-iname is not.

For example, you might want to find all files in the projects directory that contain the word “log”
in the file name. To do this, you’d enter find /home/analyst/projects -name "*log*". You could also
enter find /home/analyst/projects -iname "*log*".

In these examples, the output would be all files in the projects directory that contain log
surrounded by zero or more characters. The "*log*" portion of the command is the search
criterion that tells find to search for the string “log”. When -name is the option, files with names
that include Log or LOG, for example, wouldn’t be returned because this option is case-sensitive.
However, they would be returned when -iname is the option.

Note: An asterisk (*) is used as a wildcard to represent zero or more unknown characters.

-mtime

Security analysts might also use find to find files or directories last modified within a certain
time frame. The -mtime option can be used for this search. For example, entering find
/home/analyst/projects -mtime -3 returns all files and directories in the projects directory that have
been modified within the past three days.

The -mtime option search is based on days, so entering -mtime +1 indicates all files or directories
last modified more than one day ago, and entering -mtime -1 indicates all files or directories last
modified less than one day ago.

Note: The option -mmin can be used instead of -mtime if you want to base the search on minutes
rather than days.
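
The pipe into grep and the find options from this section, run against a constructed directory tree (an added example, not part of the original reading; the file names, the helper functions and the -type f test are assumptions made for the demo). It goes one step further than the text: find measures age in whole 24-hour periods, so a file modified 36 hours ago matches -mtime 1 but neither -mtime -1 nor -mtime +1.

```shell
#!/bin/sh
# Added example. Every path and file name is constructed for the demo; the
# tree stands in for /home/analyst/projects and /home/analyst/reports.

# back_date FILE SECONDS: set FILE's modification time SECONDS into the past.
# Assumes a touch that accepts "-d @epoch" (GNU coreutils does).
back_date() {
    touch -d "@$(( $(date +%s) - $2 ))" "$1"
}

# make_demo_tree: create the sample tree and print its root directory.
make_demo_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/projects/archive" "$root/reports"
    touch "$root/projects/access_log.txt" \
          "$root/projects/Login_Review.txt" \
          "$root/projects/archive/AUTH.LOG" \
          "$root/projects/notes.txt"
    back_date "$root/projects/notes.txt" 129600          # 36 hours old
    back_date "$root/projects/archive/AUTH.LOG" 432000   # 5 days old
    touch "$root/reports/users_q1.txt" \
          "$root/reports/new_users.txt" \
          "$root/reports/devices.txt"
    echo "$root"
}

# count_by_name ROOT OPTION: number of regular files under ROOT/projects whose
# name matches "*log*", with OPTION set to -name or -iname.
# -type f (not covered in the reading) limits the result to regular files.
count_by_name() {
    find "$1/projects" -type f "$2" "*log*" | wc -l | tr -d ' '
}

# count_by_mtime ROOT N: number of regular files matching -mtime N, where N
# is written as -3, +1, 1 and so on.
count_by_mtime() {
    find "$1/projects" -type f -mtime "$2" | wc -l | tr -d ' '
}

# reports_matching ROOT STRING: names in ROOT/reports that contain STRING,
# found with ls piped into grep; the names are joined with commas.
reports_matching() {
    ls "$1/reports" | grep "$2" | paste -sd, -
}

# Run the demo and clean up afterwards.
demo=$(make_demo_tree)
printf '%s\n' "-name  \"*log*\": $(count_by_name "$demo" -name) file(s)"
printf '%s\n' "-iname \"*log*\": $(count_by_name "$demo" -iname) file(s)"
for n in -3 -1 1 +1; do
    printf '%s\n' "-mtime $n: $(count_by_mtime "$demo" "$n") file(s)"
done
printf '%s\n' "ls reports | grep users: $(reports_matching "$demo" users)"
rm -rf "$demo"
```
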
Linux study again

Manage directories and files


Previously, you explored how to manage the file system using Linux commands. The following commands
were introduced: mkdir, rmdir, touch, rm, mv, and cp. In this reading, you’ll review these commands, the
nano text editor, and learn another way to write to files.

Creating and modifying directories


mkdir

The mkdir command creates a new directory. Like all of the commands presented in this reading, you can
either provide the new directory as the absolute file path, which starts from the root, or as a relative file path,
which starts from your current directory.

For example, if you want to create a new directory called network in your /home/analyst/logs directory, you
can enter mkdir /home/analyst/logs/network to create this new directory. If you’re already in the
/home/analyst/logs directory, you can also create this new directory by entering mkdir network.

Pro Tip: You can use the ls command to confirm the new directory was added.

rmdir

The rmdir command removes, or deletes, a directory. For example, entering rmdir
/home/analyst/logs/network would remove this empty directory from the file system.

Note: The rmdir command cannot delete directories with files or subdirectories inside. For example, entering
rmdir /home/analyst returns an error message.

Creating and modifying files


touch and rm
The touch command creates a new file. This file won’t have any content inside. If your current directory is
/home/analyst/reports, entering touch permissions.txt creates a new file in the reports subdirectory called
permissions.txt.

The rm command removes, or deletes, a file. This command should be used carefully because it’s not easy to
recover files deleted with rm. To remove the permissions file you just created, enter rm permissions.txt.

Pro Tip: You can verify that permissions.txt was successfully created or removed by entering ls.

mv and cp

You can also use mv and cp when working with files. The mv command moves a file or directory to a new
location, and the cp command copies a file or directory into a new location. The first argument after mv or cp
is the file or directory you want to move or copy, and the second argument is the location you want to move
or copy it to.

To move permissions.txt into the logs subdirectory, enter mv permissions.txt /home/analyst/logs. Moving a
file removes the file from its original location. However, copying a file doesn’t remove it from its original
location. To copy permissions.txt into the logs subdirectory while also keeping it in its original location, enter
cp permissions.txt /home/analyst/logs.

Note: The mv command can also be used to rename files. To rename a file, pass the new name in as the
second argument instead of the new location. For example, entering mv permissions.txt perm.txt renames
the permissions.txt file to perm.txt.

nano text editor


nano is a command-line file editor that is available by default in many Linux distributions. Many beginners
find it easy to use, and it’s widely used in the security profession. You can perform multiple basic tasks in
nano, such as creating new files and modifying file contents.

To open an existing file in nano from the directory that contains it, enter nano followed by the file name. For
example, entering nano permissions.txt from the /home/analyst/reports directory opens a new nano editing
window with the permissions.txt file open for editing. You can also provide the absolute file path to the file if
you’re not in the directory that contains it.

You can also create a new file in nano by entering nano followed by a new file name. For example, entering
nano authorized_users.txt from the /home/analyst/reports directory creates the authorized_users.txt file
within that directory and opens it in a new nano editing window.

Since there isn't an auto-saving feature in nano, it’s important to save your work before exiting. To save a file
in nano, use the keyboard shortcut Ctrl + O. You’ll be prompted to confirm the file name before saving. To
exit out of nano, use the keyboard shortcut Ctrl + X.

Note: Vim and Emacs are also popular command-line text editors.

Standard output redirection


There’s an additional way you can write to files. Previously, you learned about standard input and standard
output. Standard input is information received by the OS via the command line, and standard output is
information returned by the OS through the shell.

You’ve also learned about piping. Piping sends the standard output of one command as standard input to
another command for further processing. It uses the pipe character (|).

In addition to the pipe (|), you can also use the right angle bracket (>) and double right angle bracket (>>)
operators to redirect standard output.

When used with echo, the > and >> operators can be used to send the output of echo to a specified file rather
than the screen. The difference between the two is that > overwrites your existing file, and >> adds your
content to the end of the existing file instead of overwriting it. The > operator should be used carefully,
because it’s not easy to recover overwritten files.

When you’re inside the directory containing the permissions.txt file, entering echo "last updated date" >>
permissions.txt adds the string “last updated date” to the file contents. Entering echo "time" > permissions.txt
after this command overwrites the entire file contents of permissions.txt with the string “time”.

Note: Both the > and >> operators will create a new file if one doesn’t already exist with your specified name.

Permission commands
Previously, you explored file permissions and the commands that you can use to display and change them. In
this reading, you’ll review these concepts and also focus on an example of how these commands work
together when putting the principle of least privilege into practice.

Reading permissions
In Linux, permissions are represented with a 10-character string. Permissions include:

read: for files, this is the ability to read the file contents; for directories, this is the ability to read all contents
in the directory including both files and subdirectories

write: for files, this is the ability to make modifications on the file contents; for directories, this is the ability
to create new files in the directory

execute: for files, this is the ability to execute the file if it’s a program; for directories, this is the ability to
enter the directory and access its files

These permissions are given to these types of owners:

user: the owner of the file

group: a larger group that the owner is a part of


other: all other users on the system

Each character in the 10-character string conveys different information about these permissions. The
following table describes the purpose of each character:

Character  Example     Meaning
1st        drwxrwxrwx  file type: d for directory; - for a regular file
2nd        drwxrwxrwx  read permissions for the user: r if the user has read permissions; - if the user lacks read permissions
3rd        drwxrwxrwx  write permissions for the user: w if the user has write permissions; - if the user lacks write permissions
4th        drwxrwxrwx  execute permissions for the user: x if the user has execute permissions; - if the user lacks execute permissions
5th        drwxrwxrwx  read permissions for the group: r if the group has read permissions; - if the group lacks read permissions
6th        drwxrwxrwx  write permissions for the group: w if the group has write permissions; - if the group lacks write permissions
7th        drwxrwxrwx  execute permissions for the group: x if the group has execute permissions; - if the group lacks execute permissions
8th        drwxrwxrwx  read permissions for other: r if the other owner type has read permissions; - if the other owner type lacks read permissions
9th        drwxrwxrwx  write permissions for other: w if the other owner type has write permissions; - if the other owner type lacks write permissions
10th       drwxrwxrwx  execute permissions for other: x if the other owner type has execute permissions; - if the other owner type lacks execute permissions

Exploring existing permissions


You can use the ls command to investigate who has permissions on files and directories. Previously, you
learned that ls displays the names of the files and directories in the current working directory.

There are additional options you can add to the ls command to make your command more specific. Some of
these options provide details about permissions. Here are a few important ls options for security analysts:

ls -a: Displays hidden files. Hidden files start with a period (.) at the beginning.

ls -l: Displays permissions to files and directories. Also displays other additional information, including owner
name, group, file size, and the time of last modification.

ls -la: Displays permissions to files and directories, including hidden files. This is a combination of the other
two options.

Changing permissions
The principle of least privilege is the concept of granting only the minimal access and authorization required
to complete a task or function. In other words, users should not have privileges that are beyond what is
necessary. Not following the principle of least privilege can create security risks.

The chmod command can help you manage this authorization. The chmod command changes permissions on
files and directories.
Using chmod

The chmod command requires two arguments. The first argument indicates how to change permissions, and
the second argument indicates the file or directory that you want to change permissions for. For example,
the following command would add all permissions to login_sessions.txt:

chmod u+rwx,g+rwx,o+rwx login_sessions.txt

If you wanted to take all the permissions away, you could use

chmod u-rwx,g-rwx,o-rwx login_sessions.txt

Another way to assign these permissions is to use the equals sign (=) in this first argument. Using = with
chmod sets, or assigns, the permissions exactly as specified. For example, the following command would set
read permissions for login_sessions.txt for user, group, and other:

chmod u=r,g=r,o=r login_sessions.txt

This command overwrites existing permissions. For instance, if the user previously had write permissions,
these write permissions are removed after you specify only read permissions with =.

The following table reviews how each character is used within the first argument of chmod:

Character Description
u indicates changes will be made to user permissions
g indicates changes will be made to group permissions
o indicates changes will be made to other permissions
+ adds permissions to the user, group, or other
- removes permissions from the user, group, or other
= assigns permissions for the user, group, or other
Note: When there are permission changes to more than one owner type, commas are needed to separate
changes for each owner type. You should not add spaces after those commas.

The principle of least privilege in action

As a security analyst, you may encounter a situation like this one: There’s a file called bonuses.txt within a
compensation directory. The owner of this file is a member of the Human Resources department with a
username of hrrep1. It has been decided that hrrep1 needs access to this file. But, since this file contains
confidential information, no one else in the hr group needs access.

You run ls -l to check the permissions of files in the compensation directory and discover that the permissions
for bonuses.txt are -rw-rw----. The group owner type has read and write permissions that do not align with
the principle of least privilege.

To remedy the situation, you input chmod g-rw bonuses.txt. Now, only the user who needs to access this file
to carry out their job responsibilities can access this file.
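
The bonuses.txt scenario above as a runnable check (an added example, not part of the original reading; the temporary compensation directory, the salaries.txt file and the helper functions are constructed for the demo). It reads the 10-character string from ls, splits it by owner type, flags files where group or other holds any permission, and then applies the chmod g-rw fix.

```shell
#!/bin/sh
# Added example. The directory and both files are constructed in a temp
# location; the helper names are hypothetical.

# perm_string FILE: the 10-character permission string that ls -l shows.
# cut drops anything after column 10 (some systems append "." or "+").
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# describe_perms STRING: split the string into the file type (character 1)
# and the user, group and other triplets (characters 2-4, 5-7 and 8-10).
describe_perms() {
    case $1 in
        d*) kind=directory ;;
        -*) kind=file ;;
        *)  kind=other ;;
    esac
    printf 'type=%s user=%s group=%s other=%s\n' "$kind" \
        "$(printf '%s' "$1" | cut -c2-4)" \
        "$(printf '%s' "$1" | cut -c5-7)" \
        "$(printf '%s' "$1" | cut -c8-10)"
}

# exceeds_owner_only STRING: succeed when group or other holds any
# permission, that is, when characters 5-10 are not all "-".
exceeds_owner_only() {
    [ "$(printf '%s' "$1" | cut -c5-10)" != "------" ]
}

# audit_dir DIR: print the name of every entry in DIR that group or other
# can read, write or execute.
audit_dir() {
    for entry in "$1"/*; do
        [ -e "$entry" ] || continue
        if exceeds_owner_only "$(perm_string "$entry")"; then
            basename "$entry"
        fi
    done
}

# make_compensation_dir: build the sample directory and print its path.
make_compensation_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/bonuses.txt"
    : > "$dir/salaries.txt"
    chmod u=rw,g=rw,o= "$dir/bonuses.txt"    # the finding: -rw-rw----
    chmod u=rw,g=,o=   "$dir/salaries.txt"   # already limited to the user
    echo "$dir"
}

# Run the scenario: inspect, flag, remediate, re-check, clean up.
comp=$(make_compensation_dir)
describe_perms "$(perm_string "$comp/bonuses.txt")"
printf 'flagged before: %s\n' "$(audit_dir "$comp")"
chmod g-rw "$comp/bonuses.txt"               # remediation from the scenario
describe_perms "$(perm_string "$comp/bonuses.txt")"
printf 'flagged after: %s\n' "$(audit_dir "$comp")"
rm -rf "$comp"
```
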
Responsible use of sudo
To manage authorization and authentication, you need to be a root user, or a user with elevated privileges to
modify the system. The root user can also be called the “super user.” You become a root user by logging in as
the root user. However, running commands as the root user is not recommended in Linux because it can
create security risks if malicious actors compromise that account. It’s also easy to make irreversible mistakes,
and the system can’t track who ran a command. For these reasons, rather than logging in as the root user, it’s
recommended you use sudo in Linux when you need elevated privileges.

The sudo command temporarily grants elevated permissions to specific users. The name of this command
comes from “super user do.” Users must be given access in a configuration file to use sudo. This file is called
the “sudoers file.” Although using sudo is preferable to logging in as the root user, it's important to be aware
that users with the elevated permissions to use sudo might be more at risk in the event of an attack.

You can compare this to a hotel with a master key. The master key can be used to access any room in the
hotel. There are some workers at the hotel who need this key to perform their work. For example, to clean all
the rooms, the janitor would scan their ID badge and then use this master key. However, if someone outside
the hotel’s network gained access to the janitor’s ID badge and master key, they could access any room in the
hotel. In this example, the janitor with the master key represents a user using sudo for elevated privileges.
Because of the dangers of sudo, only users who really need to use it should have these permissions.

Additionally, even if you need access to sudo, you should be careful to use it only with the commands
you need and nothing more. Running commands with sudo allows users to bypass the typical security
controls that are in place to prevent an attacker from gaining elevated access.

Note: Be aware of sudo if copying commands from an online source. It’s important you don’t use sudo
accidentally.

Authentication and authorization with sudo


You can use sudo with many authentication and authorization management tasks. As a reminder,
authentication is the process of verifying who someone is, and authorization is the concept of granting
access to specific resources in a system. Some of the key commands used for these tasks include the
following:

useradd

The useradd command adds a user to the system. To add a user with the username of fgarcia with sudo, enter
sudo useradd fgarcia. There are additional options you can use with useradd:

-g: Sets the user’s default group, also called their primary group

-G: Adds the user to additional groups, also called supplemental or secondary groups

To use the -g option, the primary group must be specified after -g. For example, entering sudo useradd -g
security fgarcia adds fgarcia as a new user and assigns their primary group to be security.
To use the -G option, the supplemental group must be passed into the command after -G. You can add more
than one supplemental group at a time with the -G option. Entering sudo useradd -G finance,admin fgarcia
adds fgarcia as a new user and adds them to the existing finance and admin groups.

usermod

The usermod command modifies existing user accounts. The same -g and -G options from the useradd
command can be used with usermod if a user already exists.

To change the primary group of an existing user, you need the -g option. For example, entering sudo usermod
-g executive fgarcia would change fgarcia’s primary group to the executive group.

To add a supplemental group for an existing user, you need the -G option. You also need a -a option, which
appends the user to an existing group and is only used with the -G option. For example, entering sudo
usermod -a -G marketing fgarcia would add the existing fgarcia user to the supplemental marketing group.

Note: When changing the supplemental group of an existing user, if you don't include the -a option, -G will
replace any existing supplemental groups with the groups specified after usermod. Using -a with -G ensures
that the new groups are added but existing groups are not replaced.

There are other options you can use with usermod to specify how you want to modify the user, including:

-d: Changes the user’s home directory.

-l: Changes the user’s login name.

-L: Locks the account so the user can’t log in.

The option always goes after the usermod command. For example, to change fgarcia’s home directory to
/home/garcia_f, enter sudo usermod -d /home/garcia_f fgarcia. The option -d directly follows the command
usermod before the other two needed arguments.

userdel

The userdel command deletes a user from the system. For example, entering sudo userdel fgarcia deletes
fgarcia as a user. Be careful before you delete a user using this command.

The userdel command doesn’t delete the files in the user’s home directory unless you use the -r option.
Entering sudo userdel -r fgarcia would delete fgarcia as a user and delete all files in their home directory.
Before deleting any user files, you should ensure you have backups in case you need them later.

Note: Instead of deleting the user, you could consider deactivating their account with usermod -L. This
prevents the user from logging in while still giving you access to their account and associated permissions.
For example, if a user left an organization, this option would allow you to identify which files they have
ownership over, so you could move this ownership to other users.

chown
The chown command changes ownership of a file or directory. You can use chown to change user or group
ownership. To change the user owner of the access.txt file to fgarcia, enter sudo chown fgarcia access.txt. To
change the group owner of access.txt to security, enter sudo chown :security access.txt. You must enter a
colon (:) before security to designate it as a group name.

Similar to useradd, usermod, and userdel, there are additional options that can be used with chown.

Linux community
Linux has a large online community, and this is a huge resource for Linux users of all levels. You
can likely find the answers to your questions with a simple online search. Troubleshooting
issues by searching and reading online is an effective way to discover how others approached
your issue. It’s also a great way for beginners to learn more about Linux.

The Unix and Linux Stack Exchange is a trusted resource for troubleshooting Linux issues. It is
a question and answer website where community members
can ask and answer questions about Linux. Community members vote on answers, so the
higher quality answers are displayed at the top. Many of the questions are related to specific
topics from advanced users, and the topics might help you troubleshoot issues as you continue
using Linux.

Integrated Linux support


Linux also has several commands that you can use for support.

man

The man command displays information on other commands and how they work. It’s short for
“manual.” To search for information on a command, enter the command after man. For
example, entering man chown returns detailed information about chown, including the various
options you can use with it. The output of the man command is also called a “man page.”

apropos

The apropos command searches the man page descriptions for a specified string. Man pages can
be lengthy and difficult to search through if you’re looking for a specific keyword. To use apropos,
enter the keyword after apropos.

You can also include the -a option to search for multiple words. For example, entering apropos -a
graph editor outputs man pages that contain both the words "graph" and "editor" in their
descriptions.

whatis
The whatis command displays a description of a command on a single line. For example,
entering whatis nano outputs the description of nano. This command is useful when you don't
need a detailed description, just a general idea of the command. This might be as a reminder.
Or, it might be after you discover a new command through a colleague or online resource and
want to know more.

Terms and definitions from Course 4, Week 3


Absolute file path: The full file path, which starts from the root

Argument (Linux): Specific information needed by a command

Authentication: The process of verifying who someone is

Authorization: The concept of granting access to specific resources in a system

Bash: The default shell in most Linux distributions

Command: An instruction telling the computer to do something

File path: The location of a file or directory

Filesystem Hierarchy Standard (FHS): The component of the Linux OS that organizes data

Filtering: Selecting data that match a certain condition

nano: A command-line file editor that is available by default in many Linux distributions

Options: Input that modifies the behavior of a command

Permissions: The type of access granted for a file or directory

Principle of least privilege: The concept of granting only the minimal access and authorization required to
complete a task or function

Relative file path: A file path that starts from the user's current directory

Root directory: The highest-level directory in Linux

Root user (or superuser): A user with elevated privileges to modify the system

Standard input: Information received by the OS via the command line

Standard output: Information returned by the OS through the shell


SQL filtering versus Linux filtering
Previously, you explored the Linux commands that allow you to filter for specific information contained
within files or directories. And, more recently, you examined how SQL helps you efficiently filter for the
information you need. In this reading, you'll explore differences between the two tools as they relate to
filtering. You'll also learn that one way to access SQL is through the Linux command line.

Accessing SQL
There are many interfaces for accessing SQL and many different versions of SQL. One way to access SQL is
through the Linux command line.

To access SQL from Linux, you need to type in a command for the version of SQL that you want to use. For
example, if you want to access SQLite, you can enter the command sqlite3 in the command line.

After this, any commands typed in the command line will be directed to SQL instead of being run as Linux commands.

Differences between Linux and SQL filtering


Although both Linux and SQL allow you to filter through data, there are some differences that affect which
one you should choose.

Structure

SQL offers a lot more structure than Linux, which is more free-form and not as tidy.

For example, if you wanted to access a log of employee log-in attempts, SQL would have each record
separated into columns. Linux would print the data as a line of text without this organization. As a result,
selecting a specific column to analyze would be easier and more efficient in SQL.

In terms of structure, SQL provides results that are more easily readable and that can be adjusted more
quickly than when using Linux.

Joining tables

Some security-related decisions require information from different tables. SQL allows the analyst to join
multiple tables together when returning data. Linux doesn’t have that same functionality; it doesn’t allow
data to be connected to other information on your computer. This is more restrictive for an analyst going
through security logs.

Best uses

As a security analyst, it’s important to understand when you can use which tool. Although SQL has a more
organized structure and allows you to join tables, this doesn’t mean that there aren’t situations that would
require you to filter data in Linux.

A lot of data used in cybersecurity will be stored in a database format that works with SQL. However, other
logs might be in a format that is not compatible with SQL. For instance, if the data is stored in a text file, you
cannot search through it with SQL. In those cases, it is useful to know how to filter in Linux.

Basic SQL query


There are two essential keywords in any SQL query: SELECT and FROM. You will use these
keywords every time you want to query a SQL database. Using them together helps SQL identify
what data you need from a database and the table you are returning it from.

The video demonstrated this SQL query:

SELECT employee_id, device_id

FROM employees;

In readings and quizzes, this course uses a sample database called the Chinook database to run
queries. The Chinook database includes data that might be created at a digital media company. A
security analyst employed by this company might need to query this data. For example, the
database contains eleven tables, including an employees table, a customers table, and an invoices
table. These tables include data such as names and addresses.

As an example, you can run this query to return data from the customers table of the Chinook
database:

SELECT customerid, city, country

FROM customers;

+------------+---------------------+----------------+

| CustomerId | City | Country |

+------------+---------------------+----------------+

| 1 | São José dos Campos | Brazil |


| 2 | Stuttgart | Germany |

| 3 | Montréal | Canada |

| 4 | Oslo | Norway |

| 5 | Prague | Czech Republic |

| 6 | Prague | Czech Republic |

| 7 | Vienne | Austria |

| 8 | Brussels | Belgium |

| 9 | Copenhagen | Denmark |

| 10 | São Paulo | Brazil |

| 11 | São Paulo | Brazil |

| 12 | Rio de Janeiro | Brazil |

| 13 | Brasília | Brazil |

| 14 | Edmonton | Canada |

| 15 | Vancouver | Canada |

| 16 | Mountain View | USA |


| 17 | Redmond | USA |

| 18 | New York | USA |

| 19 | Cupertino | USA |

| 20 | Mountain View | USA |

| 21 | Reno | USA |

| 22 | Orlando | USA |

| 23 | Boston | USA |

| 24 | Chicago | USA |

| 25 | Madison | USA |

+------------+---------------------+----------------+

(Output limit exceeded, 25 of 59 total rows shown)

SELECT

The SELECT keyword indicates which columns to return. For example, you can return the
customerid column from the Chinook database with

SELECT customerid

You can also select multiple columns by separating them with a comma. For example, if you
want to return both the customerid and city columns, you should write SELECT customerid, city.
If you want to return all columns in a table, you can follow the SELECT keyword with an asterisk
(*). The first line in the query will be SELECT *.

Note: Although the tables you're querying in this course are relatively small, using SELECT * may
not be advisable when working with large databases and tables; in those cases, the final output
may be difficult to understand and might be slow to run.

FROM

The SELECT keyword always comes with the FROM keyword. FROM indicates which table to query.
To use the FROM keyword, you should write it after the SELECT keyword, often on a new line, and
follow it with the name of the table you’re querying. If you want to return all columns from the
customers table, you can write:

SELECT *

FROM customers;

When you want to end the query here, you put a semicolon (;) at the end to tell SQL that this is
the entire query.

Note: Line breaks are not necessary in SQL queries, but are often used to make the query easier
to understand. If you prefer, you can also write the previous query on one line as

SELECT * FROM customers;

ORDER BY
Database tables are often very complicated, and this is where other SQL keywords come in
handy. ORDER BY is an important keyword for organizing the data you extract from a table.

ORDER BY sequences the records returned by a query based on a specified column or columns.
This can be in either ascending or descending order.

Sorting in ascending order

To use the ORDER BY keyword, write it at the end of the query and specify a column to base the
sort on. In this example, SQL will return the customerid, city, and country columns from the
customers table, and the records will be sequenced by the city column:

SELECT customerid, city, country

FROM customers
ORDER BY city;

+------------+--------------+----------------+

| CustomerId | City | Country |

+------------+--------------+----------------+

| 48 | Amsterdam | Netherlands |

| 59 | Bangalore | India |

| 36 | Berlin | Germany |

| 38 | Berlin | Germany |

| 42 | Bordeaux | France |

| 23 | Boston | USA |

| 13 | Brasília | Brazil |

| 8 | Brussels | Belgium |

| 45 | Budapest | Hungary |

| 56 | Buenos Aires | Argentina |


| 24 | Chicago | USA |

| 9 | Copenhagen | Denmark |

| 19 | Cupertino | USA |

| 58 | Delhi | India |

| 43 | Dijon | France |

| 46 | Dublin | Ireland |

| 54 | Edinburgh | United Kingdom |

| 14 | Edmonton | Canada |

| 26 | Fort Worth | USA |

| 37 | Frankfurt | Germany |

| 31 | Halifax | Canada |

| 44 | Helsinki | Finland |

| 34 | Lisbon | Portugal |

| 52 | London | United Kingdom |

| 53 | London | United Kingdom |


+------------+--------------+----------------+

(Output limit exceeded, 25 of 59 total rows shown)

The ORDER BY keyword sorts the records based on the column specified after this keyword. By
default, as shown in this example, the sequence will be in ascending order. This means:

if you choose a column containing numeric data, it sorts the output from the smallest to largest.
For example, if sorting on customerid, the ID numbers are sorted from smallest to largest.

if the column contains alphabetic characters, such as in the example with the city column, it
orders the records from the beginning of the alphabet to the end.

Sorting in descending order

You can also use ORDER BY with the DESC keyword to sort in descending order. The DESC
keyword is short for "descending" and tells SQL to sort numbers from largest to smallest, or
alphabetically from Z to A. To do this, follow the column name in ORDER BY with the DESC keyword. For
example, you can run this query to examine how the results differ when DESC is applied:

SELECT customerid, city, country

FROM customers

ORDER BY city DESC;

+------------+---------------------+----------------+

| CustomerId | City | Country |


+------------+---------------------+----------------+

| 33 | Yellowknife | Canada |

| 32 | Winnipeg | Canada |

| 49 | Warsaw | Poland |

| 7 | Vienne | Austria |

| 15 | Vancouver | Canada |

| 27 | Tucson | USA |

| 29 | Toronto | Canada |

| 10 | São Paulo | Brazil |

| 11 | São Paulo | Brazil |

| 1 | São José dos Campos | Brazil |

| 2 | Stuttgart | Germany |

| 51 | Stockholm | Sweden |

| 55 | Sidney | Australia |

| 57 | Santiago | Chile |
| 28 | Salt Lake City | USA |

| 47 | Rome | Italy |

| 12 | Rio de Janeiro | Brazil |

| 21 | Reno | USA |

| 17 | Redmond | USA |

| 5 | Prague | Czech Republic |

| 6 | Prague | Czech Republic |

| 35 | Porto | Portugal |

| 39 | Paris | France |

| 40 | Paris | France |

| 30 | Ottawa | Canada |

+------------+---------------------+----------------+

(Output limit exceeded, 25 of 59 total rows shown)

Now, cities at the end of the alphabet are listed first.

Sorting based on multiple columns


You can also choose multiple columns to order by. For example, you might first choose the
country and then the city column. SQL then sorts the output by country, and for rows with the
same country, it sorts them based on city. You can run this to explore how SQL displays this:

SELECT customerid, city, country

FROM customers

ORDER BY country, city;

+------------+---------------------+----------------+

| CustomerId | City | Country |

+------------+---------------------+----------------+

| 56 | Buenos Aires | Argentina |

| 55 | Sidney | Australia |

| 7 | Vienne | Austria |

| 8 | Brussels | Belgium |

| 13 | Brasília | Brazil |

| 12 | Rio de Janeiro | Brazil |

| 1 | São José dos Campos | Brazil |

| 10 | São Paulo | Brazil |


| 11 | São Paulo | Brazil |

| 14 | Edmonton | Canada |

| 31 | Halifax | Canada |

| 3 | Montréal | Canada |

| 30 | Ottawa | Canada |

| 29 | Toronto | Canada |

| 15 | Vancouver | Canada |

| 32 | Winnipeg | Canada |

| 33 | Yellowknife | Canada |

| 57 | Santiago | Chile |

| 5 | Prague | Czech Republic |

| 6 | Prague | Czech Republic |

| 9 | Copenhagen | Denmark |

| 44 | Helsinki | Finland |

| 42 | Bordeaux | France |
| 43 | Dijon | France |

| 41 | Lyon | France |

+------------+---------------------+----------------+

(Output limit exceeded, 25 of 59 total rows shown)

The WHERE clause and basic operators


Previously, you focused on how to refine your SQL queries by using the WHERE clause to filter results. In this
reading, you’ll further explore how to use the WHERE clause, the LIKE operator and the percentage sign (%)
wildcard. You’ll also be introduced to the underscore (_), another wildcard that can help you filter queries.

How filtering helps


As a security analyst, you'll often be responsible for working with very large and complicated security logs. To
find the information you need, you'll often need to use SQL to filter the logs.

In a cybersecurity context, you might use filters to find the login attempts of a specific user or all login
attempts made at the time of a security issue. As another example, you might filter to find the devices that
are running a specific version of an application.

WHERE
To create a filter in SQL, you need to use the keyword WHERE. WHERE indicates the condition for a filter.

If you needed to email employees with a title of IT Staff, you might use a query like the one in the following
example. You can run this example to examine what it returns:

SELECT firstname, lastname, title, email

FROM employees

WHERE title = 'IT Staff';

+-----------+----------+----------+------------------------+

| FirstName | LastName | Title | Email |

+-----------+----------+----------+------------------------+

| Robert | King | IT Staff | [email protected] |

| Laura | Callahan | IT Staff | [email protected] |

+-----------+----------+----------+------------------------+

Rather than returning all records in the employees table, this WHERE clause instructs SQL to return only those
that contain 'IT Staff' in the title column. It uses the equals sign (=) operator to set this condition.

Note: You should place the semicolon (;) where the query ends. When you add a filter to a basic query, the
semicolon is after the filter.

Filtering for patterns


You can also filter based on a pattern. For example, you can identify entries that start or end with a certain
character or characters. Filtering for a pattern requires incorporating two more elements into your WHERE
clause:

a wildcard


the LIKE operator

Wildcards
A wildcard is a special character that can be substituted with any other character. Two of the most useful
wildcards are the percentage sign (%) and the underscore (_):

The percentage sign substitutes for any number of other characters.


The underscore symbol only substitutes for one other character.

These wildcards can be placed after a string, before a string, or in both locations depending on the pattern
you’re filtering for.

The following table includes these wildcards applied to the string 'a' and examples of what each pattern
would return.

Pattern    Results that could be returned
'a%'       apple123, art, a
'a_'       as, an, a7
'a__'      ant, add, a1c
'%a'       pizza, Z6ra, a
'_a'       ma, 1a, Ha
'%a%'      Again, back, a
'_a_'      Car, ban, ea7

LIKE

To apply wildcards to the filter, you need to use the LIKE operator instead of an equals sign (=). LIKE is used
with WHERE to search for a pattern in a column.

For instance, if you want to email employees with a title of either 'IT Staff' or 'IT Manager', you can use the
LIKE operator combined with the % wildcard:

SELECT lastname, firstname, title, email

FROM employees

WHERE title LIKE 'IT%';

+----------+-----------+------------+-------------------------+
| LastName | FirstName | Title | Email |

+----------+-----------+------------+-------------------------+

| Mitchell | Michael | IT Manager | [email protected] |

| King | Robert | IT Staff | [email protected] |

| Callahan | Laura | IT Staff | [email protected] |

+----------+-----------+------------+-------------------------+

This query returns all records with values in the title column that start with the pattern of 'IT'. This means
both 'IT Staff' and 'IT Manager' are returned.

As another example, if you want to search through the customers table to find all customers located in states
with an abbreviation of 'NY', 'NV', 'NS' or 'NT', you can use the 'N_' pattern on the state column:

SELECT firstname, lastname, state, country

FROM customers

WHERE state LIKE 'N_';

+-----------+----------+-------+---------+

| FirstName | LastName | State | Country |

+-----------+----------+-------+---------+

| Michelle | Brooks | NY | USA |


| Kathy | Chase | NV | USA |

| Martha | Silk | NS | Canada |

| Ellie | Sullivan | NT | Canada |

+-----------+----------+-------+---------+

This returns all the records with state abbreviations that follow this pattern.
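Because _ and % are wildcards, a pattern over-matches when the value you are looking for contains those characters itself, which is common in hostnames and usernames. The following added example is not part of the original reading: it runs the queries through Python's built-in sqlite3 module on a constructed machines table (the hostnames and helper names are assumptions) and uses SQL's ESCAPE clause to match the wildcard characters literally.

```python
import sqlite3

# Constructed sample data: hostnames as they might appear in an asset inventory.
HOSTS = ["srv_01", "srv_02", "srvA01", "srv_100", "db%prod", "dbXprod"]

PLAIN = "SELECT hostname FROM machines WHERE hostname LIKE ? ORDER BY rowid"
# ESCAPE '\' makes a % or _ that follows a backslash literal instead of a wildcard.
ESCAPED = ("SELECT hostname FROM machines WHERE hostname LIKE ? ESCAPE '\\' "
           "ORDER BY rowid")


def make_db():
    """Build an in-memory table holding the constructed hostnames."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE machines (hostname TEXT)")
    conn.executemany("INSERT INTO machines VALUES (?)", [(h,) for h in HOSTS])
    return conn


def hosts_like(conn, pattern, escaped=False):
    """Return hostnames matching a LIKE pattern, in insertion order."""
    sql = ESCAPED if escaped else PLAIN
    return [row[0] for row in conn.execute(sql, (pattern,))]


def escape_like(term):
    """Escape \\, % and _ in a search term so LIKE treats them as plain text."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def starts_with(conn, prefix):
    """Hostnames that begin with the literal prefix, wildcards neutralised."""
    return hosts_like(conn, escape_like(prefix) + "%", escaped=True)


if __name__ == "__main__":
    conn = make_db()
    # '_' stands for exactly one character, so srv_100 is too long to match,
    # but srvA01 matches because 'A' fills the first wildcard position.
    print(hosts_like(conn, "srv_0_"))
    # With the underscore escaped, only names with a real '_' are returned.
    print(hosts_like(conn, r"srv\_0_", escaped=True))
    # '%' matches any run of characters, including the 'X' in dbXprod.
    print(hosts_like(conn, "db%prod"))
    print(starts_with(conn, "db%"))
```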

Operators for filtering dates and numbers


Previously, you examined operators like less than (<) or greater than (>) and explored how they can be used
in filtering numeric and date and time data types. This reading summarizes what you learned and provides
new examples of using operators in filters.

Numbers, dates, and times in cybersecurity


Security analysts work with more than just string data, or data consisting of an ordered sequence of
characters.

They also frequently work with numeric data, or data consisting of numbers. A few examples of numeric data
that you might encounter in your work as a security analyst include:

the number of login attempts


the count of a specific type of log entry


the volume of data being sent from a source



the volume of data being sent to a destination

You'll also encounter date and time data, or data representing a date and/or time. As a first example, logs
will generally timestamp every record. Other time and date data might include:

login dates


login times


dates for patches


the duration of a connection

Comparison operators
In SQL, filtering numeric and date and time data often involves operators. You can use the following
operators in your filters to make sure you return only the rows you need:

Operator   Use
<          less than
>          greater than
=          equal to
<=         less than or equal to
>=         greater than or equal to
<>         not equal to

Note: You can also use != as an alternative operator for not equal to.

Incorporating operators into filters


These comparison operators are used in the WHERE clause at the end of a query. The following query uses
the > operator to filter the birthdate column. You can run this query to explore its output:

SELECT firstname, lastname, birthdate

FROM employees

WHERE birthdate > '1970-01-01';

+-----------+----------+---------------------+

| FirstName | LastName | BirthDate |

+-----------+----------+---------------------+

| Jane | Peacock | 1973-08-29 00:00:00 |

| Michael | Mitchell | 1973-07-01 00:00:00 |

| Robert | King | 1970-05-29 00:00:00 |

+-----------+----------+---------------------+

This query returns the first and last names of employees born after, but not on, '1970-01-01' (or January 1,
1970). If you were to use the >= operator instead, the results would also include employees born on exactly
'1970-01-01'.

In other words, the > operator is exclusive and the >= operator is inclusive. An exclusive operator is an
operator that does not include the value of comparison. An inclusive operator is an operator that includes
the value of comparison.

BETWEEN

Another operator used for numeric data as well as date and time data is the BETWEEN operator. BETWEEN
filters for numbers or dates within a range. For example, if you want to find the first and last names of all
employees hired between January 1, 2002 and January 1, 2003, you can use the BETWEEN operator as follows:

SELECT firstname, lastname, hiredate

FROM employees

WHERE hiredate BETWEEN '2002-01-01' AND '2003-01-01';

+-----------+----------+---------------------+

| FirstName | LastName | HireDate |

+-----------+----------+---------------------+

| Andrew | Adams | 2002-08-14 00:00:00 |

| Nancy | Edwards | 2002-05-01 00:00:00 |

| Jane | Peacock | 2002-04-01 00:00:00 |

+-----------+----------+---------------------+

Note: The BETWEEN operator is inclusive. This means records with a hiredate of January 1, 2002 or January 1,
2003 are included in the results of the previous query.
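Log records carry a time of day as well as a date, and that changes what a date-only boundary selects. The following added example is not part of the original reading: it uses Python's built-in sqlite3 module and a constructed log_in_attempts table (the table, its rows and the function names are assumptions) to show exclusive versus inclusive comparison on a timestamp, and why a BETWEEN filter with date-only bounds leaves out events that happen during the final day.

```python
import sqlite3

# Constructed login-attempt log: (event_id, username, login_time, success).
# Timestamps are text in 'YYYY-MM-DD HH:MM:SS' form, which sorts chronologically.
LOGINS = [
    (1, "jrafael", "2022-05-07 23:59:58", 0),
    (2, "arusso", "2022-05-08 06:14:03", 1),
    (3, "jrafael", "2022-05-08 19:28:50", 0),
    (4, "bisles", "2022-05-09 09:02:11", 0),
    (5, "arusso", "2022-05-09 23:41:37", 0),
    (6, "bisles", "2022-05-10 00:00:05", 1),
]

AFTER_EXCLUSIVE = ("SELECT event_id FROM log_in_attempts "
                   "WHERE login_time > ? ORDER BY event_id")
AFTER_INCLUSIVE = ("SELECT event_id FROM log_in_attempts "
                   "WHERE login_time >= ? ORDER BY event_id")
BETWEEN_DAYS = ("SELECT event_id FROM log_in_attempts "
                "WHERE login_time BETWEEN ? AND ? ORDER BY event_id")
# Half-open range: from the start of the first day up to, but not including,
# the start of the day after the last day.
WHOLE_DAYS = ("SELECT event_id FROM log_in_attempts "
              "WHERE login_time >= ? AND login_time < date(?, '+1 day') "
              "ORDER BY event_id")


def make_db():
    """Build an in-memory table holding the constructed log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log_in_attempts "
                 "(event_id INTEGER, username TEXT, login_time TEXT, success INTEGER)")
    conn.executemany("INSERT INTO log_in_attempts VALUES (?, ?, ?, ?)", LOGINS)
    return conn


def event_ids(conn, sql, *params):
    """Run one of the queries above and return the matching event ids."""
    return [row[0] for row in conn.execute(sql, params)]


def missed_by_between(conn, first_day, last_day):
    """Events inside the whole-day window that the BETWEEN filter leaves out."""
    found = set(event_ids(conn, BETWEEN_DAYS, first_day, last_day))
    wanted = event_ids(conn, WHOLE_DAYS, first_day, last_day)
    return [event_id for event_id in wanted if event_id not in found]


if __name__ == "__main__":
    conn = make_db()
    moment = "2022-05-08 19:28:50"            # timestamp of event 3
    print(event_ids(conn, AFTER_EXCLUSIVE, moment))   # event 3 left out
    print(event_ids(conn, AFTER_INCLUSIVE, moment))   # event 3 kept
    # '2022-05-09' as an upper bound means the very start of May 9, so the
    # two attempts made later that day fall outside the BETWEEN range.
    print(event_ids(conn, BETWEEN_DAYS, "2022-05-08", "2022-05-09"))
    print(event_ids(conn, WHOLE_DAYS, "2022-05-08", "2022-05-09"))
    print(missed_by_between(conn, "2022-05-08", "2022-05-09"))
```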

More on filters with AND, OR, and NOT


Previously, you explored how to add filters containing the AND, OR, and NOT operators to your SQL queries.
In this reading, you'll continue to explore how these operators can help you refine your queries.

Logical operators
AND

First, AND is used to filter on two conditions. AND specifies that both conditions must be met
simultaneously.

As an example, a cybersecurity concern might affect only those customer accounts that meet both the
condition of being handled by a support representative with an ID of 5 and the condition of being located in
the USA. To find the names and emails of those specific customers, you should place the two conditions on
either side of the AND operator in the WHERE clause:

SELECT firstname, lastname, email, country, supportrepid

FROM customers

WHERE supportrepid = 5 AND country = 'USA';

+-----------+----------+-------------------------+---------+--------------+

| FirstName | LastName | Email | Country | SupportRepId |

+-----------+----------+-------------------------+---------+--------------+

| Jack | Smith | [email protected] | USA | 5|

| Kathy | Chase | [email protected] | USA | 5|

| Victor | Stevens | [email protected] | USA | 5|

| Julia | Barnett | [email protected] | USA | 5|

+-----------+----------+-------------------------+---------+--------------+

Running this query returns four rows of information about the customers. You can use this information to
contact them about the security concern.

OR

The OR operator also connects two conditions, but OR specifies that either condition can be met. It returns
results where the first condition, the second condition, or both are met.

For example, if you are responsible for finding all customers who are either in the USA or Canada so that you
can communicate information about a security update, you can use an OR operator to find all the needed
records. As the following query demonstrates, you should place the two conditions on either side of the OR
operator in the WHERE clause:

SELECT firstname, lastname, email, country

FROM customers

WHERE country = 'Canada' OR country = 'USA';

+-----------+------------+--------------------------+---------+

| FirstName | LastName | Email | Country |

+-----------+------------+--------------------------+---------+

| François | Tremblay | [email protected] | Canada |

| Mark | Philips | [email protected] | Canada |

| Jennifer | Peterson | [email protected] | Canada |

| Frank | Harris | [email protected] | USA |

| Jack | Smith | [email protected] | USA |

| Michelle | Brooks | [email protected] | USA |

| Tim | Goyer | [email protected] | USA |

| Dan | Miller | [email protected] | USA |


| Kathy | Chase | [email protected] | USA |

| Heather | Leacock | [email protected] | USA |

| John | Gordon | [email protected] | USA |

| Frank | Ralston | [email protected] | USA |

| Victor | Stevens | [email protected] | USA |

| Richard | Cunningham | [email protected] | USA |

| Patrick | Gray | [email protected] | USA |

| Julia | Barnett | [email protected] | USA |

| Robert | Brown | [email protected] | Canada |

| Edward | Francis | [email protected] | Canada |

| Martha | Silk | [email protected] | Canada |

| Aaron | Mitchell | [email protected] | Canada |

| Ellie | Sullivan | [email protected] | Canada |

+-----------+------------+--------------------------+---------+

The query returns all customers in either the US or Canada.


Note: Even if both conditions are based on the same column, you need to write out both full conditions. For
instance, the query in the previous example contains the filter WHERE country = 'Canada' OR country = 'USA'.

NOT

Unlike the previous two operators, the NOT operator only works on a single condition, and not on multiple
ones. The NOT operator negates a condition. This means that SQL returns all records that don’t match the
condition specified in the query.

For example, if a cybersecurity issue doesn't affect customers in the USA but might affect those in other
countries, you can return all customers who are not in the USA. This would be more efficient than creating
individual conditions for all of the other countries. To use the NOT operator for this task, write the following
query and place NOT directly after WHERE:

SELECT firstname, lastname, email, country

FROM customers

WHERE NOT country = 'USA';

+-----------+-------------+-------------------------------+----------------+

| FirstName | LastName | Email | Country |

+-----------+-------------+-------------------------------+----------------+

| Luís | Gonçalves | [email protected] | Brazil |

| Leonie | Köhler | [email protected] | Germany |

| François | Tremblay | [email protected] | Canada |

| Bjørn | Hansen | [email protected] | Norway |

| František | Wichterlová | [email protected] | Czech Republic |


| Helena | Holý | [email protected] | Czech Republic |

| Astrid | Gruber | [email protected] | Austria |

| Daan | Peeters | [email protected] | Belgium |

| Kara | Nielsen | [email protected] | Denmark |

| Eduardo | Martins | [email protected] | Brazil |

| Alexandre | Rocha | [email protected] | Brazil |

| Roberto | Almeida | [email protected] | Brazil |

| Fernanda | Ramos | [email protected] | Brazil |

| Mark | Philips | [email protected] | Canada |

| Jennifer | Peterson | [email protected] | Canada |

| Robert | Brown | [email protected] | Canada |

| Edward | Francis | [email protected] | Canada |

| Martha | Silk | [email protected] | Canada |

| Aaron | Mitchell | [email protected] | Canada |

| Ellie | Sullivan | [email protected] | Canada |


| João | Fernandes | [email protected] | Portugal |

| Madalena | Sampaio | [email protected] | Portugal |

| Hannah | Schneider | [email protected] | Germany |

| Fynn | Zimmermann | [email protected] | Germany |

| Niklas | Schröder | [email protected] | Germany |

+-----------+-------------+-------------------------------+----------------+

(Output limit exceeded, 25 of 46 total rows shown)

SQL returns every entry where the customers are not from the USA.

Pro tip: Another way of finding values that are not equal to a certain value is by using the <> operator or
the != operator. For example, WHERE country <> 'USA' and WHERE country != 'USA' are the same filters as
WHERE NOT country = 'USA'.

Combining logical operators


Logical operators can be combined in filters. For example, if you know that both the USA and Canada are not
affected by a cybersecurity issue, you can combine operators to return customers in all countries besides
these two. In the following query, NOT is placed before the first condition, it's joined to a second condition
with AND, and then NOT is also placed before that second condition. You can run it to explore what it returns:

SELECT firstname, lastname, email, country

FROM customers

WHERE NOT country = 'Canada' AND NOT country = 'USA';

+-----------+-------------+-------------------------------+----------------+
| FirstName | LastName | Email | Country |

+-----------+-------------+-------------------------------+----------------+

| Luís | Gonçalves | [email protected] | Brazil |

| Leonie | Köhler | [email protected] | Germany |

| Bjørn | Hansen | [email protected] | Norway |

| František | Wichterlová | [email protected] | Czech Republic |

| Helena | Holý | [email protected] | Czech Republic |

| Astrid | Gruber | [email protected] | Austria |

| Daan | Peeters | [email protected] | Belgium |

| Kara | Nielsen | [email protected] | Denmark |

| Eduardo | Martins | [email protected] | Brazil |

| Alexandre | Rocha | [email protected] | Brazil |

| Roberto | Almeida | [email protected] | Brazil |

| Fernanda | Ramos | [email protected] | Brazil |

| João | Fernandes | [email protected] | Portugal |


| Madalena | Sampaio | [email protected] | Portugal |

| Hannah | Schneider | [email protected] | Germany |

| Fynn | Zimmermann | [email protected] | Germany |

| Niklas | Schröder | [email protected] | Germany |

| Camille | Bernard | [email protected] | France |

| Dominique | Lefebvre | [email protected] | France |

| Marc | Dubois | [email protected] | France |

| Wyatt | Girard | [email protected] | France |

| Isabelle | Mercier | [email protected] | France |

| Terhi | Hämäläinen | [email protected] | Finland |

| Ladislav | Kovács | [email protected] | Hungary |

| Hugh | O'Reilly | [email protected] | Ireland |

+-----------+-------------+-------------------------------+----------------+

(Output limit exceeded, 25 of 38 total rows shown)
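Two details decide which rows a combined filter returns: a row whose column is empty (NULL) matches neither a condition nor its NOT, and AND is evaluated before OR unless parentheses say otherwise. The following added example is not part of the original reading: it uses Python's built-in sqlite3 module and a constructed customers table (the rows and the filter names are assumptions) with the same column names as the queries above.

```python
import sqlite3

# Constructed rows: (customerid, country, supportrepid).
# Customer 5 has no country on record (NULL).
CUSTOMERS = [
    (1, "USA", 5),
    (2, "USA", 3),
    (3, "Canada", 5),
    (4, "Brazil", 5),
    (5, None, 5),
    (6, "Germany", 4),
    (7, "Canada", 3),
]

# Fixed WHERE clauses written by the analyst; none of this text is user input.
FILTERS = {
    "usa": "country = 'USA'",
    "not_usa": "NOT country = 'USA'",
    "not_usa_or_unknown": "NOT country = 'USA' OR country IS NULL",
    # Three equivalent ways to exclude both countries.
    "neither_as_written": "NOT country = 'Canada' AND NOT country = 'USA'",
    "neither_grouped": "NOT (country = 'Canada' OR country = 'USA')",
    "neither_not_in": "country NOT IN ('Canada', 'USA')",
    # AND binds tighter than OR, so these two filters are different.
    "mixed_no_parentheses":
        "country = 'Canada' OR country = 'USA' AND supportrepid = 5",
    "mixed_parentheses":
        "(country = 'Canada' OR country = 'USA') AND supportrepid = 5",
}
QUERY = "SELECT customerid FROM customers WHERE {} ORDER BY customerid"


def make_db():
    """Build an in-memory table holding the constructed customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers "
                 "(customerid INTEGER, country TEXT, supportrepid INTEGER)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def matching_ids(conn, name):
    """Return the customer ids selected by one of the named filters."""
    return [row[0] for row in conn.execute(QUERY.format(FILTERS[name]))]


def unaccounted_for(conn):
    """Customers returned by neither 'usa' nor 'not_usa'."""
    seen = set(matching_ids(conn, "usa")) | set(matching_ids(conn, "not_usa"))
    return [row[0] for row in CUSTOMERS if row[0] not in seen]


if __name__ == "__main__":
    conn = make_db()
    for name in FILTERS:
        print(f"{name:22} {matching_ids(conn, name)}")
    # The customer with no country appears in neither the USA list nor the
    # NOT USA list, so a notification built from those two lists skips them.
    print("unaccounted for:", unaccounted_for(conn))
```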


Compare types of joins
Inner joins
The first type of join that you might perform is an inner join. INNER JOIN returns rows matching
on a specified column that exists in more than one table.

It only returns the rows where there is a match, but like other types of joins, it returns all
specified columns from all joined tables. For example, if the query joins two tables with SELECT *,
all columns in both of the tables are returned.

Note: If a column exists in both of the tables, it is returned twice when SELECT * is used.

The syntax of an inner join

To write a query using INNER JOIN, you can use the following syntax:

SELECT *

FROM employees

INNER JOIN machines ON employees.device_id = machines.device_id;

You must specify the two tables to join by including the first or left table after FROM and the
second or right table after INNER JOIN.

After the name of the right table, use the ON keyword and the = operator to indicate the column
you are joining the tables on. It's important that you specify both the table and column names
in this portion of the join by placing a period (.) between the table and the column.

In addition to selecting all columns, you can select only certain columns. For example, if you
only want the join to return the username, operating_system and device_id columns, you can write
this query:

SELECT username, operating_system, employees.device_id

FROM employees

INNER JOIN machines ON employees.device_id = machines.device_id;

Note: In the example query, username and operating_system only appear in one of the two tables,
so they are written with just the column name. On the other hand, because device_id appears in
both tables, it's necessary to indicate which one to return by specifying both the table and
column name (employees.device_id).

Outer joins
Outer joins expand what is returned from a join. Each type of outer join returns all rows from
either one table or both tables.

Left joins

When joining two tables, LEFT JOIN returns all the records of the first table, but only returns rows
of the second table that match on a specified column.

The syntax for using LEFT JOIN is demonstrated in the following query:

SELECT *
FROM employees
LEFT JOIN machines ON employees.device_id = machines.device_id;

As with all joins, you should specify the first or left table as the table that comes after FROM and
the second or right table as the table that comes after LEFT JOIN. In the example query, because
employees is the left table, all of its records are returned. Only records that match on the
device_id column are returned from the right table, machines.
Right joins

When joining two tables, RIGHT JOIN returns all of the records of the second table, but only
returns rows from the first table that match on a specified column.

The following query demonstrates the syntax for RIGHT JOIN:

SELECT *
FROM employees
RIGHT JOIN machines ON employees.device_id = machines.device_id;

RIGHT JOIN has the same syntax as LEFT JOIN; the only difference is that the keyword RIGHT
JOIN instructs SQL to produce different output. The query returns all records from machines,
which is the second or right table. Only matching records are returned from employees, which is
the first or left table.

Note: You can use LEFT JOIN and RIGHT JOIN and return the exact same results if you use the
tables in reverse order. The following RIGHT JOIN query returns the exact same result as the LEFT
JOIN query demonstrated in the previous section:

SELECT *
FROM machines
RIGHT JOIN employees ON employees.device_id = machines.device_id;

All that you have to do is switch the order of the tables that appear before and after the
keyword used for the join, and you will have swapped the left and right tables.
Full outer joins

FULL OUTER JOIN returns all records from both tables. You can think of it as a way of completely
merging two tables.

You can review the syntax for using FULL OUTER JOIN in the following query:

SELECT *
FROM employees
FULL OUTER JOIN machines ON employees.device_id = machines.device_id;

The results of a FULL OUTER JOIN query include all records from both tables. Similar to INNER JOIN,
the order of tables does not change the results of the query.
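
The four joins side by side, as an added example that is not part of the original course material. The rows are constructed so that two employees have no matching machine and one machine has no matching employee; the column types and all values are assumptions. RIGHT JOIN and FULL OUTER JOIN need a database that supports them (for example PostgreSQL, or SQLite 3.39 and later).

```sql
-- Constructed sample data (not the course database).
CREATE TABLE employees (
    employee_id INTEGER PRIMARY KEY,
    device_id   VARCHAR(32),
    username    VARCHAR(32)
);
CREATE TABLE machines (
    device_id        VARCHAR(32) PRIMARY KEY,
    operating_system VARCHAR(32)
);

INSERT INTO employees (employee_id, device_id, username) VALUES
    (1, 'dev-001', 'alice'),
    (2, 'dev-002', 'bob'),
    (3, NULL,      'carol'),   -- no device recorded
    (4, 'dev-009', 'dave');    -- device_id missing from machines
INSERT INTO machines (device_id, operating_system) VALUES
    ('dev-001', 'OS 1'),
    ('dev-002', 'OS 2'),
    ('dev-003', 'OS 3');       -- no employee record refers to this machine

-- INNER JOIN: only rows whose device_id matches in both tables.
SELECT username, operating_system, employees.device_id
FROM employees
INNER JOIN machines ON employees.device_id = machines.device_id;

-- LEFT JOIN: every employee; machines columns are NULL where nothing matched.
SELECT username, employees.device_id, operating_system
FROM employees
LEFT JOIN machines ON employees.device_id = machines.device_id;

-- RIGHT JOIN: every machine; employees columns are NULL where nothing matched.
SELECT username, machines.device_id, operating_system
FROM employees
RIGHT JOIN machines ON employees.device_id = machines.device_id;

-- FULL OUTER JOIN: every row from both tables, matched where possible.
SELECT username, employees.device_id, machines.device_id, operating_system
FROM employees
FULL OUTER JOIN machines ON employees.device_id = machines.device_id;

-- Inventory check 1: employees whose device is absent from machines.
-- A NULL device_id never satisfies the ON condition, so it is listed too.
SELECT username, employees.device_id
FROM employees
LEFT JOIN machines ON employees.device_id = machines.device_id
WHERE machines.device_id IS NULL;

-- Inventory check 2: machines that no employee record refers to.
SELECT machines.device_id, operating_system
FROM employees
RIGHT JOIN machines ON employees.device_id = machines.device_id
WHERE employees.employee_id IS NULL;
```

The two inventory checks are the reason outer joins matter to an analyst: the unmatched rows that INNER JOIN silently drops are the unknown devices and unassigned machines worth reviewing.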

Continuous learning in SQL


You've explored a lot about SQL, including applying filters to SQL queries and joining multiple tables together
in a query. There's still more that you can do with SQL. This reading will explore an example of something
new you can add to your SQL toolbox: aggregate functions. You'll then focus on how you can continue
learning about this and other SQL topics on your own.

Aggregate functions
In SQL, aggregate functions are functions that perform a calculation over multiple data points and return the
result of the calculation. The actual data is not returned.
There are various aggregate functions that perform different calculations:

COUNT returns a single number that represents the number of rows returned from your query.

AVG returns a single number that represents the average of the numerical data in a column.

SUM returns a single number that represents the sum of the numerical data in a column.

Aggregate function syntax

To use an aggregate function, place the keyword for it after the SELECT keyword, and then in parentheses,
indicate the column you want to perform the calculation on.

For example, when working with the customers table, you can use aggregate functions to summarize
important information about the table. If you want to find out how many customers there are in total, you
can use the COUNT function on any column, and SQL will return the total number of records, excluding NULL
values. You can run this query and explore its output:

SELECT COUNT(firstname)
FROM customers;

+------------------+
| COUNT(firstname) |
+------------------+
|               59 |
+------------------+

The result is a table with one column titled COUNT(firstname) and one row that indicates the count.

If you want to find the number of customers from a specific country, you can add a filter to your query:

SELECT COUNT(firstname)
FROM customers
WHERE country = 'USA';

+------------------+
| COUNT(firstname) |
+------------------+
|               13 |
+------------------+

With this filter, the count is lower because it only includes the records where the country column contains a
value of 'USA'.

There are a lot of other aggregate functions in SQL. The syntax of placing them after SELECT is exactly the
same as for the COUNT function.

Continuing to learn SQL


SQL is a widely used querying language, with many more keywords and applications. You can continue to
learn more about aggregate functions and other aspects of using SQL on your own.

Most importantly, approach new tasks with curiosity and a willingness to find new ways to apply SQL to your
work as a security analyst. Identify the data results that you need and try to use SQL to obtain these results.

Fortunately, SQL is one of the most important tools for working with databases and analyzing data, so you'll
find a lot of support in trying to learn SQL online. First, try searching for the concepts you've already learned
and practiced to find resources that have accurate, easy-to-follow explanations. When you identify these
resources, you can use them to extend your knowledge.

Continuing your practical experience with SQL is also important. You can also search for new databases that
allow you to perform SQL queries using what you've learned.

Terms and definitions from Course 4, Week 4


Database: An organized collection of information or data

Date and time data: Data representing a date and/or time

Exclusive operator: An operator that does not include the value of comparison

Filtering: Selecting data that match a certain condition

Foreign key: A column in a table that is a primary key in another table

Inclusive operator: An operator that includes the value of comparison

Log: A record of events that occur within an organization's systems

Numeric data: Data consisting of numbers

Operator: A symbol or keyword that represents an operation

Primary key: A column where every row has a unique entry

Query: A request for data from a database table or a combination of tables

Relational database: A structured database containing tables that are related to each other

String data: Data consisting of an ordered sequence of characters

SQL (Structured Query Language): A programming language used to create, interact with, and request
information from a database

Syntax: The rules that determine what is correctly structured in a computing language

Wildcard: A special character that can be substituted with any other character

Course 5

Understand risks, threats, and vulnerabilities


When security events occur, you’ll need to work in close coordination with others to address the problem.
Doing so quickly requires clear communication between you and your team to get the job done.

Previously, you learned about three foundational security terms:

Risk: Anything that can impact the confidentiality, integrity, or availability of an asset

Threat: Any circumstance or event that can negatively impact assets


Vulnerability: A weakness that can be exploited by a threat

These words tend to be used interchangeably in everyday life. But in security, they are used to describe very
specific concepts when responding to and planning for security events. In this reading, you’ll identify what
each term represents and how they are related.

Security risk
Security plans are all about how an organization defines risk. However, this definition can vary widely by
organization. As you may recall, a risk is anything that can impact the confidentiality, integrity, or availability
of an asset. Since organizations have particular assets that they value, they tend to differ in how they
interpret and approach risk.

One way to interpret risk is to consider the potential effects that negative events can have on a business.
Another way to present this idea is with this calculation:

Likelihood x Impact = Risk

For example, you risk being late when you drive a car to work. This negative event is more likely to happen if
you get a flat tire along the way. And the impact could be serious, like losing your job. All these factors
influence how you approach commuting to work every day. The same is true for how businesses handle
security risks.

In general, we calculate risk in this field to help:

Prevent costly and disruptive events


Identify improvements that can be made to systems and processes


Determine which risks can be tolerated


Prioritize the critical assets that require attention


The business impact of a negative event will always depend on the asset and the situation. As a security
professional, your primary focus will be the likelihood side of the equation: dealing with certain
factors that increase the odds of a problem.

Risk factors
As you’ll discover throughout this course, there are two broad risk factors that you’ll be concerned with in
the field:

Threats


Vulnerabilities

The risk of an asset being harmed or damaged depends greatly on whether a threat takes advantage of
vulnerabilities.

Let’s apply this to the risk of being late to work. A threat would be a nail puncturing your tire, since tires are
vulnerable to running over sharp objects. In terms of security planning, you would want to reduce the
likelihood of this risk by driving on a clean road.

Categories of threat

Common asset classifications


Asset classification helps organizations implement an effective risk management strategy. It
also helps them prioritize security resources, reduce IT costs, and stay in compliance with legal
regulations.

The most common classification scheme is: restricted, confidential, internal-only, and public.

Restricted is the highest level. This category is reserved for incredibly sensitive assets, like
need-to-know information.

Confidential refers to assets whose disclosure may lead to a significant negative impact on an
organization.

Internal-only describes assets that are available to employees and business partners.

Public is the lowest level of classification. These assets have no negative consequences to the
organization if they’re released.

For example, an intentional threat might be a malicious hacker who gains access to sensitive information by
targeting a misconfigured application. An unintentional threat might be an employee who holds the door
open for an unknown person and grants them access to a restricted area. Either one can cause an event that
must be responded to.

Categories of vulnerability

Vulnerabilities are weaknesses that can be exploited by threats. There’s a wide range of vulnerabilities, but
they can be grouped into two categories: technical and human.

For example, a technical vulnerability can be misconfigured software that might give an unauthorized person
access to important data. A human vulnerability can be a forgetful employee who loses their access card in a
parking lot. Either one can lead to risk.

Soaring into the cloud


Starting an online business used to be a complicated and costly process. In years past,
companies had to build and maintain their own internal solutions to operate in the digital
marketplace. Now, it’s much easier for anyone to participate because of the cloud.

The availability of cloud technologies has drastically changed how businesses operate online.
These new tools allow companies to scale and adapt quickly while also lowering their costs.
Despite these benefits, the shift to cloud-based services has also introduced a range of new
cybersecurity challenges that put assets at risk.

Cloud-based services
The term cloud-based services refers to a variety of on-demand or web-based business
solutions. Depending on a company’s needs and budget, services can range from website
hosting, to application development environments, to entire back-end infrastructure.

There are three main categories of cloud-based services:

Software as a service (SaaS)

SaaS refers to front-end applications that users access via a web browser. The service providers
host, manage, and maintain all of the back-end systems for those applications. Common
examples of SaaS services include applications like Gmail™ email service, Slack, and Zoom
software.

Platform as a service (PaaS)


PaaS refers to back-end application development tools that clients can access online.
Developers use these resources to write code and build, manage, and deploy their own apps.
Meanwhile, the cloud service providers host and maintain the back-end hardware and software
that the apps use to operate. Some examples of PaaS services include Google App Engine™
platform, Heroku®, and VMware Cloud Foundry.

Infrastructure as a service (IaaS)

IaaS customers are given remote access to a range of back-end systems that are hosted by the
cloud service provider. This includes data processing servers, storage, networking resources,
and more. Resources are commonly licensed as needed, making it a cost-effective alternative to
buying and maintaining on premises.

Cloud-based services allow companies to connect with their customers, employees, and
business partners over the internet. Some of the largest organizations in the world offer cloud-
based services:

Google Cloud Platform


Microsoft Azure

Cloud security
Shifting applications and infrastructure over to the cloud can make it easier to operate an
online business. It can also complicate keeping data private and safe. Cloud security is a
growing subfield of cybersecurity that specifically focuses on the protection of data,
applications, and infrastructure in the cloud.

In a traditional model, organizations had their entire IT infrastructure on premises. Protecting
those systems was entirely up to the internal security team in that environment. These
responsibilities are not so clearly defined when part or all of an operational environment is in
the cloud.

For example, a PaaS client pays to access the resources they need to build their applications. So,
it is reasonable to expect them to be responsible for securing the apps they build. On the other
hand, the responsibility for maintaining the security of the servers they are accessing should
belong to the cloud service provider because there are other clients using the same systems.

In cloud security, this concept is known as the shared responsibility model. Clients are
commonly responsible for securing anything that is directly within their control:

Identity and access management

Resource configuration

Data handling

Note: The amount of responsibility that is delegated to a service provider varies depending on
the service being used: SaaS, PaaS, and IaaS.

Cloud security challenges


All service providers do their best to deliver secure products to their customers. Much of their
success depends on preventing breaches and how well they can protect sensitive information.
However, since data is stored in the cloud and accessed over the internet, several challenges
arise:

Misconfiguration is one of the biggest concerns. Customers of cloud-based services are
responsible for configuring their own security environment. Oftentimes, they use out-of-the-
box configurations that fail to address their specific security objectives.

Cloud-native breaches are more likely to occur due to misconfigured services.

Monitoring access might be difficult depending on the client and level of service.

Meeting regulatory standards is also a concern, particularly in industries that are required by
law to follow specific requirements such as HIPAA, PCI DSS, and GDPR.

Security guidelines in action


Organizations often face an overwhelming amount of risk. Developing a security plan from the beginning that
addresses all risk can be challenging. This makes security frameworks a useful option.
Origins of the framework
NIST developed the Cybersecurity Framework (CSF), originally released in 2014, to protect critical infrastructure in
the United States. NIST was selected to develop the CSF because they are an unbiased source of scientific
data and practices. NIST eventually adapted the CSF to fit the needs of businesses in the public and private
sector. Their goal was to make the framework more flexible, making it easier to adopt for small businesses or
anyone else that might lack the resources to develop their own security plans.

Implementing the CSF


Since its creation, many businesses have used the NIST CSF. As you might recall, the framework consists of
three main components:

Core

Tiers

Profiles

These three components were designed to help any business improve their security operations. Although
there are only three components, the entire framework consists of a complex system of subcategories and
processes.

CSF can be a challenge to implement due to its high level of detail. It can also be tough to find where the
framework fits in. For example, some businesses have established security plans, making it unclear how CSF
can benefit them. Alternatively, some businesses might be in the early stages of building their plans and need
a place to start.

In any scenario, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides detailed guidance
that any organization can use to implement the CSF. This is a quick overview and summary of their
recommendations:

Create a current profile of the security operations and outline the specific needs of your business.

Perform a risk assessment to identify which of your current operations are meeting business and regulatory
standards.

Analyze and prioritize existing gaps in security operations that place the business's assets at risk.

Implement a plan of action to achieve your organization’s goals and objectives.

Pro tip: Always consider current risk, threat, and vulnerability trends when using the NIST CSF.

Industries embracing the CSF


The NIST CSF has continued to evolve since its introduction in 2014. Its design is influenced by the standards
and best practices of some of the largest companies in the world.

A benefit of the framework is that it aligns with the security practices of many organizations across the global
economy. It also helps with regulatory compliance that might be shared by business partners.

Principle of least privilege


Security controls are essential to keeping sensitive data private and safe. One of the most common controls is
the principle of least privilege, also referred to as PoLP or least privilege. The principle of least privilege is a
security concept in which a user is only granted the minimum level of access and authorization required to
complete a task or function.

Least privilege is a fundamental security control that supports the confidentiality, integrity, and availability
(CIA) triad of information. In this reading, you'll learn how the principle of least privilege reduces risk, how it's
commonly implemented, and why it should be routinely audited.

Limiting access reduces risk


Every business needs to plan for the risk of data theft, misuse, or abuse. Implementing the principle of least
privilege can greatly reduce the risk of costly incidents like data breaches by:

Limiting access to sensitive information

Reducing the chances of accidental data modification, tampering, or loss

Supporting system monitoring and administration

Least privilege greatly reduces the likelihood of a successful attack by connecting specific resources to
specific users and placing limits on what they can do. It's an important security control that should be applied
to any asset. Clearly defining who or what your users are is usually the first step of implementing least
privilege effectively.

Note: Least privilege is closely related to another fundamental security principle, the separation of duties—a
security concept that divides tasks and responsibilities among different users to prevent giving a single user
complete control over critical business functions. You'll learn more about separation of duties in a different
reading about identity and access management.

Determining access and authorization


To implement least privilege, access and authorization must be determined first. There are two questions to
ask to do so:

Who is the user?

How much access do they need to a specific resource?

Determining who the user is is usually straightforward. A user can refer to a person, like a customer, an
employee, or a vendor. It can also refer to a device or software that's connected to your business network. In
general, every user should have their own account. Accounts are typically stored and managed within an
organization's directory service.

These are the most common types of user accounts:

Guest accounts are provided to external users who need to access an internal network, like customers,
clients, contractors, or business partners.

User accounts are assigned to staff based on their job duties.

Service accounts are granted to applications or software that needs to interact with other software on the
network.

Privileged accounts have elevated permissions or administrative access.

It's best practice to determine a baseline access level for each account type before implementing least
privilege. However, the appropriate access level can change from one moment to the next. For example, a
customer support representative should only have access to your information while they are helping you.
Your data should then become inaccessible when the support agent starts working with another customer
and they are no longer actively assisting you. Least privilege can only reduce risk if user accounts are
routinely and consistently monitored.

Pro tip: Passwords play an important role when implementing the principle of least privilege. Even if user
accounts are assigned appropriately, an insecure password can compromise your systems.

Auditing account privileges


Setting up the right user accounts and assigning them the appropriate privileges is a helpful first step.
Periodically auditing those accounts is a key part of keeping your company’s systems secure.

There are three common approaches to auditing user accounts:

Usage audits
When conducting a usage audit, the security team will review which resources each account is accessing and
what the user is doing with the resource. Usage audits can help determine whether users are acting in
accordance with an organization’s security policies. They can also help identify whether a user has
permissions that can be revoked because they are no longer being used.

Privilege audits

Users tend to accumulate more access privileges than they need over time, an issue known as privilege creep.
This might occur if an employee receives a promotion or switches teams and their job duties change.
Privilege audits assess whether a user's role is in alignment with the resources they have access to.

Account change audits

Account directory services keep records and logs associated with each user. Changes to an account are
usually saved and can be used to audit the directory for suspicious activity, like multiple attempts to change
an account password. Performing account change audits helps to ensure that all account changes are made
by authorized users.

Note: Most directory services can be configured to alert system administrators of suspicious activity.
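
The three audits described above, written as SQL queries over a small constructed schema; this is an added example, not part of the original course material. Table names, column names, rows, the 2024-01-01 review cutoff and the threshold of three changes are all assumptions, and the last query uses GROUP BY and HAVING, which go beyond the aggregate syntax covered in the SQL readings.

```sql
-- Constructed schema and rows for illustration (not from the course).
CREATE TABLE accounts (
    account_id   INTEGER PRIMARY KEY,
    username     VARCHAR(32),
    account_type VARCHAR(16),   -- guest, user, service, or privileged
    job_role     VARCHAR(16)
);
CREATE TABLE role_baseline (    -- access each role is expected to need
    job_role      VARCHAR(16),
    resource_name VARCHAR(32)
);
CREATE TABLE permissions (      -- access each account actually holds
    account_id    INTEGER,
    resource_name VARCHAR(32)
);
CREATE TABLE access_log (
    account_id    INTEGER,
    resource_name VARCHAR(32),
    accessed_on   DATE
);
CREATE TABLE account_changes (
    account_id  INTEGER,
    change_type VARCHAR(32),
    changed_on  DATE
);

INSERT INTO accounts VALUES
    (1, 'alice',      'user',    'support'),
    (2, 'bob',        'user',    'finance'),   -- moved from support to finance
    (3, 'svc-backup', 'service', 'backup');
INSERT INTO role_baseline VALUES
    ('support', 'ticket_system'),
    ('finance', 'payroll_db'),
    ('backup',  'file_server');
INSERT INTO permissions VALUES
    (1, 'ticket_system'),
    (1, 'hr_portal'),         -- in active use, but outside the support baseline
    (2, 'payroll_db'),
    (2, 'ticket_system'),     -- left over from bob's previous team
    (3, 'file_server'),
    (3, 'payroll_db');        -- granted but never used
INSERT INTO access_log VALUES
    (1, 'ticket_system', '2024-05-02'),
    (1, 'hr_portal',     '2024-05-01'),
    (2, 'payroll_db',    '2024-05-03'),
    (2, 'ticket_system', '2023-11-20'),
    (3, 'file_server',   '2024-05-04');
INSERT INTO account_changes VALUES
    (1, 'password_change', '2024-04-01'),
    (2, 'password_change', '2024-05-04'),
    (2, 'password_change', '2024-05-04'),
    (2, 'password_change', '2024-05-04');

-- Usage audit: permissions with no recorded access since the review cutoff.
-- The LEFT JOIN keeps every permission; the IS NULL filter keeps only those
-- for which no recent access_log row matched.
SELECT accounts.username, permissions.resource_name
FROM permissions
INNER JOIN accounts ON accounts.account_id = permissions.account_id
LEFT JOIN access_log
       ON access_log.account_id = permissions.account_id
      AND access_log.resource_name = permissions.resource_name
      AND access_log.accessed_on >= '2024-01-01'
WHERE access_log.account_id IS NULL;

-- Privilege audit: permissions that the account's current role does not call
-- for, which is how privilege creep shows up after a team change.
SELECT accounts.username, accounts.job_role, permissions.resource_name
FROM permissions
INNER JOIN accounts ON accounts.account_id = permissions.account_id
LEFT JOIN role_baseline
       ON role_baseline.job_role = accounts.job_role
      AND role_baseline.resource_name = permissions.resource_name
WHERE role_baseline.job_role IS NULL;

-- Account change audit: accounts with three or more password changes
-- recorded on the same day.
SELECT account_id, changed_on, COUNT(change_type)
FROM account_changes
WHERE change_type = 'password_change'
GROUP BY account_id, changed_on
HAVING COUNT(change_type) >= 3;
```

The usage and privilege audits answer different questions: a permission can be in regular use and still fall outside the role's baseline, so running only one of them leaves gaps.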

The data lifecycle


Organizations of all sizes handle a large amount of data that must be kept private. You learned that data can
be vulnerable whether it is at rest, in use, or in transit. Regardless of the state it is in, information should be
kept private by limiting access and authorization.

In security, data vulnerabilities are often mapped in a model known as the data lifecycle. Each stage of the
data lifecycle plays an important role in the security controls that are put in place to maintain the CIA triad of
information. In this reading, you will learn about the data lifecycle, the plans that determine how data is
protected, and the specific types of data that require extra attention.

The data lifecycle


The data lifecycle is an important model that security teams consider when protecting information. It
influences how they set policies that align with business objectives. It also plays an important role in the
technologies security teams use to make information accessible.

In general, the data lifecycle has five stages. Each describes how data flows through an organization from the
moment it is created until it is no longer useful:

Collect

Store

Use

Archive

Destroy

Protecting information at each stage of this process describes the need to keep it accessible and recoverable
should something go wrong.

Data governance
Businesses handle massive amounts of data every day. New information is constantly being collected from
internal and external sources. A structured approach to managing all of this data is the best way to keep it
private and secure.

Data governance is a set of processes that define how an organization manages information. Governance
often includes policies that specify how to keep data private, accurate, available, and secure throughout its
lifecycle.

Effective data governance is a collaborative activity that relies on people. Data governance policies commonly
categorize individuals into a specific role:

Data owner: the person that decides who can access, edit, use, or destroy their information.

Data custodian: anyone or anything that's responsible for the safe handling, transport, and storage of
information.

Data steward: the person or group that maintains and implements data governance policies set by an
organization.

Businesses store, move, and transform data using a wide range of IT systems. Data governance policies often
assign accountability to data owners, custodians, and stewards.

Note: As a data custodian, you will primarily be responsible for maintaining security and privacy rules for
your organization.

Protecting data at every stage


Most security plans include a specific policy that outlines how information will be managed across an
organization. This is known as a data governance policy. These documents clearly define procedures that
should be followed to participate in keeping data safe. They place limits on who or what can access data.
Security professionals are important participants in data governance. As a data custodian, you will be
responsible for ensuring that data isn’t damaged, stolen, or misused.

Legally protected information


Data is more than just a bunch of 1s and 0s being processed by a computer. Data can represent someone's
personal thoughts, actions, and choices. It can represent a purchase, a sensitive medical decision, and
everything in between. For this reason, data owners should be the ones deciding whether or not to share
their data. As a security professional, you must always respect and protect a person's data privacy decisions.

Securing data can be challenging. In large part, that's because data owners generate more data than they can
manage. As a result, data custodians and stewards sometimes lack direct, explicit instructions on how they
should handle specific types of data. Governments and other regulatory agencies have bridged this gap by
creating rules that specify the types of information that organizations must protect by default:

PII is any information used to infer an individual's identity. Personally identifiable information, or PII, refers to
information that can be used to contact or locate someone.

PHI stands for protected health information. In the U.S., it is regulated by the Health Insurance Portability
and Accountability Act (HIPAA), which defines PHI as “information that relates to the past, present, or future
physical or mental health or condition of an individual.” In the EU, PHI has a similar definition but it is
regulated by the General Data Protection Regulation (GDPR).

SPII is a specific type of PII that falls under stricter handling guidelines. The S stands for sensitive, meaning
this is a type of personally identifiable information that should only be accessed on a need-to-know basis,
such as a bank account number or login credentials.

Information privacy: Regulations and compliance
Security and privacy have a close relationship. As you may recall, people have the right to control how their
personal data is collected and used. Organizations also have a responsibility to protect the information they
are collecting from being compromised or misused. As a security professional, you will be highly involved in
these efforts.
Information security vs. information privacy
Security and privacy are two terms that often get used interchangeably outside of this field. Although the two
concepts are connected, they represent specific functions:

Information privacy refers to the protection from unauthorized access and distribution of data.

Information security (InfoSec) refers to the practice of keeping data in all states away from unauthorized
users.

The key difference: Privacy is about providing people with control over their personal information and how
it's shared. Security is about protecting people’s choices and keeping their information safe from potential
threats.

For example, a retail company might want to collect specific kinds of personal information about its
customers for marketing purposes, like their age, gender, and location. How this private information will be
used should be disclosed to customers before it's collected. In addition, customers should be given an option
to opt out if they decide not to share their data.

Once the company obtains consent to collect personal information, it might put specific security
controls in place to protect that private data from unauthorized access, use, or disclosure. The company
should also have security controls in place to respect the privacy of all stakeholders and anyone who chose to
opt out.

Note: Privacy and security are both essential for maintaining customer trust and brand reputation.

Why privacy matters in security


Data privacy and protection are topics that started gaining a lot of attention in the late 1990s. At that time,
tech companies suddenly went from processing people’s data to storing and using it for business purposes.
For example, if a user searched for a product online, companies began storing and sharing access to
information about that user’s search history with other companies. Businesses were then able to deliver
personalized shopping experiences to the user for free.
Eventually this practice led to a global conversation about whether these organizations had the right to
collect and share someone’s private data. Additionally, the issue of data security became a greater concern;
the more organizations collected data, the more vulnerable it was to being abused, misused, or stolen.

Many organizations became more concerned about the issues of data privacy. Businesses became more
transparent about how they were collecting, storing, and using information. They also began implementing
more security measures to protect people's data privacy. However, without clear rules in place, protections
were inconsistently applied.

Note: The more data is collected, stored, and used, the more vulnerable it is to breaches and threats.

Notable privacy regulations


Businesses are required to abide by certain laws to operate. As you might recall, regulations are rules set by a
government or another authority to control the way something is done. Privacy regulations in particular exist
to protect a user from having their information collected, used, or shared without their consent. Regulations
may also describe the security measures that need to be in place to keep private information away from
threats.

Three of the most influential industry regulations that every security professional should know about are:

General Data Protection Regulation (GDPR)

Payment Card Industry Data Security Standard (PCI DSS)

Health Insurance Portability and Accountability Act (HIPAA)

GDPR

GDPR is a set of rules and regulations developed by the European Union (EU) that puts data owners in total
control of their personal information. Under GDPR, types of personal information include a person's name,
address, phone number, financial information, and medical information.

The GDPR applies to any business that handles the data of EU citizens or residents, regardless of where that
business operates. For example, a US-based company that handles the data of EU visitors to their website is
subject to the GDPR's provisions.

PCI DSS

PCI DSS is a set of security standards formed by major organizations in the financial industry. This regulation
aims to secure credit and debit card transactions against data theft and fraud.

HIPAA

HIPAA is a U.S. law that requires the protection of sensitive patient health information. HIPAA prohibits the
disclosure of a person's medical information without their knowledge and consent.

Note: These regulations influence data handling at many organizations around the world even though they
were developed by specific nations.

Several other security and privacy compliance laws exist. Which ones your organization needs to follow will
depend on the industry and the area of authority. Regardless of the circumstances, regulatory compliance is
important to every business.

Security assessments and audits


Businesses should comply with important regulations in their industry. Doing so validates that they have met
a minimum level of security while also demonstrating their dedication to maintaining data privacy.

Meeting compliance standards is usually a continual, two-part process of security audits and assessments:

A security audit is a review of an organization's security controls, policies, and procedures against a set of
expectations.

A security assessment is a check to determine how resilient current security implementations are against
threats.

For example, if a regulation states that multi-factor authentication (MFA) must be enabled for all
administrator accounts, an audit might be conducted to check those user accounts for compliance. After the
audit, the internal team might perform a security assessment that determines many users are using weak
passwords. Based on their assessment, the team could decide to enable MFA on all user accounts to improve
their overall security posture.

Note: Compliance with legal regulations, such as GDPR, can be determined during audits.

As a security analyst, you are likely to be involved with security audits and assessments in the field.
Businesses usually perform security audits less frequently, approximately once per year. Security audits may
be performed both internally and externally by different third-party groups.

In contrast, security assessments are usually performed more frequently, about every three to six
months. Security assessments are typically performed by internal employees, often as preparation for a
security audit. Both evaluations are incredibly important ways to ensure that your systems are effectively
protecting everyone's privacy.

Symmetric and asymmetric encryption


Previously, you learned these terms:

Encryption: the process of converting data from a readable format to an encoded format

Public key infrastructure (PKI): an encryption framework that secures the exchange of online information

Cipher: an algorithm that encrypts information


All digital information deserves to be kept private, safe, and secure. Encryption is one key to doing that! It is
useful for transforming information into a form that unintended recipients cannot understand. In this reading,
you’ll compare symmetric and asymmetric encryption and learn about some well-known algorithms for each.

Types of encryption
There are two main types of encryption:

Symmetric encryption is the use of a single secret key to exchange information. Because it uses one key for
encryption and decryption, the sender and receiver must know the secret key to lock or unlock the cipher.

Asymmetric encryption is the use of a public and private key pair for encryption and decryption of data. It
uses two separate keys: a public key and a private key. The public key is used to encrypt data, and the private
key decrypts it. The private key is only given to users with authorized access.

The importance of key length


Ciphers are vulnerable to brute force attacks, which use a trial and error process to discover private
information. This tactic is the digital equivalent of trying every number in a combination lock until you find
the right one. In modern encryption, longer key lengths are considered to be more secure. Longer key lengths
mean more possibilities that an attacker needs to try to unlock a cipher.

One drawback to having long encryption keys is slower processing times. Although short key lengths are
generally less secure, they’re much faster to compute. Providing fast data communication online while
keeping information safe is a delicate balancing act.

Approved algorithms
Many web applications use a combination of symmetric and asymmetric encryption. This is how they balance
user experience with safeguarding information. As an analyst, you should be aware of the most widely-used
algorithms.

Symmetric algorithms

Triple DES (3DES) is known as a block cipher because of the way it converts plaintext into ciphertext in
“blocks.” Its origins trace back to the Data Encryption Standard (DES), which was developed in the early
1970s. DES was one of the earliest symmetric encryption algorithms that generated 64-bit keys. A bit is the
smallest unit of data measurement on a computer. As you might imagine, Triple DES generates keys that are
192 bits, or three times as long. Despite the longer keys, many organizations are moving away from using
Triple DES due to limitations on the amount of data that can be encrypted. However, Triple DES is likely to
remain in use for backwards compatibility purposes.

Advanced Encryption Standard (AES) is one of the most secure symmetric algorithms today. AES generates
keys that are 128, 192, or 256 bits. Cryptographic keys of this size are considered to be safe from brute force
attacks. It’s estimated that brute forcing an AES 128-bit key could take a modern computer billions of years!

Asymmetric algorithms

Rivest Shamir Adleman (RSA) is named after its three creators who developed it while at the Massachusetts
Institute of Technology (MIT). RSA is one of the first asymmetric encryption algorithms that produces a public
and private key pair. Asymmetric algorithms like RSA produce even longer key lengths. In part, this is due to
the fact that these functions are creating two keys. RSA key sizes are 1,024, 2,048, or 4,096 bits. RSA is mainly
used to protect highly sensitive data.

Digital Signature Algorithm (DSA) is a standard asymmetric algorithm that was introduced by NIST in the early
1990s. DSA also generates key lengths of 2,048 bits. This algorithm is widely used today as a complement to
RSA in public key infrastructure.

Generating keys

These algorithms must be implemented when an organization chooses one to protect their data. One way
this is done is using OpenSSL, which is an open-source command line tool that can be used to generate public
and private keys. OpenSSL is commonly used by computers to verify digital certificates that are exchanged as
part of public key infrastructure.

Note: OpenSSL is just one option. There are various others available that can generate keys with any of these
common algorithms.

Although many businesses use OpenSSL, it is no longer recommended since the discovery of the Heartbleed
bug in 2014.

Obscurity is not security


In the world of cryptography, a cipher must be proven to be unbreakable before claiming that it is secure.
According to Kerckhoffs’s principle, cryptography should be designed in such a way that all the details of an
algorithm—except for the private key—should be knowable without sacrificing its security. For example, you
can access all the details about how AES encryption works online and yet it is still unbreakable.

Occasionally, organizations implement their own, custom encryption algorithms. There have been instances
where those secret cryptographic systems have been quickly cracked after being made public.

Pro tip: A cryptographic system should not be considered secure if it requires secrecy around how it works.

Encryption is everywhere

Companies use both symmetric and asymmetric encryption. They often work as a team, balancing security
with user experience.

For example, websites tend to use asymmetric encryption to secure small blocks of data that are important.
Usernames and passwords are often secured with asymmetric encryption while processing login requests.
Once a user gains access, the rest of their web session often switches to using symmetric encryption for its
speed.

Using data encryption like this is increasingly required by law. Regulations like the Federal Information
Processing Standards (FIPS 140-3) and the General Data Protection Regulation (GDPR) outline how data
should be collected, used, and handled. Achieving compliance with either regulation is critical to
demonstrating to business partners and governments that customer data is handled responsibly.

The evolution of hash functions


Hash functions are important controls that are part of every company's security strategy. Hashing is widely
used for authentication and non-repudiation, the concept that the authenticity of information can’t be
denied.

Previously, you learned that hash functions are algorithms that produce a code that can't be decrypted. Hash
functions convert information into a unique value that can then be used to determine its integrity. In this
reading, you’ll learn about the origins of hash functions and how they’ve changed over time.

Origins of hashing
Hash functions have been around since the early days of computing. They were originally created as a way to
quickly search for data. Since the beginning, these algorithms have been designed to represent data of any
size as small, fixed-size values, or digests. Using a hash table, which is a data structure that's used to store
and reference hash values, these small values became a more secure and efficient way for computers to
reference data.

One of the earliest hash functions is Message Digest 5, more commonly known as MD5. Professor Ronald
Rivest of the Massachusetts Institute of Technology (MIT) developed MD5 in the early 1990s as a way to
verify that a file sent over a network matched its source file.

Whether it’s used to convert a single email or the source code of an application, MD5 works by converting
data into a 128-bit value. You might recall that a bit is the smallest unit of data measurement on a computer.
Bits can either be a 0 or 1. In a computer, bits represent user input in a way that computers can interpret. In a
hash table, this appears as a string of 32 characters. Altering anything in the source file generates an entirely
new hash value.

Generally, the longer the hash value, the more secure it is. It wasn’t long after MD5's creation that security
practitioners discovered 128-bit digests resulted in a major vulnerability.

Here is an example of how plaintext gets turned into hash values:

Hash collisions

One of the flaws in MD5 happens to be a characteristic of all hash functions. Hash algorithms map any input,
regardless of its length, into a fixed-size value of letters and numbers. What’s the problem with that?
Although there are an infinite amount of possible inputs, there’s only a finite set of available outputs!

MD5 values are limited to 32 characters in length. Due to the limited output size, the algorithm is considered
to be vulnerable to hash collision, an instance when different inputs produce the same hash value. Because
hashes are used for authentication, a hash collision is similar to copying someone’s identity. Attackers can
carry out collision attacks to fraudulently impersonate authentic data.
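
The finite-output argument above, as an added Python example (not part of the original course material): it confirms the digest sizes the reading quotes, then finds a collision on a deliberately truncated hash to show how quickly a small output space runs out. The truncated hash, the function names and the sample messages are constructed for this illustration.

```python
import hashlib


def md5_hex(data: bytes) -> str:
    """MD5 digest as the 32-character hex string the reading describes."""
    return hashlib.md5(data).hexdigest()


def digest_bits(algorithm: str) -> int:
    """Digest size in bits for a hashlib algorithm name."""
    return hashlib.new(algorithm).digest_size * 8


def changed_hex_chars(a: bytes, b: bytes) -> int:
    """How many of the 32 hex characters differ between two MD5 digests."""
    return sum(x != y for x, y in zip(md5_hex(a), md5_hex(b)))


def truncated_hash(data: bytes, bits: int) -> int:
    """Toy hash: only the first `bits` bits of SHA-256 (constructed for this demo)."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_collision(bits: int, limit: int = 5_000_000):
    """Hash constructed messages until two different inputs share a digest.

    Returns (first_input, second_input, attempts). The birthday bound puts the
    expected work near 2 ** (bits / 2) attempts, far below the 2 ** bits
    possible outputs, which is why short digests fail first.
    """
    seen = {}
    for counter in range(limit):
        message = f"constructed-message-{counter}".encode()
        value = truncated_hash(message, bits)
        if value in seen:
            return seen[value], message, counter + 1
        seen[value] = message
    raise RuntimeError("no collision within the attempt limit")


if __name__ == "__main__":
    print("MD5 bits:", digest_bits("md5"), "hex chars:", len(md5_hex(b"hello")))
    print("hex chars changed by a one-letter edit:",
          changed_hex_chars(b"hello", b"hellp"))
    for bits in (16, 24, 32):
        first, second, attempts = find_collision(bits)
        print(f"{bits}-bit digest: {first!r} and {second!r} "
              f"collide after {attempts} attempts")
```

Each extra bit of digest length doubles the output space, so the attempts needed grow with every step from 16 to 32 bits; the same reasoning is why the SHA family moved to 224 bits and beyond.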

Next-generation hashing
To avoid the risk of hash collisions, functions that generated longer values were needed. MD5's shortcomings
gave way to a new group of functions known as the Secure Hashing Algorithms, or SHAs.

The National Institute of Standards and Technology (NIST) approves each of these algorithms. Numbers
beside each SHA function indicate the size of its hash value in bits. Except for SHA-1, which produces a
160-bit digest, these algorithms are considered to be collision-resistant. However, that doesn’t make them
invulnerable to other exploits.

Five functions make up the SHA family of algorithms:

SHA-1

SHA-224

SHA-256

SHA-384

SHA-512

Secure password storage
Passwords are typically stored in a database where they are mapped to a username. The server receives a
request for authentication that contains the credentials supplied by the user. It then looks up the username
in the database, compares the stored password with the one that was provided, and verifies that they match
before granting the user access.

This is a safe system unless an attacker gains access to the user database. If passwords are stored in plaintext,
then an attacker can steal that information and use it to access company resources. Hashing adds an
additional layer of security. Because hash values can't be reversed, an attacker would not be able to steal
someone's login credentials if they managed to gain access to the database.

Rainbow tables

A rainbow table is a file of pre-generated hash values and their associated plaintext. They’re like dictionaries
of weak passwords. Attackers capable of obtaining an organization’s password database can use a rainbow
table to compare them against all possible values.

Adding some “salt”


Functions with larger digests are less vulnerable to collision and rainbow table attacks. But as you’re learning,
no security control is perfect.

Salting is an additional safeguard that’s used to strengthen hash functions. A salt is a random string of
characters that are added to an input during the hashing process. Typically, salts are added to the beginning
or the end of data as it passes through the function. An increasingly common use of salting is in the storage
of passwords. This additional security measure helps to protect this type of information without burdening
the user.

Here is an example of the salting process:
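
An added Python sketch covering both the rainbow table and the salting passages (it is not from the original course material): an unsalted SHA-256 store is matched by a precomputed table of common passwords, while a per-user random salt fed through PBKDF2 is not. The sample passwords, the iteration count and all function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this example
COMMON_PASSWORDS = ["123456", "password", "sunshine1", "qwerty"]  # constructed


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash: the same password always gives the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> plaintext map, a tiny stand-in for a rainbow table."""
    return {unsalted_hash(candidate): candidate for candidate in candidates}


def exposed_accounts(stored: dict, table: dict) -> dict:
    """Accounts whose stored value appears in the precomputed table."""
    return {user: table[value] for user, value in stored.items() if value in table}


def hash_password(password: str, salt=None):
    """Return (salt, derived_key); a fresh 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify_password(password: str, salt: bytes, expected_key: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, expected_key)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)

    # Two users picked the same weak password; one picked a long unique one.
    unsalted_store = {
        "alice": unsalted_hash("sunshine1"),
        "bob": unsalted_hash("sunshine1"),
        "carol": unsalted_hash("T7#vq-long-unique-phrase"),
    }
    print("unsalted, exposed:", exposed_accounts(unsalted_store, table))

    salted_records = {user: hash_password("sunshine1") for user in ("alice", "bob")}
    salted_store = {user: key.hex() for user, (_, key) in salted_records.items()}
    print("salted, exposed:  ", exposed_accounts(salted_store, table))

    salt, key = salted_records["alice"]
    print("correct password verifies:", verify_password("sunshine1", salt, key))
```

The salt is stored next to the derived key; it does not need to be secret, only unique per user, so that one precomputed table cannot be reused across accounts.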


The rise of SSO and MFA
Most companies help keep their data safely locked up behind authentication systems.
Usernames and passwords are the keys that unlock information for most organizations.
But are those credentials enough? Information security often focuses on managing a
user's access of, and authorization to, information.

Previously, you learned about the three factors of authentication: knowledge,
ownership, and characteristic. Single sign-on (SSO) and multi-factor authentication
(MFA) are two technologies that have become popular for implementing these
authentication factors. In this reading, you’ll learn how these technologies work and
why companies are adopting them.

A better approach to authentication

Single sign-on (SSO) is a technology that combines several different logins into one.
More companies are turning to SSO as a solution to their authentication needs for
three reasons:

1. SSO improves the user experience by reducing the number of usernames and
passwords people have to remember.

2. Companies can lower costs by streamlining how they manage connected services.

3. SSO improves overall security by reducing the number of access points attackers can
target.

This technology became available in the mid-1990s as a way to combat password
fatigue, which refers to people’s tendency to reuse passwords across services.
Remembering many different passwords can be a challenge, but using the same
password repeatedly is a major security risk. SSO solves this dilemma by shifting the
burden of authentication away from the user.

How SSO works

SSO works by automating how trust is established between a user and a service
provider. Rather than placing the responsibility on an employee or customer, SSO
solutions use trusted third-parties to prove that a user is who they claim to be. This is
done through the exchange of encrypted access tokens between the identity provider
and the service provider.

Similar to other kinds of digital information, these access tokens are exchanged using
specific protocols. SSO implementations commonly rely on two different authentication
protocols: LDAP and SAML. LDAP, which stands for Lightweight Directory Access
Protocol, is mostly used to transmit information on-premises; SAML, which stands for
Security Assertion Markup Language, is mostly used to transmit information off-
premises, like in the cloud.

Note: LDAP and SAML protocols are often used together.

Here's an example of how SSO can connect a user to multiple applications with one
access token:
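
The exchange described above, as an added Python model (not part of the original course material and not an implementation of SAML or LDAP): an identity provider issues one token after a single login, and each service provider checks its signature, expiry and audience before trusting it. The token is signed with a shared HMAC key rather than encrypted, and the service names, key and helper names are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, body: str) -> str:
    return b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())


class IdentityProvider:
    """Issues a token once the user has authenticated (the login step is not shown)."""

    def __init__(self, key: bytes):
        self._key = key

    def issue_token(self, username, audiences, now, ttl=300):
        claims = {"sub": username, "aud": sorted(audiences), "exp": now + ttl}
        body = b64url(json.dumps(claims, sort_keys=True).encode())
        return body + "." + sign(self._key, body)


class ServiceProvider:
    """Trusts the identity provider's signature instead of asking for a password."""

    def __init__(self, name: str, key: bytes):
        # Real SAML assertions are signed with the IdP's private key, so a
        # service provider holds only the public key. A shared HMAC key is an
        # assumption made here to stay within the standard library.
        self.name = name
        self._key = key

    def accept(self, token: str, now: int):
        """Return the authenticated username, or None if the token is rejected."""
        try:
            body, signature = token.split(".")
            expected = sign(self._key, body)
            if not hmac.compare_digest(signature.encode(), expected.encode()):
                return None  # altered, or not issued by the trusted IdP
            claims = json.loads(unb64url(body))
        except ValueError:
            return None  # malformed token
        if now >= claims["exp"]:
            return None  # expired
        if self.name not in claims["aud"]:
            return None  # token was not issued for this service
        return claims["sub"]


def swap_subject(token: str, new_subject: str) -> str:
    """Constructed tampering case: rewrite the claims but keep the old signature."""
    body, signature = token.split(".")
    claims = json.loads(unb64url(body))
    claims["sub"] = new_subject
    return b64url(json.dumps(claims, sort_keys=True).encode()) + "." + signature


if __name__ == "__main__":
    key = b"constructed-demo-key"
    idp = IdentityProvider(key)
    mail, wiki, payroll = (ServiceProvider(n, key) for n in ("mail", "wiki", "payroll"))
    token = idp.issue_token("avery", ["mail", "wiki"], now=1000)
    print("mail:", mail.accept(token, now=1100))
    print("wiki:", wiki.accept(token, now=1100))
    print("payroll (not in audience):", payroll.accept(token, now=1100))
    print("mail after expiry:", mail.accept(token, now=1300))
    print("tampered subject:", mail.accept(swap_subject(token, "root"), now=1100))
```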

Limitations of SSO

Usernames and passwords alone are not always the most secure way of protecting
sensitive information. SSO provides useful benefits, but there’s still the risk associated
with using one form of authentication. For example, a lost or stolen password could
expose information across multiple services. Thankfully, there’s a solution to this
problem.

MFA to the rescue

Multi-factor authentication (MFA) requires a user to verify their identity in two or
more ways to access a system or network. In a sense, MFA is similar to using an ATM
to withdraw money from your bank account. First, you insert a debit card into the
machine as one form of identification. Then, you enter your PIN number as a second
form of identification. Combined, both steps, or factors, are used to verify your
identity before authorizing you to access the account.

Strengthening authentication

MFA builds on the benefits of SSO. It works by having users prove that they are who
they claim to be. The user must provide two factors (2FA) or three factors (3FA) to
authenticate their identification. The MFA process asks users to provide these proofs,
such as:

Something a user knows: most commonly a username and password


Something a user has: normally received from a service provider, like a one-time
passcode (OTP) sent via SMS


Something a user is: refers to physical characteristics of a user, like their fingerprints
or facial scans

Requiring multiple forms of identification is an effective security measure, especially in
cloud environments. It can be difficult for businesses in the cloud to ensure that the
users remotely accessing their systems are not threat actors. MFA can reduce the risk
of authenticating the wrong users by requiring forms of identification that are difficult
to imitate or brute force.

Identity and access management
Security is more than simply combining processes and technologies to protect assets.
Instead, security is about ensuring that these processes and technologies are creating a
secure environment that supports a defense strategy. A key to doing this is
implementing two fundamental security principles that limit access to organizational
resources:

The principle of least privilege in which a user is only granted the minimum level of
access and authorization required to complete a task or function.


Separation of duties, which is the principle that users should not be given levels of
authorization that would allow them to misuse a system.

Both principles typically support each other. For example, according to least privilege,
a person who needs permission to approve purchases from the IT department shouldn't
have the permission to approve purchases from every department. Likewise, according
to separation of duties, the person who can approve purchases from the IT department
should be different from the person who can input new purchases.

In other words, least privilege limits the access that an individual receives, while
separation of duties divides responsibilities among multiple people to prevent any one
person from having too much control.

Previously, you learned about the authentication, authorization, and accounting (AAA)
framework. Many businesses used this model to implement these two security
principles and manage user access. In this reading, you’ll learn about the other major
framework for managing user access, identity and access management (IAM). You will
learn about the similarities between AAA and IAM and how they're commonly
implemented.

Identity and access management (IAM)

As organizations become more reliant on technology, regulatory agencies have put
more pressure on them to demonstrate that they’re doing everything they can to
prevent threats. Identity and access management (IAM) is a collection of processes and
technologies that helps organizations manage digital identities in their environment.
Both AAA and IAM systems are designed to authenticate users, determine their access
privileges, and track their activities within a system.

Either model used by your organization is more than a single, clearly defined system.
They each consist of a collection of security controls that ensure the right user is
granted access to the right resources at the right time and for the right reasons. Each
of those four factors is determined by your organization's policies and processes.

Note: A user can either be a person, a device, or software.

Authenticating users

Ensuring that the right user is attempting to access a resource requires some form of proof
that the user is who they claim to be. In a video on authentication controls, you
learned that there are a few factors that can be used to authenticate a user:

Knowledge, or something the user knows


Ownership, or something the user possesses



Characteristic, or something the user is

Authentication is mainly verified with login credentials. Single sign-on (SSO), a
technology that combines several different logins into one, and multi-factor
authentication (MFA), a security measure that requires a user to verify their identity in
two or more ways to access a system or network, are other tools that organizations
use to authenticate individuals and systems.

Pro tip: Another way to remember this authentication model is: something you know,
something you have, and something you are.

User provisioning

Back-end systems need to be able to verify whether the information provided by a
user is accurate. To accomplish this, users must be properly provisioned. User
provisioning is the process of creating and maintaining a user's digital identity. For
example, a college might create a new user account when a new instructor is hired.
The new account will be configured to provide access to instructor-only resources while
they are teaching. Security analysts are routinely involved with provisioning users and
their access privileges.

Pro tip: Another role analysts have in IAM is to deprovision users. This is an important
practice that removes a user's access rights when they should no longer have them.

Granting authorization

If the right user has been authenticated, the network should ensure the right resources
are made available. There are three common frameworks that organizations use to
handle this step of IAM:

Mandatory access control (MAC)


Discretionary access control (DAC)


Role-based access control (RBAC)


Mandatory Access Control (MAC)

MAC is the strictest of the three frameworks. Authorization in this model is based on a
strict need-to-know basis. Access to information must be granted manually by a
central authority or system administrator. For example, MAC is commonly applied in
law enforcement, military, and other government agencies where users must request
access through a chain of command. MAC is also known as non-discretionary control
because access isn’t given at the discretion of the data owner.

Discretionary Access Control (DAC)

DAC is typically applied when a data owner decides appropriate levels of access. One
example of DAC is when the owner of a Google Drive folder shares editor, viewer, or
commenter access with someone else.

Role-Based Access Control (RBAC)

RBAC is used when authorization is determined by a user's role within an organization.
For example, a user in the marketing department may have access to user analytics
but not network administration.
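
An added Python example (not part of the original course material) that ties role-based access control to the earlier purchase-approval illustration of least privilege and separation of duties: roles carry department-scoped grants, and a purchase can never be approved by the person who entered it, even when that person holds both roles. The role names, users and the PurchaseSystem class are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Least privilege: each role grants one action in one department, nothing wider.
ROLE_GRANTS = {
    "it_purchaser": {("purchase:create", "IT")},
    "it_approver": {("purchase:approve", "IT")},
    "finance_purchaser": {("purchase:create", "Finance")},
    "marketing_analyst": {("analytics:read", "Marketing")},
}


class AccessDenied(Exception):
    pass


@dataclass
class Purchase:
    purchase_id: int
    department: str
    item: str
    created_by: str
    approved_by: Optional[str] = None


class PurchaseSystem:
    def __init__(self, user_roles):
        self.user_roles = user_roles  # username -> set of role names
        self.purchases = {}
        self.audit_log = []           # every decision is recorded (accounting)

    def _require(self, user, action, department):
        grants = set()
        for role in self.user_roles.get(user, ()):
            grants |= ROLE_GRANTS.get(role, set())
        allowed = (action, department) in grants
        self.audit_log.append((user, action, department, "allow" if allowed else "deny"))
        if not allowed:
            raise AccessDenied(f"{user} lacks {action} for {department}")

    def create(self, user, department, item):
        self._require(user, "purchase:create", department)
        purchase_id = len(self.purchases) + 1
        self.purchases[purchase_id] = Purchase(purchase_id, department, item, user)
        return purchase_id

    def approve(self, user, purchase_id):
        purchase = self.purchases[purchase_id]
        self._require(user, "purchase:approve", purchase.department)
        # Separation of duties: holding the approver role is not enough if the
        # same person also entered this purchase.
        if purchase.created_by == user:
            self.audit_log.append((user, "purchase:approve", purchase.department, "deny-sod"))
            raise AccessDenied("separation of duties: the creator cannot approve")
        purchase.approved_by = user
        return purchase


def is_denied(action, *args):
    """True if the call is refused with AccessDenied."""
    try:
        action(*args)
    except AccessDenied:
        return True
    return False


def demo_system():
    return PurchaseSystem({
        "dana": {"it_purchaser"},
        "eli": {"it_approver"},
        "fay": {"finance_purchaser"},
        "mia": {"marketing_analyst"},
        "sam": {"it_purchaser", "it_approver"},  # over-provisioned on purpose
    })


if __name__ == "__main__":
    system = demo_system()
    first = system.create("dana", "IT", "laptops")
    print("dana approves her own entry:", not is_denied(system.approve, "dana", first))
    print("eli approves it:", system.approve("eli", first).approved_by)
    second = system.create("sam", "IT", "switches")
    print("sam approves his own entry:", not is_denied(system.approve, "sam", second))
    for entry in system.audit_log:
        print(entry)
```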

Access control technologies

Users often experience authentication and authorization as a single, seamless
experience. In large part, that’s due to access control technologies that are configured
to work together. These tools offer the speed and automation needed by
administrators to monitor and modify access rights. They also decrease errors and
potential risks.

An organization's IT department sometimes develops and maintains customized access
control technologies on their own. A typical IAM or AAA system consists of a user
directory, a set of tools for managing data in that directory, an authorization system,
and an auditing system. Some organizations create custom systems to tailor them to
their security needs. However, building an in-house solution comes at a steep cost of
time and other resources.

Instead, many organizations opt to license third-party solutions that offer a suite of
tools that enable them to quickly secure their information systems. Keep in mind,
security is about more than combining a bunch of tools. It’s always important to
configure these technologies so they can help to provide a secure environment.

What is OWASP?

OWASP is a nonprofit foundation that works to improve the security of
software. OWASP is an open platform that security professionals from
around the world use to share information, tools, and events that are
focused on securing the web.

The OWASP Top 10

One of OWASP’s most valuable resources is the OWASP Top 10. The
organization has published this list since 2003 as a way to spread
awareness of the web’s most targeted vulnerabilities. The Top 10 mainly
applies to new or custom made software. Many of the world's largest
organizations reference the OWASP Top 10 during application development
to help ensure their programs address common security mistakes.

Pro tip: OWASP’s Top 10 is updated every few years as technologies evolve.
Rankings are based on how often the vulnerabilities are discovered and the
level of risk they present.

Note: Auditors also use the OWASP Top 10 as one point of reference when
checking for regulatory compliance.

Common vulnerabilities

Businesses often make critical security decisions based on the vulnerabilities
listed in the OWASP Top 10. This resource influences how businesses design
new software that will be on their network, unlike the CVE® list, which
helps them identify improvements to existing programs. These are the
vulnerabilities that appear most regularly in the rankings and that you
should know about:

Broken access control

Access controls limit what users can do in a web application. For example, a
blog might allow visitors to post comments on a recent article but restrict
them from deleting the article entirely. Failures in these mechanisms can
lead to unauthorized information disclosure, modification, or destruction.
They can also give someone unauthorized access to other business
applications.

Cryptographic failures

Information is one of the most important assets businesses need to protect.
Privacy laws such as General Data Protection Regulation (GDPR) require
sensitive data to be protected by effective encryption methods.
Vulnerabilities can occur when businesses fail to encrypt things like
personally identifiable information (PII). For example, if a web application
uses a weak hashing algorithm, like MD5, it’s more at risk of suffering a
data breach.

Injection

Injection occurs when malicious code is inserted into a vulnerable application.
Although the app appears to work normally, it does things that it wasn’t
intended to do. Injection attacks can give threat actors a backdoor into an
organization’s information system. A common target is a website’s login
form. When these forms are vulnerable to injection, attackers can insert
malicious code that gives them access to modify or steal user credentials.
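
The login-form case above, as an added Python example using the standard sqlite3 module (not part of the original course material): a query built by string concatenation sits beside the same query written with bound parameters, and both are run against the same constructed inputs. The table layout, sample accounts and function names are assumptions.

```python
import hashlib
import sqlite3


def pw_hash(password: str) -> str:
    # Plain SHA-256 keeps the sketch short; real storage should use a salted,
    # slow key-derivation function.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory user table with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", pw_hash("correct horse")), ("bob", pw_hash("battery staple"))],
    )
    return db


def login_vulnerable(db, username: str, password: str):
    """Deliberately vulnerable: user input becomes part of the SQL text."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND pw_hash = '" + pw_hash(password) + "'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    """Hardened: placeholders keep user input as data, never as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Constructed input: the quote closes the string literal and the comment
    # marker removes the password check from the concatenated query.
    crafted = "alice' --"
    print("vulnerable, valid login:  ", login_vulnerable(db, "alice", "correct horse"))
    print("vulnerable, crafted input:", login_vulnerable(db, crafted, "wrong"))
    print("safe, valid login:        ", login_safe(db, "alice", "correct horse"))
    print("safe, crafted input:      ", login_safe(db, crafted, "wrong"))
    print("safe, name with a quote:  ", login_safe(db, "o'brien", "x"))
```

With bound parameters the crafted value is compared as a literal username, finds no row, and the login is refused; a legitimate name containing a quote is also handled without a syntax error.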

Insecure design

Applications should be designed in such a way that makes them resilient to
attack. When they aren’t, they’re much more vulnerable to threats like
injection attacks or malware infections. Insecure design refers to a wide
range of missing or poorly implemented security controls that should have
been programmed into an application when it was being developed.

Security misconfiguration

Misconfigurations occur when security settings aren’t properly set or
maintained. Companies use a variety of different interconnected systems.
Mistakes often happen when those systems aren’t properly set up or audited.
A common example is when businesses deploy equipment, like a network
server, using default settings. This can lead businesses to use settings that
fail to address the organization's security objectives.

Vulnerable and outdated components

Vulnerable and outdated components is a category that mainly relates to
application development. Instead of coding everything from scratch, most
developers use open-source libraries to complete their projects faster and
easier. This publicly available software is maintained by communities of
programmers on a volunteer basis. Applications that use vulnerable
components that have not been maintained are at greater risk of being
exploited by threat actors.

Identification and authentication failures

Identification is the keyword in this vulnerability category. When
applications fail to recognize who should have access and what they’re
authorized to do, it can lead to serious problems. For example, a home
Wi-Fi router normally uses a simple login form to keep unwanted guests off the
network. If this defense fails, an attacker can invade the homeowner’s
privacy.

Software and data integrity failures

Software and data integrity failures are instances when updates or patches
are inadequately reviewed before implementation. Attackers might exploit
these weaknesses to deliver malicious software. When that occurs, there can
be serious downstream effects. Third parties are likely to become infected if
a single system is compromised, an event known as a supply chain attack.

A famous example of a supply chain attack is the SolarWinds cyber attack
(2020) where hackers injected malicious code into software updates that
the company unknowingly released to their customers.

Security logging and monitoring failures

In security, it’s important to be able to log and trace back events. Having a
record of events like user login attempts is critical to finding and fixing
problems. Sufficient monitoring and incident response are equally important.

Server-side request forgery

Companies have public and private information stored on web servers. When
you use a hyperlink or click a button on a website, a request is sent to a
server that should validate who you are, fetch the appropriate data, and
then return it to you.

Server-side request forgeries (SSRFs) are when attackers manipulate the
normal operations of a server to read or update other resources on that
server. These are possible when an application on the server is vulnerable.
Malicious code can be carried by the vulnerable app to the host server that
will fetch unauthorized data.
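
One way a server can validate a user-supplied URL before fetching it, as an added Python example (not part of the original course material): the scheme, host and port must be on an allowlist, and addresses that point back at the server or its internal network are refused with a reason that can be logged. The allowlisted host names and the function name are hypothetical.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}  # hypothetical hosts
ALLOWED_PORTS = {None, 443}  # None means the scheme's default port


def check_fetch_url(url: str):
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return False, "malformed URL"

    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    # "https://trusted-name@other-host/" is fetched from other-host, not trusted-name.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"

    try:
        address = ipaddress.ip_address(host)
    except ValueError:
        address = None
    if address is not None:
        internal = (
            address.is_loopback or address.is_private or address.is_link_local
            or address.is_reserved or address.is_unspecified
        )
        return False, ("internal address" if internal else "IP literal not allowed")

    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    # Not covered here: an allowlisted name must also be checked after DNS
    # resolution, and redirects need the same validation on every hop.
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "https://images.example.com/logo.png",
        "https://127.0.0.1/admin",
        "https://[::1]/",
        "https://10.0.0.5/internal",
        "file:///etc/passwd",
        "https://images.example.com@10.0.0.5/",
        "https://images.example.com.evil.test/x",
        "https://images.example.com:8443/x",
    ]
    for sample in samples:
        allowed, reason = check_fetch_url(sample)
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {reason:24} {sample}")
```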

Open source intelligence


Cyber attacks can sometimes be prevented with the right information, which starts
with knowing where your systems are vulnerable. Previously, you learned that the
CVE® list and scanning tools are two useful ways of finding weaknesses. But, there are
other ways to identify vulnerabilities and threats.

In this reading, you’ll learn about open-source intelligence, commonly known as OSINT.
OSINT is the collection and analysis of information from publicly available sources to
generate usable intelligence. It's commonly used to support cybersecurity activities, like
identifying potential threats and vulnerabilities. You'll learn why open-source
intelligence is gathered and how it can improve cybersecurity. You’ll also learn about
commonly used resources and tools for gathering information and intelligence.

Information vs intelligence

The terms intelligence and information are often used interchangeably, making it easy
to mix them up. Both are important aspects of cybersecurity that differ in their focus
and objectives.
Information refers to the collection of raw data or facts about a specific subject.
Intelligence, on the other hand, refers to the analysis of information to produce
knowledge or insights that can be used to support decision-making.

For example, new information might be released about an update to the operating
system (OS) that's installed on your organization's workstations. Later, you might find
that new cyber threats have been linked to this new update by researching multiple
cybersecurity news resources. The analysis of this information can be used as
intelligence to guide your organization's decision about installing the OS updates on
employee workstations.

In other words, intelligence is derived from information through the process of analysis,
interpretation, and integration. Gathering information and intelligence are both
important aspects of cybersecurity.

Intelligence improves decision-making

Businesses often use information to gain insights into the behavior of their customers.
Insights, or intelligence, can then be used to improve their decision making. In security,
open-source information is used in a similar way to gain insights into threats and
vulnerabilities that can pose risks to an organization.

OSINT plays a significant role in information security (InfoSec), which is the practice of
keeping data in all states away from unauthorized users.

For example, a company's InfoSec team is responsible for protecting their network
from potential threats. They might utilize OSINT to monitor online forums and hacker
communities for discussions about emerging vulnerabilities. If they come across a forum
post discussing a newly discovered weakness in a popular software that the company
uses, the team can quickly assess the risk, prioritize patching efforts, and implement
necessary safeguards to prevent an attack.

Here are some of the ways OSINT can be used to generate intelligence:


To provide insights into cyber attacks


To detect potential data exposures


To evaluate existing defenses


To identify unknown vulnerabilities

Collecting intelligence is sometimes part of the vulnerability management process.
Security teams might use OSINT to develop profiles of potential targets and make
data-driven decisions on improving their defenses.

OSINT tools

There's an enormous amount of open-source information online. Finding relevant
information that can be used to gather intelligence is a challenge. Information can be
gathered from a variety of sources, such as search engines, social media, discussion
boards, blogs, and more. Several tools also exist that can be used in your intelligence
gathering process. Here are just a few examples of tools that you can explore:

VirusTotal is a service that allows anyone to analyze suspicious files, domains, URLs,
and IP addresses for malicious content.



MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on
real-world observations.


OSINT Framework is a web-based interface where you can find OSINT tools for almost
any kind of source or platform.


Have I Been Pwned is a tool that can be used to search for breached email accounts.

There are numerous other OSINT tools that can be used to find specific types of
information. Remember, information can be gathered from a variety of sources.
Ultimately, it's your responsibility to thoroughly research any available information
that's relevant to the problem you’re trying to solve.

Key takeaways

Approaches to vulnerability scanning


Previously, you learned about a vulnerability assessment, which is the internal review
process of an organization's security systems. An organization performs vulnerability
assessments to identify weaknesses and prevent attacks. Vulnerability scanning tools
are commonly used to simulate threats by finding vulnerabilities in an attack surface.
They also help security teams take proactive steps towards implementing their
remediation strategy.

Vulnerability scanners are important tools that you'll likely use in the field. In this
reading, you’ll explore how vulnerability scanners work and the types of scans they can
perform.

What is a vulnerability scanner?

A vulnerability scanner is software that automatically compares known vulnerabilities
and exposures against the technologies on the network. In general, these tools scan
systems to find misconfigurations or programming flaws.

Scanning tools are used to analyze each of the five attack surfaces that you learned
about in the video about the defense in depth strategy:

1. Perimeter layer, like authentication systems that validate user access
2. Network layer, which is made up of technologies like network firewalls and others
3. Endpoint layer, which describes devices on a network, like laptops, desktops, or servers
4. Application layer, which involves the software that users interact with
5. Data layer, which includes any information that’s stored, in transit, or in use

When a scan of any layer begins, the scanning tool compares the findings against
databases of security threats. At the end of the scan, the tool flags any vulnerabilities
that it finds and adds them to its reference database. Each scan adds more
information to the database, helping the tool be more accurate in its analysis.

Note: Vulnerability databases are also routinely updated by the company that designed
the scanning software.
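
The comparison step described above can be sketched as follows. This is an added example, not part of the original reading and not how any particular scanner is built. The products, hosts, scores, and EXAMPLE-prefixed advisory IDs are constructed placeholders, and only dotted numeric versions are handled.

```python
from dataclasses import dataclass


def parse_version(text):
    """'2.4.10' -> (2, 4, 10), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str       # placeholder ID, not a real CVE
    product: str
    introduced: str  # first affected version (inclusive)
    fixed: str       # first version that is no longer affected (exclusive)
    severity: float  # constructed score on a 0-10 scale


@dataclass(frozen=True)
class Asset:
    host: str
    layer: str       # one of the five layers listed in the text
    product: str
    version: str


# Constructed vulnerability database.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "webserverd", "2.4.0", "2.4.12", 9.1),
    Advisory("EXAMPLE-0002", "webserverd", "2.2.0", "2.2.30", 5.3),
    Advisory("EXAMPLE-0003", "vpn-gateway", "1.0.0", "1.9.3", 7.5),
    Advisory("EXAMPLE-0004", "dbengine", "10.0", "10.11", 6.4),
]

# Constructed inventory, as a discovery scan might report it.
INVENTORY = [
    Asset("fw01", "network", "vpn-gateway", "1.9.3"),     # already on the fixed release
    Asset("web01", "application", "webserverd", "2.4.9"),
    Asset("web02", "application", "webserverd", "2.4.12"),
    Asset("db01", "data", "dbengine", "10.9"),
    Asset("lt-114", "endpoint", "officesuite", "16.2"),   # product unknown to the database
]


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    current = parse_version(version)
    return parse_version(advisory.introduced) <= current < parse_version(advisory.fixed)


def scan(inventory, advisories):
    """Return (asset, advisory) pairs, most severe first."""
    findings = [
        (asset, adv)
        for asset in inventory
        for adv in advisories
        if asset.product == adv.product and is_affected(asset.version, adv)
    ]
    findings.sort(key=lambda pair: -pair[1].severity)
    return findings


def uncovered(inventory, advisories):
    """Hosts whose product has no database entries at all.

    A clean result for these hosts means 'no data', not 'no vulnerabilities'.
    """
    known = {adv.product for adv in advisories}
    return [asset.host for asset in inventory if asset.product not in known]


def report(inventory=INVENTORY, advisories=ADVISORIES):
    return [(a.host, a.layer, v.ident, v.severity) for a, v in scan(inventory, advisories)]
```

Comparing the versions as plain strings would give the wrong answer for both findings here ("2.4.9" sorts after "2.4.12", and "10.9" sorts after "10.11"), which is why they are parsed into numbers first.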

Performing scans

Vulnerability scanners are meant to be non-intrusive, meaning they don’t break or
take advantage of a system like an attacker would. Instead, they simply scan a surface
and alert you to any potentially unlocked doors in your systems.

Note: While vulnerability scanners are non-intrusive, there are instances when a scan
can inadvertently cause issues, like crashing a system.

There are a few different ways that these tools are used to scan a surface. Each
approach corresponds to the pathway a threat actor might take. Next, you can explore
each type of scan to get a clearer picture of this.

External vs. internal

External and internal scans simulate an attacker's approach.

External scans test the perimeter layer outside of the internal network. They analyze
outward-facing systems, like websites and firewalls. These kinds of scans can uncover
weaknesses like vulnerable network ports or servers.

Internal scans start from the opposite end by examining an organization's internal
systems. For example, this type of scan might analyze application software for
weaknesses in how it handles user input.

Authenticated vs. unauthenticated

Authenticated and unauthenticated scans simulate whether or not a user has access to
a system.

Authenticated scans might test a system by logging in with a real user account or even
with an admin account. These service accounts are used to check for vulnerabilities, like
broken access controls.

Unauthenticated scans simulate external threat actors that do not have access to your
business resources. For example, a scan might analyze file shares within the
organization that are used to house internal-only documents. Unauthenticated users
should receive "access denied" results if they try opening these files. However, a
vulnerability would be identified if the scan were able to access a file.

Limited vs. comprehensive

Limited and comprehensive scans focus on particular devices that are accessed by
internal and external users.

Limited scans analyze particular devices on a network, like searching for
misconfigurations on a firewall.

Comprehensive scans analyze all devices connected to a network. This includes
operating systems, user databases, and more.

Pro tip: Discovery scanning should be done prior to limited or comprehensive scans.
Discovery scanning is used to get an idea of the computers, devices, and open ports
that are on a network.

Penetration testing

An effective security plan relies on regular testing to find an organization's weaknesses.
Previously, you learned that vulnerability assessments, the internal review process of an
organization's security systems, are used to design defense strategies based on system
weaknesses. In this reading, you'll learn how security teams evaluate the effectiveness of
their defenses using penetration testing.

Penetration testing

A penetration test, or pen test, is a simulated attack that helps identify vulnerabilities
in systems, networks, websites, applications, and processes. The simulated attack in a
pen test involves using the same tools and techniques as malicious actors in order to
mimic a real life attack. Since a pen test is an authorized attack, it is considered to be
a form of ethical hacking. Unlike a vulnerability assessment that finds weaknesses in a
system's security, a pen test exploits those weaknesses to determine the potential
consequences if the system breaks or gets broken into by a threat actor.

For example, the cybersecurity team at a financial company might simulate an attack
on their banking app to determine if there are weaknesses that would allow an
attacker to steal customer information or illegally transfer funds. If the pen test
uncovers misconfigurations, the team can address them and improve the overall
security of the app.

Note: Organizations that are regulated by PCI DSS, HIPAA, or GDPR must routinely
perform penetration testing to maintain compliance standards.

Learning from varied perspectives


These authorized attacks are performed by pen testers who are skilled in programming
and network architecture. Depending on their objectives, organizations might use a few
different approaches to penetration testing:

Red team tests simulate attacks to identify vulnerabilities in systems, networks, or
applications.


Blue team tests focus on defense and incident response to validate an organization's
existing security systems.


Purple team tests are collaborative, focusing on improving the security posture of the
organization by combining elements of red and blue team exercises.

Red team tests are commonly performed by independent pen testers who are hired to
evaluate internal systems. However, cybersecurity teams may also have their own pen
testing experts. Regardless of the approach, penetration testers must make an
important decision before simulating an attack: How much access and information do I
need?

Penetration testing strategies

There are three common penetration testing strategies:

Open-box testing is when the tester has the same privileged access that an internal
developer would have—information like system architecture, data flow, and network
diagrams. This strategy goes by several different names, including internal, full
knowledge, white-box, and clear-box penetration testing.


Closed-box testing is when the tester has little to no access to internal systems—similar
to a malicious hacker. This strategy is sometimes referred to as external, black-box,
or zero knowledge penetration testing.


Partial knowledge testing is when the tester has limited access and knowledge of an
internal system—for example, a customer service representative. This strategy is also
known as gray-box testing.

Closed-box testers tend to produce the most accurate simulations of a real-world
attack. Nevertheless, each strategy produces valuable results by demonstrating how an
attacker might infiltrate a system and what information they could access.

Becoming a penetration tester

Penetration testers are in demand in the fast-growing field of cybersecurity. All of the
skills you’re learning in this program can help you advance towards a career in pen
testing:

Network and application security


Experience with operating systems, like Linux


Vulnerability analysis and threat modeling


Detection and response tools


Programming languages, like Python and BASH


Communication skills

Programming skills are very helpful in penetration testing because it's often performed
on software and IT systems. With enough practice and dedication, cybersecurity
professionals at any level can develop the skills needed to be a pen tester.

Bug bounty programs

Organizations commonly run bug bounty programs, which offer freelance pen testers
financial rewards for finding and reporting vulnerabilities in their products. Bug
bounties are great opportunities for amateur security professionals to participate and
grow their skills.

Pro tip: HackerOne is a community of ethical hackers where you can find active bug
bounties to participate in.

Types of hackers

Because the formal definition of a hacker is broad, the term can be a bit
ambiguous. In security, it applies to three types of individuals based on their
intent:

1. Unauthorized hackers
2. Authorized, or ethical, hackers
3. Semi-authorized hackers

An unauthorized hacker, or unethical hacker, is an individual who uses their
programming skills to commit crimes. Unauthorized hackers are also known
as malicious hackers. Skill level ranges widely among this category of hacker.
For example, there are hackers with limited skills who can’t write their own
malicious software, sometimes called script kiddies. Unauthorized hackers
like this carry out attacks using pre-written code that they obtain from
other, more skilled hackers.

Authorized, or ethical, hackers refer to individuals who use their
programming skills to improve an organization's overall security. These
include internal members of a security team who are concerned with
testing and evaluating systems to secure the attack surface. They also
include external security vendors and freelance hackers that some
companies incentivize to find and report vulnerabilities, a practice called
bug bounty programs.

Semi-authorized hackers typically refer to individuals who might violate
ethical standards, but are not considered malicious. For example, a
hacktivist is a person who might use their skills to achieve a political goal.
One might exploit security vulnerabilities of a public utility company to
spread awareness of their existence. The intention of these types of threat
actors is often to expose security risks that should be addressed before a
malicious hacker finds them.

Advanced persistent threats

Many malicious hackers find their way into a system, cause trouble, and
then leave. But on some occasions, threat actors stick around. These kinds of
events are known as advanced persistent threats, or APTs.

An advanced persistent threat (APT) refers to instances when a threat
actor maintains unauthorized access to a system for an extended period of
time. The term is mostly associated with nation states and state-sponsored
actors. Typically, an APT is concerned with surveilling a target to gather
information. They then use the intel to manipulate government, defense,
financial, and telecom services.

Just because the term is associated with state actors does not mean that
private businesses are safe from APTs. These kinds of threat actors are
stealthy because hacking into another government agency or utility is costly
and time consuming. APTs will often target private organizations first as a
step towards gaining access to larger entities.

Access points

Each threat actor has a unique motivation for targeting an organization's
assets. Keeping them out takes more than knowing their intentions and
capabilities. It’s also important to recognize the types of attack vectors
they’ll use.

For the most part, threat actors gain access through one of these attack
vector categories:

Direct access, referring to instances when they have physical access to a
system


Removable media, which includes portable hardware, like USB flash drives


Social media platforms that are used for communication and content
sharing


Email, including both personal and business accounts


Wireless networks on premises


Cloud services usually provided by third-party organizations


Supply chains like third-party vendors that can present a backdoor into
systems

Any of these attack vectors can provide access to a system. Recognizing a
threat actor’s intentions can help you determine which access points they
might target and what ultimate goals they could have. For example, remote
workers are more likely to present a threat via email than a direct access
threat.

Fortify against brute force cyber attacks

Usernames and passwords are one of the most common and important security
controls in use today. They’re like the door lock that organizations use to restrict access
to their networks, services, and data. But a major issue with relying on login
credentials as a critical line of defense is that they’re vulnerable to being stolen and
guessed by attackers.

In a video, you learned that brute force attacks are a trial-and-error process of
discovering private information. In this reading, you’ll learn about the many tactics
and tools used by threat actors to perform brute force attacks. You’ll also learn
prevention strategies that organizations can use to defend against them.

A matter of trial and error

One way of opening a closed lock is trying as many combinations as possible. Threat
actors sometimes use similar tactics to gain access to an application or a network.

Attackers use a variety of tactics to find their way into a system:

Simple brute force attacks are an approach in which attackers guess a user's login
credentials. They might do this by entering any combination of username and
password that they can think of until they find the one that works.


Dictionary attacks are a similar technique except in these instances attackers use a list
of commonly used credentials to access a system. This list is similar to matching a
definition to a word in a dictionary.


Reverse brute force attacks are similar to dictionary attacks, except they start with a
single credential and try it in various systems until a match is found.


Credential stuffing is a tactic in which attackers use stolen login credentials from
previous data breaches to access user accounts at another organization. A specialized
type of credential stuffing is called pass the hash. These attacks reuse stolen, unsalted
hashed credentials to trick an authentication system into creating a new authenticated
user session on the network.

Note: Besides access credentials, encrypted information can sometimes be brute forced
using a technique known as exhaustive key search.

Each of these methods involves a lot of guesswork. Brute forcing your way into a
system can be a tedious and time-consuming process—especially when it’s done
manually. That’s why threat actors often use tools to conduct their attacks.

Tools of the trade

There are so many combinations that can be used to create a single set of login
credentials. The number of characters, letters, and numbers that can be mixed
together is truly incredible. When done manually, it could take someone years to try
every possible combination.

Instead of dedicating the time to do this, attackers often use software to do the
guesswork for them. These are some common brute forcing tools:

Aircrack-ng


Hashcat


John the Ripper


Ophcrack


THC Hydra

Sometimes, security professionals use these tools to test and analyze their own systems.
They each serve different purposes. For example, you might use Aircrack-ng to test a
Wi-Fi network for vulnerabilities to brute force attack.

Prevention measures

Organizations defend against brute force attacks with a combination of technical and
managerial controls. Each makes cracking defense systems through brute force less likely:

Hashing and salting


Multi-factor authentication (MFA)


CAPTCHA


Password policies

Technologies, like multi-factor authentication (MFA), reinforce each login attempt by
requiring a second or third form of identification. Other important tools are CAPTCHA
and effective password policies.

Hashing and salting

Hashing converts information into a unique value that can then be used to determine
its integrity. Salting is an additional safeguard that’s used to strengthen hash functions.
It works by adding random characters to data, like passwords. This increases the
length and complexity of hash values, making them harder to brute force and less
susceptible to dictionary attacks.
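
The following added example, which is not part of the original reading, stores the same constructed passwords two ways: as a plain SHA-256 hash and as a salted hash. PBKDF2-HMAC-SHA256 and the round count are choices made for this example, and the account names and passwords are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example; tune to your hardware
SALT_BYTES = 16


def unsalted_hash(password):
    """Weak form: equal passwords always produce equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Salted, deliberately slow hash. Returns (salt_hex, hash_hex)."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex(), digest.hex()


def verify(password, salt_hex, hash_hex):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, hash_hex)


def users_sharing_a_hash(table):
    """Group user names by stored hash; a group of two or more exposes a reused
    password, and one guessed value would then unlock every account in the group."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


# Constructed accounts: alice and bob happen to choose the same password.
ACCOUNTS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "t7#Lq9vX"}

UNSALTED_TABLE = {user: unsalted_hash(pw) for user, pw in ACCOUNTS.items()}
SALTED_TABLE = {user: salted_hash(pw) for user, pw in ACCOUNTS.items()}
SALTED_HASHES_ONLY = {user: h for user, (_, h) in SALTED_TABLE.items()}


def summary():
    return {
        "unsalted_shared": users_sharing_a_hash(UNSALTED_TABLE),
        "salted_shared": users_sharing_a_hash(SALTED_HASHES_ONLY),
        "bob_can_log_in": verify("Summer2024!", *SALTED_TABLE["bob"]),
        "wrong_password_rejected": not verify("summer2024!", *SALTED_TABLE["bob"]),
    }
```

Because each salt is random, alice and bob end up with different stored values even though their passwords match, so a precomputed list of common password hashes no longer applies to the whole table at once.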

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is a security measure that requires a user to verify
their identity in two or more ways to access a system or network. MFA is a layered
approach to protecting information. MFA limits the chances of brute force attacks
because unauthorized users are unlikely to meet each authentication requirement even
if one credential becomes compromised.

CAPTCHA

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and
Humans Apart. It is known as a challenge-response authentication system. CAPTCHA
asks users to complete a simple test that proves they are human and not software
that’s trying to brute force a password.
Here are common CAPTCHA examples:
There are two types of CAPTCHA tests. One scrambles and distorts a randomly
generated sequence of letters and/or numbers and asks users to enter them into a text
box. The other test asks users to match images to a randomly generated word. You’ve
likely had to pass a CAPTCHA test when accessing a web service that contains sensitive
information, like an online bank account.

Password policy

Organizations use these managerial controls to standardize good password practices
across their business. For example, one of these policies might require users to create
passwords that are at least 8 characters long and feature a letter, number, and
symbol. Other common requirements can include password lockout policies. For
example, a password lockout can limit the number of login attempts before access to
an account is suspended and require users to create new, unique passwords after a
certain amount of time.

The purpose of each of these requirements is to create more possible password
combinations. This lengthens the amount of time it takes an attacker to find one that
will work. The National Institute of Standards and Technology (NIST) Special
Publication 800-63B provides detailed guidance that organizations can reference
when creating their own password policies.
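
The policy and lockout rules described in this section can be expressed as the following added example, which is not part of the original reading. The 8-character rule comes from the text. The failure threshold, counting window, lockout duration, user names, and login events are assumptions constructed for illustration.

```python
import string
from collections import defaultdict, deque

MIN_LENGTH = 8          # from the policy example in the text
MAX_FAILURES = 5        # assumed: failures allowed before lockout
WINDOW_SECONDS = 900    # assumed: failures are counted over 15 minutes
LOCKOUT_SECONDS = 1800  # assumed: account stays suspended for 30 minutes


def policy_violations(password):
    """Return the rules a proposed password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    return problems


class LockoutTracker:
    def __init__(self):
        self.failures = defaultdict(deque)  # user -> times of recent failures
        self.locked_until = {}              # user -> time the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def record(self, user, success, now):
        """Process one login attempt and return 'ok', 'failed' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"  # even the correct password is refused while locked
        if success:
            self.failures.pop(user, None)
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            recent.clear()
            return "locked"
        return "failed"


# Constructed login events: (seconds since start, user, password was correct)
EVENTS = [
    (0, "dana", False), (10, "dana", False), (20, "dana", False),
    (30, "dana", False),
    (40, "dana", False),   # fifth failure inside the window: account locks
    (50, "dana", True),    # correct guess arrives too late
    (60, "eli", False),    # an ordinary typo...
    (70, "eli", True),     # ...followed by a normal login
    (1840, "dana", True),  # lock has expired, the real user gets back in
]


def replay(events=EVENTS):
    tracker = LockoutTracker()
    return [tracker.record(user, ok, t) for t, user, ok in events]
```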

Types of phishing

Phishing is one of the most common types of social engineering, which are
manipulation techniques that exploit human error to gain private information, access,
or valuables. Previously, you learned how phishing is the use of digital communications
to trick people into revealing sensitive data or deploying malicious software.

Sometimes, phishing attacks appear to come from a trusted person or business. This
can lead unsuspecting recipients into acting against their better judgment, causing
them to break security procedures. In this reading, you’ll learn about common phishing
tactics used by attackers today.

The origins of phishing

Phishing has been around since the early days of the internet. It can be traced back to
the 1990s. At the time, people across the world were coming online for the first time.
As the internet became more accessible it began to attract the attention of malicious
actors. These malicious actors realized that the internet gave them a level of
anonymity to commit their crimes.

Early persuasion tactics

One of the earliest instances of phishing was aimed at a popular chat service called
AOL Instant Messenger (AIM). Users of the service began receiving emails asking them
to verify their accounts or provide personal billing information. The users were
unaware that these messages were sent by malicious actors pretending to be service
providers.

This was one of the first examples of mass phishing, which describes attacks that send
malicious emails out to a large number of people, increasing the likelihood of baiting
someone into the trap.

During the AIM attacks, malicious actors carefully crafted emails that appeared to
come directly from AOL. The messages used official logos, colors, and fonts to trick
unsuspecting users into sharing their information and account details.

Attackers used the stolen information to create fraudulent AOL accounts they could
use to carry out other crimes anonymously. AOL was forced to adapt their security
policies to address these threats. The chat service began including messages on their
platforms to warn users about phishing attacks.

How phishing has evolved

Phishing continued evolving at the turn of the century as businesses and newer
technologies began entering the digital landscape. In the early 2000s, e-commerce and
online payment systems started to become popular alternatives to traditional
marketplaces. The introduction of online transactions presented new opportunities for
attackers to commit crimes.

A number of techniques began to appear around this time period, many of which are
still used today. There are five common types of phishing that every security analyst
should know:

Email phishing is a type of attack sent via email in which threat actors send messages
pretending to be a trusted person or entity.


Smishing is a type of phishing that uses Short Message Service (SMS), a technology
that powers text messaging. Smishing covers all forms of text messaging services,
including Apple’s iMessages, WhatsApp, and other chat mediums on phones.


Vishing refers to the use of voice calls or voice messages to trick targets into providing
personal information over the phone.


Spear phishing is a subset of email phishing in which specific people are purposefully
targeted, such as the accountants of a small business.


Whaling refers to a category of spear phishing attempts that are aimed at high-
ranking executives in an organization.


Since the early days of phishing, email attacks remain the most common types that
are used. While they were originally used to trick people into sharing access credentials
and credit card information, email phishing became a popular method to infect
computer systems and networks with malicious software.

In late 2003, attackers around the world created fraudulent websites that resembled
businesses like eBay and PayPal™. Mass phishing campaigns to distribute malicious
programs were also launched against e-commerce and banking sites.

Recent trends

Starting in the 2010s, attackers began to shift away from mass phishing attempts
that relied on baiting unsuspecting people into a trap. Leveraging new technologies,
criminals began carrying out what’s known as targeted phishing attempts. Targeted
phishing describes attacks that are sent to specific targets using highly customized
methods to create a strong sense of familiarity.

A type of targeted phishing that evolved in the 2010s is angler phishing. Angler
phishing is a technique where attackers impersonate customer service representatives
on social media. This tactic evolved from people’s tendency to complain about
businesses online. Threat actors intercept complaints from places like message boards
or comment sections and contact the angry customer via social media. Like the AIM
attacks of the 1990s, they use fraudulent accounts that appear similar to those of
actual businesses. They then trick the angry customers into sharing sensitive
information with the promise of fixing their problem.

Key takeaways

Phishing tactics have become very sophisticated over the years. Unfortunately, there
isn't a perfect solution that prevents these attacks from happening. Tactics, like email
phishing that started in the last century, remain an effective and profitable method of
attack for criminals online today.

There isn’t a technological solution to prevent phishing entirely. However, there are
many ways to reduce the damage from these attacks when they happen. One way is
to spread awareness and inform others. As a security professional, you may be
responsible for helping others identify forms of social engineering, like phishing. For
example, you might create training programs that educate employees about topics like
phishing. Sharing your knowledge with others is an important responsibility that helps
build a culture of security.

Resources for more information


Staying up-to-date on phishing threats is one of the best things you can do to educate
yourself and help your organization make smarter security decisions.

Google’s phishing quiz is a tool that you can use or share that illustrates just how
difficult it can be to identify these attacks.


Phishing.org reports on the latest phishing trends and shares free resources that can
help reduce phishing attacks.


The Anti-Phishing Working Group (APWG) is a non-profit group of multidisciplinary
security experts that publishes a quarterly report on phishing trends.

An introduction to malware

Previously, you learned that malware is software designed to harm devices or networks.
Since its first appearance on personal computers decades ago, malware has developed
into a variety of strains. Being able to identify different types of malware and
understand the ways in which they are spread will help you stay alert and be informed
as a security professional.

Virus

A virus is malicious code written to interfere with computer operations and cause
damage to data and software. This type of malware must be installed by the target
user before it can spread itself and cause damage. One of the many ways that viruses
are spread is through phishing campaigns where malicious links are hidden within links
or attachments.

Worm

A worm is malware that can duplicate and spread itself across systems on its own.
Similar to a virus, a worm must be installed by the target user and can also be spread
with tactics like malicious email. Given a worm's ability to spread on its own, attackers
sometimes target devices, drives, or files that have shared access over a network.

A well known example is the Blaster worm, also known as Lovesan, Lovsan, or MSBlast.
In the early 2000s, this worm spread itself on computers running Windows XP and
Windows 2000 operating systems. It would force devices into a continuous loop of
shutting down and restarting. Although it did not damage the infected devices, it was
able to spread itself to hundreds of thousands of users around the world. Many
variants of the Blaster worm have been deployed since the original and can infect
modern computers.

Note: Worms were very popular attacks in the mid 2000s but are less frequently used
in recent years.

Trojan

A trojan, also called a Trojan horse, is malware that looks like a legitimate file or
program. This characteristic relates to how trojans are spread. Similar to viruses,
attackers deliver this type of malware hidden in file and application downloads.
Attackers rely on tricking unsuspecting users into believing they’re downloading a
harmless file, when they’re actually infecting their own device with malware that can
be used to spy on them, grant access to other devices, and more.

Adware

Advertising-supported software, or adware, is a type of legitimate software that is
sometimes used to display digital advertisements in applications. Software developers
often use adware as a way to lower their production costs or to make their products
free to the public—also known as freeware or shareware. In these instances, developers
monetize their product through ad revenue rather than at the expense of their users.

Malicious adware falls into a sub-category of malware known as a potentially
unwanted application (PUA). A PUA is a type of unwanted software that is bundled in
with legitimate programs which might display ads, cause device slowdown, or install
other software. Attackers sometimes hide this type of malware in freeware with
insecure design to monetize ads for themselves instead of the developer. This works
even when the user has declined to receive ads.

Spyware

Similar to adware, spyware is malware that's used to gather and sell information
without consent. It's also considered a PUA. Spyware is commonly hidden in
bundleware, additional software that is sometimes packaged with other applications.
PUAs like spyware have become a serious challenge in the open-source software
development ecosystem. That’s because developers tend to overlook how their software
could be misused or abused by others.

Scareware

Another type of PUA is scareware. This type of malware employs tactics to frighten
users into infecting their own device. Scareware tricks users by displaying fake
warnings that appear to come from legitimate companies. Email and pop-ups are just
a couple of ways scareware is spread. Both can be used to deliver phony warnings with
false claims about the user's files or data being at risk.

Fileless malware

Fileless malware does not need to be installed by the user because it uses legitimate
programs that are already installed to infect a computer. This type of infection resides
in memory where the malware never touches the hard drive. This is unlike the other
types of malware, which are stored within a file on disk. Instead, these stealthy
infections get into the operating system or hide within trusted applications.

Pro tip: Fileless malware is detected by performing memory analysis, which requires
experience with operating systems.

Rootkits

A rootkit is malware that provides remote, administrative access to a computer. Most
attackers use rootkits to open a backdoor to systems, allowing them to install other
forms of malware or to conduct network security attacks.

This kind of malware is often spread by a combination of two components: a dropper
and a loader. A dropper is a type of malware that comes packed with malicious code
which is delivered and installed onto a target system. For example, a dropper is often
disguised as a legitimate file, such as a document, an image, or an executable to
deceive its target into opening, or dropping it, onto their device. If the user opens the
dropper program, its malicious code is executed and it hides itself on the target system.

Multi-staged malware attacks, where multiple packets of malicious code are deployed,
commonly use a variation called a loader. A loader is a type of malware that
downloads strains of malicious code from an external source and installs them onto a
target system. Attackers might use loaders for different purposes, such as to set up
another type of malware: a botnet.

Botnet

A botnet, short for “robot network,” is a collection of computers infected by malware
that are under the control of a single threat actor, known as the “bot-herder.” Viruses,
worms, and trojans are often used to spread the initial infection and turn the devices
into a bot for the bot-herder. The attacker then uses file sharing, email, or social
media application protocols to create new bots and grow the botnet. When a target
unknowingly opens the malicious file, the computer, or bot, reports the information
back to the bot-herder, who can execute commands on the infected computer.

Ransomware

Ransomware describes a malicious attack where threat actors encrypt an
organization's data and demand payment to restore access. According to the
Cybersecurity and Infrastructure Security Agency (CISA), ransomware crimes are on
the rise and becoming increasingly sophisticated. Ransomware infections can cause
significant damage to an organization and its customers. An example is the WannaCry
attack that encrypts a victim's computer until a ransom payment of cryptocurrency is
paid.

Traits of an effective threat model

Threat modeling is the process of identifying assets, their vulnerabilities, and how each
is exposed to threats. It is a strategic approach that combines various security activities,
such as vulnerability management, threat analysis, and incident response. Security
teams commonly perform these exercises to ensure their systems are adequately
protected. Another use of threat modeling is to proactively find ways of reducing risks
to any system or business process.

Traditionally, threat modeling is associated with the field of application development.
In this reading, you will learn about common threat modeling frameworks that are
used to design software that can withstand attacks. You'll also learn about the growing
need for application security and ways that you can participate.

Why application security matters

Applications have become an essential part of many organizations' success. For example,
web-based applications allow customers from anywhere in the world to connect with
businesses, their partners, and other customers.

Mobile applications have also changed the way people access the digital world.
Smartphones are often the main way that data is exchanged between users and a
business. The volume of data being processed by applications makes securing them a
key to reducing risk for everyone who’s connected.

For example, say an application uses Java-based logging libraries with the Log4Shell
vulnerability (CVE-2021-44228). If it's not patched, this vulnerability can allow
remote code execution that an attacker can use to gain full access to your system from
anywhere in the world. If exploited, a critical vulnerability like this can impact millions
of devices.

Defending the application layer

Defending the application layer requires proper testing to uncover weaknesses that can
lead to risk. Threat modeling is one of the primary ways to ensure that an application
meets security requirements. A DevSecOps team, which stands for development,
security, and operations, usually performs these analyses.

A typical threat modeling process is performed in a cycle:

Define the scope

Identify threats

Characterize the environment

Analyze threats

Mitigate risks

Evaluate findings


Ideally, threat modeling should be performed before, during, and after an application
is developed. However, conducting a thorough software analysis takes time and
resources. Everything from the application's architecture to its business purposes should
be evaluated. As a result, a number of threat-modeling frameworks have been
developed over the years to make the process smoother.

Note: Threat modeling should be incorporated at every stage of the software
development lifecycle, or SDLC.

Common frameworks

When performing threat modeling, there are multiple methods that can be used, such
as:

STRIDE

PASTA

Trike

VAST

Organizations might use any one of these to gather intelligence and make decisions to
improve their security posture. Ultimately, the “right” model depends on the situation
and the types of risks an application might face.

STRIDE

STRIDE is a threat-modeling framework developed by Microsoft. It’s commonly used to
identify vulnerabilities in six specific attack vectors. The acronym represents each of
these vectors: spoofing, tampering, repudiation, information disclosure, denial of
service, and elevation of privilege.
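
As an added illustration (not part of the original reading), the sketch below applies the six STRIDE categories to the elements of a small data flow diagram and then lists the threats that still have no mitigation recorded. The element-to-category chart is the commonly taught "STRIDE-per-element" mapping, and the Element class, the sample system, and the mitigation register are assumptions constructed for this example.

```python
from dataclasses import dataclass

# The six STRIDE categories named in the text above.
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Assumption (not from this reading): the commonly taught STRIDE-per-element
# chart, listing the categories that normally apply to each kind of
# data flow diagram element.
APPLIES = {"external_entity": "SR", "process": "STRIDE",
           "data_flow": "TID", "data_store": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                       # a key of APPLIES
    crosses_boundary: bool = False  # element crosses a trust boundary
    holds_logs: bool = False        # a store of audit logs also faces repudiation


def enumerate_threats(elements):
    """'What can go wrong?': (element, category) pairs, boundary crossings first."""
    pairs = []
    for el in elements:
        if el.kind not in APPLIES:
            raise ValueError(f"unknown element kind: {el.kind!r}")
        letters = APPLIES[el.kind]
        if el.kind == "data_store" and el.holds_logs:
            letters += "R"
        pairs += [(el, STRIDE[c]) for c in letters]
    pairs.sort(key=lambda p: not p[0].crosses_boundary)  # stable: keeps diagram order
    return [(el.name, cat) for el, cat in pairs]


def unaddressed(threats, mitigations):
    """'Have we addressed everything?': threats with no recorded mitigation."""
    return [t for t in threats if not mitigations.get(t)]


# Constructed sample system: the login flow of a small web shop.
SHOP = [Element("Customer", "external_entity"),
        Element("Login request", "data_flow", crosses_boundary=True),
        Element("Web app", "process"),
        Element("Audit log", "data_store", holds_logs=True)]

# Constructed mitigation register kept by the team.
MITIGATIONS = {("Login request", "Tampering"): "TLS on every listener",
               ("Login request", "Information disclosure"): "TLS on every listener",
               ("Customer", "Spoofing"): "MFA at login"}
```

Calling unaddressed(enumerate_threats(SHOP), MITIGATIONS) returns the open items in review order, so the denial-of-service threat on the boundary-crossing login request comes first.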

PASTA

The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat
modeling process developed by two OWASP leaders and supported by a cybersecurity
firm called VerSprite. Its main focus is to discover evidence of viable threats and
represent this information as a model. PASTA's evidence-based design can be applied
when threat modeling an application or the environment that supports that
application. Its seven-stage process consists of various activities that incorporate
relevant security artifacts of the environment, like vulnerability assessment reports.

Trike

Trike is an open source methodology and tool that takes a security-centric approach
to threat modeling. It's commonly used to focus on security permissions, application
use cases, privilege models, and other elements that support a secure environment.

VAST

The Visual, Agile, and Simple Threat (VAST) Modeling framework is part of an
automated threat-modeling platform called ThreatModeler®. Many security teams opt
to use VAST as a way of automating and streamlining their threat modeling
assessments.

Participating in threat modeling

Threat modeling is often performed by experienced security professionals, but it’s
almost never done alone. This is especially true when it comes to securing applications.
Programs are complex systems responsible for handling a lot of data and processing a
variety of commands from users and other systems.

One of the keys to threat modeling is asking the right questions:

What are we working on?

What kinds of things can go wrong?

What are we doing about it?

Have we addressed everything?

Did we do a good job?

It takes time and practice to learn how to work with things like data flow diagrams
and attack trees. However, anyone can learn to be an effective threat modeler.
Regardless of your level of experience, participating in one of these exercises always
starts with simply asking the right questions.

Key takeaways

Glossary terms from week 4

Angler phishing: A technique where attackers impersonate customer service
representatives on social media

Advanced persistent threat (APT): Instances when a threat actor maintains
unauthorized access to a system for an extended period of time

Adware: A type of legitimate software that is sometimes used to display digital
advertisements in applications

Attack tree: A diagram that maps threats to assets

Baiting: A social engineering tactic that tempts people into compromising their
security

Botnet: A collection of computers infected by malware that are under the control of a
single threat actor, known as the “bot-herder”

Cross-site scripting (XSS): An injection attack that inserts code into a vulnerable
website or web application

Cryptojacking: A form of malware that installs software to illegally mine
cryptocurrencies

DOM-based XSS attack: An instance when malicious script exists in the webpage a
browser loads

Dropper: A type of malware that comes packed with malicious code which is delivered
and installed onto a target system

Fileless malware: Malware that does not need to be installed by the user because it uses
legitimate programs that are already installed to infect a computer

Hacker: Any person or group who uses computers to gain unauthorized access to data

Identity and access management (IAM): A collection of processes and technologies that
helps organizations manage digital identities in their environment

Injection attack: Malicious code inserted into a vulnerable application

Input validation: Programming that validates inputs from users and other programs

Intrusion detection system (IDS): An application that monitors system activity and
alerts on possible intrusions

Loader: A type of malware that downloads strains of malicious code from an external
source and installs them onto a target system

Malware: Software designed to harm devices or networks

Process of Attack Simulation and Threat Analysis (PASTA): A popular threat modeling
framework that’s used across many industries

Phishing: The use of digital communications to trick people into revealing sensitive data
or deploying malicious software

Phishing kit: A collection of software tools needed to launch a phishing campaign

Prepared statement: A coding technique that executes SQL statements before passing
them onto the database

Potentially unwanted application (PUA): A type of unwanted software that is bundled
in with legitimate programs which might display ads, cause device slowdown, or install
other software

Quid pro quo: A type of baiting used to trick someone into believing that they’ll be
rewarded in return for sharing access, information, or money

Ransomware: Type of malicious attack where attackers encrypt an organization’s data
and demand payment to restore access

Reflected XSS attack: An instance when malicious script is sent to a server and
activated during the server’s response

Rootkit: Malware that provides remote, administrative access to a computer

Scareware: Malware that employs tactics to frighten users into infecting their device

Smishing: The use of text messages to trick users to obtain sensitive information or to
impersonate a known source

Social engineering: A manipulation technique that exploits human error to gain private
information, access, or valuables

Spear phishing: A malicious email attack targeting a specific user or group of users,
appearing to originate from a trusted source

Spyware: Malware that’s used to gather and sell information without consent

SQL (Structured Query Language): A programming language used to create, interact
with, and request information from a database

SQL injection: An attack that executes unexpected queries on a database

Stored XSS attack: An instance when malicious script is injected directly on the server

Tailgating: A social engineering tactic in which unauthorized people follow an
authorized person into a restricted area

Threat: Any circumstance or event that can negatively impact assets

Threat actor: Any person or group who presents a security risk

Threat modeling: The process of identifying assets, their vulnerabilities, and how each is
exposed to threats

Trojan horse: Malware that looks like a legitimate file or program

Vishing: The exploitation of electronic voice communication to obtain sensitive
information or to impersonate a known source

Watering hole attack: A type of attack when a threat actor compromises a website
frequently visited by a specific group of users

Whaling: A category of spear phishing attempts that are aimed at high-ranking
executives in an organization

Web-based exploits: Malicious code or behavior that’s used to take advantage of coding
flaws in a web application
