05-Security

CONTENTS

[[TOC]]

Security

Key security principles:

• Trust, but verify;
• Stay informed. Stay secure;
• There is no safe, only safer;
• Security is always expensive and inconvenient;
• A breach alone is not a disaster, but mishandling it is;
• Security is a people problem wearing a technical costume;
• Security is not something you can buy, it’s something you do;
• Threat modeling is integral to almost anything a security professional does;
• As cybersecurity leaders, we must craft a message of influence. Security is a culture, not a control;
• There are only two types of companies: those that have been breached and know it, and those that have been breached and don’t know it yet.

Security consists of prevention, detection and response.

NIST CSF (Cybersecurity framework):

> Identify > Protect > Detect > Respond > Recover >

Secure by design

• Security architect should design the system. Everything else will be done by engineers;
• Start from beginning. And not the other way around;
• Security begins from up to bottom, there should be system level of doing things.

> Risk analysis > Policies > Architecture > Implementation > Administration > Audit >

Design principles:

1. Defense in depth: Multi-layered security without single point of failure (SPOF);
2. Least privileges: Right users have right access to right data for right reasons. With yearly rights revision. In hardware settings everything needless should be disabled;
3. Separation in duties: There should be no concentration of power and no corruption (like conflict of interests);
4. KISS (keep it simple stupid): Otherwise users won’t cooperate. Security by obscurity. Secret or complexity doesn’t increase security of a system. In infrastructure configuration implement FOSS principles.

General directions of cybersecurity (CIA triad):

• Confidentiality: Access control and encryption;
• Integrity: Immutability by message authentication codes and digital signatures;
• Availability: DDoS and SYN flood.

The CIA triad is a foundational model that helps inform how organizations consider risk when setting up systems and security policies. CIA stands for confidentiality, integrity, and availability. Confidentiality means that only authorized users can access specific assets or data. For example, strict access controls that define who should and should not have access to data, must be put in place to ensure confidential data remains safe. Integrity means the data is correct, authentic, and reliable. To maintain integrity, security professionals can use a form of data protection like encryption to safeguard data from being tampered with. Availability means data is accessible to those who are authorized to access it. Let’s define a term that came up during our discussion of the CIA triad: asset. An asset is an item perceived as having value to an organization. And value is determined by the cost associated with the asset in question. For example, an application that stores sensitive data, such as social security numbers or bank accounts, is a valuable asset to an organization. It carries more risk and therefore requires tighter security controls in comparison to a website that shares publicly available news content.

specific framework developed by the U.S.-based National Institute of Standards and Technology: the Cybersecurity Framework, also referred to as the NIST CSF. The NIST Cybersecurity Framework is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

How controls, frameworks, and compliance are related

The confidentiality, integrity, and availability (CIA) triad is a model that helps inform how organizations consider risk when setting up systems and security policies. A triangle representing the CIA (confidentiality, integrity, availability) triad

CIA are the three foundational principles used by cybersecurity professionals to establish appropriate controls that mitigate threats, risks, and vulnerabilities.

As you may recall, security controls are safeguards designed to reduce specific security risks. So they are used alongside frameworks to ensure that security goals and processes are implemented correctly and that organizations meet regulatory compliance requirements.

Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy. They have four core components:

Identifying and documenting security goals 

Setting guidelines to achieve security goals 

Implementing strong security processes

Monitoring and communicating results

Compliance is the process of adhering to internal standards and external regulations. Specific controls, frameworks, and compliance

The National Institute of Standards and Technology (NIST) is a U.S.-based agency that develops multiple voluntary compliance frameworks that organizations worldwide can use to help manage risk. The more aligned an organization is with compliance, the lower the risk.

Examples of frameworks include the NIST Cybersecurity Framework (CSF) and the NIST Risk Management Framework (RMF).

Note: Specifications and guidelines can change depending on the type of organization you work for.

In addition to the NIST CSF and NIST RMF

, there are several other controls, frameworks, and compliance standards that are important for security professionals to be familiar with to help keep organizations and the people they serve safe. The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)

FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC. The Federal Risk and Authorization Management Program (FedRAMP®)

FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers. Center for Internet Security (CIS®)

CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs. General Data Protection Regulation (GDPR)

GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach. Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud. The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S. federal law established in 1996 to protect patients’ health information. This law prohibits patient information from being shared without their consent. It is governed by three rules:

Privacy

Security 

Breach notification 

Organizations that store patient data have a legal obligation to inform patients of a breach because if patients’ Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance. International Organization for Standardization (ISO)

ISO was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services. System and Organizations Controls (SOC type 1, SOC type 2)

The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. The SOC1 and SOC2 are a series of reports that focus on an organization’s user access policies at different organizational levels such as:

Associate

Supervisor

Manager

Executive

Vendor 

Others 

They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.

Pro tip: There are a number of regulations that are frequently revised. You are encouraged to keep up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions to research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.

Top 5 things that reduce the cost of a data breach:

• Artificial inteligence (AI);
• DevSecOps approach;
• Incident response (IR);
• Cryptography;
• Employee training.

Prevention:

IAM (directory):

• Administration: Process of giving and revoking rights to users;
• Authentification (who you’re?): Password, MFA, Single Sign-On system (SSO), behavior analysis;
• Authorization (what you allowed to do?): Privileged access management (PAM);
• Audit: User behavior analytics (UBA), user entity behavior analytics (UEBA);
• Federation capability: Ability to use the IAM system in other services.

Endpoint device:

• Holistic white list of supported hardware. Inventory, security policies, monitor usage, mandatory updates, control, encryption, remote wipe, rgequired software, location tracking, disposal.
• Limitations of use and accepted control over personal devices, policies and services.

Network:

• Multilayered firewalls;
• Transparent proxy;
• NAT;
• Segmentation (DMZ);
• VPN: PPTP/L2TP(2), IPSec(3), TLS/SSL(4), SSH(7).
  

App:
DevSecOps is system administrator and security engineer in application development process.

> Code > Build > Test > Release > Deploy > Monitor > Plan >

Software development requirements (by OWASP.org):

• Coding practicing;
• Trusted libs;
• Standard archs;
• Software Bill of Materials (SBOM) is a comprehensive list of all the software components, dependencies, and metadata associated with an application.

Static application security testing (SAST):
“White” box testing is a form of application testing that provides the tester with complete knowledge of the application being tested, including access to source code and design documents. Examples: SonarQube Code Coverage Analysis.
{+ Finds vulnerabilities earlier. +}

Dynamic application security testing (DAST):
“Black” box testing a form of testing that is performed with no knowledge of a system’s internals, can be carried out to evaluate the functionality, security, performance, and other aspects of an application.

Data security:

• Govern:
  • Policy: What’s sensitive;
  • Classification: Categories of sensitive data and how it is going to be secure;
  • Catalog: Structure of storing data;
  • Resilience: Plan how to restore lost data.
• Discover:
  • DB structure: How to look for data;
  • File unstructured: How to find unstructured data;
  • Network: How to find data that was send somewhere;
  • Data loss protection (DLP): How to discover lost data.
• Protect:
  • Encryption: Static and dynamic, at rest and in motion;
  • Key management: Frequent, complex and dynamic, but safe;
  • Quantum Safe Crypto (QSC);
  • Access control: Secure auth method;
  • Backup: Ransomware safe.
• Comply:
  • Report: Regulatory requirements (like GDPR);
  • Retain: How long we should store some types of data.
• Detect:
  • Monitor: Data flow;
  • UAB: Analyze changes in user behavior;
  • Alert: That will lead taking an action and opening a case;
• Respond:
  • Cases: To investigate an issue;
  • Dynamic playbook: Guide to take particular steps and based on results of that take another steps;
  • Orchistration;
  • Automation.

Detection:

Monitoring approaches:

• Security Information and Event Management system (SIEM): log management and network behavior anomaly detection;
  • collect: events, alarms and flow data;
  • correlate: make smaller more managable substance;
  • analize: rules policies, look for anomalies (AI/ML/UBA), trends (reports).
    

{- Works down-to-up -}

• Extended Detection Response (XDR): federated search (particular conditions). There is no need to have a big database prefetched and there won’t be huge traffic flow into the server.
  

{+ Works up-to-down +}.

Hunt:
Investigation is Reaction. Threat hunting is Proaction:

> Experience + Instinct;
    > Hypothesis + Tools (SIEM+XDR);
        > Early detection.

MyDLP: paid data loss prevention tool
OpenDLP: FOSS data loss prevention tool
StaffCounter: time management tool and user activity monitoring software
Kickidler employee monitoring software
СпрутМонитор
Stealthbits

wazuh

Response:

Incident response (IR):

• Manual: Doesn’t scale or truly repeatable;
• Triage: Real attack? Is it serious?;
• Remediate: fix, block, shutdown, patch apply.

Security Orchestration and Automation Response (SOAR): Security Operation Center (SOC) operator use a dynamic playbook (consistent repeatable way of figuring out what the problems are). Dynamic playbooks consist of events, scripts and procedures.

Breach notification:

• Types of data (name, SS#, CC#);
• Geography where it was compromised (nation, state);
• Regulatory requirements to follow (GDPR).

Vulnerabilities

Common Vulnerabilities and Exposures (CVE)
The mission of the CVE is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

CVE is not a vulnerability database. CVE enables the correlation of vulnerability data across tools, databases, and people. This enables two or more people or tools to refer to a vulnerability and know they are referring to the same issue.

CVE is restricted to publicly known vulnerabilities. For a variety of reasons, sharing information is more difficult within the cybersecurity community than it is for hackers. It takes much more work for an organization to protect its networks and fix all possible holes than it takes for a hacker to find a single vulnerability, exploit it, and compromise the network.

CVE helps because it enables rapid data correlation regarding a vulnerability across multiple information sources that are compatible with CVE. For example, if you own a security tool whose reports contain references to CVE IDs, you may then access fix information in a separate database that is compatible with CVE. CVE also provides you with a baseline for evaluating the coverage of your tools. With CVE’s common identifiers, you’ll know exactly what each tool covers allowing you to determine which tools are most effective and appropriate for your organization’s needs.

In addition, if the security advisories your organization receives include CVEs, you can see if your vulnerability scanners check for this threat and then determine whether your intrusion detection system has the appropriate attack signatures to identify attempts to exploit particular vulnerabilities. If you build or maintain systems for customers, the inclusion of CVEs in advisories will help you to directly identify any fixes from the vendors of the commercial software products in those systems (if the vendor fix site is compatible with CVE).

MITRE ATT&CK

MITRE ATT&CK - framework is a knowledge base of tactics and techniques designed for threat hunters, defenders and red teams to help classify attacks, identify attack attribution and objectives, and assess an organization’s risk.
MITTRE ATT&CK Navigator (Matrix):

Key attack methods:

• Defense evasion;
• Exfiltration;
• Privilege escalation;
• Command and control (C2).

Reconnaissance: active scanning; Initial Access: fishing compain by endpoints, email, DNS, humans; Credential Access: use unsecured creadentials to login to another system; Privilege escalation: use more valid account; Collection: exfiltration data to himself; Impact: destroying the data.

Kill chain:

1. Reconnaissance;
2. Weaponization;
3. Delivery;
4. Exploitation;
5. Installation;
6. Command and Control;
7. Actions on Objective.

Command & control (C2): at is core is being able to execute commands on a system that you can control. Usually by using SSH, Telnet, RDP, WinRM or some C2 agents. That is how most BotNets are created.

Listeners (reverse shell) Trojan/backdoors types:

• Long stealth: to create BotNet for DDOS attack in the future;
• Short grunt: to be a part of some actual attack on particular system.
  

C2C consists if technics that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic a normal, expected trafic to avoid detection.

Linux:

Basic security settings:

SSH:

Set up server authentication by authorized keys only:
Copy keys from the server at ~/.ssh/authorized_keys and check that they are working:
At /etc/ssh/sshd_config set parameter PasswordAuthentication to no
Restart SSH server:
sudo systemctl restart sshd.service
*For more safety look to Fail2ban, Crowdsec.

Firewall:

*for Ubuntu:
Add allowed ports, everything else will be blocked.
ufw allow <port>
Examples:
ufw allow 80
ufw allow 443
Restart, update settings and add to autostart.
ufw disable
ufw enable

CVEs:

ASLR (Address Space Layout Randomization):

sysctl -a –pattern 'randomize'
kernel.randomize_va_space = 2

#0 - Disabled
#1 - Conservative randomization
#2 - Full randomization

SUID, SGUID

Kernel Exploits

nCVEs:

in progress

Windows:

CVEs:

Active Directory: NTLM: Top 10 active directory attack methods

nCVEs:

розуміння архітектури, ключових сервісів та типових вразливостей середовища Active Directory (включаючи, але не обмежуючи NTLM, Kerberos, LDAP, LAPS, relay attacks, security descriptors, delegations, trusts, pass-the-hash, UAC bypass тощо)

Tools:

Any.run

Virustotal.com

Intezer.com

List of surveillance tools

List of password recovery tools

Security-exchanced Linux (SELinux):

A system offering mandatory access control. Performance drop is less than 5%.
SELinux {+ allows everything +} on OS level.

Discretionary Access Control (DAC) is identity-based access control. DAC mechanisms will be controlled by user identification such as username and password. DAC is discretionary because the owners can transfer objects or any authenticated information to other users. In simple words, the owner can determine the access privileges.

Mandatory Access Control The operating system in MAC will provide access to the user based on their identities and data. For gaining access, the user has to submit their personal information. It is very secure because the rules and restrictions are imposed by the admin and will be strictly followed. MAC settings and policy management will be established in a secure network and are limited to system administrators.

MAC will stop even if DAC is allowing

SELinux modes:

• Enforcing mode the loaded security policy on the entire system
• Permissive mode acts as if SELinux is enforcing the loaded security policy, including labeling objects and emitting access denial entries in the logs, but it does not actually deny any operations;
• Disabled mode not only does avoid enforcing the policy, it also avoids labeling any persistent objects such as files, making it difficult to enable SELinux in the future. Is strongly discouraged.

Config file location:
/etc/selinux/config
This file controls the state of SELinux on the system.
SELINUX= can take one of these three values:

• enforcing - SELinux security policy is enforced;
  
• permissive - SELinux prints warnings instead of enforcing;
  
• disabled - No SELinux policy is loaded.
  

Example, SELINUX=enforcing

SELINUXTYPE= can take one of three values:

• targeted - the default policy:
  
  • Only targeted processes (there are hundreds) are protected by SELinux;
  • Everything else is unconfirmed.
• minimum - modification of targeted policy.
  
  • Only selected processes are protected;
    
• mls - multi-level/category security custom policies:
  • Can be very complex;
  • Typically used in TLA government organizations.

Example, SELINUXTYPE=targeted

Check SELinux service status:
sestatus
Search for logs changes:
sudo ausearch -m AVC, USER_AVC -ts recent
Set SELinux service mode to enforce:
sudo setenforce 1
Set SELinux service to permissive mode:
sudo setenforce 0

SELinux workds by labeling:

• For files and directories: these labels are stored as extended attributes on the filesystem, user:role:type:level(optional);
• For processors, ports, booleans and etc: the kernel manages thes labels.

Get SELinux boolean value(s):
getsebool -a
Find booleans with “httpd”:
sudo semanage boolean -l | grep httpd
Change boolean parameter:
sudo semanage boolean -m --off httpd_ssi_exec
List the locally customized booleans by adding the -C option:
sudo semanage boolean -l -C
List file context definitions and add more:
sudo semanage fcontext -l | grep sshd
To store the sshd host keys in a separate subdirectory:
sudo semanage fcontext -a -t sshd_key_t '/etc/ssh/keys(/.*)?'
sudo restorecon -r /etc/ssh/keys
View any locally-customized file contexts by adding the -C option:
sudo semanage fcontext -l -C
View the port contexts with:
sudo semanage port -l | grep http
Add a port definition with:
sudo semanage port -a -t http_cache_port_t -p tcp 8010
List any domains currently in permissive mode use:
sudo semanage permissive -l
Place a domain into permissive mode use:
sudo semanage permissive -a squid_t
All of the semanage commands that add or modify the targeted policy configuration store information in *local files under the /etc/selinux/targeted directory tree.

Troubleshooting:

• Install setroubleshoot and setroubleshoot-server: bunch of tools to diagnose and fix SELinux issues. Reboot after install.
• To see everything logged since last reboot:
  journalcontrol -b -0
  

                          SELinux architecture
+-------------------------------------------------+
|  +----------------+     +-----------------+     |
|  | SELinux Policy |  ←  |  Access Vector  |     |
|  | Database       |  →  |  Cache (AVC)    |     |
|  +----------------+     +-----------------+     |
|                                 ↑ ↓             |
|                        +--------------------+   |
|                        | Policy Enforcement |   |    +----------+
|                        | Server (PES)       |-------→| Log file |
|                        +--------------------+   |    +----------+
|                                 ↑ ↓             |  
|                        +---------------------+  |
|  +-----------+         | SELinux Abstraction |  | 
|  | SELinuxFS |         |    & Hook Logic     |  |
|  +-----------+         +---------------------+  | 
|                                 ↑ ↓             |
|                          +-----------------+    |
+--------------------------|      Linux      |----+
Events flow     +-----+    |     security    |
----------------| DAC |---→|      module     |--------→
                +-----+    +-----------------+

Linux AppArmor

Is a Linux Security Module implementation of name-based mandatory access controls. Performance drop is around 0-2%.
AppArmor {- denies everything -} on app level.

AppArmor components:

• Server analyzer: scans ports and determines which applications are listening. This component also detects if an application doesn’t have a profile and if the server needs to confine it;
• Profile generator analyzes an application to create a profile template;
• Optimizer logs and gathers events.

To install the apparmor-profiles package from a terminal prompt:
sudo apt install apparmor-profiles

AppArmor modes of execution:

• Complaining/Learning: profile violations are permitted and logged. Useful for testing and developing new profiles;
• Enforced/Confined: enforces profile policy as well as logging the violation.
  

AppArmor types of rules in a profile:

• Paths determine which files an app or process can access;
• Capabilities specify the privilege that a confined process can use.

View the current status of AppArmor profiles.
sudo apparmor_status Places a profile into complain mode.
sudo aa-complain /bin/ping Places a profile into enforce mode.
sudo aa-enforce /bin/ping

Directory is where the AppArmor profiles are located. It can be used to manipulate the mode of all profiles.
/etc/apparmor.d
The files are named after the full path to the executable they profile replacing the ‘/’ with ‘.’

Place all profiles into complain mode.
sudo aa-complain /etc/apparmor.d/* Place all profiles in enforce mode.
sudo aa-enforce /etc/apparmor.d/* Reload disabled profile.
sudo apparmor_parser -r /etc/apparmor.d/bin.ping Reload all profiles.
sudo systemctl reload apparmor.service
To disable a profile.
sudo ln -s /etc/apparmor.d/bin.ping /etc/apparmor.d/disable/
sudo apparmor_parser -R /etc/apparmor.d/bin.ping Re-enable a disabled profile:
sudo rm /etc/apparmor.d/disable/bin.ping
cat /etc/apparmor.d/bin.ping | sudo apparmor_parser -a

Two type of rules used in profiles:

• Path entries: detail which files an application can access in the file system;
• Capability entries: determine what privileges a confined process is allowed to use.

cat /etc/apparmor.d/bin.ping:

#include <tunables/global>
/bin/ping flags=(complain) {
  #include <abstractions/base>
  #include <abstractions/consoles>
  #include <abstractions/nameservice>

  capability net_raw,
  capability setuid,
  network inet raw,
  
  /bin/ping mixr,
  /etc/modules.conf r,
}

#include <tunables/global>: include statements from other files. This allows statements pertaining to multiple applications to be placed in a common file.
/bin/ping flags=(complain): path to the profiled program, also setting the mode to complain.
capability net_raw: allows the application access to the CAP_NET_RAW Posix.1e capability.
/bin/ping mixr: allows the application read and execute access to the file.

Note: After editing a profile file the profile must be reloaded.

Creating a profile:
sudo aa-genprof ping

sudo aa-logprof

Confidentiality is controlling who can see the data. Records openly accessible and open the the public are breaches of confidentiality. Integrity is protecting against unauthorized changes. Wrong or incorrect data entered by an unauthorized attacker would be an attack against integrity. Availability is having systems and data accessible to authorized users. Missing, offline, or unavailable information represent an attack against availability.

onfidentiality: Keeping sensitive information secret and disclosing it only to those who are authorized. This is akin to patient-doctor confidentiality but on a digital scale, employing encryption, access controls, and secure communication channels to maintain secrecy. Integrity: Ensuring that information remains accurate and uncorrupted throughout its life cycle. Just as a patient’s health record must be precise and up-to-date, InfoSec practices like checksumschecksums A checksum is a value used to verify the integrity of a file or a data transfer. It is typically generated by an algorithm that processes the contents of a file or data packet and produces a short, fixed-size value (the checksum) that represents the content. , hashinghashing Hashing is a process that transforms input data (or ‘message’) of any size into a fixed-size string of characters. The output (the hash value) usually appears as a seemingly random sequence of characters. This transformation is performed by a hash function. , and audit trailsaudit trails An audit trail is a record, sometimes called a log file, that shows who has accessed a computer system and what operations they performed during a given period of time. Audit trails are useful both for maintaining security and for recovering lost transactions. help preserve the trustworthiness of data. Availability: Making sure that information is accessible to authorized users whenever it is needed. In healthcare, this could mean the difference between life and death, so systems must be resilient to attacks and failures, with backups and disaster recovery plans ready to activate.

Risk is a measure of impact and likelihood. Impact refers to the potential consequences or extent of damage that could occur if a particular threat or vulnerability is realized. This can include a variety of negative outcomes such as: Financial Loss: Costs associated with data breaches, system downtime, or recovery efforts Reputational Damage: Loss of customer trust and damage to the organization’s brand Operational Disruption: Interruption of business processes and services Legal and Regulatory Consequences: Fines, penalties, and legal actions resulting from non-compliance with laws and regulations Loss of Data Integrity: Unauthorized alterations to data, leading to incorrect or misleading information Loss of Data Availability: Inability to access critical data when needed, affecting business operations Breach of data confidentiality: Unauthorized access to sensitive information Impact is a critical component of risk assessment as it helps organizations understand the severity of potential threats and prioritize their security measures accordingly. Likelihood refers to the probability or chance that a specific threat or vulnerability will be realized. Likelihood is primarily determined by threats and vulnerabilities. Threats: The presence and activity level of potential threats, such as hackers, malware, or natural disasters Vulnerabilities: Weaknesses in the system, network, or processes that could be exploited by threats Likelihood is a key component of risk assessment because it helps organizations gauge the probability of different risk events, further refining priorities.

https://www.linkedin.com/posts/cyberpress-org_cybersecurity-ecosystem-credits-francis-activity-7248649102425501696-TlxC

in progress..

Cybersecurity, or security, is the practice of ensuring confidentiality, integrity, and availability of information by protecting networks, devices, people, and data from unauthorized access or criminal exploitation.

Most of cybersecurity work is going to be learned on the job in the specific environment that you’re protecting.

Draw: Cybersecurity Analyst > more operation work (detecting the threats) Cybersecurity Engineer > more project work (creating new tools to detect threats)

A playbook is a list of how to go through a certain detection, and what the analyst needs to look at in order to investigate those incidents.

Compliance is the process of adhering to internal standards and external regulations and enables organizations to avoid fines and security breaches.

Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy.

Security controls are safeguards designed to reduce specific security risks. They are used with security frameworks to establish a strong security posture.

Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. A strong security posture leads to lower risk for the organization.

A threat actor, or malicious attacker, is any person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.

An internal threat can be a current or former employee, an external vendor, or a trusted partner who poses a security risk. At times, an internal threat is accidental. For example, an employee who accidentally clicks on a malicious email link would be considered an accidental threat. Other times, the internal threat actor intentionally engages in risky activities, such as unauthorized data access.

Network security is the practice of keeping an organization’s network infrastructure secure from unauthorized access. This includes data, services, systems, and devices that are stored in an organization’s network.

Cloud security is the process of ensuring that assets stored in the cloud are properly configured, or set up correctly, and access to those assets is limited to authorized users. The cloud is a network made up of a collection of servers or computers that store resources and data in remote physical locations known as data centers that can be accessed via the internet. Cloud security is a growing subfield of cybersecurity that specifically focuses on the protection of data, applications, and infrastructure in the cloud.

Programming is a process that can be used to create a specific set of instructions for a computer to execute tasks. These tasks can include:

Automation of repetitive tasks (e.g., searching a list of malicious domains)

Reviewing web traffic 

Alerting suspicious activity

Cybersecurity (or security): The practice of ensuring confidentiality, integrity, and availability of information by protecting networks, devices, people, and data from unauthorized access or criminal exploitation

Cloud security: The process of ensuring that assets stored in the cloud are properly configured and access to those assets is limited to authorized users

Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk

Network security: The practice of keeping an organization’s network infrastructure secure from unauthorized access

Personally identifiable information (PII): Any information used to infer an individual’s identity

Security posture: An organization’s ability to manage its defense of critical assets and data and react to change

Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling guidelines

Technical skills: Skills that require knowledge of specific tools, procedures, and policies

Threat: Any circumstance or event that can negatively impact assets

Threat actor: Any person or group who presents a security risk

Transferable skills: Skills from other areas that can apply to different careers )

A computer virus is malicious code written to interfere with computer operations and cause damage to data and software. The virus attaches itself to programs or documents on a computer, then spreads and infects one or more computers in a network. Today, viruses are more commonly referred to as malware, which is software designed to harm devices or networks.

Phishing

Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.

Some of the most common types of phishing attacks today include:

Business Email Compromise (BEC): A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.

Spear phishing: A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.

Whaling: A form of spear phishing. Threat actors target company executives to gain access to sensitive data.

Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.

Smishing: The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.

Malware

Malware is software designed to harm devices or networks. There are many types of malware. The primary purpose of malware is to obtain money, or in some cases, an intelligence advantage that can be used against a person, an organization, or a territory.

Some of the most common types of malware attacks today include:

Viruses: Malicious code written to interfere with computer operations and cause damage to data and software. A virus needs to be initiated by a user (i.e., a threat actor), who transmits the virus via a malicious attachment or file download. When someone opens the malicious attachment or download, the virus hides itself in other files in the now infected system. When the infected files are opened, it allows the virus to insert its own code to damage and/or destroy data in the system.

Worms: Malware that can duplicate and spread itself across systems on its own. In contrast to a virus, a worm does not need to be downloaded by a user. Instead, it self-replicates and spreads from an already infected computer to other devices on the same network.

Ransomware: A malicious attack where threat actors encrypt an organization's data and demand payment to restore access. 

Spyware: Malware that’s used to gather and sell information without consent. Spyware can be used to access devices. This allows threat actors to collect personal data, such as private emails, texts, voice and image recordings, and locations.

Social Engineering

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Human error is usually a result of trusting someone without question. It’s the mission of a threat actor, acting as a social engineer, to create an environment of false trust and lies to exploit as many people as possible.

Some of the most common types of social engineering attacks today include:

Social media phishing: A threat actor collects detailed information about their target from social media sites. Then, they initiate an attack.

Watering hole attack: A threat actor attacks a website frequently visited by a specific group of users.

USB baiting: A threat actor strategically leaves a malware USB stick for an employee to find and install, to unknowingly infect a network. 

Physical social engineering: A threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location.

Social engineering principles

Social engineering is incredibly effective. This is because people are generally trusting and conditioned to respect authority. The number of social engineering attacks is increasing with every new social media application that allows public access to people’s data. Although sharing personal data—such as your location or photos—can be convenient, it’s also a risk.

Reasons why social engineering attacks are effective include:

Authority: Threat actors impersonate individuals with power. This is because people, in general, have been conditioned to respect and follow authority figures. 

Intimidation: Threat actors use bullying tactics. This includes persuading and intimidating victims into doing what they’re told. 

Consensus/Social proof: Because people sometimes do things that they believe many others are doing, threat actors use others’ trust to pretend they are legitimate. For example, a threat actor might try to gain access to private data by telling an employee that other people at the company have given them access to that data in the past. 

Scarcity: A tactic used to imply that goods or services are in limited supply. 

Familiarity: Threat actors establish a fake emotional connection with users that can be exploited.  

Trust: Threat actors establish an emotional relationship with users that can be exploited over time. They use this relationship to develop trust and gain personal information.

Urgency: A threat actor persuades others to respond quickly and without questioning.

the eight CISSP security domains As the tactics of threat actors evolve, so do the roles of security professionals. Having a solid understanding of core security concepts will support your growth in this field. One way to better understand these core concepts is by organizing them into categories, called security domains. As of 2022, CISSP has defined eight domains to organize the work of security professionals. It’s important to understand that these domains are related and that gaps in one domain can result in negative consequences to an entire organization. It’s also important to understand the domains because it may help you better understand your career goals and your role within an organization. As you learn more about the elements of each domain, the work involved in one may appeal to you more than the others. This domain may become a career path for you to explore further. CISSP defines eight domains in total, and we’ll discuss all eight between this video and the next. In this video, we’re going to cover the first four: security and risk management, asset security, security architecture and engineering, and communication and network security. Let’s start with the first domain, security and risk management. Security and risk management focuses on defining security goals and objectives, risk mitigation, compliance, business continuity, and the law. For example, security analysts may need to update company policies related to private health information if a change is made to a federal compliance regulation such as the Health Insurance Portability and Accountability Act, also known as HIPAA. The second domain is asset security. This domain focuses on securing digital and physical assets. It’s also related to the storage, maintenance, retention, and destruction of data. When working with this domain, security analysts may be tasked with making sure that old equipment is properly disposed of and destroyed, including any type of confidential information. The third domain is security architecture and engineering. This domain focuses on optimizing data security by ensuring effective tools, systems, and processes are in place. As a security analyst, you may be tasked with configuring a firewall. A firewall is a device used to monitor and filter incoming and outgoing computer network traffic. Setting up a firewall correctly helps prevent attacks that could affect productivity. The fourth security domain is communication and network security. This domain focuses on managing and securing physical networks and wireless communications. As a security analyst, you may be asked to analyze user behavior within your organization. Imagine discovering that users are connecting to unsecured wireless hotspots. This could leave the organization and its employees vulnerable to attacks. To ensure communications are secure, you would create a network policy to prevent and mitigate exposure. Maintaining an organization’s security is a team effort, and there are many moving parts. As an entry-level analyst, you will continue to develop your skills by learning how to mitigate risks to keep people and data safe. You don’t need to be an expert in all domains. But, having a basic understanding of them will aid you in your journey as a security professional. You’re doing great! We have just introduced the first four security domains, and in the next video, we’ll discuss four more! See you soon!

Welcome back. In the last video, we introduced you to the first four security domains. In this video, we’ll introduce you to the next four security domains: identity and access management, security assessment and testing, security operations, and software development security. Familiarizing yourself with these domains will allow you to navigate the complex world of security. The domains outline and organize how a team of security professionals work together. Depending on the organization, analyst roles may sit at the intersection of multiple domains or focus on one specific domain. Knowing where a particular role fits within the security landscape will help you prepare for job interviews and work as part of a full security team. Let’s move into the fifth domain: identity and access management. Identity and access management focuses on keeping data secure, by ensuring users follow established policies to control and manage physical assets, like office spaces, and logical assets, such as networks and applications. Validating the identities of employees and documenting access roles are essential to maintaining the organization’s physical and digital security. For example, as a security analyst, you may be tasked with setting up employees’ keycard access to buildings. The sixth domain is security assessment and testing. This domain focuses on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities. Security analysts may conduct regular audits of user permissions, to make sure that users have the correct level of access. For example, access to payroll information is often limited to certain employees, so analysts may be asked to regularly audit permissions to ensure that no unauthorized person can view employee salaries. The seventh domain is security operations. This domain focuses on conducting investigations and implementing preventative measures. Imagine that you, as a security analyst, receive an alert that an unknown device has been connected to your internal network. You would need to follow the organization’s policies and procedures to quickly stop the potential threat. The final, eighth domain is software development security. This domain focuses on using secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services. A security analyst may work with software development teams to ensure security practices are incorporated into the software development life-cycle. If, for example, one of your partner teams is creating a new mobile app, then you may be asked to advise on the password policies or ensure that any user data is properly secured and managed. That ends our introduction to CISSP’s eight security domains. Challenge yourself to better understand each of these domains and how they affect the overall security of an organization. While they may still be a bit unclear to you this early in the program, these domains will be discussed in greater detail in the next course. See you there!

Attack types Password attack

A password attack is an attempt to access password-secured devices, systems, networks, or data. Some forms of password attacks that you’ll learn about later in the certificate program are:

Brute force

Rainbow table

Password attacks fall under the communication and network security domain. Social engineering attack

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Some forms of social engineering attacks that you will continue to learn about throughout the program are:

Phishing

Smishing

Vishing

Spear phishing

Whaling

Social media phishing

Business Email Compromise (BEC)

Watering hole attack

USB (Universal Serial Bus) baiting

Physical social engineering 

Social engineering attacks are related to the security and risk management domain. Physical attack

A physical attack is a security incident that affects not only digital but also physical environments where the incident is deployed. Some forms of physical attacks are:

Malicious USB cable

Malicious flash drive

Card cloning and skimming

Physical attacks fall under the asset security domain. Adversarial artificial intelligence

Adversarial artificial intelligence is a technique that manipulates artificial intelligence and machine learning

technology to conduct attacks more efficiently. Adversarial artificial intelligence falls under both the communication and network security and the identity and access management domains. Supply-chain attack

A supply-chain attack targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed. Because every item sold undergoes a process that involves third parties, this means that the security breach can occur at any point in the supply chain. These attacks are costly because they can affect multiple organizations and the individuals who work for them. Supply-chain attacks can fall under several domains, including but not limited to the security and risk management, security architecture and engineering, and security operations domains. Cryptographic attack

A cryptographic attack affects secure forms of communication between a sender and intended recipient. Some forms of cryptographic attacks are:

Birthday

Collision

Downgrade

Cryptographic attacks fall under the communication and network security domain.

cybersecurity birthday attack

Adversarial artificial intelligence (AI): A technique that manipulates artificial intelligence (AI) and machine learning (ML) technology to conduct attacks more efficiently

Business Email Compromise (BEC): A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage

CISSP: Certified Information Systems Security Professional is a globally recognized and highly sought-after information security certification, awarded by the International Information Systems Security Certification Consortium

Computer virus: Malicious code written to interfere with computer operations and cause damage to data and software

Cryptographic attack: An attack that affects secure forms of communication between a sender and intended recipient

Hacker: Any person who uses computers to gain access to computer systems, networks, or data

Malware: Software designed to harm devices or networks

Password attack: An attempt to access password secured devices, systems, networks, or data

Phishing: The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Physical attack: A security incident that affects not only digital but also physical environments where the incident is deployed

Physical social engineering: An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location

Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables

Social media phishing: A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack

Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Supply-chain attack: An attack that targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed

USB baiting: An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network

Virus: refer to “computer virus”

Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Watering hole attack: A type of attack when a threat actor compromises a website frequently visited by a specific group of users

Threat actor types Advanced persistent threats

Advanced persistent threats (APTs) have significant expertise accessing an organization’s network without authorization. APTs tend to research their targets (e.g., large corporations or government entities) in advance and can remain undetected for an extended period of time. Their intentions and motivations can include:

Damaging critical infrastructure, such as the power grid and natural resources

Gaining access to intellectual property, such as trade secrets or patents

Insider threats

Insider threats abuse their authorized access to obtain data that may harm an organization. Their intentions and motivations can include:

Sabotage

Corruption

Espionage

Unauthorized data access or leaks 

Hacktivists

Hacktivists are threat actors that are driven by a political agenda. They abuse digital technology to accomplish their goals, which may include:

Demonstrations

Propaganda

Social change campaigns

Fame

Hacker types Six hackers on computers.

A hacker is any person who uses computers to gain access to computer systems, networks, or data. They can be beginner or advanced technology professionals who use their skills for a variety of reasons. There are three main categories of hackers:

Authorized hackers are also called ethical hackers. They follow a code of ethics and adhere to the law to conduct organizational risk evaluations. They are motivated to safeguard people and organizations from malicious threat actors.

Semi-authorized hackers are considered researchers. They search for vulnerabilities but don’t take advantage of the vulnerabilities they find.

Unauthorized hackers are also called unethical hackers. They are malicious threat actors who do not follow or respect the law. Their goal is to collect and sell confidential data for financial gain. 

Note: There are multiple hacker types that fall into one or more of these three categories.

New and unskilled threat actors have various goals, including:

To learn and enhance their hacking skills

To seek revenge

To exploit security weaknesses by using existing malware, programming scripts, and other tactics 

Other types of hackers are not motivated by any particular agenda other than completing the job they were contracted to do. These types of hackers can be considered unethical or ethical hackers. They have been known to work on both illegal and legal tasks for pay.

There are also hackers who consider themselves vigilantes. Their main goal is to protect the world from unethical hackers.

Ethical principles and methodologies

Because counterattacks are generally disapproved of or illegal, the security realm has created frameworks and controls—such as the confidentiality, integrity, and availability (CIA) triad and others discussed earlier in the program—to address issues of confidentiality, privacy protections, and laws. To better understand the relationship between these issues and the ethical obligations of cybersecurity professionals, review the following key concepts as they relate to using ethics to protect organizations and the people they serve.

Confidentiality means that only authorized users can access specific assets or data. Confidentiality as it relates to professional ethics means that there needs to be a high level of respect for privacy to safeguard private assets and data.

Privacy protection means safeguarding personal information from unauthorized use. Personally identifiable information (PII) and sensitive personally identifiable information (SPII) are types of personal data that can cause people harm if they are stolen. PII data is any information used to infer an individual’s identity, like their name and phone number. SPII data is a specific type of PII that falls under stricter handling guidelines, including social security numbers and credit card numbers. To effectively safeguard PII and SPII data, security professionals hold an ethical obligation to secure private information, identify security vulnerabilities, manage organizational risks, and align security with business goals.

Laws are rules that are recognized by a community and enforced by a governing entity. As a security professional, you will have an ethical obligation to protect your organization, its internal infrastructure, and the people involved with the organization. To do this:

You must remain unbiased and conduct your work honestly, responsibly, and with the highest respect for the law. 

Be transparent and just, and rely on evidence.

Ensure that you are consistently invested in the work you are doing, so you can appropriately and ethically address issues that arise. 

Stay informed and strive to advance your skills, so you can contribute to the betterment of the cyber landscape. 

As an example, consider the Health Insurance Portability and Accountability Act (HIPAA), which is a U.S. federal law established to protect patients’ health information, also known as PHI, or protected health information. This law prohibits patient information from being shared without their consent. So, as a security professional, you might help ensure that the organization you work for adheres to both its legal and ethical obligation to inform patients of a breach if their health care data is exposed.

When you’re faced with one of these difficult decisions, it’s good to think about what would be the consequences of your decision.

It’s all about procedures, not personal relationships.

Security is like preparing for a storm. If you identify a leak, the color or shape of the bucket you use to catch the water doesn’t matter. What is important is mitigating the risks and threats to your home, by using the tools available to you.

Asset: An item perceived as having value to an organization

Availability: The idea that data is accessible to those who are authorized to access it

Compliance: The process of adhering to internal standards and external regulations

Confidentiality: The idea that only authorized users can access specific assets or data

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies

Hacktivist: A person who uses hacking to achieve a political goal

Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law established to protect patients’ health information

Integrity: The idea that the data is correct, authentic, and reliable

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Privacy protection: The act of safeguarding personal information from unauthorized use

Protected health information (PHI): Information that relates to the past, present, or future physical or mental health or condition of an individual

Security architecture: A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats

Security controls: Safeguards designed to reduce specific security risks

Security ethics: Guidelines for making appropriate decisions as a security professional

Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy

Security governance: Practices that help support, define, and direct security efforts of an organization

Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling guidelines

Security information and event management (SIEM) tools

A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. A log is a record of events that occur within an organization’s systems. Depending on the amount of data you’re working with, it could take hours or days to filter through log data on your own. SIEM tools reduce the amount of data an analyst must review by providing alerts for specific types of threats, risks, and vulnerabilities.

SIEM tools provide a series of dashboards that visually organize data into categories, allowing users to select the data they wish to analyze. Different SIEM tools have different dashboard types that display the information you have access to.

SIEM tools also come with different hosting options, including on-premise and cloud. Organizations may choose one hosting option over another based on a security team member’s expertise. For example, because a cloud-hosted version tends to be easier to set up, use, and maintain than an on-premise version, a less experienced security team may choose this option for their organization. Network protocol analyzers (packet sniffers)

A network protocol analyzer, also known as a packet sniffer, is a tool designed to capture and analyze data traffic in a network. This means that the tool keeps a record of all the data that a computer within an organization’s network encounters. Later in the program, you’ll have an opportunity to practice using some common network protocol analyzer (packet sniffer) tools. Playbooks

A playbook is a manual that provides details about any operational action, such as how to respond to a security incident. Organizations usually have multiple playbooks documenting processes and procedures for their teams to follow. Playbooks vary from one organization to the next, but they all have a similar purpose: To guide analysts through a series of steps to complete specific security-related tasks.

For example, consider the following scenario: You are working as a security analyst for an incident response firm. You are given a case involving a small medical practice that has suffered a security breach. Your job is to help with the forensic investigation and provide evidence to a cybersecurity insurance company. They will then use your investigative findings to determine whether the medical practice will receive their insurance payout.

In this scenario, playbooks would outline the specific actions you need to take to conduct the investigation. Playbooks also help ensure that you are following proper protocols and procedures. When working on a forensic case, there are two playbooks you might follow:

The first type of playbook you might consult is called the chain of custody playbook. Chain of custody is the process of documenting evidence possession and control during an incident lifecycle. As a security analyst involved in a forensic analysis, you will work with the computer data that was breached. You and the forensic team will also need to document who, what, where, and why you have the collected evidence. The evidence is your responsibility while it is in your possession. Evidence must be kept safe and tracked. Every time evidence is moved, it should be reported. This allows all parties involved to know exactly where the evidence is at all times.

The second playbook your team might use is called the protecting and preserving evidence playbook. Protecting and preserving evidence is the process of properly working with fragile and volatile digital evidence. As a security analyst, understanding what fragile and volatile digital evidence is, along with why there is a procedure, is critical. As you follow this playbook, you will consult the order of volatility, which is a sequence outlining the order of data that must be preserved from first to last. It prioritizes volatile data, which is data that may be lost if the device in question powers off, regardless of the reason. While conducting an investigation, improper management of digital evidence can compromise and alter that evidence. When evidence is improperly managed during an investigation, it can no longer be used. For this reason, the first priority in any investigation is to properly preserve the data. You can preserve the data by making copies and conducting your investigation using those copies.

Antivirus software: A software program used to prevent, detect, and eliminate malware and viruses

Database: An organized collection of information or data

Data point: A specific piece of information

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

Linux: An open-source operating system

Log: A record of events that occur within an organization’s systems

Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic within a network

Order of volatility: A sequence outlining the order of data that must be preserved from first to last

Programming: A process that can be used to create a specific set of instructions for a computer to execute tasks

Protecting and preserving evidence: The process of properly working with fragile and volatile digital evidence

Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization

SQL (Structured Query Language): A query language used to create, interact with, and request information from a database

https://www.youtube.com/playlist?list=PL590L5WQmH8dsxxz7ooJAgmijwOz0lh2H

Public vs. private keys

In a rapidly evolving world of technology, it is more critical than ever to establish security policies throughout an organization that safeguard valuable information and data assets. Asymmetric cryptography relies on public and private keys as its core building blocks to maintain data security and confidentiality in the face of dangers. However, to enable organizations to make wise decisions that will protect online interactions and information, it is important that we understand when public and private keys are used and how to do so effectively. What is a public key?

A public key is frequently employed to establish secure communication through data encryption or to validate the authenticity of a digital signature. Safety is ensured because the public key comes from a trusted certificate authority, which gives digital certificates verifying the owner’s identity and key. Public keys are created through an asymmetric algorithm that conducts several operations on a pair of connected keys before being transmitted over the internet. What is a private key?

A private key is a secret and secure key that must be kept confidential and protected. Its role involves decryption and the creation of digital signatures, assuring the data’s integrity and authenticity. It is the counterpart of the public key and is shared to decrypt encoded information. Any data encrypted using the private key can be decrypted using the corresponding public key. How do public and private keys work together?

Public and private keys work together to ensure secure communication, data encryption, digital signatures, and key exchanges take place safely across various communication channels. This process encompasses:

Key generation: A public and private key is generated for both the sender and receiver.

Key exchange: The public keys are exchanged between sender and receiver.

Encryption: The sender encrypts their data using the recipient's public key.

Transmitting encrypted data: The encrypted data is transmitted to the recipient.

Decryption: The recipient decrypts the message using their exclusive private key.

Key takeaway

In summary, although public and private keys are distinct, they work together to create a powerful and flexible foundation for achieving data security, confidentiality, integrity, and authentication in a wide range of digital settings.

Brute force attacks and OS hardening

In this reading, you’ll learn about brute force attacks. You’ll consider how vulnerabilities can be assessed using virtual machines and sandboxes, and learn ways to prevent brute force attacks using a combination of authentication measures. Implementing various OS hardening tasks can help prevent brute force attacks. An attacker can use a brute force attack to gain access and compromise a network.

Usernames and passwords are among the most common and important security controls in place today. They are used and enforced on everything that stores or accesses sensitive or private information, like personal phones, computers, and restricted applications within an organization. However, a major issue with relying on login credentials as a critical line of defense is that they’re vulnerable to being stolen and guessed by malicious actors. Brute force attacks

A brute force attack is a trial-and-error process of discovering private information. There are different types of brute force attacks that malicious actors use to guess passwords, including:

Simple brute force attacks. When attackers try to guess a user's login credentials, it’s considered a simple brute force attack. They might do this by entering any combination of usernames and passwords that they can think of until they find the one that works.

    Dictionary attacks use a similar technique. In dictionary attacks, attackers use a list of commonly used passwords and stolen credentials from previous breaches to access a system. These are called “dictionary” attacks because attackers originally used a list of words from the dictionary to guess the passwords, before complex password rules became a common security practice. 

    Using brute force to access a system can be a tedious and time consuming process, especially when it’s done manually. There are a range of tools attackers use to conduct their attacks. 
    Assessing vulnerabilities

    Before a brute force attack or other cybersecurity incident occurs, companies can run a series of tests on their network or web applications to assess vulnerabilities. Analysts can use virtual machines and sandboxes to test suspicious files, check for vulnerabilities before an event occurs, or to simulate a cybersecurity incident.
    Virtual machines (VMs)

    Virtual machines (VMs) are software versions of physical computers. VMs provide an additional layer of security for an organization because they can be used to run code in an isolated environment, preventing malicious code from affecting the rest of the computer or system. VMs can also be deleted and replaced by a pristine image after testing malware. 

    VMs are useful when investigating potentially infected machines or running malware in a constrained environment. Using a VM may prevent damage to your system in the event its tools are used improperly. VMs also give you the ability to revert to a previous state. However, there are still some risks involved with VMs. There’s still a small risk that a malicious program can escape virtualization and access the host machine. 

    You can test and explore applications easily with VMs, and it’s easy to switch between different VMs from your computer. This can also help in streamlining many security tasks.
    Sandbox environments

    A sandbox is a type of testing environment that allows you to execute software or programs separate from your network. They are commonly used for testing patches, identifying and addressing bugs, or detecting cybersecurity vulnerabilities. Sandboxes can also be used to evaluate suspicious software, evaluate files containing malicious code, and simulate attack scenarios. 

    Sandboxes can be stand-alone physical computers that are not connected to a network; however, it is often more time- and cost-effective to use software or cloud-based virtual machines as sandbox environments. Note that some malware authors know how to write code to detect if the malware is executed in a VM or sandbox environment. Attackers can program their malware to behave as harmless software when run inside these types of  testing environments. 
    Prevention measures

    Some common measures organizations use to prevent brute force attacks and similar attacks from occurring include: 

        Salting and hashing: Hashing converts information into a unique value that can then be used to determine its integrity. It is a one-way function, meaning it is impossible to decrypt and obtain the original text. Salting adds random characters to hashed passwords. This increases the length and complexity of hash values, making them more secure.

            Multi-factor authentication (MFA) and two-factor authentication (2FA): MFA is a security measure which requires a user to verify their identity in two or more ways to access a system or network. This verification happens using a combination of authentication factors: a username and password, fingerprints, facial recognition, or a one-time password (OTP) sent to a phone number or email. 2FA is similar to MFA, except it uses only two forms of verification.

                CAPTCHA and reCAPTCHA: CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It asks users to complete a simple test that proves they are human. This helps prevent software from trying to brute force a password. reCAPTCHA is a free CAPTCHA service from Google that helps protect websites from bots and malicious software.

                    Password policies: Organizations use password policies to standardize good password practices throughout the business. Policies can include guidelines on how complex a password should be, how often users need to update passwords, whether passwords can be reused or not, and if there are limits to how many times a user can attempt to log in before their account is suspended.

Recommend one remediation for brute force attacks

After documenting the incident, write one recommendation to help your organization prevent brute force attacks in the future.

Some of the common security methods used to prevent brute force attacks include:

Requiring strong passwords

    Enforcing two-factor authentication (2FA)

        Monitoring login attempts

            Requiring more frequent password changes

                Disallowing previous passwords from being used

                    Limiting the number of login attempts

How to read the tcpdump log https://docs.google.com/document/d/1zuVm_KixJqoHxrMefsxG0bi1tB6RYBQsXkPHIWxdRag/template/preview#heading=h.shz1bcdh2tm3

Apply OS hardening techniques Section 1: Identify the network protocol involved in the incident The protocol involved in the incident is the Hypertext transfer protocol (HTTP). Since the issue was with accessing the web server for yummyrecipesforme.com, we know that requests to web servers for web pages involve http traffic. Also, when we ran tcpdump and accessed the yummyrecipesforme.com website the corresponding tcpdump log file showed the usage of the http protocol when contacting the . The malicious file is observed being transported to the users’ computers using the HTTP protocol at the application layer.

The primary goal of this activity was to identify the network protocol used in the incident. The first line of the report announces the answer to that step. The protocol involved was determined by using information presented in the scenario, the DNS & HTTP log, and the knowledge you have learned about the TCP/IP model in this course:

● The tcpdump log shows a request is sent to the DNS server to resolve the IP address for the yummyrecipesforme.com URL. The DNS server replies with the correct IP address. The browser uses this to direct users to the correct website. ● The scenario states that when the website loads, a function on the website prompts users to download a file to access free recipes. Both the scenario and the logs indicate this activity occurs over the HTTP protocol, which you previously learned is part of the application layer of the TCP/IP model. Please review the article “How to read the tcpdump traffic log” linked in Step 2 of the activity for an explanation of the evidence found in the log. ● After the user downloads and runs the file, the logs show that the user’s browser sends a new request to the DNS server to retrieve the IP address for a different URL: greatrecipesforme.com. The DNS server sends the IP address to the users’ browser and the users are redirected to this new website over HTTP.

Section 2: Document the incident Several customers contacted the website’s helpdesk stating that when they visited the website, they were prompted to download and run a file that contained access to new recipes. Their personal computers have been operating slowly ever since. The website owner tried logging into the web server but noticed they were locked out of their account.

The cybersecurity analyst used a sandbox environment to open the website without impacting the company network. Then, the analyst ran tcpdump to capture the network traffic packets produced by interacting with the website. The analyst was prompted to download a file claiming it would provide access to free recipes, accepted the download and ran it. The browser then redirected the analyst to a fake website (greatrecipesforme.com).

The cybersecurity analyst inspected the tcpdump log and observed that the browser initially requested the IP address for the yummyrecipesforme.com website. Once the connection with the website was established over the HTTP protocol, the analyst recalled downloading and executing the file. The logs showed a sudden change in network traffic as the browser requested a new IP address for the greatrecipesforme.com URL. The network traffic was then rerouted to the new IP address for the greatrecipesforme.com website.

The senior cybersecurity professional analyzed the source code for the websites and the downloaded file. The analyst discovered that an attacker had manipulated the website to add code that prompted the users to download a malicious file disguised as a browser update. Since the website owner stated that they had been locked out of their administrator account, the team believes the attacker used a brute force attack to access the account and change the admin password. The execution of the malicious file compromised the end users’ computers.

Section 2 of the report should contain your interpretation of the log file and the Scenario section in the activity. You should have connected these events to what you have learned in the course to help you describe the investigation and analysis process. Note that it is a common practice for report writing to refer to all people involved in the third person (e.g., “the cybersecurity analyst” or “they”), even when you are the cybersecurity analyst describing actions you performed.

1. The first paragraph summarizes the events and problems identified when the incident was first reported. This information can be found at the beginning of the scenario.
2. The second paragraph describes the testing activities involved in investigating this event. This information is also provided in the scenario section. You should have summarized these activities in your own words.
3. The third paragraph describes the analysis work. This information is available in the scenario and the log file. The article “How to read the tcpdump traffic log” is available in Step 2 of the activity to help you interpret the log file.
4. The final paragraph adds what the senior cybersecurity analyst and the incident management team concluded about the root cause of the attack.

Section 3: Recommend one or more remediations for brute force attacks One security measure the team plans to implement to protect against brute force attacks is to disallow previous passwords from being used. Since the vulnerability that lead to this attack was the attacker’s ability to use a default password to log in, it’s important that we prevent any old passwords such as default passwords from being used to reset the password. Another supportive measure is to require more frequent password updates, so in case any unauthorized person becomes aware of the password, they are less likely to be able to use that password if the password is updated sooner than later. Finally, another helpful solution is to implement two-factor authentication (2FA). 2FA requires authentication via a password and also by confirming a one-time passcode (OTP) sent to either their email or phone. Once the user confirms their identity through their login credentials and the OTP, they will gain access to the system. Any malicious actor that attempts a brute force attack will not likely gain access to the system because it requires additional authentication.

In the third section, you were to write about addressing brute force attacks. You should have selected at least one or more of the options provided in the reading about brute force attacks. Then you should have explained the remediation method and how it works in your own words.

Which of the following activities are security hardening tasks? Select all that apply. Making patch updates Enforcing password policies Disposing of hardware and software properly

What are examples of physical security hardening? Select all that apply. Installing security cameras Hiring security guards

Security hardening task Description Common uses Baseline configurations A documented set of specifications within a system that is used as a basis for future builds, releases, and updates. To restore a system to a previous baseline after a network outage, or unauthorized changes on a baseline. Configuration checks Updating the encryption standards for data that is stored in databases. To see if there are any unauthorized changes to the system. Disabling unused ports Ports can be blocked on firewalls, routers, servers, and more to prevent potentially dangerous network traffic from passing through. Before an incident occurs, to prevent malicious actors from entering the network through the open port. Can be used after an incident to prevent future attacks from happening through unused open ports. Encryption using the latest standards Rules or methods used to conceal outgoing data and uncover or decrypt the incoming data. Can be implemented regularly to assess if the current encryption standards are secure and effective for your organization. The encryption standards can also be updated after a data breach. Firewall maintenance Firewall maintenance entails checking and updating security configurations regularly to stay ahead of potential threats. This can happen regularly. Firewall rules can be updated in response to an event that allows abnormal network traffic into the network. This measure can be used to protect against various DDoS attacks. Hardware & software disposal Ensures that all old hardware is properly wiped of all data and disposed of. Prevent the network from various threats by removing outdated or unused software or hardware that do not have the latest security patches or updates. Unpatched devices can allow malicious actors to easily access the network. Multifactor authentication (MFA) A security measure which requires a user to verify their identity in two or more ways to access a system or network. MFA options include a password, pin number, badge, one-time password (OTP) sent to a cell phone, fingerprint, and more. Can help protect against brute force attacks and similar security events. MFA can be implemented at any time, and is mostly a technique that is set up once then maintained. Network access privileges Network access privileges involves permitting, limiting, and/or blocking access privileges to network assets for people, roles, groups, IP addresses, MAC addresses, etc. Reduces the risk of unauthorized users and outside traffic from accessing the internal network. This can be implemented once, or revisited depending on the likelihood of social engineering or brute force attacks. Network log analysis The process of examining network logs to identify events of interest. Can be configured to alert the security team when there is abnormal traffic on the network. This can be used either before an incident occurs, during to track network traffic, and can be configured in the response of a cybersecurity attack. A common tool used for analyzing network logs is a SIEM. Password policies The National Institute of Standards and Technology’s (NIST) latest recommendations for password policies focuses on using methods to salt and hash passwords, rather than requiring overly complex passwords or enforcing frequent changes to passwords. Password policies are used to prevent attackers from easily guessing user passwords, either manually or by using a script to attempt thousands of stolen passwords (commonly called a brute force attack). Patch updates A software and operating system (OS) update that addresses security vulnerabilities within a program or product. Patch updates often contain fixes to security problems. It is important to keep systems up to date with the latest security patches because attackers will be alerted to the security vulnerability when patches are released. They will be more likely to target that vulnerability before people eventually apply the patches. Penetration test (pen test) A simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes. Pen tests are used to protect and prevent against potential attacks. Port filtering A firewall function that blocks or allows certain port numbers to limit unwanted communication. Port filtering is used to control network traffic and can prevent potential attackers from entering a private network. Removing or disabling unused applications and services Unused applications and services can become a point of vulnerability because they are less likely to be maintained or updated with new security features. This procedure is used to reduce potential vulnerabilities within a network. Server and data storage backups Server and data storage backups help protect data assets from being lost. Backups can be recorded and stored in a physical location or uploaded/synced to a cloud repository. Backups are used to restore lost data from attacks, human error, equipment failures, and other unplanned losses.

Security risk assessment report Part 1: Select up to three hardening tools and methods to implement Three hardening tools the organization can use to address the vulnerabilities found include:

1. Implementing multi-factor authentication (MFA)
2. Setting and enforcing strong password policies
3. Performing firewall maintenance regularly

MFA requires users to use more than one way to identify and verify their credentials before accessing an application. Some MFA methods include fingerprint scans, ID cards, pin numbers, and passwords.

Password policies can be refined to include rules regarding password length, a list of acceptable characters, and a disclaimer to discourage password sharing. They can also include rules surrounding unsuccessful login attempts, such as the user losing access to the network after five unsuccessful attempts.

Firewall maintenance entails checking and updating security configurations regularly to stay ahead of potential threats.

Part 2: Explain your recommendation(s) Enforcing multi-factor authentication (MFA) adds an additional layer of security beyond a password. It will reduce the likelihood that a malicious actor can access a network through a brute force or related attack since additional effort is required to authenticate in more than one way. MFA may also reduce the likelihood of people sharing passwords. Since the recipient of the shared password would need to possess additional authentication besides a password, MFA makes it less useful to share passwords, thereby making passwords less likely to be shared.

Creating and enforcing a password policy within the company will make it increasingly challenging for malicious actors to access the network. Policies such as suspending the account after a certain number of logins can prevent successful brute force attacks. Increasing password complexity, requiring more frequent password updates, and not allowing passwords to be reused also help stall malicious actors from infiltrating the network.

Firewall maintenance should happen regularly. Network administrators should ensure that firewall rules are in place that reflect the most up to date standards for allowed and denied traffic. Traffic from sources that are suspicious should be placed on a denied traffic list. Firewall rules should be updated whenever a security event occurs, especially an event that allows suspicious network traffic into the network. This measure can be used to protect against various DoS and DDoS attacks.

Cloud security considerations

Many organizations choose to use cloud services because of the ease of deployment, speed of deployment, cost savings, and scalability of these options. Cloud computing presents unique security challenges that cybersecurity analysts need to be aware of. Identity access management

Identity access management (IAM) is a collection of processes and technologies that helps organizations manage digital identities in their environment. This service also authorizes how users can use different cloud resources. A common problem that organizations face when using the cloud is the loose configuration of cloud user roles. An improperly configured user role increases risk by allowing unauthorized users to have access to critical cloud operations. Configuration

The expanding cloud ecosystem introduces significant complexity to network management. Each cloud service necessitates precise configuration to uphold security and compliance standards. This challenge intensifies during cloud migrations, where ensuring accurate configuration for every migrated process is critical. Neglect in this area can expose the network to vulnerabilities. Misconfigured cloud services are a frequent source of security breaches, underscoring the importance of meticulous attention to detail by network administrators and architects during the migration and ongoing management of cloud services. Attack surface

Cloud service providers (CSPs) offer numerous applications and services for organizations at a low cost.

Every service or application on a network carries its own set of risks and vulnerabilities and increases an organization’s overall attack surface. An increased attack surface must be compensated for with increased security measures.

Cloud networks that utilize many services introduce lots of entry points into an organization’s network. However, if the network is designed correctly, utilizing several services does not introduce more entry points into an organization’s network design. These entry points can be used to introduce malware onto the network and pose other security vulnerabilities. It is important to note that CSPs often defer to more secure options, and have undergone more scrutiny than a traditional on-premises network. Zero-day attacks

Zero-day attacks are an important security consideration for organizations using cloud or traditional on-premise network solutions. A zero day attack is an exploit that was previously unknown. CSPs are more likely to know about a zero day attack occurring before a traditional IT organization does. CSPs have ways of patching hypervisors and migrating workloads to other virtual machines. These methods ensure the customers are not impacted by the attack. There are also several tools available for patching at the operating system level that organizations can use. Visibility and tracking

Network administrators have access to every data packet crossing the network with both on-premise and cloud networks. They can sniff and inspect data packets to learn about network performance or to check for possible threats and attacks.

This kind of visibility is also offered in the cloud through flow logs and tools, such as packet mirroring. CSPs take responsibility for security in the cloud, but they do not allow the organizations that use their infrastructure to monitor traffic on the CSP’s servers. Many CSPs offer strong security measures to protect their infrastructure. Still, this situation might be a concern for organizations that are accustomed to having full access to their network and operations. CSPs pay for third-party audits to verify how secure a cloud network is and identify potential vulnerabilities. The audits can help organizations identify whether any vulnerabilities originate from on-premise infrastructure and if there are any compliance lapses from their CSP. Things change fast in the cloud

CSPs are large organizations that work hard to stay up-to-date with technology advancements. For organizations that are used to being in control of any adjustments made to their network, this can be a potential challenge to keep up with. Cloud service updates can affect security considerations for the organizations using them. For example, connection configurations might need to be changed based on the CSP’s updates.

Organizations that use CSPs usually have to update their IT processes. It is possible for organizations to continue following established best practices for changes, configurations, and other security considerations. However, an organization might have to adopt a different approach in a way that aligns with changes made by the CSP.

Cloud networking offers various options that might appear attractive to a small company—options that they could never afford to build on their own premises. However, it is important to consider that each service adds complexity to the security profile of the organization, and they will need security personnel to monitor all of the cloud services. Shared responsibility model

A commonly accepted cloud security principle is the shared responsibility model. The shared responsibility model states that the CSP must take responsibility for security involving the cloud infrastructure, including physical data centers, hypervisors, and host operating systems. The company using the cloud service is responsible for the assets and processes that they store or operate in the cloud.

The shared responsibility model ensures that both the CSP and the users agree about where their responsibility for security begins and ends. A problem occurs when organizations assume that the CSP is taking care of security that they have not taken responsibility for. One example of this is cloud applications and configurations. The CSP takes responsibility for securing the cloud, but it is the organization’s responsibility to ensure that services are configured properly according to the security requirements of their organization.

Cloud security hardening

There are various techniques and tools that can be used to secure cloud network infrastructure and resources. Some common cloud security hardening techniques include incorporating IAM, hypervisors, baselining, cryptography, and cryptographic erasure. Identity access management (IAM)

Identity access management (IAM) is a collection of processes and technologies that helps organizations manage digital identities in their environment. This service also authorizes how users can leverage different cloud resources. Hypervisors

A hypervisor abstracts the host’s hardware from the operating software environment. There are two types of hypervisors. Type one hypervisors run on the hardware of the host computer. An example of a type one hypervisor is VMware®’s ESXi. Type two hypervisors operate on the software of the host computer. An example of a type two hypervisor is VirtualBox. Cloud service providers (CSPs) commonly use type one hypervisors. CSPs are responsible for managing the hypervisor and other virtualization components. The CSP ensures that cloud resources and cloud environments are available, and it provides regular patches and updates. Vulnerabilities in hypervisors or misconfigurations can lead to virtual machine escapes (VM escapes). A VM escape is an exploit where a malicious actor gains access to the primary hypervisor, potentially the host computer and other VMs. As a CSP customer, you will rarely deal with hypervisors directly. Baselining

Baselining for cloud networks and operations cover how the cloud environment is configured and set up. A baseline is a fixed reference point. This reference point can be used to compare changes made to a cloud environment. Proper configuration and setup can greatly improve the security and performance of a cloud environment. Examples of establishing a baseline in a cloud environment include: restricting access to the admin portal of the cloud environment, enabling password management, enabling file encryption, and enabling threat detection services for SQL databases. Cryptography in the cloud

Cryptography can be applied to secure data that is processed and stored in a cloud environment. Cryptography uses encryption and secure key management systems to provide data integrity and confidentiality. Cryptographic encryption is one of the key ways to secure sensitive data and information in the cloud.

Encryption is the process of scrambling information into ciphertext, which is not readable to anyone without the encryption key. Encryption primarily originated from manually encoding messages and information using an algorithm to convert any given letter or number to a new value. Modern encryption relies on the secrecy of a key, rather than the secrecy of an algorithm. Cryptography is an important tool that helps secure cloud networks and data at rest to prevent unauthorized access. You’ll learn more about cryptography in-depth in an upcoming course. Cryptographic erasure

Cryptographic erasure is a method of erasing the encryption key for the encrypted data. When destroying data in the cloud, more traditional methods of data destruction are not as effective. Crypto-shredding is a newer technique where the cryptographic keys used for decrypting the data are destroyed. This makes the data undecipherable and prevents anyone from decrypting the data. When crypto-shredding, all copies of the key need to be destroyed so no one has any opportunity to access the data in the future. Key Management

Modern encryption relies on keeping the encryption keys secure. Below are the measures you can take to further protect your data when using cloud applications:

Trusted platform module (TPM). TPM is a computer chip that can securely store passwords, certificates, and encryption keys.

    Cloud hardware security module (CloudHSM). CloudHSM is a computing device that provides secure storage for cryptographic keys and processes cryptographic operations, such as encryption and decryption.

    Organizations and customers do not have access to the cloud service provider (CSP) directly, but they can request audits and security reports by contacting the CSP. Customers typically do not have access to the specific encryption keys that CSPs use to encrypt the customers’ data. However, almost all CSPs allow customers to provide their own encryption keys, depending on the service the customer is accessing. In turn, the customer is responsible for their encryption keys and ensuring the keys remain confidential. The CSP is limited in how they can help the customer if the customer’s keys are compromised or destroyed. One key benefit of the shared responsibility model is that the customer is not entirely responsible for maintenance of the cryptographic infrastructure. Organizations can assess and monitor the risk involved with allowing the CSP to manage the infrastructure by reviewing a CSPs audit and security controls. For federal contractors, FEDRAMP provides a list of verified CSPs.

Fill in the blank: A key distinction between cloud and traditional network hardening is the use of a server baseline image, which enables security analysts to prevent _____ by comparing data in cloud servers to the baseline image. unverified changes

Who is responsible for ensuring the safety of cloud networks? Select all that apply. Cloud service provider Individual users Security

Applying patches specifically helps to defend against exploitable software flaws by directly addressing the underlying weaknesses in the software’s code. Here’s a more detailed breakdown of how this works:

Identification of Vulnerabilities: Software vendors, security researchers, or even malicious actors discover flaws, bugs, or errors in an operating system or application’s code. These flaws could allow an attacker to bypass security controls, gain unauthorized access, execute arbitrary code, or cause a denial of service. Once identified, these are often cataloged in databases like the National Vulnerability Database (NVD). Development of Patches: When a vulnerability is identified, the software vendor develops a “patch,” which is a piece of code designed to fix the specific flaw. These patches essentially modify the existing software to remove the vulnerability, correct the error, or close the security gap that an attacker could exploit. Removal of the Attack Vector: By applying the patch, the vulnerable code is replaced or modified, eliminating the “entry point” or “weakness” that an attacker would otherwise use. For example, if a flaw allows for buffer overflow, the patch would correct the code to prevent such an overflow, thus preventing an attacker from injecting malicious code. Reducing the Attack Surface: Regular patching significantly reduces the “attack surface” of a system. Attackers often rely on exploiting known vulnerabilities for which patches have been publicly available. If systems are kept up-to-date, these common and well-documented attack methods become ineffective. Closing the Window of Vulnerability: Timely application of patches is crucial. The period between a vulnerability’s public disclosure and the application of its corresponding patch is known as the “window of vulnerability.” Attackers actively seek out unpatched systems during this window. By promptly applying patches, organizations minimize this window, making it much harder for attackers to successfully exploit the flaw. Disrupting Exploit Kits: Many cybercriminals use automated tools called “exploit kits” that scan systems for known, unpatched vulnerabilities. If a system is fully patched, these exploit kits will fail to find an exploitable weakness, effectively stopping the attack before it can deploy malware or gain control.

Security hardening diminishes the attack surface.

An “attack surface” refers to the total sum of potential entry points or vulnerabilities that unauthorized entities could exploit to infiltrate systems, networks, or access sensitive information. This includes hardware, software applications, network endpoints, and even human elements.

“Security hardening” is the process of enhancing the security posture of a system or network by implementing proactive measures to reduce vulnerabilities and mitigate potential risks. This involves configuring systems, applications, and infrastructure to adhere to best security practices, such as disabling unnecessary services, enforcing strong authentication, applying patches, and configuring firewalls. The primary objective of security hardening is to minimize the attack surface, thereby making it more difficult for cybercriminals to exploit potential weaknesses and strengthening defenses against cyber threats.

Fill in the blank: A/An _____ is a documented set of specifications within a system that is used as a basis for future builds, releases, and updates baseline configuration

You are a cybersecurity analyst working for a multimedia company that offers web design services, graphic design, and social media marketing solutions to small businesses. Your organization recently experienced a DDoS attack, which compromised the internal network for two hours until it was resolved.

During the attack, your organization’s network services suddenly stopped responding due to an incoming flood of ICMP packets. Normal internal network traffic could not access any network resources. The incident management team responded by blocking incoming ICMP packets, stopping all non-critical network services offline, and restoring critical network services.

The company’s cybersecurity team then investigated the security event. They found that a malicious actor had sent a flood of ICMP pings into the company’s network through an unconfigured firewall. This vulnerability allowed the malicious attacker to overwhelm the company’s network through a distributed denial of service (DDoS) attack.

To address this security event, the network security team implemented:

A new firewall rule to limit the rate of incoming ICMP packets

    Source IP address verification on the firewall to check for spoofed IP addresses on incoming ICMP packets

        Network monitoring software to detect abnormal traffic patterns

            An IDS/IPS system to filter out some ICMP traffic based on suspicious characteristics

            As a cybersecurity analyst, you are tasked with using this security event to create a plan to improve your company’s network security, following the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). You will use the CSF to help you navigate through the different steps of analyzing this cybersecurity event and integrate your analysis into a general security strategy. We have broken the analysis into different parts in the template below. You can explore them here:

                Identify security risks through regular audits of internal networks, systems, devices, and access privileges to identify potential gaps in security. 

                    Protect internal assets through the implementation of policies, procedures, training and tools that help mitigate cybersecurity threats. 

                        Detect potential security incidents and improve monitoring capabilities to increase the speed and efficiency of detections. 

                            Respond to contain, neutralize, and analyze security incidents; implement improvements to the security process. 

                            Recover affected systems to normal operation and restore systems data and/or assets that have been affected by an incident. 

Incident report analysis - Example

Summary This morning, an intern reported to the IT department that she was unable to log in to her internal network account. Access logs indicate that her account has been actively accessing records in the customer database, even though she is locked out of that account. The intern indicated that she received an email this morning asking her to go to an external website to log in with her internal network credentials to retrieve a message. We believe this is the method used by a malicious actor to gain access to our network and customer database. A couple of other employees have noticed that several customer records are either missing or contain incorrect data. It appears that not only was customer data exposed to a malicious actor, but that some data was deleted or manipulated as well. Identify The incident management team audited the systems, devices, and access policies involved in the attack to identify the gaps in security. The team found that an intern’s login and password were obtained by a malicious attacker and used to access data from our customer database. Upon initial review, it appears that some customer data was deleted from the database. Protect The team has implemented new authentication policies to prevent future attacks: multi-factor authentication (MFA), login attempts limited to three tries, and training for all employees on how to protect login credentials. Additionally, we will implement a new protective firewall configuration and invest in an intrusion prevention system (IPS). Detect To detect new unauthorized access attacks in the future, the team will use a firewall logging tool and an intrusion detection system (IDS) to monitor all incoming traffic from the internet. Respond The team disabled the intern’s network account. We provided training to interns and employees on how to protect login credentials in the future. We informed upper management of this event and they will contact our customers by mail to inform them about the data breach. Management will also need to inform law enforcement and other organizations as required by local laws. Recover The team will recover the deleted data by restoring the database from last night’s full backup. We have informed staff that any customer information entered or changed this morning would not be recorded on the backup. So, they will need to re-enter that information into the database once it has been restored from last night’s backup.

Incident report analysis - Example

Summary This morning, an intern reported to the IT department that she was unable to log in to her internal network account. Access logs indicate that her account has been actively accessing records in the customer database, even though she is locked out of that account. The intern indicated that she received an email this morning asking her to go to an external website to log in with her internal network credentials to retrieve a message. We believe this is the method used by a malicious actor to gain access to our network and customer database. A couple of other employees have noticed that several customer records are either missing or contain incorrect data. It appears that not only was customer data exposed to a malicious actor, but that some data was deleted or manipulated as well. Identify The incident management team audited the systems, devices, and access policies involved in the attack to identify the gaps in security. The team found that an intern’s login and password were obtained by a malicious attacker and used to access data from our customer database. Upon initial review, it appears that some customer data was deleted from the database. Protect The team has implemented new authentication policies to prevent future attacks: multi-factor authentication (MFA), login attempts limited to three tries, and training for all employees on how to protect login credentials. Additionally, we will implement a new protective firewall configuration and invest in an intrusion prevention system (IPS). Detect To detect new unauthorized access attacks in the future, the team will use a firewall logging tool and an intrusion detection system (IDS) to monitor all incoming traffic from the internet. Respond The team disabled the intern’s network account. We provided training to interns and employees on how to protect login credentials in the future. We informed upper management of this event and they will contact our customers by mail to inform them about the data breach. Management will also need to inform law enforcement and other organizations as required by local laws. Recover The team will recover the deleted data by restoring the database from last night’s full backup. We have informed staff that any customer information entered or changed this morning would not be recorded on the backup. So, they will need to re-enter that information into the database once it has been restored from last night’s backup.

Incident report analysis Instructions As you continue through this course, you may use this template to record your findings after completing an activity or just to take notes on what you’ve learned about a specific tool or concept. You can also use this chart as a way to continue practicing applying the NIST CSF framework to different situations you may encounter. Summary The company experienced a security event when all network services suddenly stopped responding. The cybersecurity team found the disruption was caused by a distributed denial of services (DDoS) attack through a flood of incoming ICMP packets. The team responded by blocking the attack and stopping all non-critical network services, so that critical network services could be restored. Identify A malicious actor or actors targeted the company with an ICMP flood attack. The entire internal network was affected. All critical network resources needed to be secured and restored to a functioning state. Protect The cybersecurity team implemented a new firewall rule to limit the rate of incoming ICMP packets and an IDS/IPS system to filter out some ICMP traffic based on suspicious characteristics. Detect The cybersecurity team configured source IP address verification on the firewall to check for spoofed IP addresses on incoming ICMP packets and implemented network monitoring software to detect abnormal traffic patterns. Respond For future security events, the cybersecurity team will isolate affected systems to prevent further disruption to the network. They will attempt to restore any critical systems and services that were disrupted by the event. Then, the team will analyze network logs to check for suspicious and abnormal activity. The team will also report all incidents to upper management and appropriate legal authorities, if applicable. Recover To recover from a DDoS attack by ICMP flooding, access to network services need to be restored to a normal functioning state. In the future, external ICMP flood attacks can be blocked at the firewall. Then, all non-critical network services should be stopped to reduce internal network traffic. Next, critical network services should be restored first. Finally, once the flood of ICMP packets have timed out, all non-critical network systems and services can be brought back online.

Using the template provided, provide a summary of the security event that occurred. Include information about the security event, its cause, the impact, and the response. You can also include information about targeted systems, the attack source, and the estimated impact.

Think about all of the concepts covered in the course so far and reflect on the scenario and define what type of attack occurred and which systems were affected. List this information in the incident report analysis worksheet in the section titled “Identify.”

Next, you will assess where the organization can improve to further protect its assets. In this step, you will focus on creating an immediate action plan to respond to the cybersecurity incident. When creating this plan, reflect on the following question:

What systems or procedures need to be updated or changed to further secure the organization’s assets?

Write your response in the incident report analysis template in the “Protect” section.

It is important to continuously monitor network traffic on network devices to check for suspicious activity, such as incoming external ICMP packets from non-trusted IP addresses attempting to pass through the organization’s network firewall. 

For this step, consider ways you and your team can monitor and analyze network traffic, software applications, track authorized versus unauthorized users, and detect any unusual activity on user accounts. Write your response in the incident response analysis worksheet in the “Detect” section.

After identifying the tools and methods you and your organization have in place for detecting potential vulnerabilities and threats, create a response plan in the event of a future incident. This typically happens after the incident occurred and has been resolved by you and your team. In this case, you will create a response plan for future cybersecurity incidents. Some items to consider when creating a response plan to any cybersecurity incident:

    How can you and your team contain cybersecurity incidents and affected devices?

        What procedures are in place to help you and your team neutralize cybersecurity incidents?

            What data or information can be used to analyze this incident?

                How can your organization’s recovery process be improved to better handle future cybersecurity incidents?

                Write your response in the incident report analysis template under the “respond” section. 

                Consider what steps need to be taken to help the organization recover from the cybersecurity incident. Reflect on all the information you gathered about the incident in the previous steps to consider which devices, systems, and processes need to be restored and recovered. 

                Consider the following questions: 

                    What information do you need to be able to recover immediately? 

                        What processes are in place to help the organization recover from the incident? 

                        Write your response in the “recover” portion of the worksheet.

Applying the NIST CSF

Earlier in this program you learned about the uses and benefits of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). There are five core functions of the NIST CSF framework: identify, protect, detect, respond, and recover.

Image: 5 core functions of the NIST CSF

These core functions help organizations manage cybersecurity risks, implement risk management strategies, and learn from previous mistakes. Plans based on this framework should be continuously updated to stay ahead of the latest security threats. The core functions help ensure organizations are protected against potential threats, risks, and vulnerabilities. Each function can be used to improve an organization’s security:

● Identify: Manage security risks through regular audits of internal networks, systems, devices, and access privileges to identify potential gaps in security. ● Protect: Develop a strategy to protect internal assets through the implementation of policies, procedures, training and tools that help mitigate cybersecurity threats. ● Detect: Scan for potential security incidents and improve monitoring capabilities to increase the speed and efficiency of detections. ● Respond: Ensure that the proper procedures are used to contain, neutralize and analyze security incidents and implement improvements to the security process. ● Recover: Return affected systems back to normal operation and restore systems data and assets that have been affected by an incident. Some questions to ask for each of the five core functions, include: Identify Create an inventory of organizational systems, processes, assets, data, people, and capabilities that need to be secured: ● Technology/Asset Management: Which hardware devices, operating systems, and software were affected? Trace the flow of the attack through the internal network. ● Process/Business environment: Which business processes were affected in the attack? ● People: Who needs access to the affected systems?
Protect Develop and implement safeguards to protect the identified items and ensure delivery of services: ● Access control: Who needs access to the affected items? How are non-trusted sources blocked from having access? ● Awareness/Training: Who needs to be made aware of this attack and how to prevent it from happening again? ● Data security: Is there any affected data that needs to be made more secure? ● Information protection and procedures: Do any procedures need to be updated or added to protect data assets? ● Maintenance: Do any of the affected hardware, operating systems, or software need to be updated? ● Protective technology: Are there any protective technologies, like a firewall or an intrusion prevention system (IDS), that should be implemented to protect against future attacks? Detect Design and implement a system with tools needed for detecting threats and attacks: ● Anomalies and events: What tools could be used to detect and alert IT security staff of anomalies and security events, such as a security information and event management system (SIEM) tool? ● Security continuous monitoring: What tools or IT processes are needed to monitor the network for security events? ● Detection process: What tools are needed to detect security events, such as an IDS? Respond Design action plans for responding to threats and attacks: ● Response planning: What action plans need to be implemented to respond to similar attacks in the future? ● Communications: How will security event response procedures be communicated within the organization and with those directly affected by the attack, including end users and IT staff? ● Analysis: What analysis steps should be followed in response to a similar attack? ● Mitigation: What responding steps could be used to mitigate the impact of an attack, such as offlining or isolating affected resources? ● Improvements: What improvements are needed to improve response procedures in the future? Recover Construct a plan and implement the framework for recovering and restoring affected systems and/or data: ● Recovery planning: How will resources be restored following an attack? ● Improvements: Do any improvements need to be made to the current recovery systems or processes? ● Communications: How will restoration procedures be communicated within the organization and with those directly affected by the attack, including end users and IT staff?

The NIST CSF and its five core functions provide a framework of planning proactive to applying reactive measures to cybersecurity threats. These functions are essential for ensuring that an organization has effective security strategies in place. An organization must have the ability to quickly recover from any damage caused by an incident to minimize their level of risk.

Personally Identifiable Information (PII) includes information (e.g., name, email, address, phone number) that can be used to distinguish or trace an individual’s identity, either directly or indirectly, when used with other information. It is important to have a basic understanding of these principles when working with PII at Cisco.

Sensitive PII (SPII) is especially personal, sometimes culturally or legally protected, and includes someone’s social security number (SSN), date of birth (DOB), sexual orientation, or religion. SPII can be used to embarrass, harm, discriminate, impersonate, or commit fraud.

Risk: Anything that can impact the confidentiality, integrity, or availability of an asset

    Threat: Any circumstance or event that can negatively impact assets

        Vulnerability: A weakness that can be exploited by a threat

Asset management is the process of tracking assets and the risks that affects them. Asset management is the process of tracking assets and the risks that affect them. The idea behind this process is simple: you can only protect what you know you have. *NOTE: A fundamental truth of security is you can only protect the things you account for.

asset classification is the practice of labeling assets based on sensitivity and importance to an organization. What you have

    Where it is

        Who owns it, and

            How important it is

Asset classification helps organizations implement an effective risk management strategy. It also helps them prioritize security resources, reduce IT costs, and stay in compliance with legal regulations.

The most common classification scheme is: restricted, confidential, internal-only, and public.

Restricted is the highest level. This category is reserved for incredibly sensitive assets,  like need-to-know information.

    Confidential refers to assets whose disclosure may lead to a significant negative impact on an organization.

        Internal-only describes assets that are available to employees and business partners.

            Public is the lowest level of classification. These assets have no negative consequences to the organization if they’re released.

Asset: An item perceived as having value to an organization

Asset classification: The practice of labeling assets based on sensitivity and importance to an organization

Asset inventory: A catalog of assets that need to be protected

Asset management: The process of tracking assets and the risks that affect them

Compliance: The process of adhering to internal standards and external regulations

Data: Information that is translated, processed, or stored by a computer

Data at rest: Data not currently being accessed

Data in transit: Data traveling from one point to another

Data in use: Data being accessed by one or more users

Information security (InfoSec): The practice of keeping data in all states away from unauthorized users

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Policy: A set of rules that reduce risk and protect information

Procedures: Step-by-step instructions to perform a specific security task

Regulations: Rules set by a government or other authority to control the way something is done

Which of the following are components of the NIST Cybersecurity Framework? Select three answers. Tiers Profiles Core

What are the three types of security controls? Select three answers. Technical The three types of security controls are technical, operational, and managerial. Each type of security control plays a key role in effective information privacy. Operational The three types of security controls are technical, operational, and managerial. Each type of security control plays a key role in effective information privacy. Managerial The three types of security controls are technical, operational, and managerial. Each type of security control plays a key role in effective information privacy.

Fill in the blank: Most security plans address risks by breaking them down into these categories: damage, disclosure, and _____. loss of information

Cloud security challenges

All service providers do their best to deliver secure products to their customers. Much of their success depends on preventing breaches and how well they can protect sensitive information. However, since data is stored in the cloud and accessed over the internet, several challenges arise:

Misconfiguration is one of the biggest concerns. Customers of cloud-based services are responsible for configuring their own security environment. Oftentimes, they use out-of-the-box configurations that fail to address their specific security objectives.

    Cloud-native breaches are more likely to occur due to misconfigured services.

        Monitoring access might be difficult depending on the client and level of service.

            Meeting regulatory standards is also a concern, particularly in industries that are required by law to follow specific requirements such as HIPAA, PCI DSS, and GDPR.

NIST CSF Core

The CSF core is a set of desired cybersecurity outcomes that help organizations customize their security plan. It consists of six functions, or parts: Identify, Protect, Detect, Respond, Recover, and Govern. These functions are commonly used as an informative reference to help organizations identify their most important assets and protect those assets with appropriate safeguards. The CSF core is also used to understand ways to detect attacks and develop response and recovery plans should an attack happen.

Previously, the core consisted of just five functions. Govern was added in February of 2024 to emphasize the importance of leadership and decision-making when it comes to managing cybersecurity risks. Tiers

The CSF tiers are a way of measuring the sophistication of an organization’s cybersecurity program. CSF tiers are measured on a scale of 1 to 4. Tier 1 is the lowest score, indicating that a limited set of security controls have been implemented. Overall, CSF tiers are used to assess an organization’s security posture and identify areas for improvement. Profiles

The CSF profiles are pre-made templates of the NIST CSF that are developed by a team of industry experts. CSF profiles are tailored to address the specific risks of an organization or industry. They are used to help organizations develop a baseline for their cybersecurity plans, or as a way of comparing their current cybersecurity posture to a specific industry standard.

Risk register Operational environment: The bank is located in a coastal area with low crime rates. Many people and systems handle the bank’s data—100 on-premise employees and 20 remote employees. The customer base of the bank includes 2,000 individual accounts and 200 commercial accounts. The bank’s services are marketed by a professional sports team and ten local businesses in the community. There are strict financial regulations that require the bank to secure their data and funds, like having enough cash available each day to meet Federal Reserve requirements.

    Asset: The asset at risk of being harmed, damaged, or stolen.
    Risk(s): A potential risk to the organization's information systems and data.
    Description: A vulnerability that might lead to a security incident.
    Likelihood: Score from 1-3 of the chances of a vulnerability being exploited. A 1 means there's a low likelihood, a 2 means there's a moderate likelihood, and a 3 means there's a high likelihood.
    Severity: Score from 1-3 of the potential damage the threat would cause to the business. A 1 means a low severity impact, a 2 is a moderate severity impact, and a 3 is a high severity impact.
    Priority: How quickly a risk should be addressed to avoid the potential incident. Use the following formula to calculate the overall score: Likelihood x Impact Severity = Risk

The principle of least privilege is a security concept in which a user is only granted the minimum level of access and authorization required to complete a task or function.

Least privilege is a fundamental security control that supports the confidentiality, integrity, and availability (CIA) triad of information. In this reading, you’ll learn how the principle of least privilege reduces risk, how it’s commonly implemented, and why it should be routinely audited. Limiting access reduces risk

Every business needs to plan for the risk of data theft, misuse, or abuse. Implementing the principle of least privilege can greatly reduce the risk of costly incidents like data breaches by:

Limiting access to sensitive information

    Reducing the chances of accidental data modification, tampering, or loss

        Supporting system monitoring and administration

        Least privilege greatly reduces the likelihood of a successful attack by connecting specific resources to specific users and placing limits on what they can do. It's an important security control that should be applied to any asset. Clearly defining who or what your users are is usually the first step of implementing least privilege effectively.

        Note: Least privilege is closely related to another fundamental security principle, the separation of duties—a security concept that divides tasks and responsibilities among different users to prevent giving a single user complete control over critical business functions. You'll learn more about separation of duties in a different reading about identity and access management.

The data lifecycle

The data lifecycle is an important model that security teams consider when protecting information. It influences how they set policies that align with business objectives. It also plays an important role in the technologies security teams use to make information accessible.

In general, the data lifecycle has five stages. Each describe how data flows through an organization from the moment it is created until it is no longer useful:

Collect

    Store

        Use

            Archive

                Destroy



PII is any information used to infer an individual's identity. Personally identifiable information, or PII, refers to information that can be used to contact or locate someone.

    PHI stands for protected health information.  In the U.S., it is regulated by the Health Insurance Portability and Accountability Act (HIPAA), which defines PHI as “information that relates to the past, present, or future physical or mental health or condition of an individual.” In the EU, PHI has a similar definition but it is regulated by the General Data Protection Regulation (GDPR).

        SPII is a specific type of PII that falls under stricter handling guidelines. The S stands for sensitive, meaning this is a type of personally identifiable information that should only be accessed on a need-to-know basis, such as a bank account number or login credentials.

Information security vs. information privacy

Security and privacy are two terms that often get used interchangeably outside of this field. Although the two concepts are connected, they represent specific functions:

Information privacy refers to the protection of unauthorized access and distribution of data.

    Information security (InfoSec) refers to the practice of keeping data in all states away from unauthorized users.

    The key difference: Privacy is about providing people with control over their personal information and how it's shared. Security is about protecting people’s choices and keeping their information safe from potential threats.

    For example, a retail company might want to collect specific kinds of personal information about its customers for marketing purposes, like their age, gender, and location. How this private information will be used should be disclosed to customers before it's collected. In addition, customers should be given an option to opt-out if they decide not to share their data.

Notable privacy regulations

Businesses are required to abide by certain laws to operate. As you might recall, regulations are rules set by a government or another authority to control the way something is done. Privacy regulations in particular exist to protect a user from having their information collected, used, or shared without their consent. Regulations may also describe the security measures that need to be in place to keep private information away from threats.

Three of the most influential industry regulations that every security professional should know about are:

General Data Protection Regulation (GDPR)

    Payment Card Industry Data Security Standard (PCI DSS)

        Health Insurance Portability and Accountability Act (HIPAA)

GDPR

GDPR is a set of rules and regulations developed by the European Union (EU) that puts data owners in total control of their personal information. Under GDPR, types of personal information include a person’s name, address, phone number, financial information, and medical information.

The GDPR applies to any business that handles the data of EU citizens or residents, regardless of where that business operates. For example, a US based company that handles the data of EU visitors to their website is subject to the GDPRs provisions. PCI DSS

PCI DSS is a set of security standards formed by major organizations in the financial industry. This regulation aims to secure credit and debit card transactions against data theft and fraud. HIPAA

HIPAA is a U.S. law that requires the protection of sensitive patient health information. HIPAA prohibits the disclosure of a person’s medical information without their knowledge and consent.

Security assessments and audits

Businesses should comply with important regulations in their industry. Doing so validates that they have met a minimum level of security while also demonstrating their dedication to maintaining data privacy.

Meeting compliance standards is usually a continual, two-part process of security audits and assessments:

A security audit is a review of an organization's security controls, policies, and procedures against a set of expectations.

    A security assessment is a check to determine how resilient current security implementations are against threats.

Data leak worksheet

Incident summary: A sales manager shared access to a folder of internal-only documents with their team during a meeting. The folder contained files associated with a new product that has not been publicly announced. It also included customer analytics and promotional materials. After the meeting, the manager did not revoke access to the internal folder, but warned the team to wait for approval before sharing the promotional materials with others.

During a video call with a business partner, a member of the sales team forgot the warning from their manager. The sales representative intended to share a link to the promotional materials so that the business partner could circulate the materials to their customers. However, the sales representative accidentally shared a link to the internal folder instead. Later, the business partner posted the link on their company’s social media page assuming that it was the promotional materials.

Penetration testing

A penetration test, or pen test, is a simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes. The simulated attack in a pen test involves using the same tools and techniques as malicious actors in order to mimic a real life attack. Since a pen test is an authorized attack, it is considered to be a form of ethical hacking. Unlike a vulnerability assessment that finds weaknesses in a system’s security, a pen test exploits those weaknesses to determine the potential consequences if the system breaks or gets broken into by a threat actor.

For example, the cybersecurity team at a financial company might simulate an attack on their banking app to determine if there are weaknesses that would allow an attacker to steal customer information or illegally transfer funds. If the pen test uncovers misconfigurations, the team can address them and improve the overall security of the app.

Note: Organizations that are regulated by PCI DSS, HIPAA, or GDPR must routinely perform penetration testing to maintain compliance standards.

Manual updates

A manual deployment strategy relies on IT departments or users obtaining updates from the developers. Home office or small business environments might require you to find, download, and install updates yourself. In enterprise settings, the process is usually handled with a configuration management tool. These tools offer a range of options to deploy updates, like to all clients on your network or a select group of users.

Advantage: An advantage of manual update deployment strategies is control. That can be useful if software updates are not thoroughly tested by developers, leading to instability issues.

Disadvantage: A drawback to manual update deployments is that critical updates can be forgotten or disregarded entirely. Automatic updates

An automatic deployment strategy takes the opposite approach. With this option, finding, downloading, and installing updates can be done by the system or application.

Pro tip: The Cybersecurity and Infrastructure Security Agency (CISA) recommends using automatic options whenever they’re available.

Certain permissions need to be enabled by users or IT groups before updates can be installed, or pushed, when they’re available. It is up to the developers to adequately test their patches before release.

Advantage: An advantage to automatic updates is that the deployment process is simplified. It also keeps systems and software current with the latest, critical patches.

Disadvantage: A drawback to automatic updates is that instability issues can occur if the patches were not thoroughly tested by the vendor. This can result in performance problems and a poor user experience.

What is a vulnerability scanner?

A vulnerability scanner is software that automatically compares known vulnerabilities and exposures against the technologies on the network. In general, these tools scan systems to find misconfigurations or programming flaws.

Scanning tools are used to analyze each of the five attack surfaces that you learned about in the video about the defense in depth strategy

:

Perimeter layer, like authentication systems that validate user access

    Network layer, which is made up of technologies like network firewalls and others

        Endpoint layer, which describes devices on a network, like laptops, desktops, or servers

            Application layer, which involves the software that users interact with

                Data layer, which includes any information that’s stored, in transit, or in use

                When a scan of any layer begins, the scanning tool compares the findings against databases of security threats. At the end of the scan, the tool flags any vulnerabilities that it finds and adds them to its reference database. Each scan adds more information to the database, helping the tool be more accurate in its analysis.

                Note: Vulnerability databases are also routinely updated by the company that designed the scanning software.
                Performing scans

                Vulnerability scanners are meant to be non-intrusive. Meaning, they don’t break or take advantage of a system like an attacker would. Instead, they simply scan a surface and alert you to any potentially unlocked doors in your systems.

                Note: While vulnerability scanners are non-intrusive, there are instances when a scan can inadvertently cause issues, like crash a system.

                There are a few different ways that these tools are used to scan a surface. Each approach corresponds to the pathway a threat actor might take. Next, you can explore each type of scan to get a clearer picture of this. 

                External vs. internal

                External and internal scans simulate an attacker's approach.

                External scans test the perimeter layer outside of the internal network. They analyze outward facing systems, like websites and firewalls. These kinds of scans can uncover vulnerable things like vulnerable network ports or servers.

                Internal scans start from the opposite end by examining an organization's internal systems. For example, this type of scan might analyze application software for weaknesses in how it handles user input.
                Authenticated vs. unauthenticated

                Authenticated and unauthenticated scans simulate whether or not a user has access to a system.

                Authenticated scans might test a system by logging in with a real user account or even with an admin account. These service accounts are used to check for vulnerabilities, like broken access controls.

                Unauthenticated scans simulate external threat actors that do not have access to your business resources. For example, a scan might analyze file shares within the organization that are used to house internal-only documents. Unauthenticated users should receive "access denied" results if they tried opening these files. However, a vulnerability would be identified if you were able to access a file.
                Limited vs. comprehensive

                Limited and comprehensive scans focus on particular devices that are accessed by internal and external users.

                Limited scans analyze particular devices on a network, like searching for misconfigurations on a firewall.

                Comprehensive scans analyze all devices connected to a network. This includes operating systems, user databases, and more.

                Pro tip: Discovery scanning should be done prior to limited or comprehensive scans. Discovery scanning is used to get an idea of the computers, devices, and open ports that are on a network.

Information vs intelligence

The terms intelligence and information are often used interchangeably, making it easy to mix them up. Both are important aspects of cybersecurity that differ in their focus and objectives.

Information refers to the collection of raw data or facts about a specific subject. Intelligence, on the other hand, refers to the analysis of information to produce knowledge or insights that can be used to support decision-making.

For example, new information might be released about an update to the operating system (OS) that’s installed on your organization’s workstations. Later, you might find that new cyber threats have been linked to this new update by researching multiple cybersecurity news resources. The analysis of this information can be used as intelligence to guide your organization’s decision about installing the OS updates on employee workstations.

In other words, intelligence is derived from information through the process of analysis, interpretation, and integration. Gathering information and intelligence are both important aspects of cybersecurity. Intelligence improves decision-making

Businesses often use information to gain insights into the behavior of their customers. Insights, or intelligence, can then be used to improve their decision making. In security, open-source information is used in a similar way to gain insights into threats and vulnerabilities that can pose risks to an organization.

OSINT plays a significant role in information security (InfoSec), which is the practice of keeping data in all states away from unauthorized users.

For example, a company’s InfoSec team is responsible for protecting their network from potential threats. They might utilize OSINT to monitor online forums and hacker communities for discussions about emerging vulnerabilities. If they come across a forum post discussing a newly discovered weakness in a popular software that the company uses, the team can quickly assess the risk, prioritize patching efforts, and implement necessary safeguards to prevent an attack.

Here are some of the ways OSINT can be used to generate intelligence:

To provide insights into cyber attacks

    To detect potential data exposures

        To evaluate existing defenses

            To identify unknown vulnerabilities

            Collecting intelligence is sometimes part of the vulnerability management process. Security teams might use OSINT to develop profiles of potential targets and make data driven decisions on improving their defenses.

Which of the following steps may be part of a vulnerability assessment? Select three answers. A vulnerability assessment may include identification, risk assessment, and remediation. It may also include vulnerability analysis. During remediation, the vulnerabilities that were identified and analyzed are addressed. It may also include vulnerability analysis. During a risk assessment, a score is assigned to each vulnerability based on its likelihood and severity. It may also include vulnerability analysis. During identification, scanning tools and manual testing are performed to understand the current state of a security system.

Vulnerabilities must only affect a single codebase, be submitted with supporting evidence, and be recognized as potential security risks to qualify for a CVE® ID. They must also be independent of other issues.

Defense in depth is a layered approach to vulnerability management that reduces risk. It’s a security approach that protects assets by surrounding them with multiple layers of protection.

Vulnerability management is a four-step process that includes the following steps: identify vulnerabilities, consider potential exploits, prepare defenses against threats, and evaluate those defenses.

A vulnerability ____ refers to the internal review process of an organization’s security systems. assessment

What are the goals of a vulnerability assessment? Select two answers. To reduce overall threat exposure To identify existing weaknesses

Which of the following remediation examples might be implemented after a vulnerability scan? Select two answers. Training employees to follow new security procedures Installing software updates and patches

What are two types of vulnerability scans? Select two answers. Authenticated or unauthenticated Limited or comprehensive

An attack surface is all the potential vulnerabilities that a threat actor could exploit.

Security hardening is the process of strengthening a system to reduce its vulnerabilities and attack surface

The organization’s website is an example of its digital attack surface. An attack surface refers to all the potential vulnerabilities that a threat actor could exploit. The digital attack surface consists of everything that’s connected to an organization’s network.

Identification: A vulnerable server is flagged because it's running an outdated operating system (OS).

    Vulnerability analysis: Research is done on the outdated OS and its vulnerabilities.

        Risk assessment: After doing your due diligence, the severity of each vulnerability is scored and the impact of not fixing it is evaluated.

            Remediation: Finally, the information that you’ve gathered can be used to address the issue.

A threat actor is any person or group who presents a security risk. This broad definition refers to people inside and outside an organization. It also includes individuals who intentionally pose a threat, and those that accidentally put assets at risk. That’s a wide range of people!

Threat actors are normally divided into five categories based on their motivations:

Competitors refers to rival companies who pose a threat because they might benefit from leaked information.

    State actors are government intelligence agencies.

        Criminal syndicates refer to organized groups of people who make money from criminal activity.

            Insider threats can be any individual who has or had authorized access to an organization’s resources. This includes employees who accidentally compromise assets or individuals who purposefully put them at risk for their own benefit.

                Shadow IT refers to individuals who use technologies that lack IT governance. A common example is when an employee uses their personal email to send work-related communications.

Types of hackers

Because the formal definition of a hacker is broad, the term can be a bit ambiguous. In security, it applies to three types of individuals based on their intent:

Unauthorized hackers 

    Authorized, or ethical, hackers

        Semi-authorized hackers

An advanced persistent threat (APT) refers to instances when a threat actor maintains unauthorized access to a system for an extended period of time. The term is mostly associated with nation states and state-sponsored actors. Typically, an APT is concerned with surveilling a target to gather information. They then use the intel to manipulate government, defense, financial, and telecom services.

Access points

Each threat actor has a unique motivation for targeting an organization’s assets. Keeping them out takes more than knowing their intentions and capabilities. It’s also important to recognize the types of attack vectors they’ll use.

For the most part, threat actors gain access through one of these attack vector categories:

Direct access, referring to instances when they have physical access to a system

    Removable media, which includes portable hardware, like USB flash drives

        Social media platforms that are used for communication and content sharing

            Email, including both personal and business accounts

                Wireless networks on premises

                    Cloud services usually provided by third-party organizations

                        Supply chains like third-party vendors that can present a backdoor into systems

Attack vectors refer to the pathways attackers use to penetrate security defenses. Threat actors use attack vectors to exploit vulnerabilities and exposures.

Defending attack vectors

1. Educating users
2. Applying the principle of least privilege
3. Using the right security controls and tools
4. Building a diverse security team

Fortify against brute force cyber attacks

Attackers use a variety of tactics to find their way into a system:

Simple brute force attacks are an approach in which attackers guess a user's login credentials. They might do this by entering any combination of username and password that they can think of until they find the one that works.

    Dictionary attacks are a similar technique except in these instances attackers use a list of commonly used credentials to access a system. This list is similar to matching a definition to a word in a dictionary.

        Reverse brute force attacks are similar to dictionary attacks, except they start with a single credential and try it in various systems until a match is found.

            Credential stuffing is a tactic in which attackers use stolen login credentials from previous data breaches to access user accounts at another organization. A specialized type of credential stuffing is called pass the hash. These attacks reuse stolen, unsalted hashed credentials to trick an authentication system into creating a new authenticated user session on the network.

The attack surfaces of a home include both physical and digital elements. Physical attack surfaces consist of doors, windows, and other entry points that could be accessed by intruders, while digital attack surfaces involve devices like Wi-Fi routers, smart home systems, and computers that may be vulnerable to cyber threats. Each surface presents unique vulnerabilities that should be regularly assessed for potential risks.

Attack vectors for a home’s physical surfaces include unlocked doors or windows, which intruders could use to gain entry. For digital surfaces, attackers might exploit weak Wi-Fi passwords, unpatched smart devices, or phishing emails to access networks or personal data. Defenses like installing strong locks, using security cameras, enabling multi-factor authentication, and regularly updating device firmware help reduce these risks. Additional strategies include creating unique, complex passwords and monitoring network activity for unusual behavior. By proactively identifying vulnerabilities and implementing layered defenses, you can significantly enhance your home’s overall security.

Identify the attack vectors of a USB drive Contents Write 2-3 sentences about the types of information found on this device. Some documents appear to contain personal information that Jorge wouldn’t want to be made public. The work files include the Pll of other people. Also, the work files contain information about the hospital’s operations. Attacker mindset Write 2-3 sentences about how this information could be used against Jorge or the hospital. The timesheets can provide an attacker intel about other people that Jorge works with. Either work or personal information could be used to trick Jorge. For example, a malicious email can be designed to look as though it comes from a coworker or relative. Risk analysis Write 3 or 4 sentences describing technical, operational, or managerial controls that could mitigate these types of attacks: Promoting employee awareness about these types of attacks and what to do when a suspicious USB drive is a managerial control that can reduce the risk of a negative incident. Setting up routine antivirus scans is an operational control that can be implemented. Another line of defense could be a technical control, like disabling AutoPlay on company PCs that will prevent a computer from automatically executing malicious code when a USB drive is plugged in.

What is the difference between an attack vector and an attack surface?

An attack vector refers to the pathways attackers use to penetrate security defenses; an attack surface refers to all the vulnerabilities of an asset that can be exploited.

Which steps are applied when using an attacker mindset? Select three answers. Evaluate a target’s attack vectors Determine how a target can be accessed Identify a target

What are examples of security hardening? Select three answers. Hashing all user passwords Disabling unused network ports Keeping systems patched and updated

How can businesses reduce the number of attack vectors they must defend? Select three answers. By educating users so they can participate in preventing attacks By controlling access and authorization to assets By implementing security controls that protect information

Advanced persistent threat (APT): An instance when a threat actor maintains unauthorized access to a system for an extended period of time

Attack surface: All the potential vulnerabilities that a threat actor could exploit

Attack tree: A diagram that maps threats to assets

Attack vector: The pathways attackers use to penetrate security defenses

Bug bounty: Programs that encourage freelance hackers to find and report vulnerabilities

Common Vulnerabilities and Exposures (CVE®) list: An openly accessible dictionary of known vulnerabilities and exposures

Common Vulnerability Scoring System (CVSS): A measurement system that scores the severity of a vulnerability

CVE Numbering Authority (CNA): An organization that volunteers to analyze and distribute information on eligible CVEs

Defense in depth: A layered approach to vulnerability management that reduces risk

Exploit: A way of taking advantage of a vulnerability

Exposure: A mistake that can be exploited by a threat

Hacker: Any person who uses computers to gain access to computer systems, networks, or data

MITRE: A collection of non-profit research and development centers

Security hardening: The process of strengthening a system to reduce its vulnerability and attack surface

Threat actor: Any person or group who presents a security risk

Vulnerability: A weakness that can be exploited by a threat

Vulnerability assessment: The internal review process of a company’s security systems

Vulnerability management: The process of finding and patching vulnerabilities

Vulnerability scanner: Software that automatically compares existing common vulnerabilities and exposures against the technologies on the network

Zero-day: An exploit that was previously unknown

A security team is preparing new workstations that will be installed in an office. Which vulnerability management steps should they take to prepare these workstations? Select three answers. Configure the company firewall to allow network access. Download the latest patches and updates for each system. Consider who will be using each computer.

Question 6

A security team is conducting a periodic vulnerability assessment on their security procedures. Their objective is to review gaps in their current procedures that could lead to a data breach. After identifying and analyzing current procedures, the team conducts a risk assessment.

What is the purpose of performing a risk assessment? To score vulnerabilities based on their severity and impact

An online newspaper suffered a data breach. The attackers exploited a vulnerability in the login form of their website. The attackers were able to access the newspaper’s user database, which did not encrypt personally identifiable information (PII). What attack vectors did the malicious hackers use to steal user information? Select two answers. The newspaper’s website The online login form

What phase comes after identifying a target when practicing an attacker mindset? Determine how the target can be accessed

You are working as a security professional for a school district. An application developer with the school district created an app that connects students to educational resources. You’ve been assigned to evaluate the security of the app. Using an attacker mindset, which of the following steps would you take to evaluate the application? Select two answers. Evaluate how the app handles user data. Identify the types of users who will interact with the app.

An application has broken access controls that fail to restrict any user from creating new accounts. This allows anyone to add new accounts with full admin privileges. The application’s broken access controls are an example of what? A vulnerability

Why do organizations use the defense in depth model to protect information? Select two answers. Threats that penetrate one level can be contained in another. Layered defenses reduce risk by addressing multiple vulnerabilities.

An organization’s firewall is configured to allow traffic only from authorized IP addresses. Which layer of the defense in depth model is the firewall associated with? Network

What is the main purpose of the CVE® list? To share a standard way of identifying and categorizing known vulnerabilities and exposures

What is the purpose of vulnerability management? Select three answers. To review an organization’s internal security systems To identify exposures to internal and external threats To uncover vulnerabilities and reduce their exploitation

During a vulnerability assessment, a scanner identifies a vulnerable onsite server. After analyzing the server, you discover that its operating system is missing critical updates. What is the next step you should take in the vulnerability assessment process? Perform a risk assessment of the old operating system.

A project manager at a utility company receives a suspicious email that contains a file attachment. They open the attachment and it installs malicious software on their laptop. What are the attack vectors used in this situation? Select two answers. The file attachment The suspicious email

Which of the following are reasons that security teams practice an attacker mindset? Select three answers. To uncover vulnerabilities that should be monitored To identify attack vectors To find insights into the best security controls to use

The stages of a social engineering attack may be to establish trust, use persuasion tactics, and disconnect from the target. An attack may also include preparing information about the target. The use of persuasion tactics is when the attacker manipulates their target into volunteering information. use persuasion tactics, and disconnect from the target. An attack may also include preparing information about the target. To disconnect from the target, an attacker will stop communicating with their target after collecting the information they wanted. use persuasion tactics, and disconnect from the target. An attack may also include preparing information about the target. To establish trust, attackers use the information they gathered earlier to open a line of communication.

social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. It’s an umbrella term that can apply to a broad range of attacks. Each technique is designed to capitalize on the trusting nature of people and their willingness to help. In this reading, you will learn about specific social engineering tactics to watch out for. You’ll also learn ways that organizations counter these threats.

Signs of an attack

Oftentimes, people are unable to tell that an attack is happening until it’s too late. Social engineering is such a dangerous threat because it typically allows attackers to bypass technological defenses that are in their way. Although these threats are difficult to prevent, recognizing the signs of social engineering is a key to reducing the likelihood of a successful attack.

These are common types of social engineering to watch out for:

Baiting is a social engineering tactic that tempts people into compromising their security. A common example is USB baiting that relies on someone finding an infected USB drive and plugging it into their device.

    Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software. It is one of the most common forms of social engineering, typically performed via email.

        Quid pro quo is a type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money. For example, an attacker might impersonate a loan officer at a bank and call customers offering them a lower interest rate on their credit card. They'll tell the customers that they simply need to provide their account details to claim the deal.

            Tailgating is a social engineering tactic in which unauthorized people follow an authorized person into a restricted area. This technique is also sometimes referred to as piggybacking.

                Watering hole is a type of attack when a threat actor compromises a website frequently visited by a specific group of users. Oftentimes, these watering hole sites are infected with malicious software. An example is the Holy Water attack of 2020 that infected various religious, charity, and volunteer websites.

                Attackers might use any of these techniques to gain unauthorized access to an organization. Everyone is vulnerable to them, from entry-level employees to senior executives. However, you can reduce the risks of social engineering attacks at any business by teaching others what to expect.
                Encouraging caution

                Spreading awareness usually starts with comprehensive security training. When it comes to social engineering, there are three main areas to focus on when teaching others:

                    Stay alert of suspicious communications and unknown people, especially when it comes to email. For example, look out for spelling errors and double-check the sender's name and email address.

                        Be cautious about sharing information, especially over social media. Threat actors often search these platforms for any information they can use to their advantage.

                            Control curiosity when something seems too good to be true. This can include wanting to click on attachments or links in emails and advertisements.

                            Pro tip: Implementing technologies like firewalls, multi-factor authentication (MFA), block lists, email filtering, and others helps layers the defenses should someone make a mistake.

                            Ideally, security training extends beyond employees. Educating customers about social engineering threats is also a key to mitigating these threats. And security analysts play an important part in promoting safe practices. For example, a big part of an analyst's job is testing systems and documenting best practices for others at an organization to follow.

Smishing

This is a combination of “SMS” and “phishing.” It’s a phishing attack conducted through text messages, where attackers send malicious links or requests for sensitive information. Vishing

This is a combination of “voice” and “phishing.” It’s a phishing attack that occurs over the phone, where attackers use social engineering tactics to trick victims into revealing personal or financial information.

Email phishing is a type of attack sent via email in which threat actors send messages pretending to be a trusted person or entity.

    Smishing is a type of phishing that uses Short Message Service (SMS), a technology that powers text messaging. Smishing covers all forms of text messaging services, including Apple’s iMessages, WhatsApp, and other chat mediums on phones.

        Vishing refers to the use of voice calls or voice messages to trick targets into providing personal information over the phone.

            Spear phishing is a subset of email phishing in which specific people are purposefully targeted, such as the accountants of a small business.

                Whaling refers to a category of spear phishing attempts that are aimed at high-ranking executives in an organization.

_____ is the use of digital communications to trick people into revealing sensitive data or deploying malicious software. Phishing

Fill in the blank: The stages of a social engineering attack include to prepare, establish trust, use persuasion tactics, and ____. disconnect from the target

Phishing kits typically contain which of the following tools to help attackers avoid detection? Select three answers. Fake data-collection forms Fraudulent web links Malicious attachments

Virus

A virus is malicious code written to interfere with computer operations and cause damage to data and software. This type of malware must be installed by the target user before it can spread itself and cause damage. One of the many ways that viruses are spread is through phishing campaigns where malicious links are hidden within links or attachments. Worm

A worm is malware that can duplicate and spread itself across systems on its own. Similar to a virus, a worm must be installed by the target user and can also be spread with tactics like malicious email. Given a worm’s ability to spread on its own, attackers sometimes target devices, drives, or files that have shared access over a network.

A well known example is the Blaster worm, also known as Lovesan, Lovsan, or MSBlast. In the early 2000s, this worm spread itself on computers running Windows XP and Windows 2000 operating systems. It would force devices into a continuous loop of shutting down and restarting. Although it did not damage the infected devices, it was able to spread itself to hundreds of thousands of users around the world. Many variants of the Blaster worm have been deployed since the original and can infect modern computers.

Note: Worms were very popular attacks in the mid 2000s but are less frequently used in recent years. Trojan

A trojan, also called a Trojan horse, is malware that looks like a legitimate file or program. This characteristic relates to how trojans are spread. Similar to viruses, attackers deliver this type of malware hidden in file and application downloads. Attackers rely on tricking unsuspecting users into believing they’re downloading a harmless file, when they’re actually infecting their own device with malware that can be used to spy on them, grant access to other devices, and more. Adware

Advertising-supported software, or adware, is a type of legitimate software that is sometimes used to display digital advertisements in applications. Software developers often use adware as a way to lower their production costs or to make their products free to the public—also known as freeware or shareware. In these instances, developers monetize their product through ad revenue rather than at the expense of their users.

Malicious adware falls into a sub-category of malware known as a potentially unwanted application (PUA). A PUA is a type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software. Attackers sometimes hide this type of malware in freeware with insecure design to monetize ads for themselves instead of the developer. This works even when the user has declined to receive ads. Spyware

Spyware is malware that’s used to gather and sell information without consent. It’s also considered a PUA. Spyware is commonly hidden in bundleware, additional software that is sometimes packaged with other applications. PUAs like spyware have become a serious challenge in the open-source software development ecosystem. That’s because developers tend to overlook how their software could be misused or abused by others. Scareware

Another type of PUA is scareware. This type of malware employs tactics to frighten users into infecting their own device. Scareware tricks users by displaying fake warnings that appear to come from legitimate companies. Email and pop-ups are just a couple of ways scareware is spread. Both can be used to deliver phony warnings with false claims about the user’s files or data being at risk. Fileless malware

Fileless malware does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer. This type of infection resides in memory where the malware never touches the hard drive. This is unlike the other types of malware, which are stored within a file on disk. Instead, these stealthy infections get into the operating system or hide within trusted applications.

Pro tip: Fileless malware is detected by performing memory analysis, which requires experience with operating systems. Rootkits

A rootkit is malware that provides remote, administrative access to a computer. Most attackers use rootkits to open a backdoor to systems, allowing them to install other forms of malware or to conduct network security attacks.

This kind of malware is often spread by a combination of two components: a dropper and a loader. A dropper is a type of malware that comes packed with malicious code which is delivered and installed onto a target system. For example, a dropper is often disguised as a legitimate file, such as a document, an image, or an executable to deceive its target into opening, or dropping it, onto their device. If the user opens the dropper program, its malicious code is executed and it hides itself on the target system.

Multi-staged malware attacks, where multiple packets of malicious code are deployed, commonly use a variation called a loader. A loader is a type of malware that downloads strains of malicious code from an external source and installs them onto a target system. Attackers might use loaders for different purposes, such as to set up another type of malware—a botnet. Botnet

A botnet, short for “robot network,” is a collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder.” Viruses, worms, and trojans are often used to spread the initial infection and turn the devices into a bot for the bot-herder. The attacker then uses file sharing, email, or social media application protocols to create new bots and grow the botnet. When a target unknowingly opens the malicious file, the computer, or bot, reports the information back to the bot-herder, who can execute commands on the infected computer. Ransomware

Ransomware describes a malicious attack where threat actors encrypt an organization’s data and demand payment to restore access. According to the Cybersecurity and Infrastructure Security Agency (CISA), ransomware crimes are on the rise and becoming increasingly sophisticated. Ransomware infections can cause significant damage to an organization and its customers. An example is the WannaCry attack that encrypts a victim’s computer until a ransom payment of cryptocurrency is paid.

Which of the following are types of cross-site scripting (XSS) attacks? Select three answers. Types of XSS attacks are: reflected, stored, and DOM-based. A DOM-based XSS attack is an instance when a malicious script exists in the webpage a browser loads. A stored XSS attack is an instance when a malicious script is injected directly on the server. A reflected XSS attack is an instance when a malicious script is sent to a server and activated during the server’s response.

Cross site scripting, or XSS, is an injection attack that inserts code into a vulnerable website or web application. These attacks are often delivered by exploiting the two languages used by most websites, HTML and JavaScript. Both can give cybercriminals access to everything that loads on the infected web page. This can include session cookies, geolocation, and even webcams and microphones. There are three main types of cross-site scripting attacks reflected, stored, and DOM-based. A reflected XSS attack is an instance where a malicious script is sent to the server and activated during the server’s response. A common example of this is the search bar of a website. In a reflected XSS attack, criminals send their target a web link that appears to go to a trusted site. When they click the link, it sends a HTTP request to the vulnerable site server. The attacker script is then returned or reflected back to the innocent user’s browser. Here, the browser loads the malicious script because it trusts the server’s response. With the script loaded, information like session cookies are sent back to the attacker. In a stored XSS attack, the malicious script isn’t hidden in a link that needs to be sent to the server. Instead a stored XSS attack is an instance when malicious script is injected directly on the server.

Here, attackers target elements of a site that are served to the user. This could be things like images and buttons that load when the site is visited. Infected elements activate the malicious code when a user simply visits the site. Stored XSS attacks can be damaging because the user has no way of knowing the site is infected beforehand. Finally there’s DOM-based XSS. DOM stands for Document Object Model, which is basically the source code of a website. A DOM-based XSS attack is an instance when malicious script exists in the web page a browser loads. Unlike reflected XSS, these attacks don’t need to be sent to the server to activate. In a DOM-based attack, a malicious script can be seen in the URL. In this example, the website’s URL contains parameter values. The parameter values reflect input from the user. Here, the site allows users to select color themes. When the user makes a selection, it appears as part of the URL. In a DOM-based attack, criminals change the parameter that’s expecting an input. For example, they could hide malicious JavaScript in the HTML tags. The browser would process the HTML and execute the JavaScript. Hackers use these methods of cross-site scripting to steal sensitive information.

SQL injection categories

There are three main categories of SQL injection:

In-band

    Out-of-band

        Inferential

        In the following sections, you'll learn that each type describes how a SQL injection is initiated and how it returns the results of the attack.
        In-band SQL injection

        In-band, or classic, SQL injection is the most common type. An in-band injection is one that uses the same communication channel to launch the attack and gather the results.

        For example, this might occur in the search box of a retailer's website that lets customers find products to buy. If the search box is vulnerable to injection, an attacker could enter a malicious query that would be executed in the database, causing it to return sensitive information like user passwords. The data that's returned is displayed back in the search box where the attack was initiated.
        Out-of-band SQL injection

        An out-of-band injection is one that uses a different communication channel  to launch the attack and gather the results.

        For example, an attacker could use a malicious query to create a connection between a vulnerable website and a database they control. This separate channel would allow them to bypass any security controls that are in place on the website's server, allowing them to steal sensitive data

        Note: Out-of-band injection attacks are very uncommon because they'll only work when certain features are enabled on the target server.
        Inferential SQL injection

        Inferential SQL injection occurs when an attacker is unable to directly see the results of their attack. Instead, they can interpret the results by analyzing the behavior of the system.

        For example, an attacker might perform a SQL injection attack on the login form of a website that causes the system to respond with an error message. Although sensitive data is not returned, the attacker can figure out the database's structure based on the error. They can then use this information to craft attacks that will give them access to sensitive data or to take control of the system.
        Injection Prevention

        SQL queries are often programmed with the assumption that users will only input relevant information. For example, a login form that expects users to input their email address assumes the input will be formatted a certain way, such as jdoe@domain.com. Unfortunately, this isn’t always the case.

        A key to preventing SQL injection attacks is to escape user inputs—preventing someone from inserting any code that a program isn't expecting.

        There are several ways to escape user inputs:

            Prepared statements: a coding technique that executes SQL statements before passing them on to a database

                Input sanitization: programming that removes user input which could be interpreted as code.

                    Input validation: programming that ensures user input meets a system's expectations.

Cross-site scripting (XSS) attacks are often delivered by exploiting which of the following languages? Select two answers. JavaScript HTML

Fill in the blank: A _____ is a coding technique that executes SQL statements before passing them onto the database. prepared statement

What are two examples of when SQL injections can take place? When using the login form to access a site When a malicious script is injected directly on the server

In a SQL injection attack, malicious hackers attempt to obtain which of the following? Select two answers. Administrative rights Sensitive information

A SQL injection is an attack that executes unexpected queries on a database. The injections take place in areas of the website that are designed to accept user input.

There are six steps of the threat modeling process: define the scope, identify threats, characterize the environment, analyze threats, mitigate risks, and evaluate findings.

PASTA is a popular threat modeling framework that’s used across many industries. Threat modeling is the process of identifying assets, their vulnerabilities, and how each is exposed to threats.

The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling process developed by two OWASP leaders and supported by a cybersecurity firm called VerSprite. Its main focus is to discover evidence of viable threats and represent this information as a model. PASTA’s evidence-based design can be applied when threat modeling an application or the environment that supports that application. Its seven stage process consists of various activities that incorporate relevant security artifacts of the environment, like vulnerability assessment reports.

Stage 1: Define business and security objectives checkmark

The team determines the retailer wants their app to protect customer data. Stage 2: Define the technical scope checkmark

The team identifies the application components that must be evaluated. Stage 3: Decompose the application checkmark

The team identifies existing controls that will protect user data from attackers. Stage 4: Perform a threat analysis checkmark

The team gathers up-to-date intelligence on types of mobile-app attacks. Stage 5: Perform a vulnerability analysis checkmark

The team more deeply investigates potential vulnerabilities related to the app. Stage 6: Conduct attack modeling checkmark

The team creates an attack tree and maps vulnerabilities to attack vectors. Stage 7: Analyze risk and impact checkmark

The team analyzes all collected data and makes risk management recommendations.

Let’s review each stage of this PASTA threat modeling exercise: Stage I: Define business and security objectives

Summary: These objectives are defined early by asking broad questions about the purpose of the application. For example, how does the app make the business money? Understanding the answer to these questions helps guide the detailed work that will follow.

Recommendations: A shopping application like this will need to process payments. Based on this description, we know certain technologies are required to keep information private and secure and that everything will need to be compliant with PCI-DSS. Stage II: Define the technical scope

Summary: The objective here is to understand the attack surface by identifying the technologies being used by the application and understanding their dependencies.

Recommendations: APIs facilitate the exchange of data between customers, partners, and employees, so they should be prioritized. They handle a lot of sensitive data while they connect various users and systems together. However, details such as which APIs are being used should be considered before prioritizing one technology over another. So, they can be more prone to security vulnerabilities because there’s a larger attack surface. Stage III: Decompose the application

Summary: Stage three builds upon the previous stage by investigating how the application’s components communicate together. The objective here is to review how the application works and how security controls are currently implemented.

Recommendations: The sample data flow diagram shows how a typical search request passes through multiple layers. One thing you might review here would be to ensure the MySQL database is using prepared statements when queries are input. Stage IV: Threat analysis

Summary: The main objective of stage four is to consider the types of threats that might affect your application. This relates to the technologies you’ve already scoped. Another thing to consider is the types of data your application will be processing.

Recommendations: Injection attacks are common for SQL databases. Session hijacking is possible because the app communicates cookies between multiple layers. It’s important to consider your technological attack surface and any relevant threats to your product to effectively implement your information security responsibilities. Stage V: Vulnerability analysis

Summary: Stage five is about associating asset vulnerabilities with potential threats. The objective here is to identify what is wrong with the design of the app or its codebase based on your security testing.

Recommendations: A lack of prepared statements can make our SQL database vulnerable to injection attacks. And session hijacking is possible if cookies are mishandled between input and output sources. Stage VI: Attack modeling

Summary: In this stage, the objective is to link the threats and vulnerabilities identified in the previous steps using attack trees. The purpose of using attack trees here is to show that the potential threats that you’ve identified are actually viable. Resources like MITRE ATT&CK and the CVE® list are useful references to find evidence that validates the information that you’ve modeled in your attack tree.

Recommendations: This sample attack tree models how user data is vulnerable to the attacks that were identified earlier. Like the sample data flow diagram, an actual attack tree for a mobile application would be much more complex than this. Stage VII: Risk analysis and impact

Summary: The objective of the final stage of PASTA is to identify ways to mitigate the risks that were identified from stages IV - VI and plan for any remaining risks that can’t be remediated.

Recommendations: SHA-256, incident response procedures, password policy, and principle of least privilege are a few examples of technical, operational, and managerial controls that can be implemented before launch to reduce risk.

A threat modeling team has identified potential threats and vulnerabilities that might be exploited. The team creates a diagram that maps the threats to assets. What type of diagram is this known as? An attack tree

Which of the following are steps of a threat modeling process? Select three answers. Characterize the environment. Mitigate risks. Identify threats. Identify threats, characterize the environment, and mitigate risks are some steps of a typical threat modeling process. Classifying assets is a step of asset management and not threat modeling.

Angler phishing: A technique where attackers impersonate customer service representatives on social media

Advanced persistent threat (APT): Instances when a threat actor maintains unauthorized access to a system for an extended period of time

Adware: A type of legitimate software that is sometimes used to display digital advertisements in applications

Attack tree: A diagram that maps threats to assets

Baiting: A social engineering tactic that tempts people into compromising their security

Botnet: A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder"

Cross-site scripting (XSS): An injection attack that inserts code into a vulnerable website or web application

Cryptojacking: A form of malware that installs software to illegally mine cryptocurrencies

DOM-based XSS attack: An instance when malicious script exists in the webpage a browser loads

Dropper: A type of malware that comes packed with malicious code which is delivered and installed onto a target system

Fileless malware: Malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer

Hacker: Any person or group who uses computers to gain unauthorized access to data

Identity and access management (IAM): A collection of processes and technologies that helps organizations manage digital identities in their environment

Injection attack: Malicious code inserted into a vulnerable application

Input validation: Programming that validates inputs from users and other programs

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

Loader: A type of malware that downloads strains of malicious code from an external source and installs them onto a target system

Malware: Software designed to harm devices or networks

Process of Attack Simulation and Threat Analysis (PASTA): A popular threat modeling framework that’s used across many industries

Phishing: The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Phishing kit: A collection of software tools needed to launch a phishing campaign

Prepared statement: A coding technique that executes SQL statements before passing them onto the database

Potentially unwanted application (PUA): A type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software

Quid pro quo: A type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money

Ransomware: Type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access

Reflected XSS attack: An instance when malicious script is sent to a server and activated during the server’s response

Rootkit: Malware that provides remote, administrative access to a computer

Scareware: Malware that employs tactics to frighten users into infecting their device

Smishing: The use of text messages to trick users to obtain sensitive information or to impersonate a known source

Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables

Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Spyware: Malware that’s used to gather and sell information without consent

SQL (Structured Query Language): A programming language used to create, interact with, and request information from a database

SQL injection: An attack that executes unexpected queries on a database

Stored XSS attack: An instance when malicious script is injected directly on the server

Tailgating: A social engineering tactic in which unauthorized people follow an authorized person into a restricted area

Threat: Any circumstance or event that can negatively impact assets

Threat actor: Any person or group who presents a security risk

Threat modeling: The process of identifying assets, their vulnerabilities, and how each is exposed to threats

Trojan horse: Malware that looks like a legitimate file or program

Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Watering hole attack: A type of attack when a threat actor compromises a website frequently visited by a specific group of users

Whaling: A category of spear phishing attempts that are aimed at high-ranking executives in an organization

Web-based exploits: Malicious code or behavior that’s used to take advantage of coding flaws in a web applicationAngler phishing: A technique where attackers impersonate customer service representatives on social media

Advanced persistent threat (APT): Instances when a threat actor maintains unauthorized access to a system for an extended period of time

Adware: A type of legitimate software that is sometimes used to display digital advertisements in applications

Attack tree: A diagram that maps threats to assets

Baiting: A social engineering tactic that tempts people into compromising their security

Botnet: A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder"

Cross-site scripting (XSS): An injection attack that inserts code into a vulnerable website or web application

Cryptojacking: A form of malware that installs software to illegally mine cryptocurrencies

DOM-based XSS attack: An instance when malicious script exists in the webpage a browser loads

Dropper: A type of malware that comes packed with malicious code which is delivered and installed onto a target system

Fileless malware: Malware that does not need to be installed by the user because it uses legitimate programs that are already installed to infect a computer

Hacker: Any person or group who uses computers to gain unauthorized access to data

Identity and access management (IAM): A collection of processes and technologies that helps organizations manage digital identities in their environment

Injection attack: Malicious code inserted into a vulnerable application

Input validation: Programming that validates inputs from users and other programs

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

Loader: A type of malware that downloads strains of malicious code from an external source and installs them onto a target system

Malware: Software designed to harm devices or networks

Process of Attack Simulation and Threat Analysis (PASTA): A popular threat modeling framework that’s used across many industries

Phishing: The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Phishing kit: A collection of software tools needed to launch a phishing campaign

Prepared statement: A coding technique that executes SQL statements before passing them onto the database

Potentially unwanted application (PUA): A type of unwanted software that is bundled in with legitimate programs which might display ads, cause device slowdown, or install other software

Quid pro quo: A type of baiting used to trick someone into believing that they’ll be rewarded in return for sharing access, information, or money

Ransomware: Type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access

Reflected XSS attack: An instance when malicious script is sent to a server and activated during the server’s response

Rootkit: Malware that provides remote, administrative access to a computer

Scareware: Malware that employs tactics to frighten users into infecting their device

Smishing: The use of text messages to trick users to obtain sensitive information or to impersonate a known source

Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables

Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Spyware: Malware that’s used to gather and sell information without consent

SQL (Structured Query Language): A programming language used to create, interact with, and request information from a database

SQL injection: An attack that executes unexpected queries on a database

Stored XSS attack: An instance when malicious script is injected directly on the server

Tailgating: A social engineering tactic in which unauthorized people follow an authorized person into a restricted area

Threat: Any circumstance or event that can negatively impact assets

Threat actor: Any person or group who presents a security risk

Threat modeling: The process of identifying assets, their vulnerabilities, and how each is exposed to threats

Trojan horse: Malware that looks like a legitimate file or program

Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Watering hole attack: A type of attack when a threat actor compromises a website frequently visited by a specific group of users

Whaling: A category of spear phishing attempts that are aimed at high-ranking executives in an organization

Web-based exploits: Malicious code or behavior that’s used to take advantage of coding flaws in a web application

Which of the following could be examples of social engineering attacks? Select three answers. An unfamiliar employee asking you to hold the door open to a restricted area An email urgently asking you to send money to help a friend who is stuck in a foreign country A pop-up advertisement promising a large cash reward in return for sensitive information

What are the characteristics of a ransomware attack? Select three answers. Attackers encrypt data on the device without the user’s permission. Attackers demand payment to restore access to a device. Attackers make themselves known to their targets.

An attacker sends a malicious link to subscribers of a sports news site. If someone clicks the link, a malicious script is sent to the site’s server and activated during the server’s response. This is an example of what type of injection attack? Reflected

Which of the following are coding techniques that can be used to prevent SQL injection attacks? Select three answers. Prepared statements Input sanitization Input validation

A security team is conducting a threat model on a new software system. The team is creating their plan for defending against threats. Their choices are to avoid risk, transfer it, reduce it, or accept it. Which key step of a threat model does this scenario represent? Mitigate risks

During which stage of the PASTA framework is an attack tree created? Attack modeling

Preparation: the planning and training process The organization takes action to ensure it has the correct tools and resources in place:

Set up uniform company email conventions
    Create a collaborative, ethical environment where employees feel comfortable asking questions
        Provide cybersecurity training on a quarterly basis

Detection and analysis: the detect and assess process Security professionals create processes to detect and assess incidents:

Identify signs of an incident
    Filter external emails to flag messages containing attachments such as voicemails
        Have an incident response plan to reference

Containment, eradication, and recovery: the minimize and mitigate process Security professionals and stakeholders collaborate to minimize the impact of the incident and mitigate any operational disruption.

Communicate with sender to confirm the origin of the voice message
    Provide employees with an easy way to report and contain suspicious messages

Post-incident activity: the learning process New protocols, procedures, playbooks, etc. are implemented to help reduce any similar incidents in the future.

Update the playbook to highlight additional red flags employees should be aware of
    Review processes and workflows related to permissions and adjust oversight of those permissions

The “5 W’s” of incident investigation typically refer to: What happened? Where the incident took place When the incident took place Who triggered the incident (or who was affected/involved) Why it happened?

So far, you’ve been introduced to the National Institute of Standards and Technology (NIST) Incident Response Lifecycle, which is a framework for incident response consisting of four phases:

Preparation

    Detection and Analysis

        Containment, Eradication, and Recovery

            Post-incident activity

Command, control, and communication

A computer security incident response team (CSIRT) is a specialized group of security professionals that are trained in incident management and response. During incident response, teams can encounter a variety of different challenges. For incident response to be effective and efficient, there must be clear command, control, and communication of the situation to achieve the desired goal.

Command refers to having the appropriate leadership and direction to oversee the response.

    Control refers to the ability to manage technical aspects during incident response, like coordinating resources and assigning tasks.

        Communication refers to the ability to keep stakeholders informed.

        Establishing a CSIRT organizational structure with clear and distinctive roles aids in achieving an effective and efficient response.
        Roles in CSIRTs 

        CSIRTs are organization dependent, so they can vary in their structure and operation. Structurally, they can exist as a separate, dedicated team or as a task force that meets when necessary. CSIRTs involve both nonsecurity and security professionals. Nonsecurity professionals are often consulted to offer their expertise on the incident. These professionals can be from external departments, such as human resources, public relations, management, IT, legal, and others. Security professionals involved in a CSIRT typically include three key security related roles: 

            Security analyst

                Technical lead

                    Incident coordinator

                    Security analyst

                    The job of the security analyst is to continuously monitor an environment for any security threats. This includes: 

                        Analyzing and triaging alerts

                            Performing root-cause investigations

                                Escalating or resolving alerts 

                                If a critical threat is identified, then analysts escalate it to the appropriate team lead, such as the technical lead.
                                Technical lead

                                The job of the technical lead is to manage all of the technical aspects of the incident response process, such as applying software patches or updates. They do this by first determining the root cause of the incident. Then, they create and implement the strategies for containing, eradicating, and recovering from the incident. Technical leads often collaborate with other teams to ensure their incident response priorities align with business priorities, such as reducing disruptions for customers or returning to normal operations. 
                                Incident coordinator

                                Responding to an incident also requires cross-collaboration with nonsecurity professionals. CSIRTs will often consult with and leverage the expertise of members from external departments. The job of the incident coordinator is to coordinate with the relevant departments during a security incident. By doing so, the lines of communication are open and clear, and all personnel are made aware of the incident status. Incident coordinators can also be found in other teams, like the SOC. 
                                Other roles

                                Depending on the organization, many other roles can be found in a CSIRT, including a dedicated communications lead, a legal lead, a planning lead, and more. 

                                Note: Teams, roles, responsibilities, and organizational structures can differ for each company. For example, some different job titles for incident coordinator include incident commander and incident manager.

Tier 1 SOC analyst

The first tier is composed of the least experienced SOC analysts who are known as level 1s (L1s). They are responsible for:

Monitoring, reviewing, and prioritizing alerts based on criticality or severity

    Creating and closing alerts using ticketing systems

        Escalating alert tickets to Tier 2 or Tier 3

        Tier 2 SOC analyst

        The second tier comprises the more experienced SOC analysts, or level 2s (L2s). They are responsible for: 

            Receiving escalated tickets from L1 and conducting deeper investigations

                Configuring and refining security tools

                    Reporting to the SOC Lead

                    Tier 3 SOC lead

                    The third tier of a SOC is composed of the SOC leads, or level 3s (L3s). These highly experienced professionals are responsible for:

                        Managing the operations of their team

                            Exploring methods of detection by performing advanced detection techniques, such as malware and forensics analysis

                                Reporting to the SOC manager

                                SOC manager 

                                The SOC manager is at the top of the pyramid and is responsible for: 

                                    Hiring, training, and evaluating the SOC team members

                                        Creating performance metrics and managing the performance of the SOC team

                                            Developing reports related to incidents, compliance, and auditing

                                                Communicating findings to stakeholders such as executive management   

                                                Other roles

                                                SOCs can also contain other specialized roles such as: 

                                                    Forensic investigators: Forensic investigators are commonly L2s and L3s who collect, preserve, and analyze digital evidence related to security incidents to determine what happened.

                                                        Threat hunters: Threat hunters are typically L3s who work to detect, analyze, and defend against new and advanced cybersecurity threats using threat intelligence.

                                                        Note: Just like CSIRTs, the organizational structure of a SOC can differ depending on the organization. 

An IDS is an application that can monitor system and network activity, and provide alerts on possible intrusions. An IDS also collects and analyzes system information for abnormal or unusual activity.

An intrusion detection system (IDS) is an application that monitors system activity and alerts on possible intrusions. An IDS provides continuous monitoring of network events to help protect against security threats or attacks. The goal of an IDS is to detect potential malicious activity and generate an alert once such activity is detected. An IDS does not stop or prevent the activity. Instead, security professionals will investigate the alert and act to stop it, if necessary.

For example, an IDS can send out an alert when it identifies a suspicious user login, such as an unknown IP address logging into an application or a device at an unusual time. But, an IDS will not stop or prevent any further actions, like blocking the suspicious user login.

Examples of IDS tools include Zeek, Suricata, Snort®, and Sagan. Detection categories

As a security analyst, you will investigate alerts that an IDS generates. There are four types of detection categories you should be familiar with:

A true positive is an alert that correctly detects the presence of an attack.

    A true negative is a state where there is no detection of malicious activity. This is when no malicious activity exists and no alert is triggered. 

        A false positive is an alert that incorrectly detects the presence of a threat. This is when an IDS identifies an activity as malicious, but it isn't. False positives are an inconvenience for security teams because they spend time and resources investigating an illegitimate alert. 

            A false negative is a state where the presence of a threat is not detected. This is when malicious activity happens but an IDS fails to detect it. False negatives are dangerous because security teams are left unaware of legitimate attacks that they can be vulnerable to. 

            Overview of IPS tools

            An intrusion prevention system (IPS) is an application that monitors system activity for intrusive activity and takes action to stop the activity. An IPS works similarly to an IDS. But, IPS monitors system activity to detect and alert on intrusions, and it also takes action to prevent the activity and minimize its effects. For example, an IPS can send an alert and modify an access control list on a router to block specific traffic on a server.

            Note: Many IDS tools can also operate as an IPS. Tools like Suricata, Snort, and Sagan have both IDS and IPS capabilities.
            Overview of EDR tools  

            Endpoint detection and response (EDR) is an application that monitors an endpoint for malicious activity. EDR tools are installed on endpoints. Remember that an endpoint is any device connected on a network. Examples include end-user devices, like computers, phones, tablets, and more.

            EDR tools monitor, record, and analyze endpoint system activity to identify, alert, and respond to suspicious activity. Unlike IDS or IPS tools, EDRs collect endpoint activity data and perform behavioral analysis to identify threat patterns happening on an endpoint. Behavioral analysis uses the power of machine learning and artificial intelligence to analyze system behavior to identify malicious or unusual activity. EDR tools also use automation to stop attacks without the manual intervention of security professionals. For example, if an EDR detects an unusual process starting up on a user’s workstation that normally is not used, it can automatically block the process from running.

            Tools like Open EDR®, Bitdefender™ Endpoint Detection and Response, and FortiEDR™ are examples of EDR tools.

            Note: Security information and event management (SIEM) tools also have detection capabilities, which you'll explore later.

The three steps of the SIEM process are: collect and aggregate data, normalize data, and analyze data.

a security information and event management (SIEM) tool is an application that collects and analyzes log data to monitor critical activities in an organization. You might recall that SIEM tools help security analysts perform log analysis which is the process of examining logs to identify events of interest. SIEM advantages

SIEM tools collect and manage security-relevant data that can be used during investigations. This is important because SIEM tools provide awareness about the activity that occurs between devices on a network. The information SIEM tools provide can help security teams quickly investigate and respond to security incidents. SIEM tools have many advantages that can help security teams effectively respond to and manage incidents. Some of the advantages are:

Access to event data: SIEM tools provide access to the event and activity data that happens on a network, including real-time activity. Networks can be connected to hundreds of different systems and devices. SIEM tools have the ability to ingest all of this data so that it can be accessed.

    Monitoring, detecting, and alerting: SIEM tools continuously monitor systems and networks in real-time. They then analyze the collected data using detection rules to detect malicious activity. If an activity matches the rule, an alert is generated and sent out for security teams to assess.

        Log storage: SIEM tools can act as a system for data retention, which can provide access to historical data. Data can be kept or deleted after a period depending on an organization's requirements. 

        The SIEM process

        The SIEM process consists of three critical steps:

            Collect and aggregate data

                Normalize data 

                    Analyze data

                    By understanding these steps, organizations can utilize the power of SIEM tools to gather, organize, and analyze security event data from different sources. Organizations can later use this information to improve their ability to identify and mitigate potential threats.
                    Collect and aggregate data

                    SIEM tools require data for them to be effectively used. During the first step, the SIEM collects event data from various sources like firewalls, servers, routers, and more. This data, also known as logs, contains event details like timestamps, IP addresses, and more. Logs are a record of events that occur within an organization’s systems. After all of this log data is collected, it gets aggregated in one location. Aggregation refers to the process of consolidating log data into a centralized place. Through collection and aggregation, SIEM tools eliminate the need for manually reviewing and analyzing event data by accessing individual data sources. Instead, all event data is accessible in one location—the SIEM. 

Normalize data

SIEM tools collect data from many different sources. This data must be transformed into a single format so that it can be easily processed by the SIEM. However, each data source is different and data can be formatted in many different ways. For example, a firewall log can be formatted differently than a server log. A SIEM solution ingests raw data and normalizes it into structured data.

Analyze data

After log data has been collected, aggregated, and normalized, the SIEM must do something useful with all of the data to enable security teams to investigate threats. During this final step in the process, SIEM tools analyze the data. Analysis can be done with some type of detection logic such as a set of rules and conditions. SIEM tools then apply these rules to the data, and if any of the log activity matches a rule, alerts are sent out to cybersecurity teams.

Note: A part of the analysis process includes correlation. Correlation involves the comparison of multiple log events to identify common patterns that indicate potential security threats. SIEM tools

There are many SIEM tools. The following are some SIEM tools commonly used in the cybersecurity industry:

AlienVault® OSSIM™

    Chronicle

        Elastic

            Exabeam

                IBM QRadar® Security Intelligence Platform

                    LogRhythm

                        Splunk

                        Key takeaways

                        SIEM tools collect and organize enormous amounts of data to create meaningful insights for security teams. By understanding how SIEM tools work, what the process includes, and how organizations leverage them, you can contribute to efforts in detecting and responding to security incidents effectively. With this knowledge, you can assist in analyzing log data, identifying threats, and aiding incident response activities to help improve security posture and protect valuable assets from threats.

Security orchestration, automation, and response (SOAR) is a collection of applications, tools, and workflows that uses automation to _____ security events.

respond to

Which step in the SIEM process transforms raw data to create consistent log records? Normalize data

What is the process of gathering data from different sources and putting it in one centralized place? Aggregation

Which of the following statements describe security incidents and events? All security incidents are events, but not all events are security incidents.

What process is used to provide a blueprint for effective incident response? The NIST Incident Response Lifecycle

Which core functions of the NIST Cybersecurity Framework relate to the NIST Incident Response Lifecycle? Select two answers. Respond Detect

Fill in the blank: A specialized group of security professionals who are trained in incident management and response is a _____. computer security incident response team

Monitor your network

Once you’ve determined a baseline, you can monitor a network to identify any deviations from that baseline. Monitoring involves examining network components to detect unusual activities, such as large and unusual data transfers. Here are examples of network components that can be monitored to detect malicious activity: Flow analysis

Flow refers to the movement of network communications and includes information related to packets, protocols, and ports. Packets can travel to ports, which receive and transmit communications. Ports are often, but not always, associated with network protocols. For example, port 443 is commonly used by HTTPS which is a protocol that provides website traffic encryption.

However, malicious actors can use protocols and ports that are not commonly associated to maintain communications between the compromised system and their own machine. These communications are what’s known as command and control (C2), which are the techniques used by malicious actors to maintain communications with compromised systems.

For example, malicious actors can use HTTPS protocol over port 8088 as opposed to its commonly associated port 443 to communicate with compromised systems. Organizations must know which ports should be open and approved for connections, and watch out for any mismatches between ports and their associated protocols. Packet payload information

Network packets contain components related to the transmission of the packet. This includes details like source and destination IP address, and the packet payload information, which is the actual data that’s transmitted. Often, this data is encrypted and requires decryption for it to be readable. Organizations can monitor the payload information of packets to uncover unusual activity, such as sensitive data transmitting outside of the network, which could indicate a possible data exfiltration attack. Temporal patterns

Network packets contain information relating to time. This information is useful in understanding time patterns. For example, a company operating in North America experiences bulk traffic flows between 9 a.m. to 5 p.m., which is the baseline of normal network activity. If large volumes of traffic are suddenly outside of the normal hours of network activity, then this is considered off baseline and should be investigated.

Through network monitoring, organizations can promptly detect network intrusions and work to prevent them from happening by securing network components.

Infiltration (Initial access): Unauthorized entry into a network or system. Exfiltration (Data theft after access is gained): Unauthorized extraction of data from a network.

How do indicators of compromise (IoCs) help security analysts detect network traffic abnormalities? They confirm that a security incident happened.

IoCs help security analysts detect network traffic abnormalities by providing a way to identify an attack. IoCs provide analysts with specific evidence associated with an attack, such as a known malicious IP address, which can help quickly identify and respond to a potential security incident.

Fill in the blank: Data _____ is the term for unauthorized transmission of data from a system. exfiltration

An attacker has infiltrated a network. Next, they spend time exploring it in order to expand and maintain their access. They look for valuable assets such as proprietary code and financial records. What does this scenario describe? Lateral movement

What can security professionals use network traffic analysis for? Select three answers. To monitor network activity To identify malicious activity To understand network traffic patterns

packet captures

The role of security analysts involves monitoring and analyzing network traffic flows. One way to do this is by generating packet captures and then analyzing the captured traffic to identify unusual activity on a network.

Previously, you explored the fundamentals of networks. Throughout this section, you’ll refer to your foundation in networking to better understand network traffic flows. In this reading, you’ll learn about the three main aspects of network analysis: packets, network protocol analyzers, and packet captures. Packets

Previously in the program, you learned that a data packet is a basic unit of information that travels from one device to another within a network. Detecting network intrusions begins at the packet level. That’s because packets form the basis of information exchange over a network. Each time you perform an activity on the internet—like visiting a website—packets are sent and received between your computer and the website’s server. These packets are what help transmit information through a network. For example, when uploading an image to a website, the data gets broken up into multiple packets, which then get routed to the intended destination and reassembled upon delivery.

In cybersecurity, packets provide valuable information that helps add context to events during investigations. Understanding the transfer of information through packets will not only help you develop insight on network activity, it will also help you identify abnormalities and better defend networks from attacks.

Packets contain three components: the header, the payload, and the footer. Here’s a description of each of these components. Header

Packets begin with the most essential component: the header. Packets can have several headers depending on the protocols used such as an Ethernet header, an IP header, a TCP header, and more. Headers provide information that’s used to route packets to their destination. This includes information about the source and destination IP addresses, packet length, protocol, packet identification numbers, and more.

Here is an IPv4 header with the information it provides:

+—————————————————————-+ | Version | IHL | ToS | Total Length | +—————————————————————-+ | Identification | Flags | Fragment Offset | +—————————————————————-+ | TTL | Protocol | Header Checksum | +—————————————————————-+ | Source Address | +—————————————————————-+ | Destination Address | +—————————————————————-+ | Options | +—————————————————————-+

IPv4

IPv4 is the most commonly used version of IP. There are thirteen fields in the header:

Version: This field indicates the IP version. For an IPv4 header, IPv4 is used. 

    Internet Header Length (IHL): This field specifies the length of the IPv4 header including any Options.

        Type of Service (ToS): This field provides information about packet priority for delivery.

            Total Length: This field specifies the total length of the entire IP packet including the header and the data.

                Identification: Packets that are too large to send are fragmented into smaller pieces. This field specifies a unique identifier for fragments of an original IP packet so that they can be reassembled once they reach their destination.

                    Flags: This field provides information about packet fragmentation including whether the original packet has been fragmented and if there are more fragments in transit.

                        Fragment Offset: This field is used to identify the correct sequence of fragments.

                            Time to Live (TTL): This field limits how long a packet can be circulated in a network, preventing packets from being forwarded by routers indefinitely.

                                Protocol: This field specifies the protocol used for the data portion of the packet.

                                    Header Checksum: This field specifies a checksum value which is used for error-checking the header.

                                        Source Address: This field specifies the source address of the sender.

                                            Destination Address: This field specifies the destination address of the receiver.

                                                Options: This field is optional and can be used to apply security options to a packet.

                                                An IPv4 header with its 13 fields.

+———————————————————-+ | Version| Traffic Class | Flow Label | +———————————————————-+ | Payload Length | Next Header | Hop Limit | +———————————————————-+ | | | Source Address | | | +———————————————————-+ | | | Destination Address | | | +———————————————————-+

IPv6

IPv6 adoption has been increasing because of its large address space. There are eight fields in the header:

Version: This field indicates the IP version. For an IPv6 header, IPv6 is used.

    Traffic Class: This field is similar to the IPv4 Type of Service field. The Traffic Class field provides information about the packet's priority or class to help with packet delivery.

        Flow Label: This field identifies the packets of a flow. A flow is the sequence of packets sent from a specific source. 

            Payload Length: This field specifies the length of the data portion of the packet.

                Next Header: This field indicates the type of header that follows the IPv6 header such as TCP.

                    Hop Limit: This field is similar to the IPv4 Time to Live field. The Hop Limit limits how long a packet can travel in a network before being discarded.

                        Source Address: This field specifies the source address of the sender.

                            Destination Address: This field specifies the destination address of the receiver.

Payload

The payload component directly follows the header and contains the actual data being delivered. Think back to the example of uploading an image to a website; the payload of this packet would be the image itself. Footer

The footer, also known as the trailer, is located at the end of a packet. The Ethernet protocol uses footers to provide error-checking information to determine if data has been corrupted. In addition, Ethernet network packets that are analyzed might not display footer information due to network configurations.

Note: Most protocols, such as the Internet Protocol (IP), do not use footers. Network protocol analyzers

Network protocol analyzers (packet sniffers) are tools designed to capture and analyze data traffic within a network. Examples of network protocol analyzers include tcpdump, Wireshark, and TShark.

Beyond their use in security as an investigative tool used to monitor networks and identify suspicious activity, network protocol analyzers can be used to collect network statistics, such as bandwidth or speed, and troubleshoot network performance issues, like slowdowns.

Network protocol analyzers can also be used for malicious purposes. For example, malicious actors can use network protocol analyzers to capture packets containing sensitive data, such as account login information.

Here’s a network diagram illustrating how packets get transmitted from a sender to the receiver. A network protocol analyzer is placed in the middle of the communications to capture the data packets that travel over the wire.

How network protocol analyzers work

Network protocol analyzers use both software and hardware capabilities to capture network traffic and display it for security analysts to examine and analyze. Here’s how:

First, packets must be collected from the network via the Network Interface Card (NIC), which is hardware that connects computers to a network, like a router. NICs receive and transmit network traffic, but by default they only listen to network traffic that’s addressed to them. To capture all network traffic that is sent over the network, a NIC must be switched to a mode that has access to all visible network data packets. In wireless interfaces this is often referred to as monitoring mode, and in other systems it may be called promiscuous mode. This mode enables the NIC to have access to all visible network data packets, but it won’t help analysts access all packets across a network. A network protocol analyzer must be positioned in an appropriate network segment to access all traffic between different hosts. 

    The network protocol analyzer collects the network traffic in raw binary format. Binary format consists of 0s and 1s and is not as easy for humans to interpret. The network protocol analyzer takes the binary and converts it so that it’s displayed in a human-readable format, so analysts can easily read and understand the information.  

A packet contains a header, payload, and footer. The header includes information like the type of protocol and port being used. The payload is the actual data being delivered. The footer signifies the end of the packet.

Capturing packets

Packet sniffing is the practice of capturing and inspecting data packets across a network. A packet capture (p-cap) is a file containing data packets intercepted from an interface or network. Packet captures can be viewed and further analyzed using network protocol analyzers. For example, you can filter packet captures to only display information that’s most relevant to your investigation, such as packets sent from a specific IP address.

Note: Using network protocol analyzers to intercept and examine private network communications without permission is considered illegal in many places.

P-cap files can come in many formats depending on the packet capture library that’s used. Each format has different uses and network tools may use or support specific packet capture file formats by default. You should be familiar with the following libraries and formats:

Libpcap is a packet capture library designed to be used by Unix-like systems, like Linux and MacOS®. Tools like tcpdump use Libpcap as the default packet capture file format. 

    WinPcap is an open-source packet capture library designed for devices running Windows operating systems. It’s considered an older file format and isn’t predominantly used.

        Npcap is a library designed by the port scanning tool Nmap that is commonly used in Windows operating systems.

            PCAPng is a modern file format that can simultaneously capture packets and store data. Its ability to do both explains the “ng,” which stands for “next generation.”

            Pro tip: Analyzing your home network can be a good way to practice using these tools.
            Key takeaways

            Network protocol analyzers are helpful investigative tools that provide you with insight into the activity happening on a network. As an analyst, you'll use network protocol analyzer tools to view and analyze packet capture files to better understand network communications and defend against intrusions.

The Internet Layer accepts and delivers packets for the network.

The SIEM process for data collection involves the following steps: collect and process, normalize, and index. Collect and process is the step that involves the handling of an enormous amount of data generated by devices and systems from all over an environment. Indexing is the step that sorts data so it can be easily searched and accessed.Normalizing is the step that makes raw data easy to read and analyze. It processes the raw data so that it is formatted consistently, and only relevant event information is included.

Wireshark

Wireshark is an open-source network protocol analyzer. It uses a graphical user interface (GUI), which makes it easier to visualize network communications for packet analysis purposes. Wireshark has many features to explore that are beyond the scope of this course. You’ll focus on how to use basic filtering to isolate network packets so that you can find what you need. Wireshark’s interface. Display filters

Wireshark’s display filters let you apply filters to packet capture files. This is helpful when you are inspecting packet captures with large volumes of information. Display filters will help you find specific information that’s most relevant to your investigation. You can filter packets based on information such as protocols, IP addresses, ports, and virtually any other property found in a packet. Here, you’ll focus on display filtering syntax and filtering for protocols, IP addresses, and ports. Comparison operators

You can use different comparison operators to locate specific header fields and values. Comparison operators can be expressed using either abbreviations or symbols. For example, this filter using the == equal symbol in this filter ip.src == 8.8.8.8 is identical to using the eq abbreviation in this filter ip.src eq 8.8.8.8.

This table summarizes the different types of comparison operators you can use for display filtering.

Pro tip: You can combine comparison operators with Boolean logical operators like and and or to create complex display filters. Parentheses can also be used to group expressions and to prioritize search terms. Contains operator

The contains operator is used to filter packets that contain an exact match of a string of text. Here is an example of a filter that displays all HTTP streams that match the keyword “moved”.

Matches operator

The matches operator is used to filter packets based on the regular expression (regex) that’s specified. Regular expression is a sequence of characters that forms a pattern. You’ll explore more about regular expressions later in this program. Filter toolbar

You can apply filters to a packet capture using Wireshark’s filter toolbar. In this example, dns is the applied filter, which means Wireshark will only display packets containing the DNS protocol. A Wireshark filter toolbar with a dns filter applied.

Pro tip: Wireshark uses different colors to represent protocols. You can customize colors and create your own filters. Filter for protocols

Protocol filtering is one of the simplest ways you can use display filters. You can simply enter the name of the protocol to filter. For example, to filter for DNS packets simply type dns in the filter toolbar. Here is a list of some protocols you can filter for:

dns

    http

        ftp

            ssh

                arp

                    telnet

                        icmp

                        Filter for an IP address

                        You can use display filters to locate packets with a specific IP address. 

                        For example, if you would like to filter packets that contain a specific IP address use ip.addr, followed by a space, the equal == comparison operator, and the IP address. Here is an example of a display filter that filters for the IP address 172.21.224.2:

                        ip.addr == 172.21.224.2

                        To filter for packets originating from a specific source IP address, you can use the ip.src filter. Here is an example that looks for the 10.10.10.10 source IP address:

                        ip.src == 10.10.10.10

Filter for a MAC address

You can also filter packets according to the Media Access Control (MAC) address. As a refresher, a MAC address is a unique alphanumeric identifier that is assigned to each physical device on a network.

Here’s an example:

eth.addr == 00:70:f4:23:18:c4 Filter for ports

Port filtering is used to filter packets based on port numbers. This is helpful when you want to isolate specific types of traffic. DNS traffic uses TCP or UDP port 53 so this will list traffic related to DNS queries and responses only.

For example, if you would like to filter for a UDP port:

udp.port == 53

Likewise, you can filter for TCP ports as well:

tcp.port == 25 Follow streams

Wireshark provides a feature that lets you filter for packets specific to a protocol and view streams. A stream or conversation is the exchange of data between devices using a protocol. Wireshark reassembles the data that was transferred in the stream in a way that’s simple to read.

A _____ is a file that contains data packets that have been intercepted from an interface or a network. packet capture

Overview of tcpdump

As a security analyst, you’ll use network protocol analyzers to help defend against any network intrusions. Previously, you learned the following terms related to network monitoring and analysis:

A network protocol analyzer (packet sniffer) is a tool designed to capture and analyze data traffic within a network.

    Packet sniffing is the practice of capturing and inspecting data packets across a network. 

    In this reading, you'll learn more about tcpdump, a network protocol analyzer that can be used to capture and view network communications. 
    What is tcpdump?

    Tcpdump is a command-line network protocol analyzer. Recall that a command-line interface (CLI) is a text-based user interface that uses commands to interact with the computer. 

    Tcpdump is used to capture network traffic. This traffic can be saved to a packet capture (p-cap), which is a file containing data packets intercepted from an interface or network. The p-cap file can be  accessed, analyzed, or shared at a later time. Analysts use tcpdump for a variety of reasons, from troubleshooting network issues to identifying malicious activity. Tcpdump comes pre-installed in many Linux distributions and can also be installed on other Unix-based operating systems such as macOS®. 

    Note: It's common for network traffic to be encrypted, which means data is encoded and unreadable. Inspecting the network packets might require decrypting the data using the appropriate private keys. 
    Capturing packets with tcpdump

    Previously in this program, you learned that a Linux root user (or superuser) has elevated privileges to modify the system. You also learned that the sudo command temporarily grants elevated permissions to specific users in Linux. Like many other packet sniffing tools, you’ll need to have administrator-level privileges to capture network traffic using tcpdump. This means you will need to either be logged in as the root user or have the ability to use the sudo command. Here is a breakdown of the tcpdump syntax for capturing packets:

    sudo tcpdump [-i interface] [option(s)] [expression(s)]

        The sudo tcpdump command begins running tcpdump using elevated permissions as sudo. 

            The -i parameter specifies the network interface to capture network traffic. You must specify a network interface to capture from to begin capturing packets. For example, if you specify -i any you’ll sniff traffic from all network interfaces on the system. 

                The option(s) are optional and provide you with the ability to alter the execution of the command. The expression(s) are a way to further filter network traffic packets so that you can isolate network traffic. You’ll learn more about option(s) and expression(s) in the next section.

                Note: Before you can begin capturing network traffic, you must identify which network interface you'll want to use to capture packets from. You can use the -D flag to list the network interfaces available on a system.
                Options

                With tcpdump, you can apply options, also known as flags, to the end of commands to filter network traffic. Short options are abbreviated and represented by a hyphen and a single character like -i. Long options are spelled out using a double hyphen like --interface. Tcpdump has over fifty options that you can explore using the manual page

                . Here, you’ll examine a couple of essential tcpdump options including how to write and read packet capture files. 

                Note: Options are case sensitive. For example, a lowercase -w is a separate option with a different use than the option with an uppercase -W.

                Note: tcpdump options that are written using short options can be written with or without a space between the option and its value. For example, sudo tcpdump -i any -c 3 and sudo tcpdump -iany -c3 are equivalent commands.
                -w

                Using the -w flag, you can write or save the sniffed network packets to a packet capture file instead of just printing it out in the terminal. This is very useful because you can refer to this saved file for later analysis. In this command, tcpdump is capturing network traffic from all network interfaces and saving it to a packet capture file named packetcapture.pcap:
                sudo tcpdump -i any -w packetcapture.pcap
                -r

                Using the -r flag, you can read a packet capture file by specifying the file name as a parameter. Here is an example of a tcpdump command that reads a file called packetcapture.pcap:
                sudo tcpdump -r packetcapture.pcap
                -v

                As you’ve learned, packets contain a lot of information. By default, tcpdump will not print out all of a packet's information. This option, which stands for verbose, lets you control how much packet information you want tcpdump to print out.

                There are three levels of verbosity you can use depending on how much packet information you want tcpdump to print out. The levels are -v, -vv, and -vvv. The level of verbosity increases with each added v. The verbose option can be helpful if you’re looking for packet information like the details of a packet’s IP header fields. Here’s an example of a tcpdump command that reads the packetcapture.pcap file with verbosity:
                sudo tcpdump -r packetcapture.pcap -v
                -c

                The -c option stands for count. This option lets you control how many packets tcpdump will capture. For example, specifying -c 1 will only print out one single packet, whereas -c 10 prints out 10 packets. This example is telling tcpdump to only capture the first three packets it sniffs from any network interface:
                sudo tcpdump -i any -c 3
                -n  

                By default, tcpdump will perform name resolution. This means that tcpdump automatically converts IP addresses to names. It will also resolve ports to commonly associated services that use these ports. This can be problematic because tcpdump isn’t always accurate in name resolution. For example, tcpdump can capture traffic from port 80 and automatically translates port 80 to HTTP in the output. However, this is misleading because port 80 isn’t always going to be using HTTP; it could be using a different protocol.

                Additionally, name resolution uses what’s known as a reverse DNS lookup. A reverse DNS lookup is a query that looks for the domain name associated with an IP address. If you perform a reverse DNS lookup on an attacker’s system, they might be alerted that you are investigating them through their DNS records.

                Using the -n flag disables this automatic mapping of numbers to names and is considered to be best practice when sniffing or analyzing traffic. Using -n will not resolve hostnames, whereas -nn will not resolve both hostnames or ports. Here’s an example of a tcpdump command that reads the packetcapture.pcap file with verbosity and disables name resolution:
                sudo tcpdump -r packetcapture.pcap -v -n

                Pro tip: You can combine options together. For example, -v and -n can be combined as -vn. But, if an option accepts a parameter right after it like -c 1 or -r capture.pcap then you can’t combine other options to it.
                Expressions

                Using filter expressions in tcpdump commands is also optional, but knowing how and when to use filter expressions can be helpful during packet analysis. There are many ways to use filter expressions. 

                If you want to specifically search for network traffic by protocol, you can use filter expressions to isolate network packets. For example, you can filter to find only IPv6 traffic using the filter expression ip6.

                You can also use boolean operators like and, or, or not to further filter network traffic for specific IP addresses, ports, and more. The example below reads the packetcapture.pcap file and combines two expressions ip and port 80 using the and boolean operator:

                sudo tcpdump -r packetcapture.pcap -n 'ip and port 80'

                Pro tip: You can use single or double quotes to ensure that tcpdump executes all of the expressions. You can also use parentheses to group and prioritize different expressions. Grouping expressions is helpful for complex or lengthy commands. For example, the command ip and (port 80 or port 443) tells tcpdump to prioritize executing the filters enclosed in the parentheses before filtering for IPv4.
                Interpreting output

                Once you run a command to capture packets, tcpdump will print the output of the command as the sniffed packets. In the output, tcpdump prints one line of text for each packet with each line beginning with a timestamp. Here’s an example of a command and output for a single TCP packet: 

                sudo tcpdump -i any -v -c 1

                This command tells tcpdump to capture packets on -i any network interface. The option -v prints out the packet with detailed information and the option -c 1 prints out only one packet. Here is the output of this command: 
                Output of a tcpdump command with labels for the timestamp, source IP, source port, destination IP, and destination port.

                    Timestamp: The output begins with the timestamp, which starts with hours, minutes, seconds, and fractions of a second. 

                        Source IP: The packet’s origin is provided by its source IP address.

                            Source port: This port number is where the packet originated.

                                Destination IP: The destination IP address is where the packet is being transmitted to.

                                    Destination port: This port number is where the packet is being transmitted to.

                                    The remaining output contains details of the TCP connection including flags and sequence number. The options information is additional packet information that the  -v option has provided.

Inspect the network traffic of a network interface with tcpdump

In this task, you must use tcpdump to filter live network packet traffic on an interface.

 Filter live network packet data from the eth0 interface with tcpdump:

sudo tcpdump -i eth0 -v -c5

This command will run tcpdump with the following options:

-i eth0: Capture data specifically from the eth0 interface.

    -v: Display detailed packet data.

        -c5: Capture 5 packets of data.

Exploring network packet details

In this example, you’ll identify some of the properties that tcpdump outputs for the packet capture data you’ve just seen.

In the example data at the start of the packet output, tcpdump reported that it was listening on the eth0 interface, and it provided information on the link type and the capture size in bytes:

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

Capture network traffic with tcpdump

In this task, you will use tcpdump to save the captured network data to a packet capture file.

In the previous command, you used tcpdump to stream all network traffic. Here, you will use a filter and other tcpdump configuration options to save a small sample that contains only web (TCP port 80) network packet data.

Capture packet data into a file called capture.pcap:

sudo tcpdump -i eth0 -nn -c9 port 80 -w capture.pcap &

This command will run tcpdump in the background with the following options:

-i eth0: Capture data from the eth0 interface.

    -nn: Do not attempt to resolve IP addresses or ports to names.This is best practice from a security perspective, as the lookup data may not be valid. It also prevents malicious actors from being alerted to an investigation.

        -c9: Capture 9 packets of data and then exit.

            port 80: Filter only port 80 traffic. This is the default HTTP port.

                -w capture.pcap: Save the captured data to the named file.

                    &: This is an instruction to the Bash shell to run the command in the background.

Filter the captured packet data

In this task, use tcpdump to filter data from the packet capture file you saved previously.

Use the tcpdump command to filter the packet header data from the capture.pcap capture file:

sudo tcpdump -nn -r capture.pcap -v

This command will run tcpdump with the following options:

-nn: Disable port and protocol name lookup.

    -r: Read capture data from the named file.

        -v: Display detailed packet data.

        You must specify the -nn switch again here, as you want to make sure tcpdump does not perform name lookups of either IP addresses or ports, since this can alert threat actors.

Use the tcpdump command to filter the extended packet data from the capture.pcap capture file: 1This command will run tcpdump with the following options:

-nn: Disable port and protocol name lookup.

    -r: Read capture data from the named file.

        -X: Display the hexadecimal and ASCII output format packet data. Security analysts can analyze hexadecimal and ASCII output to detect patterns or anomalies during malware analysis or forensic analysis.

        Note: Hexadecimal, also known as hex or base 16, uses 16 symbols to represent values, including the digits 0-9 and letters A, B, C, D, E, and F. American Standard Code for Information Interchange (ASCII) is a character encoding standard that uses a set of characters to represent text in digital form.
        Test your understanding

        To test your ability to capture and view network data, answer the multiple-choice questions.

        Answer: Use the sudo tcpdump -c3 -i any -v.

        What does the -i option indicate?

        The -i option indicates the network interface to monitor.

        What type of information does the -v option include?

        Answer: The -v option provides verbose information.

        What tcpdump command can you use to identify the interfaces that are available to perform a packet capture on?

        Use the sudo tcpdump -D command.

Which of the following behaviors may suggest an ongoing data exfiltration attack? Select two answers. Unexpected modifications to files containing sensitive data Outbound network traffic to an unauthorized file hosting service

Network protocol analyzers can save network communications into files known as a _____. packet capture

Which IPv4 header fields involve fragmentation? Select three answers. Fragment Offset Flags Identification

Cybersecurity incident detection methods

Security analysts use detection tools to help them discover threats, but there are additional methods of detection that can be used as well.

Previously, you learned about how detection tools can identify attacks like data exfiltration. In this reading, you’ll be introduced to different detection methods that organizations can employ to discover threats. Methods of detection

During the Detection and Analysis Phase of the incident response lifecycle, security teams are notified of a possible incident and work to investigate and verify the incident by collecting and analyzing data. As a reminder, detection refers to the prompt discovery of security events and analysis involves the investigation and validation of alerts.

As you’ve learned, an intrusion detection system (IDS) can detect possible intrusions and send out alerts to security analysts to investigate the suspicious activity. Security analysts can also use security information and event management (SIEM) tools to detect, collect, and analyze security data.

You’ve also learned that there are challenges with detection. Even the best security teams can fail to detect real threats for a variety of reasons. For example, detection tools can only detect what security teams configure them to monitor. If they aren’t properly configured, they can fail to detect suspicious activity, leaving systems vulnerable to attack. It’s important for security teams to use additional methods of detection to increase their coverage and accuracy. Threat hunting

Threats evolve and attackers advance their tactics and techniques. Automated, technology-driven detection can be limited in keeping up to date with the evolving threat landscape. Human-driven detection like threat hunting combines the power of technology with a human element to discover hidden threats left undetected by detection tools.

Threat hunting is the proactive search for threats on a network. Security professionals use threat hunting to uncover malicious activity that was not identified by detection tools and as a way to do further analysis on detections. Threat hunting is also used to detect threats before they cause damage. For example, fileless malware is difficult for detection tools to identify. It’s a form of malware that uses sophisticated evasion techniques such as hiding in memory instead of using files or applications, allowing it to bypass traditional methods of detection like signature analysis. With threat hunting, the combination of active human analysis and technology is used to identify threats like fileless malware.

Note: Threat hunting specialists are known as threat hunters. Threat hunters perform research on emerging threats and attacks and then determine the probability of an organization being vulnerable to a particular attack. Threat hunters use a combination of threat intelligence, indicators of compromise, indicators of attack, and machine learning to search for threats in an organization. Threat intelligence

Organizations can improve their detection capabilities by staying updated on the evolving threat landscape and understanding the relationship between their environment and malicious actors. One way to understand threats is by using threat intelligence, which is evidence-based threat information that provides context about existing or emerging threats.

Threat intelligence can come from private or public sources like:

Industry reports: These often include details about attacker's tactics, techniques, and procedures (TTP).

    Government advisories: Similar to industry reports, government advisories include details about attackers' TTP. 

        Threat data feeds: Threat data feeds provide a stream of threat-related data that can be used to help protect against sophisticated attackers like advanced persistent threats (APTs). APTs are instances when a threat actor maintains unauthorized access to a system for an extended period of time. The data is usually a list of indicators like IP addresses, domains, and file hashes.

        It can be difficult for organizations to efficiently manage large volumes of threat intelligence. Organizations can leverage a threat intelligence platform (TIP) which is an application that collects, centralizes, and analyzes threat intelligence from different sources. TIPs provide a centralized platform for organizations to identify and prioritize relevant threats and improve their security posture. 

        Note: Threat intelligence data feeds are best used to add context to detections. They should not drive detections completely and should be assessed before applied to an organization.
        Cyber deception

        Cyber deception involves techniques that deliberately deceive malicious actors with the goal of increasing detection and improving defensive strategies.

        Honeypots are an example of an active cyber defense mechanism that uses deception technology. Honeypots are systems or resources that are created as decoys vulnerable to attacks with the purpose of attracting potential intruders. For example, having a fake file labeled Client Credit Card Information - 2022 can be used to capture the activity of malicious actors by tricking them into accessing the file because it appears to be legitimate. Once a malicious actor tries to access this file, security teams are alerted.

Ongoing Monitoring of CI/CD Ongoing Monitoring of CI/CD: Automatically Finding Threats

In our last reading about cybersecurity incident detection methods, you explored ways to discover threats. You learned about tools like intrusion detection systems (IDS) and security information and event management (SIEM). This reading focuses on ongoing monitoring specifically for your Continuous Integration and Continuous Delivery/Deployment (CI/CD) pipelines. Monitoring your CI/CD pipeline helps protect your software supply chain.and there are special tools that can automatically find unusual activity and help you pinpoint Indicators of Compromise (IoCs). Automation for Finding Threats

CI/CD pipelines help you release software faster, but they can also open up new vulnerabilities for attackers. If someone breaks into your pipeline, they could add code, steal private information, or stop your software from working. So, ongoing monitoring that automatically finds unusual pipeline activity is critical. Effective CI/CD monitoring uses automation to do more than just collect logs. It uses monitoring tools to automatically find unusual things happening in build processes, code, or deployment steps that may indicate potential security threats. When these threats are found, security teams can respond quickly and limit the damage. This automated threat detection is a main goal of strong CI/CD security. Common Indicators of Compromise (IoCs) in CI/CD Pipelines

Understanding common CI/CD IoCs helps you monitor effectively and quickly find security incidents. Here are some examples:

Unauthorized Code Changes:

        Code changes from people who shouldn't be making changes.

                Code changes made at unusual times or from unexpected locations.

                        Code changes that look suspicious, like confusing code, very large deletions without a good reason, or code that doesn't follow coding rules.

                            Suspicious Deployment Patterns:

                                    Deployments to unusual or unapproved systems (for example, production deployments started directly from developer branches).

                                            Deployments happening at unexpected times or too often (deployments outside of planned release times).

                                                    Deployments started by unusual user accounts or automated accounts that shouldn't be releasing to production.

                                                        Compromised Dependencies:

                                                                Finding known vulnerabilities (CVEs) in dependencies during automated checks in the CI/CD pipeline.

                                                                        Suddenly adding new, unexpected dependencies to build settings.

                                                                                Attempts to download dependencies from unofficial or untrusted sources.

                                                                                    Unusual Pipeline Execution:

                                                                                            Pipeline steps that normally work fine suddenly failing.

                                                                                                    Pipelines takeing much longer to run for no clear reason.

                                                                                                            Changes in the order or way pipeline steps run without approved changes being made.

                                                                                                                Secrets Exposure Attempts:

                                                                                                                        Logs showing attempts to get to secrets from unapproved places in the pipeline.

                                                                                                                                Finding private secrets hardcoded in code changes (ideally prevented earlier, but monitoring can catch mistakes).

                                                                                                                                Proactive Security Through Monitoring for IoCs

                                                                                                                                Ongoing monitoring of CI/CD pipelines, focusing on automated anomaly detection and finding IoCs, makes your security stronger and more proactive. By using monitoring tools to continuously check pipeline activity for these indicators before serious damage occurs, you can:

                                                                                                                                    Respond to Incidents Quickly: Finding IoCs early helps security teams respond rapidly to potential attacks, stopping problems before attackers reach their goals.

                                                                                                                                        Limit the Damage: Responding quickly based on IoC detection reduces the possible impact of a security issue by limiting how long attackers are in the pipeline.

                                                                                                                                            Improve Threat Knowledge: Checking IoCs gives valuable information about how attackers are targeting your CI/CD, which helps improve security and threat hunting in the future.

                                                                                                                                            Using Automation to Find Anomalies and IoCs

                                                                                                                                            To monitor CI/CD pipelines and automatically find threats, you can use these methods:
                                                                                                                                            Comprehensive Logging and Auditing 

                                                                                                                                            Detailed logs are the bases of monitoring. Logs provide the raw data that monitoring tools check for unusual activity and potential Indicators of Compromise (IoCs). The most common logs for finding anomalies include:

                                                                                                                                                Pipeline Execution Logs: To effectively leverage pipeline execution logs for security monitoring, specialized tools employ automated baselining techniques. These tools analyze logs from successful, typical CI/CD pipeline runs to establish a profile of normal operation. This baseline encompasses key performance indicators such as the standard duration of each pipeline stage and expected success and failure rates. By continuously monitoring execution logs and comparing them against this established baseline, the tools can automatically detect anomalous activities. Deviations from the norm, including pipeline steps exceeding typical execution times, unexpected error occurrences, or alterations in the usual step order, are flagged as potential Indicators of Compromise (IoCs), warranting further security scrutiny.

                                                                                                                                                    Code Commit Logs: Keep track of code changes for each pipeline run. Unusual code changes, such as changes from people who shouldn't be making changes, changes made late at night, or changes with suspicious content (like very large deletions or confusing code), are important IoCs to monitor.

                                                                                                                                                        Access Logs: Monitoring tools can learn who usually accesses CI/CD. Unusual logins, like logins from different countries, failed login attempts followed by a successful login, or login attempts to change important pipeline settings, are strong indicators of compromise.

                                                                                                                                                            Deployment Logs: Tools can learn how often deployments usually happen and what those deployments look like. Unusual deployments, such as deployments at odd times or deployments to unexpected places, can be IoCs.

                                                                                                                                                            Security Information and Event Management (SIEM) Integration

                                                                                                                                                            Connecting your CI/CD logs to a SIEM tool can help  automatically find anomalies at a large scale. SIEM platforms are made to:

                                                                                                                                                                Automatically Find Anomalies: SIEMs use machine learning and analytics to automatically find unusual patterns in CI/CD logs, which are  possible IoCs to investigate.

                                                                                                                                                                    Use Rules to Alert for Known IoCs: You can set up specific rules in the SIEM to find known CI/CD IoCs. For example, rules can send alerts when:

                                                                                                                                                                            Detection of specific malicious file hashes (related to known CI/CD attacks) are found in build results.

                                                                                                                                                                                    CI/CD servers connect to known malicious command and control (C2) servers (using threat intelligence data).

                                                                                                                                                                                            Someone tries to download or access private secrets outside of approved pipeline steps.

                                                                                                                                                                                            Real-time Alerting and Notifications 

                                                                                                                                                                                            Automated alerts make sure security teams are notified right away about unusual activity and possible IoCs, so they can respond quickly. Alerts should be set up for:

                                                                                                                                                                                                Unusual Build Failures: Pipeline steps failing repeatedly, especially after code changes that shouldn't cause failures.

                                                                                                                                                                                                    Suspicious Code Changes (Based on Anomalies): Alerts sent by code analysis tools that find highly unusual code changes based on size, author, or confusing content.

                                                                                                                                                                                                        Attempts to Expose Secrets: Alerts sent by security tools when someone tries to access or steal secrets from unapproved parts of the pipeline.

                                                                                                                                                                                                            Unusual Network Traffic: Alerts for unusual network traffic from CI/CD servers, especially traffic going out to unknown or suspicious locations.

                                                                                                                                                                                                            Performance Monitoring to Find IoAs and Discover IoCs 

                                                                                                                                                                                                            Performance monitoring, while mainly used to make sure things are running smoothly, can also indirectly help find IoCs. Performance issues (Indicators of Attack - IoAs) like sudden slowdowns or CI/CD servers running out of resources can lead to deeper checks that may uncover IoCs.
                                                                                                                                                                                                            Continuous Vulnerability Scanning

                                                                                                                                                                                                            Regularly checking the CI/CD infrastructure for weaknesses can proactively find vulnerable parts. This includes Common Vulnerabilities and Exposures (CVEs) in CI/CD tools, plugins, and containers. These weaknesses are potential IoCs. They highlight areas that need to be patched right away to prevent attacks and possible pipeline compromise.


                                                                                                                                    Indicators of compromise

                                                                                                                                    In this reading, you’ll be introduced to the concept of the Pyramid of Pain and you'll explore examples of the different types of indicators of compromise. Understanding and applying this concept helps organizations improve their defense and reduces the damage an incident can cause.
                                                                                                                                    Indicators of compromise

                                                                                                                                    Indicators of compromise (IoCs) are observable evidence that suggests signs of a potential security incident. IoCs chart specific pieces of evidence that are associated with an attack, like a file name associated with a type of malware. You can think of an IoC as evidence that points to something that's already happened, like noticing that a valuable has been stolen from inside of a car. 

                                                                                                                                    Indicators of attack (IoA) are the series of observed events that indicate a real-time incident.  IoAs focus on identifying the behavioral evidence of an attacker, including their methods and intentions.

                                                                                                                                    Essentially, IoCs help to identify the who and what of an attack after it's taken place, while IoAs focus on finding the why and how of an ongoing or unknown attack. For example, observing a process that makes a network connection is an example of an IoA. The filename of the process and the IP address that the process contacted are examples of the related IoCs.

                                                                                                                                    Note: Indicators of compromise are not always a confirmation that a security incident has happened. IoCs may be the result of human error, system malfunctions, and other reasons not related to security. 
                                                                                                                                    Pyramid of Pain

                                                                                                                                    Not all indicators of compromise are equal in the value they provide to security teams. It’s important for security professionals to understand the different types of indicators of compromise so that they can quickly and effectively detect and respond to them. This is why security researcher David J. Bianco created the concept of the Pyramid of Pain

                                                                                                                                    , with the goal of improving how indicators of compromise are used in incident detection.
                                                                                                                                    A triangle divided into six tiers outlines six indicators of compromise each with a corresponding level of difficulty.

                                                                                                                                    The Pyramid of Pain captures the relationship between indicators of compromise and the level of difficulty that malicious actors experience when indicators of compromise are blocked by security teams. It lists the different types of indicators of compromise that security professionals use to identify malicious activity. 

                                                                                                                                    Each type of indicator of compromise is separated into levels of difficulty. These levels represent the “pain” levels that an attacker faces when security teams block the activity associated with the indicator of compromise. For example, blocking an IP address associated with a malicious actor is labeled as easy because malicious actors can easily use different IP addresses to work around this and continue with their malicious efforts. If security teams are able to block the IoCs located at the top of the pyramid, the more difficult it becomes for attackers to continue their attacks. Here’s a breakdown of the different types of indicators of compromise found in the Pyramid of Pain. 

                                                                                                                                        Hash values: Hashes that correspond to known malicious files. These are often used to provide unique references to specific samples of malware or to files involved in an intrusion.

                                                                                                                                            IP addresses: An internet protocol address like 192.168.1.1

                                                                                                                                                Domain names: A web address such as www.google.com 

                                                                                                                                                    Network artifacts: Observable evidence created by malicious actors on a network. For example, information found in network protocols such as User-Agent strings. 

                                                                                                                                                        Host artifacts: Observable evidence created by malicious actors on a host. A host is any device that’s connected on a network. For example, the name of a file created by malware.

                                                                                                                                                            Tools: Software that’s used by a malicious actor to achieve their goal. For example, attackers can use password cracking tools like John the Ripper to perform password attacks to gain access into an account.

                                                                                                                                                                Tactics, techniques, and procedures (TTPs): This is the behavior of a malicious actor. Tactics refer to the high-level overview of the behavior. Techniques provide detailed descriptions of the behavior relating to the tactic. Procedures are highly detailed descriptions of the technique. TTPs are the hardest to detect. 




                                                                                                                                    Analyze indicators of compromise with investigative tools

                                                                                                                                    So far, you've learned about the different types of detection methods that can be used to detect security incidents. This reading explores how investigative tools can be used during investigations to analyze suspicious indicators of compromise (IoCs) and build context around alerts. Remember, an IoC is observable evidence that suggests signs of a potential security incident.
                                                                                                                                    Adding context to investigations

                                                                                                                                    You've learned about the Pyramid of Pain which describes the relationship between indicators of compromise and the level of difficulty that malicious actors experience when indicators of compromise are blocked by security teams. You also learned about different types of IoCs, but as you know, not all IoCs are equal. Malicious actors can manage to evade detection and continue compromising systems despite having their IoC-related activity blocked or limited. 

                                                                                                                                    For example, identifying and blocking a single IP address associated with malicious activity does not provide a broader insight on an attack, nor does it stop a malicious actor from continuing their activity. Focusing on a single piece of evidence is like fixating on a single section of a painting: You miss out on the bigger picture.
                                                                                                                                    A woman observes a single section of a large painting.

                                                                                                                                    Security analysts need a way to expand the use of IoCs so that they can add context to alerts. Threat intelligence is evidence-based threat information that provides context about existing or emerging threats. By accessing additional information related to IoCs, security analysts can expand their viewpoint to observe the bigger picture and construct a narrative that helps inform their response actions. 
                                                                                                                                    A woman views a large painting of an elephant in its entirety.

                                                                                                                                    By adding context to an IoC—for instance, identifying other artifacts related to the suspicious IP address, such as suspicious network communications or unusual processes—security teams can start to develop a detailed picture of a security incident. This context can help security teams detect security incidents faster and take a more informed approach in their response.
                                                                                                                                    The power of crowdsourcing

                                                                                                                                    Crowdsourcing is the practice of gathering information using public input and collaboration. Threat intelligence platforms use crowdsourcing to collect information from the global cybersecurity community. Traditionally, an organization's response to incidents was performed in isolation. A security team would receive and analyze an alert, and then work to remediate it without additional insights on how to approach it. Without crowdsourcing, attackers can perform the same attacks against multiple organizations. 
                                                                                                                                    An attacker successfully attacks five different organizations.

                                                                                                                                    With crowdsourcing, organizations harness the knowledge of millions of other cybersecurity professionals, including cybersecurity product vendors, government agencies, cloud providers, and more. Crowdsourcing allows people and organizations from the global cybersecurity community to openly share and access a collection of threat intelligence data, which helps to continuously improve detection technologies and methodologies. 

                                                                                                                                    Examples of information-sharing organizations include Information Sharing and Analysis Centers (ISACs), which focus on collecting and sharing sector-specific threat intelligence to companies within specific industries like energy, healthcare, and others. Open-source intelligence (OSINT) is the collection and analysis of information from publicly available sources to generate usable intelligence. OSINT can also be used as a method to gather information related to threat actors, threats, vulnerabilities, and more.

                                                                                                                                    This threat intelligence data is used to improve the detection methods and techniques of security products, like detection tools or anti-virus software. For example, attackers often perform the same attacks on multiple targets with the hope that one of them will be successful. Once an organization detects an attack, they can immediately publish the attack details, such as malicious files, IP addresses, or URLs, to tools like VirusTotal. This threat intelligence can then help other organizations defend against the same attack.
                                                                                                                                    An attacker is prevented from attacking organizations due to crowdsourced threat intelligence.
                                                                                                                                    VirusTotal 

                                                                                                                                    VirusTotal

                                                                                                                                     is a service that allows anyone to analyze suspicious files, domains, URLs, and IP addresses for malicious content. VirusTotal also offers additional services and tools for enterprise use. This reading focuses on the VirusTotal website, which is available for free and non-commercial use.

                                                                                                                                     It can be used to analyze suspicious files, IP addresses, domains, and URLs to detect cybersecurity threats such as malware. Users can submit and check artifacts, like file hashes or IP addresses, to get VirusTotal reports, which provide additional information on whether an IoC is considered malicious or not, how that IoC is connected or related to other IoCs in the dataset, and more.


                                                                                                                                    

                                                                                                                                    Jotti malware scan

                                                                                                                                    Jotti's malware scan

                                                                                                                                     is a free service that lets you scan suspicious files with several antivirus programs. There are some limitations to the number of files that you can submit. 
                                                                                                                                     Urlscan.io

                                                                                                                                     Urlscan.io

                                                                                                                                      is a free service that scans and analyzes URLs and provides a detailed report summarizing the URL information.
                                                                                                                                      MalwareBazaar

                                                                                                                                      MalwareBazaar
                                                                                                                                       is a free repository for malware samples. Malware samples are a great source of threat intelligence that can be used for research purposes. 

_____ involves the investigation and validation of alerts. Analysis

What are some causes of high alert volumes? Select two answers. Broad detection rules Misconfigured alert settings

Best practices for log collection and management

In this reading, you’ll examine some best practices related to log management, storage, and protection. Understanding the best practices related to log collection and management will help improve log searches and better support your efforts in identifying and resolving security incidents. Logs

Data sources such as devices generate data in the form of events. A log is a record of events that occur within an organization’s systems. Logs contain log entries and each entry details information corresponding to a single event that happened on a device or system. Originally, logs served the sole purpose of troubleshooting common technology issues. For example, error logs provide information about why an unexpected error occurred and help to identify the root cause of the error so that it can be fixed. Today, virtually all computing devices produce some form of logs that provide valuable insights beyond troubleshooting.

Security teams access logs from logging receivers like SIEM tools which consolidate logs to provide a central repository for log data. Security professionals use logs to perform log analysis, which is the process of examining logs to identify events of interest. Logs help uncover the details surrounding the 5 W’s of incident investigation: who triggered the incident, what happened, when the incident took place, where the incident took place, and why the incident occurred. Types of logs

Depending on the data source, different log types can be produced. Here’s a list of some common log types that organizations should record:

Network: Network logs are generated by network devices like firewalls, routers, or switches.

    System: System logs are generated by operating systems like Chrome OS™, Windows, Linux, or macOS®. 

        Application: Application logs are generated by software applications and contain information relating to the events occurring within the application such as a smartphone app.

            Security: Security logs are generated by various devices or systems such as antivirus software and intrusion detection systems. Security logs contain security-related information such as file deletion.

                Authentication: Authentication logs are generated whenever authentication occurs such as a successful login attempt into a computer.

                Log details

                Generally, logs contain a date, time, location, action, and author of the action. Here is an example of an authentication log:

                Login Event [05:45:15] User1 Authenticated successfully

                Logs contain information and can be adjusted to contain even more information. Verbose logging records additional, detailed information beyond the default log recording. Here is an example of the same log above but logged as verbose.

                Login Event [2022/11/16 05:45:15.892673] auth_performer.cc:470 User1 Authenticated successfully from device1 (192.168.1.2)
                Log management

                Because all devices produce logs, it can quickly become overwhelming for organizations to keep track of all the logs that are generated. To get the most value from your logs, you need to choose exactly what to log, how to access it easily, and keep it secure using log management. Log management is the process of collecting, storing, analyzing, and disposing of log data. 
                What to log

                The most important aspect of log management is choosing what to log. Organizations are different, and their logging requirements can differ too. It's important to consider which log sources are most likely to contain the most useful information depending on your event of interest. This might be configuring log sources to reduce the amount of data they record, such as excluding excessive verbosity. Some information, including but not limited to phone numbers, email addresses, and names, form personally identifiable information (PII), which requires special handling and in some jurisdictions might not be possible to be logged.
                The issue with overlogging

                From a security perspective, it can be tempting to log everything. This is the most common mistake organizations make. Just because it can be logged, doesn't mean it needs to be logged. Storing excessive amounts of logs can have many disadvantages with some SIEM tools. For example, overlogging can increase storage and maintenance costs. Additionally, overlogging can increase the load on systems, which can cause performance issues and affect usability, making it difficult to search for and identify important events. 
                Log retention

                Organizations might operate in industries with regulatory requirements. For example, some regulations require organizations to retain logs for set periods of time and organizations can implement log retention practices in their log management policy.

                Organizations that operate in the following industries might need to modify their log management policy to meet regulatory requirements:

                    Public sector industries, like the Federal Information Security Modernization Act (FISMA)

                        Healthcare industries, like the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

                            Financial services industries, such as the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act of 2002 (SOX)

                            Log protection

                            Along with management and retention, the protection of logs is vital in maintaining log integrity. It’s not unusual for malicious actors to modify logs in attempts to mislead security teams and to even hide their activity.

                            Storing logs in a centralized log server is a way to maintain log integrity. When logs are generated, they get sent to a dedicated server instead of getting stored on a local machine. This makes it more difficult for attackers to access logs because there is a barrier between the attacker and the log location. 

Which of the following capabilities can syslog be used for? Select three answers. Protocol Log format Service

Detection tools and techniques

In this reading, you’ll examine the different types of intrusion detection system (IDS) technologies and the alerts they produce. You’ll also explore the two common detection techniques used by detection systems. Understanding the capabilities and limitations of IDS technologies and their detection techniques will help you interpret security information to identify, analyze, and respond to security events.

As you’ve learned, an intrusion detection system (IDS) is an application that monitors system activity and alerts on possible intrusions. IDS technologies help organizations monitor the activity that happens on their systems and networks to identify indications of malicious activity. Depending on the location you choose to set up an IDS, it can be either host-based or network-based. Host-based intrusion detection system

A host-based intrusion detection system (HIDS) is an application that monitors the activity of the host on which it’s installed. A HIDS is installed as an agent on a host. A host is also known as an endpoint, which is any device connected to a network like a computer or a server.

Typically, HIDS agents are installed on all endpoints and used to monitor and detect security threats. A HIDS monitors internal activity happening on the host to identify any unauthorized or abnormal behavior. If anything unusual is detected, such as the installation of an unauthorized application, the HIDS logs it and sends out an alert.

In addition to monitoring inbound and outbound traffic flows, HIDS can have additional capabilities, such as monitoring file systems, system resource usage, user activity, and more.

This diagram shows a HIDS tool installed on a computer. The dotted circle around the host indicates that it is only monitoring the local activity on the single computer on which it’s installed. A network diagram with a host-based intrusion detection system monitoring a single computer. Network-based intrusion detection system

A network-based intrusion detection system (NIDS) is an application that collects and monitors network traffic and network data. NIDS software is installed on devices located at specific parts of the network that you want to monitor. The NIDS application inspects network traffic from different devices on the network. If any malicious network traffic is detected, the NIDS logs it and generates an alert.

This diagram shows a NIDS that is installed on a network. The highlighted circle around the server and computers indicates that the NIDS is installed on the server and is monitoring the activity of the computers. Network-based intrusion detection system installed on a server monitoring network communications between multiple computers

Using a combination of HIDS and NIDS to monitor an environment can provide a multi-layered approach to intrusion detection and response. HIDS and NIDS tools provide a different perspective on the activity occurring on a network and the individual hosts that are connected to it. This helps provide a comprehensive view of the activity happening in an environment. Detection techniques

Detection systems can use different techniques to detect threats and attacks. The two types of detection techniques that are commonly used by IDS technologies are signature-based analysis and anomaly-based analysis. Signature-based analysis

Signature analysis, or signature-based analysis, is a detection method that is used to find events of interest. A signature is a pattern that is associated with malicious activity. Signatures can contain specific patterns like a sequence of binary numbers, bytes, or even specific data like an IP address.

Previously, you explored the Pyramid of Pain, which is a concept that prioritizes the different types of indicators of compromise (IoCs) associated with an attack or threat, such as IP addresses, tools, tactics, techniques, and more. IoCs and other indicators of attack can be useful for creating targeted signatures to detect and block attacks.

Different types of signatures can be used depending on which type of threat or attack you want to detect. For example, an anti-malware signature contains patterns associated with malware. This can include malicious scripts that are used by the malware. IDS tools will monitor an environment for events that match the patterns defined in this malware signature. If an event matches the signature, the event gets logged and an alert is generated. Advantages

 Low rate of false positives: Signature-based analysis is very efficient at detecting known threats because it is simply comparing activity to signatures. This leads to fewer false positives. Remember that a false positive is an alert that incorrectly detects the presence of a threat.

 Disadvantages

     Signatures can be evaded: Signatures are unique, and attackers can modify their attack behaviors to bypass the signatures. For example, attackers can make slight modifications to malware code to alter its signature and avoid detection.

         Signatures require updates: Signature-based analysis relies on a database of signatures to detect threats. Each time a new exploit or attack is discovered, new signatures must be created and added to the signature database.

             Inability to detect unknown threats: Signature-based analysis relies on detecting known threats through signatures. Unknown threats can't be detected, such as new malware families or zero-day attacks, which are exploits that were previously unknown. 

             Anomaly-based analysis

             Anomaly-based analysis is a detection method that identifies abnormal behavior. There are two phases to anomaly-based analysis: a training phase and a detection phase. In the training phase, a baseline of normal or expected behavior must be established. Baselines are developed by collecting data that corresponds to normal system behavior. In the detection phase, the current system activity is compared against this baseline. Activity that happens outside of the baseline gets logged, and an alert is generated. 
             Advantages

                 Ability to detect new and evolving threats: Unlike signature-based analysis, which uses known patterns to detect threats, anomaly-based analysis can detect unknown threats.

                 Disadvantages

                     High rate of false positives: Any behavior that deviates from the baseline can be flagged as abnormal, including non-malicious behaviors. This leads to a high rate of false positives.

                         Pre-existing compromise: The existence of an attacker during the training phase will include malicious behavior in the baseline. This can lead to missing a pre-existing attacker.

Suricata

is an open-source intrusion detection system, intrusion prevention system, and network analysis tool. Suricata features

There are three main ways Suricata can be used:

 Intrusion detection system (IDS): As a network-based IDS, Suricata can monitor network traffic and alert on suspicious activities and intrusions. Suricata can also be set up as a host-based IDS to monitor the system and network activities of a single host like a computer.

     Intrusion prevention system (IPS): Suricata can also function as an intrusion prevention system (IPS) to detect and block malicious activity and traffic. Running Suricata in IPS mode requires additional configuration such as enabling IPS mode. 

         Network security monitoring (NSM): In this mode, Suricata helps keep networks safe by producing and saving relevant network logs. Suricata can analyze live network traffic, existing packet capture files, and create and save full or conditional packet captures. This can be useful for forensics, incident response, and for testing signatures. For example, you can trigger an alert and capture the live network traffic to generate traffic logs, which you can then analyze to refine detection signatures.

         Rules 

         Rules or signatures are used to identify specific patterns, behavior, and conditions of network traffic that might indicate malicious activity. The terms rule and signature are often used interchangeably in Suricata. Security analysts use signatures, or patterns associated with malicious activity, to detect and alert on specific malicious activity. Rules can also be used to provide additional context and visibility into systems and networks, helping to identify potential security threats or vulnerabilities. 

         Suricata uses signatures analysis, which is a detection method used to find events of interest. Signatures consist of three components:

              Action: The first component of a signature. It describes the action to take if network or system activity matches the signature. Examples include: alert, pass, drop, or reject.

                  Header: The header includes network traffic information like source and destination IP addresses, source and destination ports, protocol, and traffic direction.

                      Rule options: The rule options provide you with different options to customize signatures.

Note: The terms rule and signature are synonymous.

Note: Rule order refers to the order in which rules are evaluated by Suricata. Rules are processed in the order in which they are defined in the configuration file. However, Suricata processes rules in a different default order: pass, drop, reject, and alert. Rule order affects the final verdict of a packet especially when conflicting actions such as a drop rule and an alert rule both match on the same packet. Custom rules

Although Suricata comes with pre-written rules, it is highly recommended that you modify or customize the existing rules to meet your specific security requirements.

There is no one-size-fits-all approach to creating and modifying rules. This is because each organization’s IT infrastructure differs. Security teams must extensively test and modify detection signatures according to their needs.

Creating custom rules helps to tailor detection and monitoring. Custom rules help to minimize the amount of false positive alerts that security teams receive. It’s important to develop the ability to write effective and customized signatures so that you can fully leverage the power of detection technologies. Configuration file

Before detection tools are deployed and can begin monitoring systems and networks, you must properly configure their settings so that they know what to do. A configuration file is a file used to configure the settings of an application. Configuration files let you customize exactly how you want your IDS to interact with the rest of your environment.

Suricata’s configuration file is suricata.yaml, which uses the YAML file format for syntax and structure. Log files

There are two log files that Suricata generates when alerts are triggered:

eve.json: The eve.json file is the standard Suricata log file. This file contains detailed information and metadata about the events and alerts generated by Suricata stored in JSON format. For example, events in this file contain a unique identifier called flow_id  which is used to correlate related logs or alerts to a single network flow, making it easier to analyze network traffic. The eve.json file is used for more detailed analysis and is considered to be a better file format for log parsing and SIEM log ingestion.

    fast.log: The fast.log file is used to record minimal alert information including basic IP address and port details about the network traffic. The fast.log file is used for basic logging and alerting and is considered a legacy file format and is not suitable for incident response or threat hunting tasks.

    The main difference between the eve.json file and the fast.log file is the level of detail that is recorded in each. The fast.log file records basic information, whereas the eve.json file contains additional verbose information. 

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:“GET on wire”; flow:established,to_server; content:“GET”; http_method; sid:12345; rev:3;)

The action is the first part of the signature. It determines the action to take if all conditions are met.

Actions differ across network intrusion detection system (NIDS) rule languages, but some common actions are alert, drop, pass, and reject.

Using our example, the file contains a single alert as the action. The alert keyword instructs to alert on selected network traffic. The IDS will inspect the traffic packets and send out an alert in case it matches.

Note that the drop action also generates an alert, but it drops the traffic. A drop action only occurs when Suricata runs in IPS mode.

The pass action allows the traffic to pass through the network interface. The pass rule can be used to override other rules. An exception to a drop rule can be made with a pass rule. For example, the following rule has an identical signature to the previous example, except that it singles out a specific IP address to allow only traffic from that address to pass:

pass http 172.17.0.77 any -> $EXTERNAL_NET any (msg:“BAD USER-AGENT”;flow:established,to_server;content:!”Mozilla/5.0”; http_user_agent; sid: 12365; rev:1;)

The reject action does not allow the traffic to pass. Instead, a TCP reset packet will be sent, and Suricata will drop the matching packet. A TCP reset packet tells computers to stop sending messages to each other.

You’ll most often use the alert rule in this lab activity.

Note: Rule order refers to the order in which rules are evaluated by Suricata. Rules are loaded in the order in which they are defined in the configuration file. However, Suricata processes rules in a different default order: pass, drop, reject, and alert. Rule order affects the final verdict of a packet.

ALT Text: Header highlighted http $HOME_NET any - > $EXTERNAL_NET any

The next part of the signature is the header. The header defines the signature’s network traffic, which includes attributes such as protocols, source and destination IP addresses, source and destination ports, and traffic direction.

The next field after the action keyword is the protocol field. In our example, the protocol is http, which determines that the rule applies only to HTTP traffic.

The parameters to the protocol http field are $HOME_NET any -> $EXTERNAL_NET any. The arrow indicates the direction of the traffic coming from the $HOME_NET and going to the destination IP address $EXTERNAL_NET.

$HOME_NET is a Suricata variable defined in /etc/suricata/suricata.yaml that you can use in your rule definitions as a placeholder for your local or home network to identify traffic that connects to or from systems within your organization.

In this lab $HOME_NET is defined as the 172.21.224.0/20 subnet.

The word any means that Suricata catches traffic from any port defined in the $HOME_NET network.

Note: The $ symbol indicates the start of a variable. Variables are used as placeholders to store values.

So far, we know that this signature triggers an alert when it detects any http traffic leaving the home network and going to the external network. Rule options Rule options highlighted which includes msg, flow, content, http_method, sid, and rev

ALT Text: Rule options highlighted which includes msg, flow, content, http_method, sid, and rev

The many available rule options allow you to customize signatures with additional parameters. Configuring rule options helps narrow down network traffic so you can find exactly what you’re looking for. As in our example, rule options are typically enclosed in a pair of parentheses and separated by semicolons.

Let’s further examine the rule options in our example:

The msg: option provides the alert text. In this case, the alert will print out the text “GET on wire”, which specifies why the alert was triggered.

    The flow:established,to_server option determines that packets from the client to the server should be matched. (In this instance, a server is defined as the device responding to the initial SYN packet with a SYN-ACK packet.)

        The content:"GET" option tells Suricata to look for the word GET in the content of the http.method portion of the packet.

            The sid:12345 (signature ID) option is a unique numerical value that identifies the rule.

                The rev:3 option indicates the signature's revision which is used to identify the signature's version. Here, the revision version is 3.

                To summarize, this signature triggers an alert whenever Suricata observes the text GET as the HTTP method in an HTTP packet from the home network going to the external network.

sudo suricata -r sample.pcap -S custom.rules -k none This command starts the Suricata application and processes the sample.pcap file using the rules in the custom.rules file. It returns an output stating how many packets were processed by Suricata.

Note: In this lab, using sudo is required to process packet capture files with Suricata, although it may not be required in a real-world environment.

Now you’ll further examine the options in the command:

The -r sample.pcap option specifies an input file to mimic network traffic. In this case, the sample.pcap file.

    The -S custom.rules option instructs Suricata to use the rules defined in the custom.rules file.

        The -k none option instructs Suricata to disable all checksum checks.

        As a refresher, checksums are a way to detect if a packet has been modified in transit. Because you are using network traffic from a sample packet capture file, you won't need Suricata to check the integrity of the checksum.

        Suricata adds a new alert line to the /var/log/suricata/fast.log file when all the conditions in any of the rules are met.

A security analyst uses a network protocol analyzer to capture HTTP traffic to analyze patterns. What type of data are they using? Network telemetry

Which statement accurately describes the difference between a network-based intrusion detection system (NIDS) and a host-based intrusion detection system (HIDS)? A NIDS is installed on a network; a HIDS is installed on individual devices.

A security analyst creates a Suricata signature to identify and detect security threats based on the direction of network traffic. Which of the following rule options should they use? Flow

security information and event management (SIEM) tools collect and analyze log data to monitor critical activities in an organization. You also learned about log analysis, which is the process of examining logs to identify events of interest. Understanding how log sources are ingested into SIEM tools is important because it helps security analysts understand the types of data that are being collected, and can help analysts identify and prioritize security incidents. SIEM process overview

Previously, you covered the SIEM process. As a refresher, the process consists of three steps:

Collect and aggregate data: SIEM tools collect event data from various data sources.

    Normalize data: Event data that's been collected becomes normalized. Normalization converts data into a standard format so that data is structured in a consistent way and becomes easier to read and search. While data normalization is a common feature in many SIEM tools, it's important to note that SIEM tools vary in their data normalization capabilities.

        Analyze data: After the data is collected and normalized, SIEM tools analyze and correlate the data to identify common patterns that indicate unusual activity.

        This reading focuses on the first step of this process, the collection and aggregation of data.
        Log ingestion
        A SIEM tool collects data from various sources.

        Data is required for SIEM tools to work effectively. SIEM tools must first collect data using log ingestion. Log ingestion is the process of collecting and importing data from log sources into a SIEM tool. Data comes from any source that generates log data, like a server.

        In log ingestion, the SIEM creates a copy of the event data it receives and retains it within its own storage. This copy allows the SIEM to analyze and process the data without directly modifying the original source logs. The collection of event data provides a centralized platform for security analysts to analyze the data and respond to incidents. This event data includes authentication attempts, network activity, and more.
        Log forwarders

        There are many ways SIEM tools can ingest log data. For instance, you can manually upload data or use software to help collect data for log ingestion. Manually uploading data may be inefficient and time-consuming because networks can contain thousands of systems and devices. Hence, it's easier to use software that helps collect data. 

        A common way that organizations collect log data is to use log forwarders. Log forwarders are software that automate the process of collecting and sending log data. Some operating systems have native log forwarders. If you are using an operating system that does not have a native log forwarder, you would need to install a third-party log forwarding software on a device. After installing it, you'd configure the software to specify which logs to forward and where to send them. For example, you can configure the logs to be sent to a SIEM tool. The SIEM tool would then process and normalize the data. This allows the data to be easily searched, explored, correlated, and analyzed.

        Note: Many SIEM tools utilize their own proprietary log forwarders. SIEM tools can also integrate with open-source log forwarders. Choosing the right log forwarder depends on many factors such as the specific requirements of your system or organization, compatibility with your existing infrastructure, and more. 

Splunk searches

As you’ve learned, Splunk has its own querying language called Search Processing Language (SPL). SPL is used to search and retrieve events from indexes using Splunk’s Search & Reporting app. An SPL search can contain many different commands and arguments. For example, you can use commands to transform your search results into a chart format or filter results for specific information. Splunk Cloud’s search page.

Here is an example of a basic SPL search that is querying an index for a failed event:

index=main fail

index=main: This is the beginning of the search command that tells Splunk to retrieve events from an  index named main. An index stores event data that's been collected and processed by Splunk.

    fail: This is the search term. This tells Splunk to return any event that contains the term fail.

    Knowing how to effectively use SPL has many benefits. It helps shorten the time it takes to return search results. It also helps you obtain the exact results you need from various data sources. SPL supports many different types of searches that are beyond the scope of this reading. If you would like to learn more about SPL, explore Splunk's Search Reference

    .
    Pipes

    Previously, you might have learned about how piping is used in the Linux bash shell. As a refresher, piping sends the output of one command as the input to another command.

    SPL also uses the pipe character | to separate the individual commands in the search. It's also used to chain commands together so that the output of one command combines into the next command. This is useful because you can refine data in various ways to get the results you need using a single command.

    Here is an example of two commands that are piped together: 

    index=main fail| chart count by host

        index=main fail: This is the beginning of the search command that tells Splunk to retrieve events from an  index named main for events containing the search term fail. 

            |: The pipe character separates and chains the two commands index=main and chart count by host. This means that the output of the first command index=main is used as the input of the second command chart count by host. 

                chart count by host: This command tells Splunk to transform the search results by creating a chart according to the  count or number of events. The argument by host tells Splunk to list the events by host, which are the names of the devices the events come from. This command can be helpful in identifying hosts with excessive failure counts in an environment.

                Wildcard

                A wildcard is a special character that can be substituted with any other character. A wildcard is usually symbolized by an asterisk character *. Wildcards match characters in string values. In Splunk, the wildcard that you use depends on the command that you are using the wildcard with. Wildcards are useful because they can help find events that contain data that is similar but not entirely identical. Here is an example of using a wildcard to expand the search results for a search term:

                index=main fail*

                    index=main: This command retrieves events from an index named main. 

                        fail*: The wildcard after fail represents any character. This tells Splunk to search for all possible endings that contain the term fail. This expands the search results to return any event that contains the term fail such as “failed” or “failure”.

                        Pro tip: Double quotations are used to specify a search for an exact phrase or string. For example, if you want to only search for events that contain the exact phrase login failure, you can enclose the phrase in double quotations "login failure". This search will match only events that contain the exact phrase login failure and not other events that contain the words  failure or login separately.
                        Google Security Operations (Chronicle) searches

                        In Google SecOps (Chronicle), you can search for events using the Search field. You can also use Procedural Filtering to apply filters to a search to further refine the search results. For example, you can use Procedural Filtering to include or exclude search results that contain specific information relating to an event type or log source. There are two types of searches you can perform to find events in Google SecOps (Chronicle), a Unified Data Model (UDM) Search or a Raw Log Search.
                        Unified Data Model (UDM) Search

                        The UDM Search is the default search type used in Google SecOps (Chronicle). You can perform a UDM search by typing your search, clicking on “Search,” and selecting “UDM Search.” Through a UDM Search, Google SecOps (Chronicle) searches security data that has been ingested, parsed, and normalized. A UDM Search retrieves search results faster than a Raw Log Search because it searches through indexed and structured data that’s normalized in UDM.

                        A UDM Search retrieves events formatted in UDM and these events contain UDM fields. There are many different types of UDM fields that can be used to query for specific information from an event. Discussing all of these UDM fields is beyond the scope of this reading, but you can learn more about UDM fields by exploring Google Security Operations UDM field list

                        . Know that all UDM events contain a set of common fields including:

                            Entities: Entities are also known as nouns. All UDM events must contain at least one entity. This field provides additional context about a device, user, or process that’s involved in an event. For example, a UDM event that contains entity information includes the details of the origin of an event such as the hostname, the username, and IP address of the event.

                                Event metadata: This field provides a basic description of an event, including what type of event it is, timestamps, and more. 

                                    Network metadata: This field provides information about network-related events and protocol details. 

                                        Security results: This field provides the security-related outcome of events. An example of a security result can be an antivirus software detecting and quarantining a malicious file by reporting "virus detected and quarantined." 

                                        Here’s an example of a simple UDM search that uses the event metadata field to locate events relating to user logins:

                                        metadata.event_type = “USER_LOGIN” 

                                            metadata.event_type = “USER_LOGIN”: This UDM field metadata.event_type contains information about the event type. This includes information like timestamp, network connection, user authentication, and more. Here, the event type specifies USER_LOGIN, which searches for events relating to authentication. 

                                            Using just the metadata fields, you can quickly start searching for events. As you continue practicing searching in Google SecOps (Chronicle) using UDM Search, you will encounter more fields. Try using these fields to form specific searches to locate different events.
                                            Raw Log Search 

                                            If you can't find the information you are searching for through the normalized data, using a Raw Log Search will search through the raw, unparsed logs. You can perform a Raw Log Search by typing your search, clicking on “Search,” and selecting “Raw Log Search.” Because it is searching through raw logs, it takes longer than a structured search. In the Search field, you can perform a Raw Log Search by specifying information like usernames, filenames, hashes, and more. Google SecOps (Chronicle) will retrieve events that are associated with the search.

                                            Pro tip: Raw Log Search supports the use of regular expressions, which can help you narrow down a search to match on specific patterns.

Which of the following steps are part of the security information and event management (SIEM) process? Select three answers. Index data to improve search performance Normalize data so it is ready to read and analyze Collect and process data

Fill in the blank: Google SecOps (Chronicle) uses _____ to search through unstructured logs. raw log search

Fill in the blank: A syslog entry contains a header, _____, and a message. structured-data

Consider the following scenario:

A security analyst at a midsized company is tasked with installing and configuring a host-based intrusion detection system (HIDS) on a laptop. The security analyst installs the HIDS and wants to test whether it is working properly by simulating malicious activity. The security analyst runs unauthorized programs on the laptop, which the HIDS successfully detects and alerts on. What is the laptop an example of? An endpoint

What are examples of common rule actions that can be found in signature? Select three answers. Reject Alert Pass

Which rule option is used to match based on the direction of network traffic? flow

What is the difference between network telemetry and network alert logs? Network telemetry contains information about network traffic flows; network alert logs are the output of a signature.

Fill in the blank: The asterisk symbol is also known as a(n) _____. wildcard

What is the method to search for normalized data in Chronicle? UDM search

What are the steps in the SIEM process for data collection? Select three answers. Index Normalize Collect

Chronicle uses UDM to search through normalized data.

YARA-L Chronicle uses the YARA-L language to define rules for detection. It’s a computer language used to create rules for searching through ingested log data. For example, you can use YARA-L to write a rule to detect specific activities related to the exfiltration of valuable data. Using Chronicle’s search field, you can search for fields like hostname, domain, IP, URL, email, username, or file hash. Using the search field, you can enter different types of searches.

Google Chronicles > Google Seurity Operations

Why Automate Security Tasks in CI/CD with Python?

Imagine manually checking every piece of code for problems, or manually testing every version of software for security issues before it’s released. That would be really slow and have a lot of errors. Python is a great tool to automate these security tasks in CI/CD because it’s flexible and has many helpful tools - like libraries.

Using Python to automate security tasks in your CI/CD pipeline is beneficial for a few reasons: :

Increases Speed and Efficiency: Python scripts for security checks are fast and work well as part of your pipeline. This keeps your software releases quick and secure at the same time.

    Finds Problems Early: Python can help find security problems early on when software is being developed. This makes problems easier and less expensive to fix. 

        Remains Consistent: Python scripts make sure security checks are done the same way every time you build and release software. This lowers the chance of human error.

            Reduces workload  for Security Teams: Python frees up security teams from repetitive tasks and allows them to work on  larger security problems, planning, or creating better Python scripts for security automation.

                Supports a culture or security: Python-based automation helps put security into the CI/CD process. This helps create a DevSecOps culture where everyone thinks about security, not just the security team.

                What Security Tasks Can You Automate in CI/CD with Python?

                You can use Python to automate many kinds of security tasks in CI/CD pipelines. Here are some main tasks:
                Security Testing 

                    Static Application Security Testing (SAST): Python scripts can be written to start SAST tools that look at your code for weaknesses before it gets built. Python can also be used to understand the SAST results, create reports, and automatically stop the process if serious security problems are found.

                        Dynamic Application Security Testing (DAST): Python can be used to automatically run DAST tools to test software while it’s running in a test area. Then, Python scripts can look at the DAST results and give feedback in the CI/CD pipeline.

                            Software Composition Analysis (SCA): Python can work with SCA tools to check your software’s dependencies for weaknesses. Dependencies are things like open source code and components from other companies. Scripts can control the SCA process, report problems, and set rules based on the severity of weaknesses.

                            Automated Vulnerability Scanning 

                            Python scripts can organize vulnerability scans of things like container images, infrastructure settings, and the CI/CD pipeline itself. You can use Python to schedule these scans, collect the results, and send alerts when new vulnerabilities are discovered.
                            Compliance Checks 

                            Python scripts can automatically check for compliance. For example, scripts can check if code follows secure coding rules or if infrastructure settings meet security guidelines. You can then use Python to make reports about compliance and ensure security standards are followed.
                            Secrets Management Automation 

                            Python is key for automating secure secrets management. Scripts can be used to review through code and stop private credentials from being directly written in the code. Also, Python scripts can work with secret management tools (like HashiCorp Vault) to safely get and put secrets into applications during automated releases.
                            Policy Enforcement 

                            "Policy as Code" and Python scripts work together to automatically enforce security policies. Python can be used to define and understand security policies. Then, scripts can check pipeline steps against these policies. If policies are broken (for example, if too many vulnerabilities are found), Python can automatically stop releases.
                            How Python Works with CI/CD Tools

                            Python is even more helpful for CI/CD security automation because it works well with popular CI/CD tools. Tools like Jenkins, GitLab CI, and CircleCI let you easily run Python scripts as part of your release process.

                            Here’s how Python fits in:

                                Run Scripts: CI/CD systems let you set up release steps that run commands or scripts. You can easily set up steps to run Python scripts that do security tasks.

                                    API Connections: Many CI/CD tools and security tools have APIs (Application Programming Interfaces). Python is excellent at using APIs. You can write Python scripts to use CI/CD system APIs to manage the release process, start jobs, get software build files, and connect to security tool APIs to start scans and get results.

                                        Add-ons and Extensions: Some CI/CD systems have add-ons or extensions made in Python or that can easily use Python scripts. This makes it even simpler to add security automation based on Python.

                                        Using Python to Set Up Environments, Check Code Quality, and Secure Releases

                                        Besides security testing, Python scripts can automate other important CI/CD tasks while adding security best practices:

                                            Set Up Environments: Python can automate staging areas. Scripts can make sure these areas are set up securely, with good network settings and security controls.

                                                Code Quality Checks: Python can be used to run code quality tools (linters). Scripts can check code for style problems and possible security errors. This helps make sure code quality standards are followed early in development.

                                                    Automate Secure Releases: Python scripts are very useful for automating releases to staging and production areas securely. Python can manage release processes and ensure releases follow security best practices. This includes using secure settings and moving software files securely.

                                                    Conclusion: Python - Your Automation Ally for Secure CI/CD

                                                    Using Python to automate security tasks is key to making your CI/CD pipeline secure and fast. By using Python’s abilities and connecting it to your CI/CD tools, you can find and fix security problems early, do less manual work, enforce security rules, and make your software more secure overall.

                                                    By making Python automation a main part of your CI/CD security plan, you’ll be ready to create and release secure software, quickly and with confidence. Now you know how Python helps automate security in CI/CD. Next, you’ll learn about the specific parts of Python that make this possible. You’ll learn about variables, conditional statements, iterative statements, functions, and working with files. These are the basic pieces for creating your own powerful Python scripts to automate security in CI/CD.

Best Python Libraries for Cybersecurity in 2024. https://medium.com/@Scofield_Idehen/best-python-libraries-for-cybersecurity-in-2024-037a870f39d1

Python library for Hashicorp Vault implementation. https://discuss.hashicorp.com/t/python-library-for-hashicorp-vault-implementation/55805

Continuous Integration With Python: An Introduction. https://realpython.com/python-continuous-integration/

Python for DevOps: An Ultimate Guide. https://code-b.dev/blog/python-devops

Building Custom Cybersecurity Tools with Python: A Guide for Beginners. https://www.linkedin.com/pulse/building-custom-cybersecurity-tools-python-bi6if

Secure Coding in Python: Essential Practices for Data Engineers. https://www.linkedin.com/pulse/secure-coding-python-essential-practices-data-engineers-priyanka-sain-wewkc

Which Python component contributes to automation by allowing you to perform the same actions a certain number of times based on a sequence? while loops Bracket notation Conditional statements for loops ???? The Python component that contributes to automation by allowing you to perform the same actions a certain number of times based on a sequence is for loops.

while loops: Execute a block of code repeatedly as long as a specified condition is true. Use them when you don’t know in advance how many times you need to repeat, but you have a condition that will eventually become false. Example: Keep asking for input until a valid number is entered.

Bracket notation: Used to access elements within sequences (like strings, lists, or tuples) by their index (position) or to access values in dictionaries by their keys. It’s not for repetition or control flow. Example: my_list[0] to get the first item, my_dict[‘key’] to get a value.

Conditional statements (e.g., if, elif, else): Allow your program to make decisions. They execute a block of code only if a certain condition is true. They don’t inherently repeat actions. Example: If a number is positive, print “Positive”; otherwise, print “Not positive.”

for loops: Iterate over a sequence (like a list, string, tuple, or range) or any other iterable object, executing a block of code once for each item in the sequence. Use them when you need to perform an action for every item in a collection or a known number of times. Example: Print every item in a list, or perform an action 10 times.

You need to check for unusual login activity. Specifically, you need to check a list of login timestamps to determine if any of the login times occurred at unusual hours. If you want to automate this through Python, what would be part of your code? Select two answers. An if statement that checks if the login timestamp occurred at unusual hours A for loop that iterates through the list of timestamps

Parsing

Part of working with files involves structuring its contents to meet your needs. Parsing is the process of converting data into a more readable format. Data may need to become more readable in a couple of different ways. First, certain parts of your Python code may require modification into a specific format. By converting data into this format, you enable Python to process it in a specific way. Second, programmers need to read and interpret the results of their code, and parsing can also make the data more readable for them.

Methods that can help you parse your data include .split() and .join().

An important element of working with files is being able to parse the data it contains. Parsing means converting the data into a readable format. The .split() and .join() methods are both useful for parsing data. The .split() method allows you to convert a string into a list, and the .join() method allows you to convert a list into a string.

removed_users = “wjaffrey jsoto abernard jhill awilliam” print(“before .split():”, removed_users) removed_users = removed_users.split() print(“after .split():”, removed_users)

with open(“update_log.txt”, “r”) as file: updates = file.read() updates = updates.split()

approved_users = [“elarson”, “bmoreno”, “tshah”, “sgilmore”, “eraab”] print(“before .join():”, approved_users) approved_users = “,".join(approved_users) print(“after .join():”, approved_users)

updates = " “.join(updates) with open(“update_log.txt”, “w”) as file: file.write(updates)

Assign import_file to the name of the text file that contains the security log file

import_file = “data/login.txt”

Assign missing entry to a log that was not recorded in the log file

missing_entry = “jrafael,192.168.243.140,4:56:27,2022-05-09”

Use open() to import security log file and store it as a string

Pass in “a” as the second parameter to indicate that the file is being opened for appending purposes

with open(import_file, “a”) as file:

# Use `.write()` to append `missing_entry` to the log file

    file.write(missing_entry)

    # Use `open()` with the parameter "r" to open the security log file for reading purposes

    with open(import_file, "r") as file:

        # Use `.read()` to read in the contents of the log file and store in a variable named `text`

            text = file.read()

            # Display the contents of `text`

            print(text)

Assign import_file to the name of the text file that you want to create

import_file = “data/allow_list.txt”

Assign ip_addresses to a list of IP addresses that are allowed to access the restricted information

ip_addresses = “192.168.218.160 192.168.97.225 192.168.145.158 192.168.108.13 192.168.60.153 192.168.96.200 192.168.247.153 192.168.3.252 192.168.116.187 192.168.15.110 192.168.39.246”

Create a with statement to write to the text file

with open(import_file, “w”) as file:

# Write `ip_addresses` to the text file

    file.write(ip_addresses)

    # Create a `with` statement to read in the text file 

    with open(import_file, "r") as file:

        # Read the file and store the result in a variable named `text`

            text = file.read()

            # Display the contents of `text`

            print(text)

Resets the "data/login.txt" file to its original contents

Allows learners to complete lab more than once

Assigns the original contents of the file to the login_file variable

login_file = “““username,ip_address,time,date tshah,192.168.92.147,15:26:08,2022-05-10 dtanaka,192.168.98.221,9:45:18,2022-05-09 tmitchel,192.168.110.131,14:13:41,2022-05-11 daquino,192.168.168.144,7:02:35,2022-05-08 eraab,192.168.170.243,1:45:14,2022-05-11 jlansky,192.168.238.42,1:07:11,2022-05-11 acook,192.168.52.90,9:56:48,2022-05-10 asundara,192.168.58.217,23:17:52,2022-05-12 jclark,192.168.214.49,20:49:00,2022-05-10 cjackson,192.168.247.153,19:36:42,2022-05-12 jclark,192.168.197.247,14:11:04,2022-05-12 apatel,192.168.46.207,17:39:42,2022-05-10 mabadi,192.168.96.244,10:24:43,2022-05-12 iuduike,192.168.131.147,17:50:00,2022-05-11 abellmas,192.168.60.111,13:37:05,2022-05-10 gesparza,192.168.148.80,6:30:14,2022-05-11 cgriffin,192.168.4.157,23:04:05,2022-05-09 alevitsk,192.168.210.228,8:10:43,2022-05-08 eraab,192.168.24.12,11:29:27,2022-05-11 jsoto,192.168.25.60,5:09:21,2022-05-09 "””

Writes login_file to the "data/login.txt" file

with open(“data/login.txt”, “w”) as file: file.write(login_file)

Define a function named update_file that takes in two parameters: import_file and remove_list

and combines the steps you’ve written in this lab leading up to this

def update_file(import_file, remove_list):

Build with statement to read in the initial contents of the file

with open(import_file, "r") as file:

    # Use `.read()` to read the imported file and store it in a variable named `ip_addresses`

        ip_addresses = file.read()

          # Use `.split()` to convert `ip_addresses` from a string to a list

            ip_addresses = ip_addresses.split()

              # Build iterative statement
                # Name loop variable `element`
                  # Loop through `ip_addresses`

                    for element in ip_addresses:
                        
                            # Build conditional statement
                                # If current element is in `remove_list`,
                                    
                                        if element in remove_list:

                                              # then current element should be removed from `ip_addresses`

                                                    ip_addresses.remove(element)

                                                      # Convert `ip_addresses` back to a string so that it can be written into the text file     

                                                        ip_addresses = " ".join(ip_addresses)

                                                          # Build `with` statement to rewrite the original file

                                                            with open(import_file, "w") as file:

                                                                # Rewrite the file, replacing its contents with `ip_addresses`

                                                                    file.write(ip_addresses)

                                                                    # Call `update_file()` and pass in "allow_list.txt" and a list of IP addresses to be removed

                                                                    update_file("allow_list.txt", ["192.168.25.60", "192.168.140.81", "192.168.203.198"])

                                                                    # Build `with` statement to read in the updated file

                                                                    with open("allow_list.txt", "r") as file:

                                                                      # Read in the updated file and store the contents in `text`

                                                                        text = file.read()

                                                                        # Display the contents of `text`

                                                                        print(text)

Types of errors

It’s a normal part of developing code in Python to get error messages or find that the code you’re running isn’t working as you intended. The important thing is that you can figure out how to fix errors when they occur. Understanding the three main types of errors can help. These types include syntax errors, logic errors, and exceptions. Syntax errors

A syntax error is an error that involves invalid usage of a programming language. Syntax errors occur when there is a mistake with the Python syntax itself. Common examples of syntax errors include forgetting a punctuation mark, such as a closing bracket for a list or a colon after a function header.

When you run code with syntax errors, the output will identify the location of the error with the line number and a portion of the affected code. It also describes the error. Syntax errors often begin with the label “SyntaxError:” . Then, this is followed by a description of the error. The description might simply be “invalid syntax” . Or if you forget a closing parentheses on a function, the description might be “unexpected EOF while parsing”. “EOF” stands for “end of file.”

message = “You are debugging a syntax error print(message)

This outputs the message “SyntaxError: EOL while scanning string literal”. “EOL” stands for “end of line”. The error message also indicates that the error happens on the first line. The error occurred because a quotation mark was missing at the end of the string on the first line. You can fix it by adding that quotation mark.

Note: You will sometimes encounter the error label “IndentationError” instead of “SyntaxError”. “IndentationError” is a subclass of “SyntaxError” that occurs when the indentation used with a line of code is not syntactically correct.

Logic errors

A logic error is an error that results when the logic used in code produces unintended results. Logic errors may not produce error messages. In other words, the code will not do what you expect it to do, but it is still valid to the interpreter.

For example, using the wrong logical operator, such as a greater than or equal to sign (>=) instead of greater than sign (>) can result in a logic error. Python will not evaluate a condition as you intended. However, the code is valid, so it will run without an error message.

The following example outputs a message related to whether or not a user has reached a maximum number of five login attempts. The condition in the if statement should be login_attempts < 5, but it is written as login_attempts >= 5. A value of 5 has been assigned to login_attempts so that you can explore what it outputs in that instance:

login_attempts = 5 if login_attempts >= 5: print(“User has not reached maximum number of login attempts.”) else: print(“User has reached maximum number of login attempts.”)

The output displays the message “User has not reached maximum number of login attempts.” However, this is not true since the maximum number of login attempts is five. This is a logic error.

Logic errors can also result when you assign the wrong value in a condition or when a mistake with indentation means that a line of code executes in a way that was not planned. Exceptions

An exception is an error that involves code that cannot be executed even though it is syntactically correct. This happens for a variety of reasons.

One common cause of an exception is when the code includes a variable that hasn’t been assigned or a function that hasn’t been defined. In this case, your output will include “NameError” to indicate that this is a name error. After you run the following code, use the error message to determine which variable was not assigned:

username = “elarson” month = “March” total_logins = 75 failed_logins = 18 print(“Login report for”, username, “in”, month) print(“Total logins:”, total_logins) print(“Failed logins:”, failed_logins) print(“Unusual logins:”, unusual_logins)

The output indicates there is a “NameError” involving the unusual_logins variable. You can fix this by assigning this variable a value.

In addition to name errors, the following messages are output for other types of exceptions:

"IndexError": An index error occurs when you place an index in bracket notation that does not exist in the sequence being referenced. For example, in the list usernames = ["bmoreno", "tshah", "elarson"], the indices are 0, 1, and 2. If you referenced this list with the statement print(usernames[3]), this would result in an index error.

    "TypeError": A type error results from using the wrong data type. For example, if you tried to perform a mathematical calculation by adding a string value to an integer, you would get a type error.

        "FileNotFound": A file not found error occurs when you try to open a file that does not exist in the specified location.

        Debugging strategies  

        Keep in mind that if you have multiple errors, the Python interpreter will output error messages one at a time, starting with the first error it encounters. After you fix that error and run the code again, the interpreter will output another message for the next syntax error or exception it encounters.

        When dealing with syntax errors, the error messages you receive in the output will generally help you fix the error. However, with logic errors and exceptions, additional strategies may be needed.
        Debuggers 

        In this course, you have been running code in a notebook environment. However, you may write Python code in an Integrated Development Environment (IDE). An Integrated Development Environment (IDE) is a software application for writing code that provides editing assistance and error correction tools. Many IDEs offer error detection tools in the form of a debugger. A debugger is a software tool that helps to locate the source of an error and assess its causes.

Use print statements

Another debugging strategy is to incorporate temporary print statements that are designed to identify the source of the error. You should strategically incorporate these print statements to print at various locations in the code. You can specify line numbers as well as descriptive text about the location.

For example, you may have code that is intended to add new users to an approved list and then display the approved list. The code should not add users that are already on the approved list. If you analyze the output of this code after you run it, you will realize that there is a logic error:

new_users = [“sgilmore”, “bmoreno”] approved_users = [“bmoreno”, “tshah”, “elarson”] def add_users(): for user in new_users: if user in approved_users: print(user,“already in list”) approved_users.append(user) add_users() print(approved_users)

Even though you get the message “bmoreno already in list”, a second instance of “bmoreno” is added to the list. In the following code, print statements have been added to the code. When you run it, you can examine what prints:

new_users = [“sgilmore”, “bmoreno”] approved_users = [“bmoreno”, “tshah”, “elarson”] def add_users(): for user in new_users: print(“line 5 - inside for loop”) if user in approved_users: print(“line 7 - inside if statement”) print(user,“already in list”) print(“line 9 - before .append method”) approved_users.append(user) add_users() print(approved_users)

The print statement “line 5 - inside for loop” outputs twice, indicating that Python has entered the for loop for each username in new_users. This is as expected. Additionally, the print statement “line 7 - inside if statement” only outputs once, and this is also as expected because only one of these usernames was already in approved_users.

However, the print statement “line 9 - before .append method” outputs twice. This means the code calls the .append() method for both usernames even though one is already in approved_users. This helps isolate the logic error to this area. This can help you realize that the line of code approved_users.append(user) should be the body of an else statement so that it only executes when user is not in approved_users.

Syntax errors involve invalid usage of the Python language. Use the keyword elsif instead of elif. Don’t use “:” or “(” or “,” when needed.

You have written code that uses a search algorithm to find an employee’s IP address. When testing your code, an error message indicates that an unknown index is being accessed. What type of error is this? Exception

You did not define a function before calling it. What type of error is this? Exception

You included username_list[10] in your code, but username_list only contains five elements. What type of error is this? Exception More specifically, it’s an IndexError. An IndexError is a type of exception that occurs when you try to access an index that is outside the valid range of indices for a sequence (like a list, tuple, or string).

You have written code that assigns security incident tickets to the appropriate cybersecurity team based on its priority level. If the priority level is 1, it should get forwarded to Team A. If the priority level is 2, it should get forwarded to Team B. When testing your code, you notice that an incident with priority level 2 is forwarded to Team A instead of Team B. What type of error is this? Logic error

The line of code with open(“ip_addresses.txt”, “r”) as file: instructs Python to open the “ip_addresses.txt” file in order to read it (“r”). It also instructs Python to store the file object in the file variable while inside the with statement.

What is the process of converting data into a more readable format? Parsing

Business continuity plan

The impact of successful security attacks on an organization can be significant. Loss of profits and customers are two possible outcomes that organizations never want to happen. A business continuity plan is a document that outlines the procedures to sustain business operations during and after a significant disruption. It is created alongside a disaster recovery plan to minimize the damage of a successful security attack. Here are four essential steps for business continuity plans:

Conduct a business impact analysis. The business impact analysis step focuses on the possible effects a disruption of business functions can have on an organization. 

    Identify, document, and implement steps to recover critical business functions and processes. This step helps the business continuity team create actionable steps toward responding to a security event.

        Organize a business continuity team. This step brings various members of the organization together to help execute the business continuity plan, if it is needed. The members of this team are typically from the cybersecurity,  IT, HR, communications, and operations departments. 

            Conduct training for the business continuity team. The team considers different risk scenarios and prepares for security threats during these training exercises. 

            Disaster recovery plan

            A disaster recovery plan allows an organization’s security team to outline the steps needed to minimize the impact of a security incident, such as a successful ransomware attack that has stopped the manufacturing team from retrieving certain data. It also helps the security team resolve the security threat. A disaster recovery plan is typically created alongside a business continuity plan. Steps to create a disaster recovery plan should include:

                Implementing recovery strategies to restore software

                    Implementing recovery strategies to restore hardware functionality

                        Identifying applications and data that might be impacted after a security incident has taken place 

Information lifecycle strategy

Juliana recalls the following steps of the information lifecycle:

The first step in the information lifecycle is to identify the important assets to the company, including sensitive customer information such as PII, financial information, social security numbers, and EINs. 

    The second step is to assess the security measures in place to protect the identified assets and review the company’s information security policies. There are different components to this step, ranging from vulnerability scanning to reviewing processes and procedures that are already in place. Juliana is new to the company and might not be ready to conduct vulnerability scans. 

        The third step of the information lifecycle is to protect the identified assets of the organization. Once again, this is only Juliana’s first day on the job. She asks her supervisor if she can observe a more senior security analyst for a day. This will give her the opportunity to learn how the security team monitors the company’s systems and network.

            The last step of the security lifecycle is to monitor the security processes that have been implemented to protect the organization’s assets. She contacts her supervisor and gives them a detailed report of what she has learned on her first day. She requests to finish her day by monitoring a few of the systems that are in place. Her supervisor is impressed with her initiative and prepares Juliana to monitor the security systems. What a great first day for Juliana! 

Which of the following are examples of the potential impact of a security incident involving malicious code? Select three answers. Loss of assets Financial consequences Operational downtime [-] Dataprotection

What is the correct term for a security event that results in a data breach? Data security event Compromised data Phishing incident [+]Security incident

Fill in the blank: A security analyst should _____ escalate potential security events. sometimes rarely never [+]always

Incident escalation

Security incident escalation is the process of identifying a potential security incident. During this process, potential incidents are transferred to a more experienced department or team member. As a security analyst, you’ll be expected to recognize potential issues, such as when an employee excessively enters the wrong credentials to their account, and report it to the appropriate person. When you join a new organization, you’ll learn about the specific processes and procedures for escalating incidents.
Notification of breaches

Many countries have breach notification laws, so it’s important to familiarize yourself with the laws applicable in the area your company is operating in. Breach notification laws require companies and government entities to notify individuals of security breaches involving personally identifiable information (PII). PII includes personal identification numbers (e.g., Social Security numbers, driver’s license numbers, etc.), medical records, addresses, and other sensitive customer information. As an entry-level security analyst, you’ll need to be aware of various security laws, especially because they are regularly updated. Low-level security issues

Low-level security issues are security risks that do not result in the exposure of PII. These issues can include the following and other risks:

An employee having one failed login attempt on their account

    An employee downloading unapproved software onto their work laptop 

    These issues are not significant security challenges, but they must be investigated further in case they need to be escalated. An employee typing in a password two to three times might not be of concern. But if that employee types in a password 15 times within 30 minutes, there might be an issue that needs to be escalated. What if the multiple failed login attempts were a malicious actor attempting to compromise an employee’s account? What if an employee downloads an internet game or software on their work laptop that is infected with malware? You previously learned that malware is software designed to harm devices or networks. If malware is downloaded onto an organization’s network, it can lead to financial loss and even loss of reputation with the organization’s customers. While low-level security issues are not considered significant security threats, they should still be investigated to ensure they result in minimal impact to the organization.
    The escalation process

    Every company has different protocols and procedures, including unique escalation policies. These policies detail who should be notified when a security alert is received and who should be contacted if the first responder is not available. The policy will also determine how someone should specifically escalate an incident, whether it’s via the IT desk, an incident management tool, or direct communication between security team members.

Data owners

A data owner is the person that decides who can access, edit, use, or destroy their information. Data owners have administrative control over specific information hardware or software and are accountable for the classification, protection, access, and use of company data. For example, consider a situation where an employee gains unauthorized access to software they do not need to use for work. This kind of security event would be escalated to the data owner of that software. Data controllers

Data controllers determine the procedure and purpose for processing data. This role largely focuses on collecting the personal information of customers. The data controller determines how that data is used. The data controller also ensures that data is used, stored, and processed in accordance with relevant security and privacy regulations. If sensitive customer information was at risk, that event would be escalated to data controllers. Data processors

Data processors report directly to the data controller and are responsible for processing the data on behalf of the data controller. The data processor is typically a vendor and is often tasked with installing security measures to help protect the data. Data processing issues are typically escalated to the individual who oversees the third-party organization responsible for data processing. Data custodians

Data custodians assign and remove access to software or hardware. Custodians are responsible for implementing security controls for the data they are responsible for, granting and revoking access to that data, creating policies regarding how that data is stored and transmitted, advising on potential threats to that data, and monitoring the data. Data custodians are notified when data security controls need to be strengthened or have been compromised. Data protection officers (DPOs)

Data protection officers are responsible for monitoring the internal compliance of an organization’s data protection procedures. These individuals advise the security team on the obligations required by the organization’s data protection standards and procedures. They also conduct assessments to determine whether or not the security measures in place are properly protecting the data as necessary. DPOs are notified when set standards or protocols have been violated.

Fill in the blank: Improper usage is an incident type that occurs when _____. an employee of an organization violates the organization’s acceptable use policies

When should you escalate improper usage to a supervisor? Improper usage incidents should always be escalated out of caution.

Your decisions matter

Security is a fast-paced environment with bad actors constantly trying to compromise an organization’s systems and data. This means security analysts must be prepared to make daily decisions to help keep a company’s data and systems safe. Entry-level security analysts help the security team escalate potential security incidents to the right team members. A big part of your role as a security analyst will be making decisions about which security events to escalate before they become major security incidents. Trust your instincts and ask questions

Confidence is an important attribute for a security analyst to have, especially when it comes to the escalation process. The security team will depend on you to be confident in your decision-making. You should be intentional about learning the organization’s escalation policy. This will help you gain confidence in making the right decisions when it comes to escalating security events. But remember to ask questions when necessary. It shows that you’re committed to constantly learning the right way to do your job. All security events are not equal

An important part of escalation is recognizing which assets and data are the most important for your organization. You can determine this information by reading through your onboarding materials, asking your supervisor directly about which assets and data are most important, and reviewing your company’s security policies. When you have that type of understanding, it allows you to recognize when one incident should be given a higher priority over others. You previously learned about the following incident classification types:

Malware infections: Occur when malicious software designed to disrupt a system infiltrates an organization’s computers or network

    Unauthorized access: Occurs when an individual gains digital or physical access to a system, data,  or application without permission 

        Improper usage: Occurs when an employee of an organization violates the organization’s acceptable use policies

        Identifying a specific incident type allows you to properly prioritize and quickly escalate those incidents. Remember, an incident which directly impacts assets that are essential to business operations should always take priority over incidents that do not directly impact business operations. For example, an incident where unauthorized access has been gained to a manufacturing application should take priority over an incident where malware has infected a legacy system that does not impact business operations. As you gain experience in the cybersecurity field, you will learn how to quickly assess the priority levels of incident types. 
        Quick escalation tips  

        A big part of your role in cybersecurity will be determining when to escalate a security event. Here are a few tips to help with this:

            Familiarize yourself with the escalation policy of the organization you work for.

                Follow the policy at all times.

                    Ask questions.

High-level security incidents should be escalated and handled immediately. The more time that passes before an incident is escalated, the higher the risk.

Fill in the blank: A(n) _____ is a set of actions that outlines who should be notified when an incident alert occurs and how that incident should be handled. playbook

Data controller: A person that determines the procedure and purpose for processing data

Data processor: A person that is responsible for processing data on behalf of the data controller

Data protection officer (DPO): An individual that is responsible for monitoring the compliance of an organization’s data protection procedures

Escalation policy: A set of actions that outlines who should be notified when an incident alert occurs and how that incident should be handled

Improper usage: An incident type that occurs when an employee of an organization violates the organization’s acceptable use policies

Incident escalation: The process of identifying a potential security incident, triaging it, and handing it off to a more experienced team member

Malware infection: An incident type that occurs when malicious software designed to disrupt a system infiltrates an organization’s computers or network

Unauthorized access: An incident type that occurs when an individual gains digital or physical access to a system or an application without permission

What elements of security do terms like unauthorized access, malware infections, and improper usage describe? Incident classification types

You have recently been hired as a security analyst for an organization. You previously worked at another company doing security, and you were very familiar with their escalation policy. Why would it be important for you to learn your new company’s escalation policy? Every company has a different escalation policy, and it is an analyst’s job to ensure incidents are handled correctly.

Who are stakeholders?

A stakeholder is defined as an individual or group that has an interest in any decision or activity of an organization. A big part of what you’ll do as a security analyst is report your findings to various security stakeholders. Levels of stakeholders

There are many levels of stakeholders within larger organizations. As an entry-level analyst, you might only communicate directly with a few of them. Although you might not communicate with all of the security stakeholders in an organization, it’s important to have an understanding of who key stakeholders are:

A cybersecurity risk manager is a professional responsible for leading efforts to identify, assess, and mitigate security risks within an organization.

    A Chief Executive Officer, also known as the CEO, is the highest ranking person in an organization. You are unlikely to communicate directly with this stakeholder as an entry-level analyst.

        A Chief Financial Officer, also known as the CFO, is another high-level stakeholder that you’re unlikely to communicate with directly.

            A Chief Information Security Officer, also known as the CISO, is the highest level of security stakeholder. You are also unlikely to communicate directly with this stakeholder as an entry-level analyst. 

                An operations manager oversees the day-to-day security operations. These individuals lead teams related to the development and implementation of security strategies that protect an organization from cyber threats.

                CFOs and CISOs are focused on the big picture, like the potential financial burden of a security incident, whereas other roles like operations managers are more focused on the impact on day-to-day operations. Although you will rarely interact directly with high-level security stakeholders, it’s still important to recognize their relevance.
                Stakeholder communications for entry-level analysts

                Two examples of security stakeholders with whom you might regularly communicate are operations managers and risk managers. When you report to these stakeholders, you'll need to clearly communicate the current security issue and its possible causes. The operations managers will then determine next steps and coordinate other team members to remediate or resolve the issue. 

                For example, you might report multiple failed login attempts by an employee to your operations manager. This stakeholder might contact the employee’s supervisor to ensure the occurrence is a genuine issue of entering the wrong password or determine if the account has been compromised. The stakeholder and supervisor might also need to discuss the consequences for day-to-day operations if genuine failed login attempts can lead to account lockouts that might impact business operations. As an entry-level security analyst, you might play a role in implementing preventative measures once next steps have been determined.
                From one stakeholder to the next  

                Operations managers and risk managers are stakeholders who rely on entry-level analysts and other team members to keep them informed of security events in day-to-day operations. These stakeholders commonly report back to the CISOs and CFOs to give a broader narrative of the organization's overall security picture. Although you won't regularly communicate with high-level stakeholders, it's important to recognize that your efforts still reach the highest levels of security stakeholders in the organization. These other members of your team keep those top-level stakeholders informed on the security measures and protocols in place that are continuously helping to protect the organization.

Risk manager The risk manager helps to identify risks and manage the response to cybersecurity threats. They may also develop, implement, and enforce IT policies that employees must follow.

Chief Executive Officer (CEO) The Chief Executive Officer (CEO) is the highest ranking person in an organization. They are responsible for financial and managerial decisions and reporting to shareholders. Because of this, they are concerned with the financial and operational impacts of incidents.

Operations manager The operations manager often works with security analysts as the first line of defense in protecting the company from security incidents. They are often responsible for daily maintenance of security operations and are essential when it comes to security response.

Legal counsel The legal counsel tracks applicable litigation and provides legal advice to the organization. To track litigation, they follow new and changing security legislation and regulations. They may also help address loss of secured data, legal penalties, and regulatory fines.

Chief Financial Officer (CFO) The Chief Financial Officer (CFO) is concerned about security from a financial standpoint, including the potential costs of an incident. They are also interested in the costs of the tools and strategies necessary to combat security incidents.

Chief Information Security Officer (CISO) The Chief Information Security Officer (CISO) is a high-level executive responsible for developing an organization’s security architecture and conducting risk analysis and system audits. CISOs are also tasked with creating security and business continuity plans.

Communicate effectively with stakeholders What do I want this person to know?

    Why is it important for them to know it? 

        When do they need to take action?

            How do I explain the situation in a nontechnical manner?

Which of the following are concise, effective communication methods for conveying key details to stakeholders? Visual presentations and emails can be used to effectively convey key details to stakeholders.

When calculating ALE, why consider the annual loss expectancy in budgeting for security? To prevent exceeding company profits

• To justify the cost of security against potential losses To ensure spending is equal to ALE To allocate funds across departments equally

Insider threats Hacktivists - threat actor is often motivated by political or social ideologies Organized crime groups State-sponsored attackers

Hash types: *MD5 (Message Digest 5? 128 bit) *SHA / SHA-1 (Secure Hash Algorythm, 160 bit) SHA2 (256, 512) RIPEMD (RACE Integrity Primitives Evaluation Message Digest)

• • Collisions are possible.

What is a rainbow table used for in the context of cybersecurity? Cracking password hashes by matching results from a precomputed table.

What defines a strong encryption algorithm according to Kirk’s Principle? Secrecy of the encryption key.

What feature of hash functions contributes to data integrity? Their unique output for identical input enables detection of data changes.

What is the role of the exclusive OR (XOR) operation in basic encryption? It provides a simple method to encrypt and decrypt data by reversible transformation.

Why was the original WEP encryption considered insecure? Because its encryption methods and key lengths were easily compromised

What security measure helps prevent tailgating in secure facilities? Mantrap or Security Vestibule

How might an attacker use a keylogger unnoticed in a typical office setting? Attaching it to a USB port when nobody is present

Why might IP cameras present a security risk? Remote accessibility

Which action should be taken to detect a hardware keylogger? Physically inspect devices regularly

Which of the following is a type of physical security control? Fences

Identification - username Autorization - I am Dmytro Zuienko (password) Authentication - I am Dmytro Zuienko who has confirmation number to recieve the ticket. (one time password)

MFA: You know You have You are

What is the main risk of relying solely on passwords for authentication? Passwords can be easily compromised.

Why might a network administrator choose to use a load balancer for their applications? To distribute loads and ensure uptime

What is a public key infrastructure (PKI) primarily used for in cybersecurity? Encrypting and decrypting messages for secure communication

What is one advantage of using multifactor authentication (MFA)? It enhances security by requiring multiple forms of verification.

What is the primary purpose of encryption in cybersecurity? Protect data confidentiality and integrity

Why is Common Vulnerability Enumeration important in Security+? It allows for clearer threat identification

What is data masking? Hiding original data with altered data

What function does a TPM chip mainly serve in computers? Ensuring integrity in the boot-up process to prevent tampering.

Why are fire suppression systems critical in data centers? Preventing physical damage from fire

What does the use of Kerberos in a network primarily provide? Network authentication

Why is understanding the structure of the CompTIA Security+ exam important? To focus study on key areas with more questions

Where can you purchase a voucher for the CompTIA Security+ exam? CompTIA official website

What kind of ID is necessary to take the CompTIA Security+ exam? Government-issued ID

What are the options for taking the CompTIA Security+ exam? Online or at a test center

What does ‘risk transference’ mean in risk management? Sharing risk impacts, often with insurance

What is the primary focus of a qualitative risk assessment? Descriptive assessment of risk impact and likelihood

What is an application allow list used for in cybersecurity? Specifying permitted applications

How can social media platforms become security risks? Through user data oversharing

What is the common misconception about encryption keys when discussing password systems? That ‘key’ means the same as ‘password.’

How is user authentication handled in Linux systems using hashes? Passwords are hashed, and during authentication, the entered password is hashed and compared to the stored hash.

What is the importance of configuring SSH public-key authentication? Eliminates the need to use passwords, hence reducing risks from password-based attacks.

What is the purpose of the Linux shadow file? To store hashed user passwords, protecting them from exposure.

What measure ensures that IP cameras are less likely to be hacked? Isolating on a separate VLAN

What is the main purpose of hot and cold aisle containment in data centers? Regulating temperature

For what purpose is video surveillance primarily used in a facility? Monitoring activities

Which method will NOT help in preventing malware on USB devices? Painting the USB port

Which of the following is a biometric authentication method? Fingerprint scanning

In cybersecurity protocols, what is the main purpose of using an Intrusion Detection System (IDS)? Monitor and alert on suspicious activities

Which of the following factors is NOT typically used in multifactor authentication? Something you know +Something you eat Something you have Something you are

What is one of the primary purposes of two-factor authentication (2FA)? To increase security by requiring two forms of identification

How is user authentication handled in Linux systems using hashes? Passwords are hashed, and during authentication, the entered password is hashed and compared to the stored hash.

What is a benefit of using an agentless security solution? Scans without direct system access.

Why is it risky to allow unrestricted USB access on corporate devices? It allows data transfer and malware infection

What is a common consequence of privilege escalation vulnerabilities? Unauthorized access to sensitive information

What distinguishes a password spraying attack from other types of password attacks? It involves trying only one password across many usernames

What is the main purpose of a RAID configuration in servers? To increase data redundancy and performance

What is the purpose of creating a DNS text record for packet capture processes? To validate domain ownership for services

Digital signature - public key + payload encrypted by private key (to prove that only owner of private key could encrypt it)

PKI vs Web of trust vs Self signed certificate

Certificate Authority (CA)

Intermediate Authorities

Root certificate

PKCS

DV (Domain Validation) Certificate: (Contain name of the domains) EV (Extended Validation) Certificate:

When it comes to zero trust, separation at every level is required to ensure confidentiality, integrity and availability at the network level. This means dividing devices into logically two separate planes that are completely separated. One is going to be called the control plane, while the other is the data plane. In networking, the control plane is a crucial component that manages how the data should flow across the network. It’s separate from the data plane which is responsible for actually moving the packets.

What is a common method to mitigate ARP poisoning attacks? Implementing dynamic ARP inspection

How does SASE differ from traditional VPN solutions? SASE combines security and networking into a single framework, enhancing security

What is the primary role of a forward proxy in network architecture? Fetching resources on behalf of users while providing anonymity

In network transmission, what part of the packet is primarily encrypted? The payload of the packet

What is a key characteristic of signature-based intrusion detection systems (IDS)? They detect known attack patterns based on signatures

Why is capturing a handshake essential for cracking WPA2 encryption? It contains encryption protocols data

What impact does signal jamming have on a wireless network? Disrupts wireless communications

What is ‘war driving’ in the context of wireless networks? Discovering wireless networks using a vehicle

What is the main goal of ARP poisoning in network attacks? To redirect or intercept network traffic

What is the purpose of disabling SSID broadcast in a network? To hide the network from unauthorized users

How is malware often executed using Visual Basic for Applications (VBA)? Embed malicious code into macros.

What is the core function of centralized web filtering in an organization? Controlling and securing access to web resources

Which of the following is an example of a processor attack? Race condition

What primary role do digital certificates play in a secure computing environment? Verifying the identity of users and systems

What is one key advantage of WPA3 over WPA2? Stronger encryption

What is a reverse shell typically used for in cybersecurity? Allowing attackers to control a victim machine.

How do you verify that SSH is listening for connections on port 22? Use the command ’netstat -tuln’.

Is it ethical to use network scanning tools like Nmap on a network without permission? No, because it invades network privacy.

Why is packet capture important for network security analysis? For detailed traffic analysis and anomaly detection.

What is the primary use of the nmap command? Network discovery and security auditing.

How does a denial of service attack work? By overwhelming the network or service with traffic

Why are default configurations on devices considered risky? Because they promote accessibility, potentially compromising security

What role does the Secure Enclave play in macOS? It manages encryption keys and sensitive data

What is the role of packet filtering in network security appliances? To allow or deny traffic based on IP and ports

What makes zero-day vulnerabilities significant threats? They are unknown to the software vendor and have no immediate fix

What is a passive type of standby server configuration often associated with? Activating additional servers only as needed

How is OWASP ZAP primarily used in cybersecurity? Performing penetration testing on web applications

What is the primary function of the control plane in a network? Routing and forwarding decisions

In a split tunnel VPN setup, how is traffic from a client handled differently? Traffic to the corporate network goes through the VPN, while general browsing does not

What purpose does a honeypot server serve in a network security setup? To monitor and trap unauthorized access attempts

What does ‘bluesnarfing’ refer to in terms of Bluetooth security? Exploiting Bluetooth for data theft

What does EAP stand for in wireless security terminology? Extensible Authentication Protocol

What is a practical step to avoid interference between two Wi-Fi networks in close proximity? Using different frequency channels

Why is it still advisable to configure MAC address filtering despite being easily spoofed? It guarantees security

What process is used to capture a WPA handshake for analysis? Deauthentication attack

What is one method of hardening a virtual machine to enhance its security? Disabling unnecessary services

What purpose does policy compliance serve in Microsoft Azure? Enforce organizational standards and reduce risks

What is a key feature of using a Virtual Private Cloud (VPC) in AWS? Communication with private IP addresses

What is amplification in the context of a cyber attack like DDOS? Sending small requests that result in large responses to the victim

What is a key consideration when setting up a public-facing server to ensure its security? Deploying a robust firewall

In an industrial control system, what is the main function of a monitoring station? Measure system operations

What is a common challenge in securing mobile devices compared to desktops? Limited computing resources

What should be a primary concern when managing IoT devices with embedded web servers? Security patches and credentials management

What does it mean when a smartphone is described as acting as a ‘wireless router’? Shares mobile data connection

What is triangulation used for in GPS systems? Pinpoint a geographical location

What is the primary function of the OWASP ZAP tool in cybersecurity? Identifying security vulnerabilities in web applications

In email communication, what is the purpose of using S/MIME? Encrypts and digitally signs emails

Which method helps in identifying stored XSS vulnerabilities in web applications? Periodic vulnerability scans

How is JavaScript typically executed in a web environment? Runs in the client web browser

Input validation vs input sanitation. Validation - check correct format of data itself Sanitizing - clean data from unacceptable symbols

What is a common strategy to mitigate against Denial of Service (DoS) attacks? Rate limiting requests

Why is it risky to release network configuration diagrams to unauthorized personnel? It provides attackers with insight to exploit

What is the primary function of the Metasploit Framework during penetration tests? To perform exploitations of vulnerabilities

What is the primary attack surface in a phishing attack? Email users

What does a Non-disclosure Agreement (NDA) primarily protect? Confidential information

What is a potential disadvantage of improper automation implementation? Decreased system efficiency

Why is it important to regularly update security training materials? To reflect current security threats

Why is automation considered a workforce multiplier in security operations? It handles tasks without tiring

How can organizations effectively classify sensitive data? By using metadata and tagging

What is the purpose of requiring approval for software downloads on company devices? To enforce security policies

What is a characteristic of a public cloud model? Resources are shared among multiple tenants

Why is security considered a major concern for IoT devices? They can be used to access other devices in the network

Which protocol is commonly used for directory services, such as managing users and computers? LDAP

What is the main purpose of a Service Level Agreement (SLA)? To ensure service availability and performance standards

What is a benefit of managing an on-premises hypervisor? Full configuration control

How does air gapping help secure sensitive networks like in industrial environments? Provides physical network isolation

What is a potential benefit of smart meters in utility management? They report usage data in real-time.

Which security measure can be enabled to enhance smartphone security? Enable fingerprint scanning

What is a common consequence of using outdated software components in web applications? Exposed vulnerabilities that attackers can exploit

What is a likely threat when users receive initial certificate errors on a secured website? Potential interception of communication by attackers

Which secure protocol can be used to encrypt FTP data transfers? SFTP

What kind of agreement might be involved when securing financial transactions in businesses? Credit Agreement

After reconnaissance, what is generally the next phase in a penetration test? Vulnerability Scanning

Which document might you sign before conducting a security audit to ensure confidentiality? Non-disclosure Agreement (NDA)

What is the primary goal of a vulnerability scan? Identify potential security weaknesses

What role does a company’s compliance department play in audits? To ensure adherence to laws and company policies

What does separation of duties help prevent in an organization? Employee collusion

Why is a structured offboarding process important in organizations? To minimize security risks and protect systems

Why are maintenance windows scheduled during off-peak hours? To minimize operational disruption

What is the purpose of creating a hash like MD5 in forensic investigations? To verify data integrity

What is the primary difference between incremental and differential backups? Differential backups are faster to restore than incremental

What is the purpose of conducting tabletop exercises in incident response? To rehearse incident response strategies

What is a Recovery Point Objective (RPO) in data protection strategies? The interval by which data must be backed up

Which action is typically considered a method for covering tracks during a cyber attack? Clearing log files

Why might it be important to use compression in backup processes? To reduce storage requirements

In an incident response scenario, what does the term ‘containment’ refer to? Limiting the damage of the incident

Which command is used to start the Autopsy forensic tool in Kali Linux? sudo autopsy

A large retail organization plans to significantly update its customer management system. This update involves several software and hardware component changes that could affect system performance and security. Before proceeding, the change management team conducts an impact analysis and establishes an approval process involving key stakeholders. What is the primary benefit of this change management process for security?

• Guarantees that all documentation is automatically updated
• Ensures all stakeholders are informed about the changes
• Minimizes downtime and ensures a smooth transition

• Helps identify potential security vulnerabilities and dependencies before changes are made

An organization recently discovered that several legacy systems are still in use. These systems pose significant security risks due to outdated software and a lack of vendor support. These systems are susceptible to vulnerabilities, including buffer overflow and malware exploitation. What should the organization’s security team prioritize to address these risks?

• Replace legacy systems with modern, supported alternatives

• Limit network access to legacy systems without upgrades
• Train employees to use legacy systems more efficiently
• Patch the legacy systems regularly

A financial institution develops an Acceptable Use Policy (AUP) to guide employees about using company technology. Which of the following statements identifies a critical element that should be included in the policy?

• Guidelines for submitting expense reports

• Prohibitions against unauthorized access to sensitive data

• Procedures for filing IT support tickets
• Instructions for using company email for personal communications

A company implements a security information and event management (SIEM) system to improve its threat detection capabilities. Which of the following activities is the top priority for the company during the SIEM system implementation process?

• Conducting a training session for all employees on SIEM system usage
• Setting up a budget for ongoing maintenance of the SIEM system

• Configuring log aggregation from all critical systems

• Creating user accounts for all employees in the SIEM system

A financial institution has implemented microservices architecture to enhance the scalability of its applications. However, the security team worries about the complexities of managing security across multiple services. Which architectural consideration does the financial institution prioritize to mitigate security risks?

• Using a single authentication method for all services

• Implementing a centralized logging system

• Reducing the number of microservices
• Ensuring all microservices use the same programming language

A company conducts a business impact analysis (BIA) to determine the effects of potential disruptions. Which of the following key metrics should they focus on to ensure they understand their recovery requirements?

• Key Risk Indicators (KRIs)

• Recovery Time Objective (RTO)

• Single Loss Expectancy (SLE)
• Annualized Rate of Occurrence (ARO)

An organization uses an intrusion detection system (IDS) to monitor network traffic for potential security threats. What should be the primary focus for the IDS configuration to enhance security?

• Utilize trending and signature-based detection methods

• Limit the monitoring to only web traffic
• Set the IDS to operate in passive mode only
• Configure the IDS to ignore all traffic from internal sources

An organization uses virtualization technology to consolidate its server infrastructure. The IT team is aware of the need for high availability but is also concerned about security vulnerabilities in virtual environments. What task is the primary focus for maintaining security in a virtualized environment?

• Enforcing strict physical security for the data center

• Updating all virtual machines regularly

• Limiting access to only a few administrators
• Creating a backup for every virtual machine available

A company is transitioning to a hybrid cloud to manage customer data. The security team is concerned about the potential vulnerabilities associated with third-party vendors. What primary security implication should the organization consider when engaging third-party vendors in a hybrid cloud environment?

• Potential for increased costs due to vendor fees

• The need for a clearly defined responsibility matrix

• Increased reliance on vendor support for uptime
• Higher likelihood of service disruptions

A manufacturing company is implementing an IoT solution to enhance operational efficiency in its production line. The security team evaluates the implications of integrating IoT devices into its network infrastructure. Which statement identifies the company’s primary security concern when deploying IoT devices?

• Ensuring that devices have user-friendly interfaces
• The cost of each IoT device
• The need for all devices to be connected to a single network

• Potential vulnerabilities associated with device firmware

A company plans to implement a significant update to its network infrastructure. This transformation involves introducing new security protocols and phasing out legacy systems. During the change management process, the security team discovers that the proposed changes still need to undergo impact analysis or stakeholder approval. What is the primary risk associated with this oversight?

• Improved system performance

• Potential security vulnerabilities

• Streamlined operations
• Increased user satisfaction

A healthcare organization must implement multi-factor authentication (MFA) to comply with regulatory requirements for accessing sensitive patient data. Which combination of factors should be considered for an effective MFA solution?

• Only something you know, such as a password

• Something you have (Example: a smartphone) and something you know, such as a password

• Only something you are that’s part of your identity, such as your fingerprint
• Something you have, such as a key fob, and something a part of your identity, such as your fingerprint

A company is assessing its network security posture and decides to harden its servers against potential attacks. Which action is the most effective initial step in the hardening process?

• Disable unnecessary services and ports on the server

• Update the server’s operating system to the latest version
• Install additional software applications for monitoring
• Conduct a user awareness training session

A financial institution’s web application allows users to input their account information and view transaction history. During a security assessment, the team discovers that the application is vulnerable to SQL injection (SQLi) attacks, which could allow an attacker to manipulate the database and access sensitive data. What should the development team implement to mitigate this vulnerability?

• Limit user access to the application
• Increase the number of input fields on the web form

• Use prepared statements and parameterized queries

• Encrypt the database without modifying the application code

A software development team releases an update for their application that includes new features and enhancements. However, users report unexpected crashes and erratic behavior shortly after installation. The team discovers that a specific function in the new code is susceptible to buffer overflow attacks, allowing attackers to inject malicious code. What actions should the team prioritize in their change management process to mitigate this risk?

• Ignore user reports as minor issues

• Conduct thorough code reviews and testing for vulnerabilities

• Decrease the number of support staff
• Increase the number of features in future updates

An organization identifies several risks during a recent assessment. What is the next step in the risk management process after risk identification?

• Implementing security controls for all identified risks
• Reporting all identified risks to external stakeholders right away

• Performing a risk analysis to evaluate the potential impact and likelihood of each identified risk

• Creating a risk register without assessing the risks

A security analyst discovers several outdated software packages on a critical web server during a vulnerability assessment. What should be the first action taken in response to this finding?

• Implement compensating controls to mitigate risk
• Schedule a follow-up audit to confirm the findings
• Perform a thorough risk assessment to evaluate potential impacts

• Prioritize patching the outdated software packages

A financial institution prepares to implement a bring your own device (BYOD) policy for employees. The IT security team is concerned about protecting sensitive data on employee-owned devices. What is the best security measure to implement in this scenario?

• Provide employees with physical security training only
• Require employees to use a specific brand of mobile device

• Implement Mobile Device Management (MDM) to enforce security policies

• Install a basic antivirus program on all devices

A company that relies heavily on cloud services experiences a data breach that exposes sensitive customer information. Investigations reveal that the breach was due to misconfigured security settings in their cloud environment, allowing unauthorized access to their databases. What is the most critical step the company should take to prevent future incidents of this nature?

• Disable all cloud services temporarily
• Increase the number of cloud service providers used
• Focus solely on user education and awareness

• Implement regular security audits and configuration reviews

A company prepares to evaluate third-party vendors to ensure they meet its security standards. Which option identifies the most effective first step in this assessment process?

• Signing a Service-Level Agreement (SLA) before completing assessments

• Reviewing the vendor security policies and practices

• Relying solely on the vendors’ self-reported compliance status
• gnoring previous audit reports of the vendors

[MOCK] A leading technology firm experiences a coordinated attack, resulting in the theft of proprietary software and sensitive client data. Investigators determine that the attack’s sophistication suggests involvement from a well-organized group with geopolitical motives. What type of threat actor is likely responsible for this incident?

• Cybercriminal organization

• Nation-state

• Insider threat
• Script kiddie

A cybersecurity analyst finds that some employees are using personal devices to access company resources without proper security measures. What risk does this behavior introduce?

• Compliance with regulations
• Enhanced security

• Data exfiltration

• Increased productivity

During a cybersecurity assessment, a company discovers that a former employee is accessing its systems from an unauthorized location. Which attribute of this threat actor is most relevant to assess?

• Level of sophistication/capability
• Resources/funding

• Internal/external

• Motivation

A company is deploying a remote work solution for employees, requiring secure communication over an open network. Which tunneling protocol should be implemented?

• NGFW

• TLS

• SASE
• 802.1X

A manufacturing firm assesses its disaster recovery strategies during a simulated incident response drill. Which aspect should they concentrate on for effective capacity planning?

• System encryption
• People management
• Technology infrastructure

• Recovery speed

A healthcare organization is adopting virtualization technology for its data centers. What is the primary security benefit of using virtualization in this context?

• Faster processing speed
• Simplified patch management
• Lower operational costs

• Isolation of workloads

Your team is about to update the company’s critical payroll system. Before the update can be deployed, management insists on assessing the potential impact of the change, getting approval from key stakeholders, and developing a backup plan if the update fails. Which element of change management is being highlighted in this scenario?

• Approval and impact analysis

• Testing and downtime
• Maintenance window scheduling
• Documentation update

A manufacturing company must submit regular compliance reports to internal and external stakeholders. Which type of reporting is primarily focused on meeting legal and regulatory requirements?

• Due diligence reporting
• Automation reporting
• Internal compliance reporting

• External compliance reporting

A company identifies gaps in its incident response strategy during a tabletop exercise. Which activity should be prioritized to address these gaps effectively?

• Recovery

• Training

• Eradication
• Analysis

A company’s website is defaced after a content management system (CMS) vulnerability is exploited. What type of attack is this most likely?

• Web-based attack

• Phishing
• Malware infection
• SQL Injection

After an extensive audit, a company discovers several employees use weak, easily guessable passwords to access critical systems. What is the primary risk associated with this behavior?

• Data loss

• Increased likelihood of unauthorized access

• Regulatory compliance issues
• Enhanced system performance

Following a simulated breach at a tech company, the incident response team discovers several weaknesses in their communication strategy. What should they prioritize to improve their incident response communication?

• Eradication
• Analysis
• Recovery

• Training

A financial institution must protect its endpoints from sophisticated cyber threats while gaining insights into user behavior. Which solution is most appropriate for this requirement?

• IDS/IPS

• EDR/XDR

• Firewall
• Web filter

A penetration testing team evaluates a company’s new application within a sandbox environment, where they have access to architecture details and security protocols. What type of penetration testing is being conducted in this scenario?

• Partially known environment
• Passive reconnaissance
• Offensive penetration testing

• Known environment

A healthcare provider encrypts all electronic health records to protect patient information from unauthorized access. What is the primary motivation behind this security measure?

• Increase data retrieval speed
• Maintain data integrity

• Protect data confidentiality

• Improve data access

A high-security data center installs an access control vestibule at its main entrance. This vestibule requires employees to scan their badges and provide a fingerprint scan before being allowed to enter the secure facility. Additionally, video surveillance monitors the entrance 24/7. What type of controls are in place at this facility?

• Technical controls

• Physical controls

• Managerial controls
• Operational controls

After conducting a vulnerability scan, a cybersecurity team found several issues in their infrastructure. They want to ensure that the identified vulnerabilities are legitimate before taking action. What should be their next step?

• Confirm, prioritize, and assess

• Shut down the system until everything is fixed
• Wait for user reports of problems
• Patch all vulnerabilities immediately

A healthcare provider must ensure that sensitive patient records comply with regulations that require such data to be stored within the country’s borders. Which concept should the organization prioritize to meet this requirement?

• Encryption
• Obfuscation
• Data classification

• Data sovereignty

A global software company is adopting a new security model to improve the protection of sensitive customer data. Instead of trusting internal networks, the company dynamically verifies every user’s identity and continuously adjusts access based on risk levels. Which Zero Trust feature is the company implementing?

• Continuous identity verification

• Network segmentation
• Implicit trust
• Role-based access control

You are managing a new BYOD policy at your company. The IT team is tasked with ensuring that personal employee devices used for work are secure while allowing employees to maintain their privacy. The goal is to separate company data from personal data on these devices. Which of the following security measures best addresses this need?

• Full device encryption
• Mandatory VPN usage

• Containerization

• Remote wipe capabilities

A university is introducing automation into its campus security management system. What is a crucial consideration they must address to ensure their automated systems remain secure?

• Resource allocation
• Reaction time improvements
• Guard rails in the system

• Ongoing supportability

A tech company is designing a system to ensure their services remain operational during unexpected outages. Which strategy should they prioritize to enhance high availability?

• Geographic dispersion
• Site considerations
• Load balancing

• Clustering

A financial institution is evaluating the potential loss from a cyberattack on its online banking platform. Which method should the institution apply to determine the cost of a successful breach?

• Annualized Loss Expectancy (ALE)
• Annualized Rate of Occurrence (ARO)
• Impact Factor

• Single Loss Expectancy (SLE)

A coordinated attack targets a company, flooding its network with excessive traffic and rendering services unavailable. What type of attack is this? Domain Name System (DNS) attack Distributed denial-of-service (DDoS) Credential replay Wireless attack

An organization is targeted by a distributed denial-of-service (DDoS) attack, causing its website to become inaccessible. What is the primary goal of such an attack?

• Credential harvesting
• Data theft

• Service disruption

• Malware installation

An online gaming company wants to secure all communication between players and the company’s servers to prevent data breaches during gameplay. The company implemented SSL/TLS to encrypt all data sent between players and servers. Which type of encryption is the company using?

• File-level encryption
• Full-disk encryption

• Transport encryption

• Symmetric encryption

An educational institution is implementing a new asset management strategy for its computer labs. What approach should the institution take regarding asset assignments and classifications?

• Classifying assets only during the annual audit process
• Using a single classification for all assets to streamline processes
• Ignoring classification altogether and simply tracking asset locations

• Developing a multi-tier classification system based on data sensitivity and usage context

A company is looking to streamline its onboarding process for new employees. They want to ensure user accounts are automatically provisioned with appropriate security group memberships. What is the primary benefit of automating this process?

• Complexity
• Ongoing supportability

• Efficiency and time-saving

• Technical debt

A telecommunications company plans to launch new services globally and must decide how much risk it can manage to balance innovation with security. What concept best describes this decision-making process?

• Risk appetite

• Risk tolerance
• Risk register
• Risk mitigation

A cybersecurity team is conducting an incident response drill to prepare for potential breaches. Which phase of the incident response process focuses on learning from the drill to improve future responses?

• Lessons learned

• Preparation
• Detection
• Containment

A company has detected a critical vulnerability but cannot immediately patch it due to operational constraints. What is a valid approach they could take to manage the risk temporarily?

• Insurance

• Apply compensating controls

• Leave the vulnerability as is
• Segmentation

A healthcare organization is restructuring its network to prevent unauthorized access between departments. Which security measure would best support this goal?

• Logical segmentation

• Proxy server
• Fail-closed configuration
• Sensors

Your cybersecurity team has set up a system designed to mimic real servers on your company’s network. These decoy servers are intentionally vulnerable and used to attract hackers to study their behavior and understand potential threats. What type of security technology is being used?

• Firewall
• Data Loss Prevention (DLP)
• Intrusion Prevention System (IPS)

• oneypot

A business is deploying a new wireless network and wants to enhance its security. Which wireless security setting should they prioritize?

• Implementing Wi-Fi Protected Access 3 (WPA3)

• Configuring the network to use default settings provided by the router manufacturer
• Leaving the network open to allow easy access for guests
• Using Wired Equivalent Privacy (WEP) for backward compatibility

A large healthcare company stores sensitive patient data in its database. Rather than storing patient passwords in plaintext or encrypted format, the company converts each password into a unique string of characters that cannot be reversed or deciphered. What method is the company using to store passwords?

• Hashing

• Encryption
• Tokenization
• Key management

An organization is deploying SCADA systems for its industrial processes. Which security risk is most relevant to this scenario?

• Cyber-attacks on legacy components

• Increased operating costs
• Difficulty in scaling operations
• Physical isolation of systems

A cybersecurity team performs penetration testing on an organization’s network with prior knowledge of its existing security measures and configurations. What type of penetration testing are they conducting?

• Active reconnaissance
• Defensive penetration testing

• Known environment

• Unknown environment

A logistics company is adopting a hybrid cloud architecture. What is a critical security concern for this type of deployment?

• Inability to scale services
• Limited vendor support

• Secure data flow between environments

• High energy consumption

A company is looking to implement a Mobile Device Management (MDM) solution for employees who frequently travel for work. What essential consideration should be prioritized in a corporate-owned, personally enabled (COPE) deployment model?

• Configuring the devices to enforce security policies while allowing personal use

• Allowing employees to install any app they desire on their devices
• Requiring employees to use only corporate applications without exceptions
• Not requiring any security measures to enhance user experience

An attacker uses a counterfeit USB drive distributed at a tech conference to infect systems with malware. What type of threat vector is being employed in this instance?

• Network vulnerability
• Remote access

• Physical device

• Social engineering

A financial institution is reviewing its alert management system because the team is overwhelmed by false positives. What action should they take to reduce the number of unnecessary alerts?

• Perform a system audit
• Quarantine infected systems

• Alert tuning

• Rescanning the network

A security analyst notices simultaneous login attempts from different continents on the same user account, suggesting potential unauthorized access. What does this activity likely indicate?

• Account sharing
• Scheduled updates
• Routine usage

• Impossible travel

After reviewing logs, a security team finds patterns of failed login attempts followed by a successful login. What could this suggest?

• Insider threat
• Network instability

• Brute force attack

• Data redundancy

A company’s internal audit reveals that sensitive data is being transmitted over an unsecured network. What is the primary risk associated with this practice?

• Data interception

• Compliance violations
• Enhanced collaboration
• Increased transmission speed

An organization is concerned about the security of its sensitive data and is looking to enforce multifactor authentication (MFA) for all users. Which factor is considered something you have?

• Your location
• A fingerprint

• A hardware security key

• A password

An organization implements strict access controls to limit data access based on user roles and responsibilities. Which mitigation technique is this an example of?

• Least privilege

• Patching
• Encryption
• Monitoring

An employee receives a suspicious phone call from someone claiming to be from IT, asking for their login credentials for verification. What type of attack does this scenario represent?

• Vishing

• Phishing
• Social engineering
• Spoofing

A healthcare organization invites an independent auditor to examine its compliance with HIPAA regulations regarding patient data security. What type of audit is being performed?

• Risk assessment audit
• Internal compliance audit
• Regulatory audit

• External compliance audit

When a cloud service provider updates its policies to align with new international data protection laws, what key area should the provider prioritize to ensure compliance?

• Service-level agreements
• User interface design

• Data subject rights

• Employee training programs

A financial institution wants to ensure that only authorized personnel can access sensitive investment data while allowing analysts to work with less sensitive metrics. Which strategy would best serve this purpose?

• Obfuscation
• Data classification

• Permission restrictions

• Tokenization

A financial institution needs to maintain constant access to its critical online banking systems. In the event of a network appliance failure, they want to ensure continued service availability while addressing security concerns. Which failure mode configuration should they implement?

• Fail-closed
• Inline monitoring
• Port security

• Fail-open

A financial institution is assessing a potential vendor for its payment processing services. What should the institution include in its contract to ensure ongoing compliance with regulatory standards?

• Service-Level Agreement (SLA)
• Due diligence

• Right-to-audit clause

• Independent assessments

A logistics company has equipped its main office with multiple layers of security. This includes motion detectors that can sense movement behind walls and a team of security guards who patrol the premises. These measures are designed to detect and prevent unauthorized access. What types of security controls are being used?

• Technical and corrective
• Operational and compensating

• Physical and detective

• Managerial and preventive

A healthcare provider wants to block access to malicious websites and prevent employees from visiting sites categorized as high-risk. What solution should they implement for web traffic filtering?

• Web filter

• Email gateway
• File integrity monitoring
• IDS/IPS

A financial institution undergoes an independent third-party audit to evaluate its risk management practices. What is the primary purpose of conducting this type of audit?

• To improve customer service
• To enhance employee morale

• To assess regulatory compliance

• To gather market intelligence

A healthcare organization is retiring several old servers that store patient records. What is the most effective method to ensure that all sensitive data is properly disposed of?

• Performing a quick format on the servers before disposal
• Storing the servers in a warehouse indefinitely while deciding on a plan
• Donating the servers to a local charity without data destruction

• Implementing a thorough data sanitization process followed by physical destruction of the servers

As a security engineer, you ensure that every user in your organization is verified before accessing sensitive systems, even if they are already inside the company’s private network. This includes frequent identity checks throughout a session. Which principle of the Zero Trust model are you implementing?

• Continuous verification

• Implicit trust
• Multi-factor authentication
• Single sign-on (SSO)

A healthcare provider wants to share non-sensitive patient information with researchers while protecting all sensitive health data. Which method would be most effective in achieving this?

• Data masking

• Encryption
• Segmentation
• Hashing

An online retailer faces penalties after failing to comply with GDPR, resulting in customer backlash. What might be a significant consequence of this non-compliance?

• Increased brand loyalty

• Fines

• New investment opportunities
• Expanded market reach

After completing a vulnerability scan on their cloud infrastructure, an IT team identified several critical vulnerabilities. However, some results seem questionable. What should their immediate action be before proceeding with remediation?

• Perform a system reboot
• Patch all detected vulnerabilities

• Validate and confirm findings

• Notify the executive team

An energy company is facing potential cybersecurity threats targeting its operational technology systems. They need a solution that provides real-time monitoring and incident response for these systems. What should they deploy?

• Patch management system
• Data loss prevention (DLP)
• Network segmentation

• XDR/EDR solution

A multinational organization is selecting a third-party vendor for cloud storage services. Which method would be most appropriate to confirm the vendor’s compliance with industry standards?

• Right-to-audit clause
• Vendor monitoring

• Independent assessments

• Penetration testing

A retail company needs to monitor their servers and applications for unusual activity in real-time. Which activity ensures the security team receives immediate notifications of any potential security breaches?

• Alerting

• Reporting incidents
• Archiving logs
• Scanning systems

An online travel agency discovers numerous fraudulent bookings using stolen credit cards from multiple countries. What attack surface is likely being exploited here?

• Vulnerable software

• Unsupported applications
• Public Wi-Fi networks
• Open service ports

An organization is setting up a cloud-based infrastructure. What should be the primary concern regarding third-party vendors?

• Difficulty in managing on-premises systems
• Lack of scalability options
• Increased cost of operations

• Responsibility for security controls

An organization has established a policy requiring all passwords to be changed every 90 days and to include special characters. What security principle is being reinforced?

• Confidentiality
• Availability
• Data integrity

• Authentication

When a healthcare organization chooses a vendor for its electronic health record (EHR) system, which type of agreement should it focus on to ensure that the vendor meets specific performance and availability standards?

• Master Service Agreement (MSA)
• Non-Disclosure Agreement (NDA)

• Service-Level Agreement (SLA)

• Memorandum of Understanding (MOU)

A city government is deploying a new public Wi-Fi network for residents. Which security measure should be prioritized to protect users?

• Using older encryption methods for compatibility with older devices

• Implementing WPA3 encryption to secure the network traffic

• Leaving the network open to encourage maximum usage
• Configuring the network with a single shared password for all users

A financial services company is implementing a new customer relationship management (CRM) system to manage sensitive client data. They need to ensure that access to this data is restricted based on each employee’s responsibilities. Which access control model should they prioritize?

• Discretionary access control (DAC)
• Attribute-based access control (ABAC)

• Role-based access control (RBAC)

• Mandatory access control (MAC)

A startup is implementing multifactor authentication (MFA) to protect access to its proprietary software. What factor does a smartphone app generating a time-based one-time password (TOTP) represent?

• Something you are
• Somewhere you are
• Something you know

• Something you have

During a routine security audit, a firm discovers that a critical application has not been updated for several years, increasing the risk of exploitation. What type of vulnerability is this classified as?

• Supply chain
• Mobile device

• Unsupported systems

• Configuration

An e-commerce platform faces a significant increase in customer complaints about suspicious emails containing links to phishing sites. What kind of threat vector is being utilized in this case?

• Network vulnerabilities
• Removable media

• Email

• Website exploit

A healthcare provider is expanding its operations across several countries and needs to ensure compliance with international health data protection laws. Which element should they prioritize to maintain legal compliance across regions?

• Password policies
• Business continuity policies

• Regulatory requirements

• Physical security standards

A company is reviewing its procurement process for new hardware to ensure security implications are addressed. What should be a key consideration during the acquisition phase?

• Relying solely on internal reviews and ignoring external assessments
• Standardizing all hardware without considering the specific needs of departments

• Evaluating security features and vendor reputation before purchase

• Choosing the cheapest available option without assessing security features

A government agency wants to implement a solution to aggregate logs from multiple systems and provide real-time analysis of potential threats. Which tool is most appropriate for this purpose?

• NetFlow

• SIEM

• SCAP
• Antivirus

A government agency is implementing a privileged access management (PAM) solution to safeguard sensitive information from unauthorized access. Which feature should they utilize to allow users access only, when necessary, thereby enhancing security?

• Just-in-time permissions

• Password vaulting
• Least privilege
• Ephemeral credentials

An employee recently received a call from someone claiming to be from IT, asking them to verify their password for security reasons. What type of social engineering attack is this scenario describing?

• Pretexting
• Smishing
• Phishing

• Vishing

A healthcare organization is preparing for an internal compliance audit to assess its adherence to HIPAA regulations. Which type of assessment is focused on evaluating compliance with these specific legal requirements?

• External audit
• Attestation
• Self-assessment

• Compliance assessment

A company implements two-factor authentication (2FA) for all employees accessing sensitive data. What is the primary benefit of this security measure?

• Enhanced data integrity
• Increased employee productivity

• Reduced risk of unauthorized access

• Faster access to data

A financial institution is implementing a privileged access management (PAM) solution to control access to sensitive systems. Which feature should they use to ensure that users have the necessary permissions only when needed?

• Least privilege

• Just-in-time permissions

• Password vaulting
• Ephemeral credentials

A retail company is defining the roles of its employees in managing customer data across multiple systems. Which role should the company assign to the individual responsible for managing and safeguarding their data?

• Data steward

• Data processor
• Data owner
• Data controller

An organization handles legal information that must be secured during transmission between its internal systems. Which method would provide the most effective protection?

• Encryption

• Hashing
• Data segmentation
• Tokenization

You work in the IT department of an e-commerce company. The company handles sensitive customer information such as credit card details and personal addresses. To meet industry compliance requirements and secure sensitive records, you are tasked with implementing encryption for the company’s database. Which encryption level is most appropriate in this scenario?

• Full-disk encryption
• Partition encryption

• Database encryption

• Transport encryption

A tech startup conducts a compliance audit to ensure its new software product meets industry standards for data privacy. What is the primary goal of this compliance audit?

• To assess the effectiveness of internal controls
• To evaluate potential security vulnerabilities in the software
• To assess employee training programs

• To verify adherence to industry standards for data privacy

An online retail company faces frequent but small disruptions to its logistics systems that do not significantly impact operations. What is the most cost-effective strategy for managing these risks?

• Avoid
• Mitigate

• Accept

• Transfer

An e-commerce company must ensure its website is resilient to attacks and high traffic. Which security feature would help distribute traffic while also monitoring for potential threats?

• Jump server

• Load balancer

• Layer 7 firewall
• Fail-closed configuration

A global technology company wants to ensure that the security team is immediately notified if any unusual activity is detected on its servers. What activity should they prioritize to achieve this?

• Reporting

• Alerting

• Log archiving
• Scanning

A healthcare provider is required to keep an audit trail of who accessed patient data and what actions were taken with it. This helps ensure accountability and security. Which concept is the provider implementing?

• Confidentiality
• Availability

• Non-repudiation

• Encryption

A technology firm wants to formalize how it manages changes to its infrastructure. What security governance element will provide the most structured guidance?

• Change management policies

• Disaster recovery policies
• Business continuity policies
• Playbooks

CySA: An endpoint was flagged for suspicious behavior. Which EDR feature would you use to investigate the processes running on the endpoint?

• User activity monitoring

• Process tree

• Network traffic analysis
• File integrity monitoring

A malware alert has been triggered. Which SOAR capability would help you streamline the investigation and response process?

• Incident prioritization
• Compliance management
• Threat intelligence enrichment

• Workflow automation

You notice an unusual spike in outbound traffic from a specific IP address within your network to an external IP address. What could this indicate?

• A scheduled backup process

• Data exfiltration

• Normal network activity
• Routine software update

Which type of insider threat includes employees who unintentionally perform risky actions because of a lack of awareness?

• Negligent insider
• Professional Insider
• Malicious Insider

• Oblivious insider

What is spear phishing?

• Fishing for spears
• A term for hunting large marine predators

• A targeted attack directed at specific individuals or organizations

• A general phishing attempt sent to millions

What protection does a secure DNS provide against phishing?

• It filters out and blocks known malicious sites

• It increases internet speed
• It encrypts all DNS requests
• It anonymizes user identity

Which of the following is the best metric for an organization to focus on given recent investments in SIEM, SOAR, and a ticketing system?

• Number of exploits by tactic
• Quantity of intrusion attempts
• Alert volume

• Mean time to detect

You must identify all devices connected to your network to ensure comprehensive vulnerability scanning. Which tool would you use for asset discovery?

• Nessus
• Wireshark

• Nmap

• Metasploit

After a security breach, you need to restore the affected systems. Which type of control is most appropriate?

• Corrective

• Deterrent
• Preventive
• Detective

You need to monitor your network for new vulnerabilities continuously. Which approach is most effective?

• Security awareness training

• Attack surface management

• Periodic audits
• Penetration testing

You are configuring a vulnerability scan for a set of systems that contain highly sensitive financial data. Which of the following scan configurations is the most appropriate?

• A scan scheduled during peak business hours
• A generic scan using default settings

• A high-intensity scan with frequent intervals

• A low-intensity scan with irregular intervals

An analyst finds that an IP address outside the company network is used to run network and vulnerability scans across external-facing assets. Which of the following steps of an attack framework is the analyst witnessing?

• Command and control

• Reconnaissance

• Exploitation
• Actions on objectives

You need to ensure that your code is free from common vulnerabilities. Which practice should you follow?

• Code minification
• Code obfuscation

• Input validation

• Code formatting

You must understand the stages an attacker goes through to compromise a system. Which framework would you use?

• Cyber Kill Chain

• MITRE ATT&CK
• Diamond Model
• OWASP Testing Guide

What incident response activity focuses on removing any artifacts of the incident that may remain on the organization’s network?

• Post-incident activities
• Recovery

• Eradication

• Containment

Alice is responding to a cybersecurity incident and notices that a system she suspects has been compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?

• Segmentation

• Isolation

• Eradication
• Removal

You must analyze an intrusion by examining the relationships between adversary, capability, infrastructure, and victim. Which model would you use?

• Diamond Model

• OWASP Testing Guide
• MITRE ATT&CK
• Cyber Kill Chain

You need to inform key stakeholders about a security incident. Which group should you prioritize for immediate communication?

• Senior management

• Customers
• IT Team
• Regulatory authorities

You need to ensure that your incident report is effective. Which element is most crucial to include?

• Unverified information
• Marketing material

• Incident timeline

• Personal opinions

Why is it essential for an organization to conduct regular vulnerability management reporting?

• Increases the number of customers
• Improves employee morale

• Helps in identifying and prioritizing system vulnerabilities

• Boosts the company’s stock price

[CySA MOCK] How does understanding network architecture help in optimizing log ingestion for security operations?

• It helps identify the best storage solutions for logs.

• It allows for the efficient placement of log collectors and sensors.

• It ensures that logs are encrypted during transmission.
• It reduces the need for log analysis.

You need to identify a potential security incident. To do so, you correlate events from multiple sources. Which SIEM feature would you use?

• Log aggregation

• Event correlation

• Dashboard visualization
• Incident response automation

A user has reported unusual activity on their account. Which SIEM capability would help you investigate the user’s login patterns and detect anomalies?

• User and Entity Behavior Analytics (UEBA)

• Compliance reporting
• Threat hunting
• Log parsing

If you need to automate the response to a phishing email detected in your organization, which SOAR feature would you use?

• Playbook automation

• Case management
• Incident reporting
• Threat intelligence sharing

How does on-premises network architecture influence the implementation of security controls?

• It ensures that all users have administrative access.
• It reduces the complexity of network management.

• It determines the placement of firewalls and intrusion detection systems.

• It eliminates the need for network segmentation.

Why is understanding cloud network architecture essential for maintaining security in cloud environments?

• It helps implement adequate access controls and network segmentation.

• It ensures that all data is stored on local servers.
• It allows for the installation of more physical firewalls.
• It reduces the need for encryption.

Why is understanding system and network architecture important for implementing a Zero Trust model?

• It reduces the need for encryption.

• It helps design granular access controls based on user roles and device states.

• It allows for the installation of more physical security devices.
• It ensures that all users have unrestricted access to resources.

Why is understanding system and network architecture important for implementing effective multifactor authentication (MFA)?

• It allows for the installation of more physical security devices.

• It helps integrate MFA seamlessly with existing systems and applications.

• It ensures that all users have the same password.
• It reduces the need for user training.

A user reports that their computer is running unusually slow, and you observe multiple unknown processes consuming high CPU and memory resources. What could this indicate?

• The presence of malware or a rootkit.

• The operating system needs an update.
• The user is running resource-intensive applications.
• The computer needs a hardware upgrade.

During a routine security check, a web application generates many failed login attempts from various IP addresses. What could this indicate?

• A brute-force attack

• Normal user activity
• A misconfigured authentication system
• Users forgetting their passwords

Why is understanding system and network architecture important for implementing effective Data Loss Prevention (DLP) strategies?

• It allows for the installation of more physical security devices.
• It ensures that all data is stored on local servers.

• It helps identify critical data flow paths and potential leakage points.

• It reduces the need for encryption.

Why is understanding system and network architecture important for protecting Personally Identifiable Information (PII)?

• It helps identify and secure all locations where PII is stored and transmitted.

• It reduces the need for PII encryption.
• It allows for the installation of more physical security devices.
• It ensures that all PII is stored in the cloud.

Your network monitoring tools have detected a significant and sustained increase in bandwidth consumption from a single internal IP address during off-peak hours. What could be a potential indicator of malicious activity in this scenario?

• The IP address is involved in a Distributed Denial of Service (DDoS) attack.

• The user is downloading large files for a legitimate project.
• The network is undergoing routine maintenance.
• The user is streaming high-definition videos.

Your network monitoring tools have detected an unknown device generating unusual traffic patterns and attempting to access sensitive files. What could be a potential indicator of malicious activity in this scenario?

• The device is undergoing routine software updates.
• The device is a printer sending print jobs.
• The device is a new employee’s laptop being set up.

• The device is a rogue device attempting unauthorized access.

Your network monitoring tools have detected a sudden and significant spike in outbound traffic from a server that typically has low traffic. What could be a potential indicator of malicious activity in this scenario?

• The server is exfiltrating data to an unauthorized external destination.

• The server is backing up data to an external storage service.
• The server is undergoing routine maintenance.
• The server is experiencing a temporary increase in legitimate user activity.

Your security team notices unusual traffic on port 4444, which is not commonly used in your network, originating from multiple internal devices. What could be a potential indicator of malicious activity in this scenario?

• The devices are syncing data with a cloud service.
• The devices are communicating with a legitimate internal service.

• The devices are part of a coordinated backdoor attack.

• The devices are undergoing routine maintenance.

Your security team notices several workstations are experiencing unusually high CPU usage, even when no resource-intensive applications are running. What could be a potential indicator of malicious activity in this scenario?

• The workstations are running background updates.
• The workstations are being used for legitimate high-performance computing tasks.
• The workstations are idle and not in use.

• The workstations are part of a botnet performing distributed tasks.

Your monitoring tools have detected a sudden and significant increase in drive capacity usage on a server with stable storage consumption. What could be a potential indicator of malicious activity in this scenario?

• The server is being used to store unauthorized data, such as pirated content.

• The server is storing large backup files.
• The server is hosting a new application.
• The server is undergoing routine maintenance.

Your monitoring tools have detected a process running on a server that consumes an unusually high amount of CPU and memory resources, which was not present during the last system audit. What could be a potential indicator of malicious activity in this scenario?

• The process is a scheduled system backup.
• The process is a new application installed by the IT department.

• The process is a malicious program, such as a cryptocurrency miner.

• The process is part of a legitimate software update.

Your security team notices that several workstations send large amounts of data to an external server during off-peak hours, which is unusual for your network’s normal operations. What could be a potential indicator of malicious activity in this scenario?

• The workstations are exfiltrating data to an unauthorized external server.

• The workstations are downloading software updates.
• The workstations are idle and not in use.
• The workstations are performing scheduled data backups.

Your security team has noticed unexpected changes in file permissions on several workstations and new hidden files appearing in system directories. What could be a potential indicator of malicious activity in this scenario?

• The changes are from a scheduled disk cleanup.

• The changes indicate a malware infection attempting to gain persistence.

• The changes are due to IT’s new software installation.
• The changes are part of a legitimate system optimization process.

After an in-depth forensic review, you determine that a rootkit had modified the web server’s BIOS. After removing the rootkit and reflashing the BIOS, what should you do to prevent the malicious actor from affecting the BIOS again?

• Install a host-based IDS

• Use secure boot

• Install an anti-malware application
• Use file integrity monitoring

Why do legacy systems pose challenges for organizations regarding patching and remediation?

• Legacy systems are more secure and less susceptible to vulnerabilities.

• Legacy systems often lack support and compatibility with newer patches.

• Legacy systems are easier to patch due to their simplified architecture.
• Legacy systems have built-in security mechanisms that prevent the need for patching

Your network monitoring tools have detected a sudden increase in outbound traffic from a workstation to an unfamiliar external IP address. What could be a potential indicator of malicious activity in this scenario?

• The workstation is downloading updates from a legitimate source.

• The workstation is exfiltrating data to an unauthorized external destination.

• The workstation is performing a scheduled backup.
• The workstation is syncing files with a known internal server.

Your security team notices a spike in HTTP traffic from a server to multiple external IP addresses. You use Wireshark to analyze the traffic. What could be a potential indicator of malicious activity in this scenario?

• The HTTP traffic indicates a command-and-control communication from malware.

• The HTTP traffic is from a routine data backup.
• The HTTP traffic is part of a legitimate web application update.
• The HTTP traffic is from users accessing a popular website.

Your SIEM system has flagged unusual activity where a user account is accessing sensitive files it usually does not interact with. What could be a potential indicator of malicious activity?

• The user account has been compromised and is being used for unauthorized access.

• The user is performing a legitimate task assigned by their manager.
• The user is performing a scheduled system backup.
• The user is undergoing routine training.

Your SOAR system has flagged an unusual spike in outbound traffic from a server to an external IP address known for malicious activity. What could be a potential indicator of malicious activity in this scenario?

• The server is syncing data with a cloud service.

• The server is exfiltrating data to a command and control server.

• The server is performing a legitimate data backup.
• The server is undergoing routine software updates.

Your EDR system has flagged an application attempting to modify system files and registry settings without proper authorization. What could be a potential indicator of malicious activity in this scenario?

• The application is a legitimate user-installed software.

• The application is a malicious program attempting to gain persistence.

• The application is performing a legitimate system update.
• The application is part of a scheduled maintenance task.

Your network monitoring tools have detected HTTP requests with uncommon header types from an internal server to an external IP address. What could be a potential indicator of malicious activity in this scenario?

• The server is performing a legitimate software update.
• The server is undergoing routine maintenance.
• The server is syncing data with a cloud service.

• The server is infected with malware attempting to communicate with a command and control server.

Which of the following tools would work best to prevent the exposure of PII outside of an organization?

• PAM
• PKI
• IDS

• DLP

After identifying all assets in your network, you need to perform a vulnerability scan to ensure no critical vulnerabilities are present. Which phase of the vulnerability management lifecycle involves identifying and cataloging all assets before scanning for vulnerabilities?

• Discovery

• Reporting
• Assessment
• Remediation

Your organization is preparing for an external audit and must ensure all internet-facing assets are secure from potential external threats. Which vulnerability scan should you perform to identify weaknesses that external attackers could exploit?

• Credentialed Scan

• External Vulnerability Scan

• Non-Credentialed Scan
• Internal Vulnerability Scan

Your organization has many remote workers using various devices. You need to ensure continuous vulnerability assessment regardless of the devices’ locations. Which scanning method would be most effective in this scenario?

• Manual scanning

• Agent-based scanning

• Agentless scanning
• Network-based scanning

You need to assess the security posture of your internal network. Which scanning method would be most appropriate?

• Internal scan

• Penetration test
• Social engineering test
• External scan

You need to identify vulnerabilities without impacting network performance. Which scanning method should you use?

• Passive scanning

• Non-credentialed scanning
• Active scanning
• Credentialed scanning

An analyst is reviewing a vulnerability report and must make recommendations to the executive team. The analyst finds that most systems can be upgraded with a reboot, resulting in a single downtime window. However, two critical systems cannot be upgraded due to a vendor appliance that the company cannot access. Which of the following inhibitors to remediation do these systems and associated vulnerabilities best represent?

• Legacy systems
• Unsupported operating systems
• Lack of maintenance windows

• Proprietary systems

Your organization wants to enhance the security of its web application by implementing additional layers of defense against XSS attacks. Which of the following is a recommended control to mitigate XSS vulnerabilities?

• Implementing strong password policies

• Using a Web Application Firewall (WAF)

• Enabling browser caching
• Disabling cookies

Your organization has identified a critical vulnerability in its web application. To prevent exploitation, you implement a control restricting access to vulnerable components. Which type of control is being implemented in this scenario?

• Technical control

• Operational control
• Managerial control
• Preventative control

After deploying a patch to fix a critical vulnerability, your organization needs to ensure that the patch was applied correctly, and that the vulnerability is no longer present. Which step in the patch management process involves confirming that the patch has been successfully applied and the vulnerability has been mitigated?

• Rollback
• Implementation
• Testing

• Validation

Your organization is concerned about a critical vulnerability in a third-party service that could lead to significant data breaches. You decide to purchase cyber insurance to cover potential losses. Which risk management principle is applied in this scenario?

• Accept
• Mitigate
• Avoid

• Transfer

Your organization has set a target for the maximum allowable time to respond to critical vulnerabilities. This target is part of your service level objectives (SLOs). Which aspect of SLOs does this target represent?

• Service availability

• Response time

• Error rate
• Uptime percentage

You need to identify all potential entry points for attackers in your network. Which process would you use?

• Incident response
• Threat intelligence
• Vulnerability scanning

• Attack surface management

You need to ensure that your code is free from common vulnerabilities. Which practice should you follow?

• Code obfuscation
• Code minification

• Input validation

• Code formatting

If you want to prevent unauthorized access to sensitive data in your application, which secure coding practice would you implement?

• Using secure APIs

• Disabling logging
• Hardcoding credentials
• Ignoring exceptions

Which phase of the Cyber Kill Chain involves the attacker gathering information about the target to identify vulnerabilities?

• Exploitation
• Delivery
• Weaponization

• Reconnaissance

In the MITRE ATT&CK framework, which component describes adversaries’ specific methods to achieve their objectives?

• Techniques

• Tactics
• Infrastructure
• Procedures

Which of the following is least effective in protecting a network from packet sniffing?

• Deploying network segmentation and access controls
• Regularly patching and updating all systems

• Relying solely on password strength to protect sensitive data

• Implementing robust encryption for data transmission

After successfully containing a malware outbreak, what is the next step in the incident response process?

• Recovery

• Eradication

• Analysis
• Documentation

Which of the following activities is a critical component of the preparation phase in an incident response plan?

• Restoring affected systems to regular operation
• Conducting a post-incident review
• Analyzing the root cause of the incident

• Identifying and training the incident response team

The IT team is planning to set up recurrent vulnerability scans. When is the ideal time to schedule these scans to minimize organizational disruption?

• During the busiest hours, to simulate an attack under load

• During off-peak hours to avoid impacting productivity

• Randomly, to catch any time-based vulnerabilities
• Right before the monthly IT maintenance window

What is a crucial benefit of effective communication in vulnerability management?

• It ensures that only the IT team is aware of vulnerabilities.
• It eliminates the need for a risk score in reports.
• It reduces the need for regular vulnerability scans.

• It helps in the timely mitigation of identified vulnerabilities.

What is a key benefit of reporting on vulnerabilities and configuration management actions?

• It reduces the need for manual security checks.

• It ensures compliance with security policies and standards.

• It helps in identifying new software updates.
• It increases the speed of incident response.

What is the key benefit of communicating patching action plans to all relevant stakeholders?

• It eliminates the need for automated patch management tools.
• It allows stakeholders to apply patches manually.
• It reduces the overall number of vulnerabilities in the system.

• It ensures that all stakeholders are aware of potential downtime and security improvements.

What is a key benefit of communicating compensating controls to relevant stakeholders?

• It allows stakeholders to bypass security protocols.

• It ensures stakeholders are aware of temporary measures and their limitations.

• It eliminates the need for future patching.
• It reduces the overall number of vulnerabilities in the system.

Why is it important to include security awareness training in vulnerability management action plans?

• To monitor network traffic for suspicious activity
• To ensure all software is updated to the latest version

• To educate employees on recognizing and responding to potential threats

• To automate the patching process

What is a crucial benefit of communicating changes in vulnerability management action plans to stakeholders?

• It ensures stakeholders are aware of new risks and mitigation strategies.

• It allows stakeholders to ignore new security protocols.
• It reduces the overall number of vulnerabilities in the system.
• It eliminates the need for future updates to the action plan.

What is a key benefit of effective communication with stakeholders during an incident?

• It eliminates the need for post-incident reviews.

• It ensures coordinated efforts and informed decision-making.

• It reduces the need for incident response teams.
• It allows stakeholders to ignore the incident.

Which of the following items should be included in a vulnerability scan report? (Choose two.)

• Education plan
• Service-level agreement
• Playbook

• Risk score

• Lessons learned

• Affected hosts

What is a key benefit of communicating SLA metrics to stakeholders during an incident?

• It reduces the need for incident response teams.
• It allows stakeholders to ignore the incident.
• It eliminates the need for post-incident reviews.

• It ensures transparency and sets clear expectations for incident resolution.

What is a crucial benefit of communicating the status and risks of legacy systems to stakeholders?

• It reduces the overall number of legacy systems in use.

• It ensures stakeholders are aware of potential risks and necessary mitigation strategies.

• It allows stakeholders to ignore legacy systems.
• It eliminates the need for future incident response plans.

What is a key benefit of communicating the status and risks of proprietary systems to stakeholders?

• It reduces the overall number of proprietary systems in use.

• It ensures stakeholders are aware of potential risks and necessary mitigation strategies.

• It eliminates the need for future incident response plans.
• It allows stakeholders to ignore proprietary systems.

What is a key benefit of effective communication with stakeholders during an incident?

• It ensures coordinated efforts and informed decision-making.

• It reduces the need for incident response teams.
• It eliminates the need for post-incident reviews.
• It allows stakeholders to ignore the incident.

Why is it essential to have a straightforward incident declaration process in place?

• To ensure incidents are resolved without documentation

• To quickly identify and communicate the occurrence of an incident

• To limit the number of people involved in the response
• To avoid involving senior management in incident response

Why is the executive summary an essential part of an incident response report?

• To provide a detailed technical analysis of the incident
• To include all raw data and logs collected during the incident
• To list all the vulnerabilities found during the incident

• To offer a high-level overview for stakeholders and decision-makers

What is a key benefit of communicating the impact of an incident to stakeholders?

• It reduces the need for incident response teams.
• It eliminates the need for post-incident reviews.
• It allows stakeholders to ignore the incident

• It ensures stakeholders understand the severity and necessary actions.

What is a key benefit of clear legal communication during an incident response?

• It reduces the need for technical analysis.
• It eliminates the need for incident response teams.
• It allows the organization to ignore regulatory requirements.

• It ensures accurate and compliant public disclosures.

Why is regulatory reporting critical in incident response?

• To avoid documenting the incident

• To ensure compliance with legal and regulatory requirements

• To limit the number of people involved in the response
• To reduce the need for technical analysis

What is a key benefit of effective communication with law enforcement during an incident?

• It eliminates the need for incident response teams.
• It allows the organization to ignore the incident.

• It ensures timely and accurate information sharing, enhancing public safety.

• It reduces the need for technical analysis.

Why is Mean Time to Detect (MTTD) a critical metric in incident response?

• To evaluate the effectiveness of post-incident reviews
• To determine the total downtime caused by an incident

• To assess how quickly an organization can identify a security incident

• To measure the time taken to repair an incident

What is a key benefit of reducing an organization’s Mean Time to Respond (MTTR)?

• It reduces the need for incident response teams.
• It eliminates the need for regular security assessments.
• It allows the organization to ignore minor incidents.

• It minimizes the impact and potential damage of security incidents.

After a phishing attack led to a data breach, the incident response team successfully contained and eradicated the threat. What is the most essential post-incident activity to ensure organizational resilience against future attacks?

• Conducting a company-wide phishing simulation
• Increasing the cybersecurity budget for the next fiscal year

• Reviewing and updating the incident response plan based on lessons learned

• Rewarding the incident response team for their successful mitigation efforts

What is the primary purpose of threat intelligence?

• To predict and prevent cyberthreats

• To manage user access controls
• To perform data backups
• To identify vulnerabilities in software

Which of the following will most likely ensure that mission-critical services are available in the event of an incident?

• Vulnerability management plan
• Asset management plan
• Disaster recovery plan

• Business continuity plan

During which phase of incident response is the root cause analysis performed?

• Detection
• Containment
• Recovery

• Eradication

What is the primary function of a Security Information and Event Management (SIEM) system?

• User authentication

• Log aggregation and analysis

• Network monitoring
• Data encryption

What is the primary purpose of a compliance audit?

• To ensure adherence to policies and regulations

• To train employees
• To monitor network traffic
• To identify security vulnerabilities

Which of the following is a common technique used in threat hunting?

• Social engineering

• Anomaly detection

• Data masking
• Phishing

Tamara is a cybersecurity analyst for a private business that suffered a security breach. She believes the attackers compromised a database containing sensitive information. Which one of the following activities should be Tamara’s priority?

• Identifying the source of the attack
• Eradication
• Recovery

• Containment

Which of the following is a common feature of EDR solutions?

• User training
• Data masking
• Network segmentation

• Real-time monitoring

Which of the following is a method for implementing multifactor authentication (MFA)?

• IP address verification
• Password only
• Username only

• Biometric and password

After resolving an incident, you need to create a report. What is the primary purpose of this report?

• To archive the incident

• To document the incident and response

• To notify the media
• To blame the responsible party

Which type of firewall filters traffic based on packet attributes?

• Stateful firewall
• Proxy firewall
• Application firewall

• Packet-filtering firewall

Which model describes shared security responsibilities between cloud providers and customers?

• Zero-trust model

• Shared responsibility model

• Least privilege model
• Defense-in-depth model

After an incident, you need to review what went well and what didn’t. Which process would you use?

• Risk assessment
• Threat modeling

• Lessons learned

• Incident declaration

Which of the following is not a potential issue with live imaging of a system?

• Malware might be detected by the imaging tool and work to avoid it.
• Remnant data from the imaging tool will remain.
• Memory or drive contents might change during the imaging process.

• Unallocated space will be captured.

ipconfig /flushdns

ipconfig /release

theZoo: repository of LIVE malwares for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public.

MSRC https://msrc.microsoft.com/update-guide/vulnerability

https://ubuntu.com/security/cves

https://cloud.google.com/support/bulletins

https://support.apple.com/en-us/HT201222

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

https://www.linkedin.com/posts/cyber-threat-intel_osimodel-cybersecurity-networksecurity-activity-7339282956391235587-OBwn/?utm_source=share&utm_medium=member_desktop&rcm=ACoAADcninMBbnWM7Hs5T_f96h06MeEbRSZlSck

https://www.linkedin.com/posts/e-learn-cybersecurity_cybersecurity-infosec-securitystack-activity-7349505260828205056-L-z7/?utm_source=share&utm_medium=member_desktop&rcm=ACoAADcninMBbnWM7Hs5T_f96h06MeEbRSZlSck

Resources to follow: https://www.darkreading.com/ https://krebsonsecurity.com/ https://www.csoonline.com/

Autopsy: premier open source forensics platform (PAID).

Anchore: Automate container vulnerability scanning.

Argo CD: declarative, GitOps continuous delivery tool for Kubernetes.

https://www.reddit.com/r/cybersecurity/comments/x5c45j/cybersecurity_on_twitter_which_channelspersons_do/

https://owasp.org/www-project-top-ten/

NIST (National Institute of Standards and Technology): 

NIST Cybersecurity Framework

This is the official website for this comprehensive framework that outlines best practices for managing cybersecurity risks. 

    CIS (Center for Internet Security):

     Cybersecurity Best Practices: https://www.cisecurity.org/cybersecurity-best-practices 

     This website provides current cybersecurity best practice recommendations.

         OWASP (Open Web Application Security Project): 

         OWASP Top Ten

         This informative site lists the top ten security risks for web applications, which is crucial for understanding vulnerabilities relevant to the Security+ exam. 

             ENISA (European Union Agency for Cybersecurity):

              ENISA Publications

             This website offers reports, guidelines, and best practices in cybersecurity that can help you understand European standards. 

                 CISA (Cybersecurity and Infrastructure Security Agency): 

                 CISA Cybersecurity Resources

                 This website provides a collection of resources, tools, and guidelines for improving cybersecurity preparedness. 

                     NIST Special Publications:

                      NIST SP 800 Series

                     This site provides guidelines and recommendations on various aspects of cybersecurity, including risk management and security controls. 

                         MITRE ATT&CK Framework:

                          MITRE ATT&CK

                          

                          A comprehensive knowledge base of adversary tactics and techniques based on real-world observations that are valuable for understanding threat landscapes.

                          These additional resources can also help you keep up with the latest cybersecurity news

                              Krebs on Security

                              Krebs on Security

                              This website, written by Brian Krebs, who has authored more than 1,300 blog posts for the Security Fix blog, delivers the latest cybersecurity news, including valuable information about who and how the cybersecurity incident occurred.

                                  Dark Reading

                                  Dark Reading

                                  This website compiles information from multiple other sites related to cybersecurity incidents,  technologies professional links. Note that some links do lead to advertiser-sponsored articles.

                                      The Internet Storm Center

                                      The Internet Storm Center

                                      This website includes relevant articles, podcasts, tool listings, jobs, and more. This organization also has an extensive social media presence.

                                          Reddit

                                          Reddit/Cybersecurity

                                          Reddit is a popular social website. The cybersecurity sub-thread is a location where prospective and current cybersecurity professionals network, exchange knowledge, brainstorm on current issues, and share career advice.