Cybersecurity – Best Practices

Cybersecurity is the practice of ensuring the confidentiality, integrity, and availability of information. This involves protecting networks, devices, people, and data from unauthorized access or criminal exploitation.

Cybersecurity glossary

Common cybersecurity terminology

  • Compliance is the process of adhering to internal standards and external regulations and enables organizations to avoid fines and security breaches.
  • Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy.
  • Security controls are safeguards designed to reduce specific security risks. They are used with security frameworks to establish a strong security posture.
  • Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. A strong security posture leads to lower risk for the organization.
  • A threat actor, or malicious attacker, is any person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.
  • An internal threat can be a current or former employee, an external vendor, or a trusted partner who poses a security risk. At times, an internal threat is accidental. For example, an employee who accidentally clicks on a malicious email link would be considered an accidental threat. Other times, the internal threat actor intentionally engages in risky activities, such as unauthorized data access.
  • Network security is the practice of keeping an organization’s network infrastructure secure from unauthorized access. This includes data, services, systems, and devices that are stored in an organization’s network.
  • Cloud security is the process of ensuring that assets stored in the cloud are properly configured, or set up correctly, and access to those assets is limited to authorized users. The cloud is a network made up of a collection of servers or computers that store resources and data in remote physical locations known as data centers that can be accessed via the internet. Cloud security is a growing subfield of cybersecurity that specifically focuses on the protection of data, applications, and infrastructure in the cloud.
  • Programming is a process that can be used to create a specific set of instructions for a computer to execute tasks. These tasks can include:
    • Automation of repetitive tasks (e.g., searching a list of malicious domains)

    • Reviewing web traffic

    • Alerting on suspicious activity

GLOSSARY

Adversarial artificial intelligence (AI): A technique that manipulates artificial intelligence (AI) and machine learning (ML) technology to conduct attacks more efficiently

Business Email Compromise (BEC): A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage

CISSP: Certified Information Systems Security Professional is a globally recognized and highly sought-after information security certification, awarded by the International Information Systems Security Certification Consortium

Computer virus: Malicious code written to interfere with computer operations and cause damage to data and software

Cryptographic attack: An attack that affects secure forms of communication between a sender and intended recipient

Hacker: Any person who uses computers to gain access to computer systems, networks, or data

Malware: Software designed to harm devices or networks

Password attack: An attempt to access password secured devices, systems, networks, or data

Phishing: The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Physical attack: A security incident that affects not only digital but also physical environments where the incident is deployed

Physical social engineering: An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location

Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables

Social media phishing: A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack

Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Supply-chain attack: An attack that targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed

USB baiting: An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network

Virus: See “computer virus”

Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Watering hole attack: A type of attack in which a threat actor compromises a website frequently visited by a specific group of users

Asset: An item perceived as having value to an organization

Availability: The idea that data is accessible to those who are authorized to access it

Compliance: The process of adhering to internal standards and external regulations

Confidentiality: The idea that only authorized users can access specific assets or data

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies

Hacktivist: A person who uses hacking to achieve a political goal

Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law established to protect patients’ health information

Integrity: The idea that the data is correct, authentic, and reliable

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Privacy protection: The act of safeguarding personal information from unauthorized use

Protected health information (PHI): Information that relates to the past, present, or future physical or mental health or condition of an individual

Security architecture: A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats

Security controls: Safeguards designed to reduce specific security risks

Security ethics: Guidelines for making appropriate decisions as a security professional

Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy

Security governance: Practices that help support, define, and direct security efforts of an organization

Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling guidelines

Antivirus software: A software program used to prevent, detect, and eliminate malware and viruses

Database: An organized collection of information or data

Data point: A specific piece of information

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

Linux: An open-source operating system

Log: A record of events that occur within an organization’s systems

Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic within a network

Order of volatility: A sequence outlining the order of data that must be preserved from first to last

Programming: A process that can be used to create a specific set of instructions for a computer to execute tasks

Protecting and preserving evidence: The process of properly working with fragile and volatile digital evidence

Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization

SQL (Structured Query Language): A query language used to create, interact with, and request information from a database

Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly

Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that may exist in an organization

Business continuity: An organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans

Categorize: The second step of the NIST RMF that is used to develop risk management processes and tasks

External threat: Anything outside the organization that has the potential to harm organizational assets

Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization

Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk

Monitor: The seventh step of the NIST RMF that means to be aware of how systems are operating

Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs

Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access

Risk: Anything that can impact the confidentiality, integrity, or availability of an asset

Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach

Security posture: An organization’s ability to manage its defense of critical assets and data and react to change

Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization

Shared responsibility: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security

Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables

Vulnerability: A weakness that can be exploited by a threat

Phishing

Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.

Some of the most common types of phishing attacks today include:

  • Business Email Compromise (BEC): A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.

  • Spear phishing: A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.

  • Whaling: A form of spear phishing. Threat actors target company executives to gain access to sensitive data.

  • Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.

  • Smishing: The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.

Malware

Malware is software designed to harm devices or networks. There are many types of malware. The primary purpose of malware is to obtain money, or in some cases, an intelligence advantage that can be used against a person, an organization, or a territory.

Some of the most common types of malware attacks today include:

  • Viruses: Malicious code written to interfere with computer operations and cause damage to data and software. A virus needs to be initiated by a user (i.e., a threat actor), who transmits the virus via a malicious attachment or file download. When someone opens the malicious attachment or download, the virus hides itself in other files in the now infected system. When the infected files are opened, it allows the virus to insert its own code to damage and/or destroy data in the system.

  • Worms: Malware that can duplicate and spread itself across systems on its own. In contrast to a virus, a worm does not need to be downloaded by a user. Instead, it self-replicates and spreads from an already infected computer to other devices on the same network.

  • Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access.

  • Spyware: Malware that’s used to gather and sell information without consent. Spyware can be used to access devices. This allows threat actors to collect personal data, such as private emails, texts, voice and image recordings, and locations.

Social Engineering

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Human error is usually a result of trusting someone without question. It’s the mission of a threat actor, acting as a social engineer, to create an environment of false trust and lies to exploit as many people as possible.

Some of the most common types of social engineering attacks today include:

  • Social media phishing: A threat actor collects detailed information about their target from social media sites. Then, they initiate an attack.

  • Watering hole attack: A threat actor attacks a website frequently visited by a specific group of users.

  • USB baiting: A threat actor strategically leaves a malware USB stick for an employee to find and install, to unknowingly infect a network.

  • Physical social engineering: A threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location.

Social engineering principles

Social engineering is incredibly effective. This is because people are generally trusting and conditioned to respect authority. The number of social engineering attacks is increasing with every new social media application that allows public access to people’s data. Although sharing personal data—such as your location or photos—can be convenient, it’s also a risk.

Reasons why social engineering attacks are effective include:

  • Authority: Threat actors impersonate individuals with power. This is because people, in general, have been conditioned to respect and follow authority figures.

  • Intimidation: Threat actors use bullying tactics. This includes persuading and intimidating victims into doing what they’re told.

  • Consensus/Social proof: Because people sometimes do things that they believe many others are doing, threat actors use others’ trust to pretend they are legitimate. For example, a threat actor might try to gain access to private data by telling an employee that other people at the company have given them access to that data in the past.

  • Scarcity: A tactic used to imply that goods or services are in limited supply.

  • Familiarity: Threat actors establish a fake emotional connection with users that can be exploited.

  • Trust: Threat actors establish an emotional relationship with users that can be exploited over time. They use this relationship to develop trust and gain personal information.

  • Urgency: A threat actor persuades others to respond quickly and without questioning.

Malware

Software designed to harm devices or networks

Virus

A malware program that modifies other computer programs by inserting its own code to damage and/or destroy data

Worm

Malware that self-replicates, spreading across the network and infecting computers

Ransomware

A malicious attack during which threat actors encrypt an organization’s data and demand payment to restore access

Spyware

Malicious software installed on a user’s computer without their permission, which is used to spy on and steal user data

Phishing

The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Spear phishing

A malicious email attack targeting a specific user or group of users that appears to originate from a trusted source

Whaling

A form of spear phishing during which threat actors target executives in order to gain access to sensitive data

Business email compromise (BEC)

An attack in which a threat actor impersonates a known source to obtain a financial advantage

Vishing

The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Social engineering

A manipulation technique that exploits human error to gain unauthorized access to sensitive, private, and/or valuable data

Social media phishing

An attack in which a threat actor collects detailed information about their target on social media sites before initiating an attack

Watering hole attack

An attack in which a threat actor compromises a website frequently visited by a specific group of users

Physical social engineering

An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location

USB baiting

An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and unknowingly infect a network

Security Domains

Security domains are a way of categorizing and organizing different aspects of security within a system or organization. These domains help in understanding and managing security risks comprehensively. While the exact categorization may vary depending on the framework or methodology being used, some common security domains include:

  1. Physical Security: This domain focuses on protecting physical assets, such as buildings, hardware, and other tangible items, from unauthorized access, theft, damage, or destruction. Measures may include locks, fences, security guards, surveillance cameras, and access control systems.

  2. Network Security: Network security involves safeguarding the integrity, confidentiality, and availability of data and resources transmitted over networks. This domain includes measures such as firewalls, intrusion detection and prevention systems (IDPS), encryption, virtual private networks (VPNs), and secure configurations of network devices.

  3. Application Security: Application security focuses on securing software applications and the data they process. This includes identifying and mitigating vulnerabilities in code, implementing secure coding practices, conducting regular security testing (such as penetration testing and code reviews), and ensuring secure authentication and authorization mechanisms.

  4. Information Security: Information security encompasses the protection of sensitive information from unauthorized access, disclosure, alteration, or destruction. This domain involves implementing policies, procedures, and technologies to classify, handle, and safeguard data appropriately. Measures may include access controls, encryption, data loss prevention (DLP), and incident response plans.

  5. Operational Security (OPSEC): Operational security involves protecting critical information related to an organization’s operations, plans, and capabilities. This domain focuses on minimizing the risk of information disclosure that could be exploited by adversaries to compromise security. Measures may include limiting access to sensitive information on a need-to-know basis, controlling communication channels, and maintaining situational awareness.

  6. Personnel Security: Personnel security addresses the human element of security, ensuring that individuals with access to sensitive information or critical assets are trustworthy and adequately trained. This domain involves conducting background checks, providing security awareness training, enforcing security policies and procedures, and managing access privileges based on roles and responsibilities.

  7. Risk Management: Risk management involves identifying, assessing, and prioritizing security risks to the organization and implementing controls to mitigate or manage these risks effectively. This domain includes activities such as risk assessments, vulnerability management, security monitoring, and incident response planning.

By categorizing security concerns into these domains, organizations can develop a holistic approach to security that addresses various threats and vulnerabilities across different areas of their operations.

Certified Information Systems Security Professional (CISSP)

  • Security and Risk Management: This domain covers topics such as security governance, risk management, compliance, legal and regulatory issues, security policies, procedures, and business continuity planning.

  • Asset Security: Asset security focuses on protecting the confidentiality, integrity, and availability of information assets. It includes topics such as data classification, asset management, privacy protection, and information handling requirements.

  • Security Architecture and Engineering: This domain covers the design, implementation, and management of security controls to ensure the protection of systems, networks, and applications. It includes topics such as security models, cryptography, secure design principles, and security testing.

  • Communication and Network Security: Communication and network security involves securing the transmission of data over networks and ensuring the availability, integrity, and confidentiality of network communications. It covers topics such as network protocols, secure network architecture, and secure communication channels.

  • Identity and Access Management (IAM): IAM focuses on managing the identities of users and controlling their access to systems and data. It includes topics such as authentication methods, access control models, identity management systems, and privilege management.

  • Security Assessment and Testing: This domain covers the methods and techniques used to assess and test the security of systems, networks, and applications. It includes topics such as security testing methodologies, vulnerability assessment, penetration testing, and security audits.

  • Security Operations: Security operations involve the day-to-day tasks and activities related to monitoring, detecting, analyzing, and responding to security incidents. This domain covers topics such as security monitoring, incident response procedures, disaster recovery planning, and security awareness training.

  • Software Development Security: Software development security focuses on integrating security into the software development lifecycle (SDLC) and ensuring that software is developed securely. It includes topics such as secure coding practices, security controls in development environments, and security testing of software.

Determine the type of attack

Attack types

Password attack

A password attack is an attempt to access password-secured devices, systems, networks, or data. Some forms of password attacks that you’ll learn about later in the certificate program are:

  • Brute force

  • Rainbow table

Password attacks fall under the communication and network security domain.

Social engineering attack

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Some forms of social engineering attacks that you will continue to learn about throughout the program are:

  • Phishing

  • Smishing

  • Vishing

  • Spear phishing

  • Whaling

  • Social media phishing

  • Business Email Compromise (BEC)

  • Watering hole attack

  • USB (Universal Serial Bus) baiting

  • Physical social engineering

Social engineering attacks are related to the security and risk management domain.

Physical attack

A physical attack is a security incident that affects not only digital but also physical environments where the incident is deployed. Some forms of physical attacks are:

  • Malicious USB cable

  • Malicious flash drive

  • Card cloning and skimming

Physical attacks fall under the asset security domain.

Adversarial artificial intelligence

Adversarial artificial intelligence is a technique that manipulates artificial intelligence and machine learning technology to conduct attacks more efficiently. Adversarial artificial intelligence falls under both the communication and network security and the identity and access management domains.

Supply-chain attack

A supply-chain attack targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed. Because every item sold undergoes a process that involves third parties, this means that the security breach can occur at any point in the supply chain. These attacks are costly because they can affect multiple organizations and the individuals who work for them. Supply-chain attacks can fall under several domains, including but not limited to the security and risk management, security architecture and engineering, and security operations domains.

Cryptographic attack

A cryptographic attack affects secure forms of communication between a sender and intended recipient. Some forms of cryptographic attacks are:

  • Birthday

  • Collision

  • Downgrade

Cryptographic attacks fall under the communication and network security domain.

Understand attackers

Threat actor types

Advanced persistent threats

Advanced persistent threats (APTs) have significant expertise accessing an organization’s network without authorization. APTs tend to research their targets (e.g., large corporations or government entities) in advance and can remain undetected for an extended period of time. Their intentions and motivations can include:

  • Damaging critical infrastructure, such as the power grid and natural resources

  • Gaining access to intellectual property, such as trade secrets or patents

Insider threats

Insider threats abuse their authorized access to obtain data that may harm an organization. Their intentions and motivations can include:

  • Sabotage

  • Corruption

  • Espionage

  • Unauthorized data access or leaks

Hacktivists

Hacktivists are threat actors that are driven by a political agenda. They abuse digital technology to accomplish their goals, which may include:

  • Demonstrations

  • Propaganda

  • Social change campaigns

  • Fame

Hacker types

A hacker is any person who uses computers to gain access to computer systems, networks, or data. They can be beginner or advanced technology professionals who use their skills for a variety of reasons. There are three main categories of hackers:

  • Authorized hackers are also called ethical hackers. They follow a code of ethics and adhere to the law to conduct organizational risk evaluations. They are motivated to safeguard people and organizations from malicious threat actors.

  • Semi-authorized hackers are considered researchers. They search for vulnerabilities but don’t take advantage of the vulnerabilities they find.

  • Unauthorized hackers are also called unethical hackers. They are malicious threat actors who do not follow or respect the law. Their goal is to collect and sell confidential data for financial gain.

Note: There are multiple hacker types that fall into one or more of these three categories.

New and unskilled threat actors have various goals, including:

  • To learn and enhance their hacking skills

  • To seek revenge

  • To exploit security weaknesses by using existing malware, programming scripts, and other tactics

Other types of hackers are not motivated by any particular agenda other than completing the job they were contracted to do. These types of hackers can be considered unethical or ethical hackers. They have been known to work on both illegal and legal tasks for pay.

There are also hackers who consider themselves vigilantes. Their main goal is to protect the world from unethical hackers.

Security frameworks and controls

Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy.

Security frameworks provide a structured approach to implementing a security lifecycle.

The security lifecycle is a constantly evolving set of policies and standards that define how an organization manages risks, follows established guidelines, and meets regulatory compliance, or laws.

There are several security frameworks that may be used to manage different types of organizational and regulatory compliance risks.

The purposes of security frameworks include protecting personally identifiable information, known as PII, securing financial information, identifying security weaknesses, managing organizational risks, and aligning security with business goals.

Frameworks have four core components and understanding them will allow you to better manage potential risks.

The first core component is identifying and documenting security goals.

For example, an organization may have a goal to align with the E.U.’s General Data Protection Regulation, also known as GDPR.

GDPR is a data protection law established to grant European citizens more control over their personal data.

A security analyst may be asked to identify and document areas where an organization is out of compliance with GDPR.

The second core component is setting guidelines to achieve security goals.

For example, when implementing guidelines to achieve GDPR compliance, your organization may need to develop new policies for how to handle data requests from individual users.

The third core component of security frameworks is implementing strong security processes.

In the case of GDPR, a security analyst working for a social media company may help design procedures to ensure the organization complies with verified user data requests.

An example of this type of request is when a user attempts to update or delete their profile information.

The last core component of security frameworks is monitoring and communicating results.

As an example, you may monitor your organization’s internal network and report a potential security issue affecting GDPR to your manager or regulatory compliance officer.

Now that we’ve introduced the four core components of security frameworks, let’s tie them all together.

Frameworks allow analysts to work alongside other members of the security team to document, implement, and use the policies and procedures that have been created.

It’s essential for an entry-level analyst to understand this process because it directly affects the work they do and how they collaborate with others.

Next, we’ll discuss security controls.

Security controls are safeguards designed to reduce specific security risks.

For example, your company may have a guideline that requires all employees to complete a privacy training to reduce the risk of data breaches.

As a security analyst, you may use a software tool to automatically assign and track which employees have completed this training.

Security frameworks and controls are vital to managing security for all types of organizations and ensuring that everyone is doing their part to maintain a low level of risk.

Understanding their purpose and how they are used allows analysts to support an organization’s security goals and protect the people it serves.

Security Frameworks and Controls

The CIA triad is a foundational model in information security used to guide policies for information security within an organization. CIA stands for:

  1. Confidentiality: This refers to ensuring that information is only accessible to those who are authorized to access it. It involves protecting sensitive data from unauthorized access, whether intentional or accidental.

  2. Integrity: Integrity ensures that data is accurate, consistent, and trustworthy. It involves protecting data from being altered or tampered with by unauthorized individuals or processes. Maintaining data integrity is crucial for ensuring its reliability and usability.

  3. Availability: Availability ensures that information and resources are accessible to authorized users when needed. It involves implementing measures to prevent or minimize disruptions to access, such as through system failures, attacks, or natural disasters.

These three principles form the basis of a comprehensive approach to information security, guiding organizations in implementing appropriate controls and measures to protect their assets and mitigate risks.

The CIA triad is a foundational model that helps inform how organizations consider risk when setting up systems and security policies.

CIA stands for confidentiality, integrity, and availability.

Confidentiality means that only authorized users can access specific assets or data.

For example, strict access controls that define who should and should not have access to data must be put in place to ensure confidential data remains safe.

Integrity means the data is correct, authentic, and reliable.

To maintain integrity, security professionals can use a form of data protection like encryption to safeguard data from being tampered with.

Availability means data is accessible to those who are authorized to access it.

asset.

An asset is an item perceived as having value to an organization.

And value is determined by the cost associated with the asset in question.

For example, an application that stores sensitive data, such as social security numbers or bank accounts, is a valuable asset to an organization.

It carries more risk and therefore requires tighter security controls in comparison to a website that shares publicly available news content.

As you may remember, earlier in the course, we discussed frameworks and controls in general.

Now, we’ll discuss a specific framework developed by the U.S.-based National Institute of Standards and Technology: the Cybersecurity Framework, also referred to as the NIST CSF.

The NIST Cybersecurity Framework is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

It’s important to become familiar with this framework because security teams use it as a baseline to manage short and long term risk.

Managing and mitigating risks and protecting an organization’s assets from threat actors are key goals for security professionals.

Understanding the different motives a threat actor may have, alongside identifying your organization’s most valuable assets, is important.

Some of the most dangerous threat actors to consider are disgruntled employees.

They are the most dangerous because they often have access to sensitive information and know where to find it.

In order to reduce this type of risk, security professionals would use the principle of availability, as well as organizational guidelines based on frameworks to ensure staff members can only access the data they need to perform their jobs.

Threat actors originate from all across the globe, and a diverse workforce of security professionals helps organizations identify attackers’ intentions.

A variety of perspectives can assist organizations in understanding and mitigating the impact of malicious activity. That concludes our introduction to the CIA triad and NIST CSF framework, which are used to develop processes to secure organizations and the people they serve.

Controls, frameworks, and compliance

The confidentiality, integrity, and availability (CIA) triad is a model that helps inform how organizations consider risk when setting up systems and security policies.

CIA are the three foundational principles used by cybersecurity professionals to establish appropriate controls that mitigate threats, risks, and vulnerabilities.

As you may recall, security controls are safeguards designed to reduce specific security risks. So they are used alongside frameworks to ensure that security goals and processes are implemented correctly and that organizations meet regulatory compliance requirements.

Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy. They have four core components:

  1. Identifying and documenting security goals

  2. Setting guidelines to achieve security goals

  3. Implementing strong security processes

  4. Monitoring and communicating results

Some of the primary purposes of security frameworks include:

  1. Identifying security weaknesses: Security frameworks help organizations identify vulnerabilities and weaknesses in their security posture by providing guidelines for assessing and improving security controls and practices.

  2. Securing financial information: Security frameworks offer guidelines and best practices for protecting sensitive financial information, such as payment card data, financial transactions, and other financial assets, from unauthorized access, disclosure, or theft.

  3. Aligning security with business goals: Security frameworks help organizations align their security initiatives and practices with their overall business objectives and priorities. By integrating security into business processes and strategies, organizations can effectively mitigate risks and support their broader business goals.

Compliance is the process of adhering to internal standards and external regulations.

Specific controls, frameworks, and compliance

The National Institute of Standards and Technology (NIST) is a U.S.-based agency that develops multiple voluntary compliance frameworks that organizations worldwide can use to help manage risk. The more aligned an organization is with compliance, the lower the risk.

Examples of frameworks include the NIST Cybersecurity Framework (CSF) and the NIST Risk Management Framework (RMF).

Note: Specifications and guidelines can change depending on the type of organization you work for.

In addition to the NIST CSF and NIST RMF, there are several other controls, frameworks, and compliance standards that are important for security professionals to be familiar with to help keep organizations and the people they serve safe.

The Federal Energy Regulatory Commission – North American Electric Reliability Corporation (FERC-NERC)

FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC.

The Federal Risk and Authorization Management Program (FedRAMP®)

FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers.

Center for Internet Security (CIS®)

CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs.

General Data Protection Regulation (GDPR)

GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud.

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S. federal law established in 1996 to protect patients’ health information. This law prohibits patient information from being shared without their consent. It is governed by three rules:

  1. Privacy

  2. Security

  3. Breach notification

Organizations that store patient data have a legal obligation to inform patients of a breach because if patients’ Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance.

International Organization for Standardization (ISO)

ISO was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services.

System and Organizations Controls (SOC type 1, SOC type 2)

The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. The SOC1 and SOC2 are a series of reports that focus on an organization’s user access policies at different organizational levels such as:

  • Associate

  • Supervisor

  • Manager

  • Executive

  • Vendor

  • Others

They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.

Pro tip: There are a number of regulations that are frequently revised. You are encouraged to keep up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions to research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.

United States Presidential Executive Order 14028

On May 12, 2021, President Joe Biden released an executive order related to improving the nation’s cybersecurity to remediate the increase in threat actor activity. Remediation efforts are directed toward federal agencies and third parties with ties to U.S. critical infrastructure. For additional information, review the Executive Order on Improving the Nation’s Cybersecurity.

Ethical concepts that guide cybersecurity decisions

Security ethics are guidelines for making appropriate decisions as a security professional. Being ethical requires that security professionals remain unbiased and maintain the security and confidentiality of private data. Having a strong sense of ethics can help you navigate your decisions as a cybersecurity professional so you’re able to mitigate threats posed by threat actors’ constantly evolving tactics and techniques. In this reading, you’ll learn about more ethical concepts that are essential to know so you can make appropriate decisions about how to legally and ethically respond to attacks in a way that protects organizations and people alike.

United States standpoint on counterattacks

In the U.S., deploying a counterattack on a threat actor is illegal because of laws like the Computer Fraud and Abuse Act of 1986 and the Cybersecurity Information Sharing Act of 2015, among others. You can only defend. The act of counterattacking in the U.S. is perceived as an act of vigilantism. A vigilante is a person who is not a member of law enforcement who decides to stop a crime on their own. And because threat actors are criminals, counterattacks can lead to further escalation of the attack, which can cause even more damage and harm. Lastly, if the threat actor in question is a state-sponsored hacktivist, a counterattack can lead to serious international implications. A hacktivist is a person who uses hacking to achieve a political goal. The political goal may be to promote social change or civil disobedience.

For these reasons, the only individuals in the U.S. who are allowed to counterattack are approved employees of the federal government or military personnel.

International standpoint on counterattacks

The International Court of Justice (ICJ), which updates its guidance regularly, states that a person or group can counterattack if:

  • The counterattack will only affect the party that attacked first.

  • The counterattack is a direct communication asking the initial attacker to stop.

  • The counterattack does not escalate the situation.

  • The counterattack effects can be reversed.

Organizations typically do not counterattack because the above scenarios and parameters are hard to measure. There is a lot of uncertainty dictating what is and is not lawful, and at times negative outcomes are very difficult to control. Counterattack actions generally lead to a worse outcome, especially when you are not an experienced professional in the field.

To learn more about specific scenarios and ethical concerns from an international perspective, review updates provided in the Tallinn Manual online.

Ethical principles and methodologies

Because counterattacks are generally disapproved of or illegal, the security realm has created frameworks and controls—such as the confidentiality, integrity, and availability (CIA) triad and others discussed earlier in the program—to address issues of confidentiality, privacy protections, and laws. To better understand the relationship between these issues and the ethical obligations of cybersecurity professionals, review the following key concepts as they relate to using ethics to protect organizations and the people they serve.

Confidentiality means that only authorized users can access specific assets or data. Confidentiality as it relates to professional ethics means that there needs to be a high level of respect for privacy to safeguard private assets and data.

Privacy protection means safeguarding personal information from unauthorized use. Personally identifiable information (PII) and sensitive personally identifiable information (SPII) are types of personal data that can cause people harm if they are stolen. PII data is any information used to infer an individual’s identity, like their name and phone number. SPII data is a specific type of PII that falls under stricter handling guidelines, including social security numbers and credit card numbers. To effectively safeguard PII and SPII data, security professionals hold an ethical obligation to secure private information, identify security vulnerabilities, manage organizational risks, and align security with business goals.

Laws are rules that are recognized by a community and enforced by a governing entity. As a security professional, you will have an ethical obligation to protect your organization, its internal infrastructure, and the people involved with the organization. To do this:

  • You must remain unbiased and conduct your work honestly, responsibly, and with the highest respect for the law.

  • Be transparent and just, and rely on evidence.

  • Ensure that you are consistently invested in the work you are doing, so you can appropriately and ethically address issues that arise.

  • Stay informed and strive to advance your skills, so you can contribute to the betterment of the cyber landscape.

As an example, consider the Health Insurance Portability and Accountability Act (HIPAA), which is a U.S. federal law established to protect patients’ health information, also known as PHI, or protected health information. This law prohibits patient information from being shared without their consent. So, as a security professional, you might help ensure that the organization you work for adheres to both its legal and ethical obligation to inform patients of a breach if their health care data is exposed.

Tools for protecting business operations

An entry-level analyst’s toolkit

Every organization may provide a different toolkit, depending on its security needs. As a future analyst, it’s important that you are familiar with industry standard tools and can demonstrate your ability to learn how to use similar tools in a potential workplace.


Security information and event management (SIEM) tools

A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. A log is a record of events that occur within an organization’s systems. Depending on the amount of data you’re working with, it could take hours or days to filter through log data on your own. SIEM tools reduce the amount of data an analyst must review by providing alerts for specific types of threats, risks, and vulnerabilities.

SIEM tools provide a series of dashboards that visually organize data into categories, allowing users to select the data they wish to analyze. Different SIEM tools have different dashboard types that display the information you have access to.

SIEM tools also come with different hosting options, including on-premise and cloud. Organizations may choose one hosting option over another based on a security team member’s expertise. For example, because a cloud-hosted version tends to be easier to set up, use, and maintain than an on-premise version, a less experienced security team may choose this option for their organization.
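The alerting behaviour described above can be sketched as a small correlation rule. This is an added example, not taken from the original notes or from any SIEM product: the log format, rule names, threshold, and window are assumptions, and the log lines are constructed samples using documentation address ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical sshd-style format).
SAMPLE_LOGS = """\
2024-05-01T09:00:01Z host1 sshd: Accepted password for alice from 198.51.100.7
2024-05-01T09:00:10Z host1 sshd: Failed password for root from 203.0.113.9
2024-05-01T09:00:12Z host1 sshd: Failed password for root from 203.0.113.9
2024-05-01T09:00:15Z host1 sshd: Failed password for admin from 203.0.113.9
2024-05-01T09:00:19Z host1 sshd: Failed password for admin from 203.0.113.9
2024-05-01T09:00:20Z host1 sshd: Failed password for bob from 198.51.100.23
2024-05-01T09:00:24Z host1 sshd: Failed password for deploy from 203.0.113.9
2024-05-01T09:00:31Z host1 sshd: Accepted password for bob from 198.51.100.23
2024-05-01T09:00:40Z host1 kernel: eth0 link up
2024-05-01T09:00:58Z host1 sshd: Accepted password for deploy from 203.0.113.9
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) "
    r"password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(line):
    """Turn one log line into an event dict, or None if it is not a login event."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    event = match.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Return (alerts, skipped): alerts raised by two rules, and unparsed line count.

    Rule 1: `threshold` failed logins from one source inside `window`.
    Rule 2: a successful login from a source that already triggered rule 1
            while its failures are still inside the window.
    """
    failures = defaultdict(deque)  # source address -> timestamps of recent failures
    flagged = set()                # sources that already triggered rule 1
    alerts, skipped = [], 0

    for line in lines:
        event = parse(line)
        if event is None:
            skipped += 1           # unrelated or malformed line: count it, do not crash
            continue
        recent = failures[event["src"]]
        # Drop failures that have aged out of the sliding window.
        while recent and event["ts"] - recent[0] > window:
            recent.popleft()

        if event["result"] == "Failed":
            recent.append(event["ts"])
            if len(recent) >= threshold and event["src"] not in flagged:
                flagged.add(event["src"])
                alerts.append({"rule": "repeated_failed_logins", "severity": "medium",
                               "src": event["src"], "count": len(recent),
                               "time": event["ts"].isoformat()})
        elif event["src"] in flagged and recent:
            alerts.append({"rule": "login_success_after_failures", "severity": "high",
                           "src": event["src"], "user": event["user"],
                           "time": event["ts"].isoformat()})
    return alerts, skipped


if __name__ == "__main__":
    found, ignored = correlate(SAMPLE_LOGS)
    print(f"{len(SAMPLE_LOGS)} log lines -> {len(found)} alerts ({ignored} lines skipped)")
    for alert in found:
        print(alert)
```

The single mistyped password from 198.51.100.23 produces no alert, which is the point of the threshold: the analyst reviews two alerts instead of ten lines.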

Network protocol analyzers (packet sniffers)

A network protocol analyzer, also known as a packet sniffer, is a tool designed to capture and analyze data traffic in a network. This means that the tool keeps a record of all the data that a computer within an organization’s network encounters. Later in the program, you’ll have an opportunity to practice using some common network protocol analyzer (packet sniffer) tools.

Playbooks

A playbook is a manual that provides details about any operational action, such as how to respond to a security incident. Organizations usually have multiple playbooks documenting processes and procedures for their teams to follow. Playbooks vary from one organization to the next, but they all have a similar purpose: To guide analysts through a series of steps to complete specific security-related tasks.

For example, consider the following scenario: You are working as a security analyst for an incident response firm. You are given a case involving a small medical practice that has suffered a security breach. Your job is to help with the forensic investigation and provide evidence to a cybersecurity insurance company. They will then use your investigative findings to determine whether the medical practice will receive their insurance payout.

In this scenario, playbooks would outline the specific actions you need to take to conduct the investigation. Playbooks also help ensure that you are following proper protocols and procedures. When working on a forensic case, there are two playbooks you might follow:

  • The first type of playbook you might consult is called the chain of custody playbook. Chain of custody is the process of documenting evidence possession and control during an incident lifecycle. As a security analyst involved in a forensic analysis, you will work with the computer data that was breached. You and the forensic team will also need to document who, what, where, and why you have the collected evidence. The evidence is your responsibility while it is in your possession. Evidence must be kept safe and tracked. Every time evidence is moved, it should be reported. This allows all parties involved to know exactly where the evidence is at all times.

  • The second playbook your team might use is called the protecting and preserving evidence playbook. Protecting and preserving evidence is the process of properly working with fragile and volatile digital evidence. As a security analyst, understanding what fragile and volatile digital evidence is, along with why there is a procedure, is critical. As you follow this playbook, you will consult the order of volatility, which is a sequence outlining the order of data that must be preserved from first to last. It prioritizes volatile data, which is data that may be lost if the device in question powers off, regardless of the reason. While conducting an investigation, improper management of digital evidence can compromise and alter that evidence. When evidence is improperly managed during an investigation, it can no longer be used. For this reason, the first priority in any investigation is to properly preserve the data. You can preserve the data by making copies and conducting your investigation using those copies.
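The two playbooks above combine into one routine: hash the evidence at acquisition, work only on a verified copy, and log every change of possession. The sketch below is an added example, not part of the original notes; the class and function names, the item ID, and the analyst names are hypothetical, and the evidence file is constructed sample data.

```python
import hashlib
import shutil
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyLog:
    """Append-only record of who held an evidence item, what they did, where, and why."""
    item_id: str
    original_sha256: str
    entries: list = field(default_factory=list)

    def record(self, who: str, action: str, where: str, why: str) -> None:
        self.entries.append({
            "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "who": who, "action": action, "where": where, "why": why,
        })

    def current_holder(self):
        return self.entries[-1]["who"] if self.entries else None


def acquire(original: Path, item_id: str, who: str, where: str, why: str) -> CustodyLog:
    """Fix the reference hash at the moment the evidence is taken into possession."""
    log = CustodyLog(item_id, sha256_file(original))
    log.record(who, "acquired", where, why)
    return log


def make_working_copy(original: Path, dest: Path, log: CustodyLog, who: str, why: str) -> Path:
    """Copy the evidence and refuse to hand out a copy that does not match the original."""
    shutil.copyfile(original, dest)
    if sha256_file(dest) != log.original_sha256:
        dest.unlink()
        raise ValueError("working copy does not match the acquisition hash")
    log.record(who, "working copy created", str(dest), why)
    return dest


def verify(path: Path, log: CustodyLog) -> bool:
    """True if the file still matches the hash recorded at acquisition."""
    return sha256_file(path) == log.original_sha256


def demo():
    """Run the workflow on constructed data; return the integrity checks and the log."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        original = workdir / "evidence.img"
        original.write_bytes(b"constructed sample evidence bytes\n" * 1000)

        log = acquire(original, "ITEM-001", "analyst_a", "evidence locker",
                      "breach investigation")
        copy = make_working_copy(original, workdir / "working.img", log,
                                 "analyst_a", "analysis on a copy")
        log.record("analyst_b", "transferred", "forensics lab", "timeline analysis")

        intact_before = verify(copy, log)
        with copy.open("ab") as handle:   # simulate an accidental write during analysis
            handle.write(b"x")
        intact_after = verify(copy, log)
        original_intact = verify(original, log)
        return intact_before, intact_after, original_intact, log


if __name__ == "__main__":
    before, after, original_ok, custody = demo()
    print("copy intact before analysis:", before)
    print("copy intact after stray write:", after)
    print("original still intact:", original_ok)
    for entry in custody.entries:
        print(entry)
```

The stray write changes only the working copy, so the hash check catches it while the original still matches its acquisition hash.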

  • Playbook: A manual that provides details about what actions to take
  • Dashboard: A tool used to visually communicate information or data
  • SIEM Tool: Application that collects and analyzes log data to monitor an organization’s critical activities.
  • Log: A record of events that occur within an organization’s systems

The following breakdown covers tools, solutions, and platforms across these categories: SIEM tools, playbooks, network and cloud security, network protocol analyzers, and programming languages.

  1. SIEM Tools (Security Information and Event Management)

SIEM tools are designed to provide real-time analysis of security alerts generated by applications and network hardware.

  • Splunk: A powerful platform for searching, monitoring, and analyzing machine-generated data.
  • IBM QRadar: A SIEM tool that helps detect and prioritize threats across the enterprise.
  • ArcSight: A security management solution from Micro Focus designed for large-scale enterprises.
  • LogRhythm: Provides log management, security analytics, and SIEM functionalities.
  • AlienVault USM: Unified Security Management (USM) platform with built-in SIEM capabilities.

  2. Playbooks (Security Orchestration, Automation, and Response – SOAR)

Playbooks in the context of cybersecurity are standardized procedures for responding to various types of incidents.

  • Cortex XSOAR (formerly Demisto): A SOAR platform that integrates with various security products to automate incident response.
  • Splunk Phantom: Provides security orchestration, automation, and response capabilities.
  • Swimlane: A SOAR platform that helps automate and streamline security operations.
  • DFLabs IncMan: An incident response platform with automation and orchestration features.
  • IBM Resilient: A SOAR platform designed to help security teams respond quickly to cyber threats.

  3. Network and Cloud Security Tools

These tools help protect network infrastructures and cloud environments from cyber threats.

  • Palo Alto Networks: Offers a range of network security solutions, including firewalls and advanced threat protection.
  • Cisco Secure: A comprehensive suite of network security products including firewalls, VPNs, and intrusion prevention systems.
  • AWS Security Hub: A cloud security posture management service that performs security best practice checks, aggregates alerts, and enables automated remediation.
  • Azure Security Center: Provides unified security management and advanced threat protection across hybrid cloud workloads.
  • Check Point: Delivers advanced threat prevention and comprehensive security management.

  4. Network Protocol Analyzers

Network protocol analyzers help capture and analyze network traffic to identify and diagnose issues.

  • Wireshark: A widely-used network protocol analyzer for network troubleshooting, analysis, and software and protocol development.
  • tcpdump: A command-line packet analyzer; a powerful tool for capturing and analyzing network traffic.
  • Microsoft Message Analyzer: An archive tool for capturing, displaying, and analyzing protocol messaging traffic and other system messages.
  • SolarWinds Network Performance Monitor: Provides network traffic analysis and performance monitoring.
  • Colasoft Capsa: A network analyzer that provides comprehensive visibility into network traffic.

  5. Programming Languages

Certain programming languages are particularly useful in cybersecurity for developing tools, automating tasks, and analyzing data.

  • Python: Widely used for automation, scripting, and building security tools due to its readability and extensive libraries.
  • C/C++: Essential for low-level programming, developing exploits, and understanding system internals.
  • JavaScript: Used in web application security for both offensive and defensive security measures.
  • Ruby: Known for its use in Metasploit, a popular penetration testing framework.
  • PowerShell: A powerful scripting language for automating tasks on Windows systems, often used in incident response and system management.
  • Bash: Essential for scripting and automation in Unix/Linux environments.
  • Go: Increasingly popular for building efficient and scalable security tools.

Each of these categories includes a variety of tools and platforms designed to address different aspects of cybersecurity, from monitoring and analysis to response and remediation.

Analytical thinking

Security analysts often use analytical thinking, which means to think carefully and thoroughly. Analysts use this skill when monitoring and securing computer and network systems, responding to potential threats, defining system privileges, and determining ways to mitigate risk.

Collaboration

Collaboration means working with stakeholders and other team members. Security analysts often use this skill when responding to an active threat. They’ll work with others when blocking unauthorized access and ensuring any compromised systems are restored.

Malware prevention

When a specific threat or vulnerability is identified, an analyst might install prevention software, which is software that works to proactively prevent a threat from occurring. Because malware is designed to harm devices or networks, malware prevention is essential.

Communication

As an analyst prevents and encounters threats, risks, or vulnerabilities, they document and report findings. A report might detail attempts to secure systems, test weak points, or offer solutions for system improvement. When reporting findings, strong communication skills are important.

Understanding programming languages

Analysts may sometimes work with software development teams to analyze and support security, install software, and set up appropriate processes. When involved with software development projects, it can be helpful for an analyst to understand programming languages.

Using SIEM tools

When security analysts need to review vulnerabilities, they conduct a periodic security audit. This is a review of an organization’s records, activities, and related documents. During audits, Security Information and Event Management (SIEM) tools help analysts better understand security threats, risks, and vulnerabilities.

On my first day as a cybersecurity professional, I’d be diving into a myriad of potential problems, from safeguarding sensitive data against cyberattacks to ensuring the integrity and availability of critical systems.

  1. Cybersecurity Problems: Identifying and mitigating potential vulnerabilities in the organization’s network infrastructure, applications, and endpoints. This involves conducting thorough security assessments, penetration testing, and vulnerability scanning to pinpoint weaknesses before they can be exploited by malicious actors.
  2. Protecting the Organization: Implementing robust security measures such as firewalls, intrusion detection systems, encryption protocols, and access controls to fortify the organization’s digital perimeter. Regularly updating software and firmware to patch known vulnerabilities and staying abreast of emerging threats through threat intelligence feeds would also be crucial.
  3. Protecting People: Educating employees about cybersecurity best practices, such as creating strong passwords, recognizing phishing attempts, and exercising caution when handling sensitive information. Conducting regular security awareness training sessions can empower employees to become the first line of defense against cyber threats.
  4. The Most Exciting Part of the Day: The most thrilling aspect of my day would be the constant learning and problem-solving involved in cybersecurity. Whether it’s investigating a potential security incident, devising innovative solutions to combat evolving threats, or collaborating with colleagues to strengthen our defense posture, each day would present new challenges and opportunities for growth. The adrenaline rush of thwarting a cyberattack or successfully implementing a new security measure would undoubtedly be a highlight.

Cybersecurity (or security): The practice of ensuring confidentiality, integrity, and availability of information by protecting networks, devices, people, and data from unauthorized access or criminal exploitation

Cloud security: The process of ensuring that assets stored in the cloud are properly configured and access to those assets is limited to authorized users

Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk

Network security: The practice of keeping an organization’s network infrastructure secure from unauthorized access

Personally identifiable information (PII): Any information used to infer an individual’s identity

Security posture: An organization’s ability to manage its defense of critical assets and data and react to change

Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling guidelines

Technical skills: Skills that require knowledge of specific tools, procedures, and policies

Threat: Any circumstance or event that can negatively impact assets

Threat actor: Any person or group who presents a security risk

Transferable skills: Skills from other areas that can apply to different careers

The “LoveLetter” attack, also known as the “ILOVEYOU” virus, was indeed a prominent example of social engineering. It spread via email in May 2000 and caused widespread damage by tricking recipients into opening an email attachment purportedly containing a love letter or romantic message. Once opened, the attachment unleashed malicious code that spread rapidly, overwriting files and sending copies of itself to the victim’s contacts.

Social engineering relies on psychological manipulation rather than technical vulnerabilities to deceive individuals into divulging sensitive information, granting access, or performing actions that benefit the attacker. In the case of the LoveLetter attack, the emotional appeal of a romantic message combined with the curiosity factor led many users to open the infected attachment without considering the potential consequences.

Social engineering attacks can take various forms, including phishing emails, pretexting (creating a false scenario to extract information), baiting (enticing victims with a promise of reward), and impersonation. They exploit human psychology, trust, and natural tendencies to make individuals more susceptible to manipulation.

To defend against social engineering attacks, organizations and individuals must prioritize cybersecurity awareness and education, recognize common tactics used by attackers, and adopt security best practices such as verifying the identity of senders before clicking on links or opening attachments, maintaining skepticism about unsolicited communications, and implementing robust security controls to detect and prevent social engineering attempts.

Use tools to protect business operations

Tools and their purposes

Programming

Programming is a process that can be used to create a specific set of instructions for a computer to execute tasks. Security analysts use programming languages, such as Python, to execute automation. Automation is the use of technology to reduce human and manual effort in performing common and repetitive tasks. Automation also helps reduce the risk of human error.

Another programming language used by analysts is called Structured Query Language (SQL). SQL is used to create, interact with, and request information from a database. A database is an organized collection of information or data. There can be millions of data points in a database. A data point is a specific piece of information.

Operating systems

An operating system is the interface between computer hardware and the user. Linux®, macOS®, and Windows are operating systems. They each offer different functionality and user experiences.

Previously, you were introduced to Linux as an open-source operating system. Open source means that the code is available to the public and allows people to make contributions to improve the software. Linux is not a programming language; however, it does involve the use of a command line within the operating system. A command is an instruction telling the computer to do something. A command-line interface is a text-based user interface that uses commands to interact with the computer. You will learn more about Linux, including the Linux kernel and GNU, in a later course.

Web vulnerability

A web vulnerability is a unique flaw in a web application that a threat actor could exploit by using malicious code or behavior to allow unauthorized access, data theft, and malware deployment.

To stay up-to-date on the most critical risks to web applications, review the Open Web Application Security Project (OWASP) Top 10.

Antivirus software

Antivirus software is a software program used to prevent, detect, and eliminate malware and viruses. It is also called anti-malware. Depending on the type of antivirus software, it can scan the memory of a device to find patterns that indicate the presence of malware.

Intrusion detection system

An intrusion detection system (IDS) is an application that monitors system activity and alerts on possible intrusions. The system scans and analyzes network packets, which carry small amounts of data through a network. Because each packet carries only a small amount of data, it is easier for an IDS to identify potential threats to sensitive data. Other occurrences an IDS might detect include theft and unauthorized access.

Encryption

Encryption makes data unreadable and difficult to decode for an unauthorized user; its main goal is to ensure confidentiality of private data. Encryption is the process of converting data from a readable format to a cryptographically encoded format. Cryptographic encoding means converting plaintext into secure ciphertext. Plaintext is unencrypted information and secure ciphertext is the result of encryption.

Note: Encoding and encryption serve different purposes. Encoding uses a public conversion algorithm to enable systems that use different data representations to share information.

Penetration testing

Penetration testing, also called pen testing, is the act of participating in a simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes. It is a thorough risk assessment that can evaluate and identify external and internal threats as well as weaknesses.

Create a cybersecurity portfolio

What is a portfolio, and why is it necessary?

Cybersecurity professionals use portfolios to demonstrate their security education, skills, and knowledge. Professionals typically use portfolios when they apply for jobs to show potential employers that they are passionate about their work and can do the job they are applying for. Portfolios are more in depth than a resume, which is typically a one-to-two page summary of relevant education, work experience, and accomplishments.

Options for creating your portfolio

There are many ways to present a portfolio, including self-hosted and online options such as:

  • Documents folder

  • Google Drive or Dropbox™

  • Google Sites

  • Git repository

Option 1: Documents folder

Description: A documents folder is a folder created and saved to your computer’s hard drive. You manage the folder, subfolders, documents, and images within it.

Document folders allow you to have direct access to your documentation. Ensuring that your professional documents, images, and other information are well organized can save you a lot of time when you’re ready to apply for jobs. For example, you may want to create a main folder titled something like “Professional documents.” Then, within your main folder, you could create subfolders with titles such as:

  • Resume

  • Education

  • Portfolio documents

  • Cybersecurity tools

  • Programming

Setup: Document folders can be created in multiple ways, depending on the type of computer you are using. If you’re unsure about how to create a folder on your device, you can search the internet for instructional videos or documents related to the type of computer you use.

Option 2: Google Drive or Dropbox

Description: Google Drive and Dropbox offer similar features that allow you to store your professional documentation on a cloud platform. Both options also have file-sharing features, so you can easily share your portfolio documents with potential employers. Any additions or changes you make to a document within that folder will be updated automatically for anyone with access to your portfolio.

Similar to a documents folder, keeping your Google Drive or Dropbox-based portfolio well organized will be helpful as you begin or progress through your career.

Setup: To learn how to upload and share files on these applications, visit the Google Drive and Dropbox websites for more information.

Option 3: Google Sites

Description: Google Sites and similar website hosting options have a variety of easy-to-use features to help you present your portfolio items, including customizable layouts, responsive webpages, embedded content capabilities, and web publishing.

Responsive webpages automatically adjust their content to fit a variety of devices and screen sizes. This is helpful because potential employers can review your content using any device and your media will display just as you intend. When you’re ready, you can publish your website and receive a unique URL. You can add this link to your resume so hiring managers can easily access your work.

Setup: To learn how to create a website in Google Sites, visit the Google Sites website.

Option 4: Git repository

Description: A Git repository is a folder within a project. In this instance, the project is your portfolio, and you can use your repository to store the documents, labs, and screenshots you complete during each course of the certificate program. There are several Git repository sites you can use, including:

  • GitLab

  • Bitbucket™

  • GitHub

Each Git repository allows you to showcase your skills and knowledge in a customizable space. To create an online project portfolio on any of the repositories listed, you need to use a version of Markdown.

Setup: To learn about how to create a GitHub account and use Markdown, follow the steps outlined in the document Get started with GitHub.

Portfolio projects

As previously mentioned, you will have multiple opportunities throughout the certificate program to develop items to include in your portfolio. These opportunities include:

  • Drafting a professional statement

  • Conducting a security audit

  • Analyzing network structure and security

  • Using Linux commands to manage file permissions

  • Applying filters to SQL queries

  • Identifying vulnerabilities for a small business

  • Documenting incidents with an incident handler’s journal

  • Importing and parsing a text file in a security-related scenario

  • Creating or revising a resume

Note: Do not include any private, copyrighted, or proprietary documents in your portfolio. Also, if you use one of the sites described in this reading, keep your site set to “private” until it is finalized.

Security domains cybersecurity analysts need to know

As an analyst, you can explore various areas of cybersecurity that interest you. One way to explore those areas is by understanding different security domains and how they’re used to organize the work of security professionals.

Graphic of the eight icons that represent the security domains from the CISSP

Domain one: Security and risk management

All organizations must develop their security posture. Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. Elements of the security and risk management domain that impact an organization’s security posture include:

  • Security goals and objectives

  • Risk mitigation processes

  • Compliance

  • Business continuity plans

  • Legal regulations

  • Professional and organizational ethics

Information security, or InfoSec, is also related to this domain and refers to a set of processes established to secure information. An organization may use playbooks and implement training as a part of their security and risk management program, based on their needs and perceived risk. There are many InfoSec design processes, such as:

  • Incident response

  • Vulnerability management

  • Application security

  • Cloud security

  • Infrastructure security

As an example, a security team may need to alter how personally identifiable information (PII) is treated in order to adhere to the European Union’s General Data Protection Regulation (GDPR).

Domain two: Asset security

Asset security involves managing the cybersecurity processes of organizational assets, including the storage, maintenance, retention, and destruction of physical and virtual data. Because the loss or theft of assets can expose an organization and increase the level of risk, keeping track of assets and the data they hold is essential. Conducting a security impact analysis, establishing a recovery plan, and managing data exposure will depend on the level of risk associated with each asset. Security analysts may need to store, maintain, and retain data by creating backups to ensure they are able to restore the environment if a security incident places the organization’s data at risk.

Domain three: Security architecture and engineering

This domain focuses on managing data security. Ensuring effective tools, systems, and processes are in place helps protect an organization’s assets and data. Security architects and engineers create these processes.

One important aspect of this domain is the concept of shared responsibility. Shared responsibility means all individuals involved take an active role in lowering risk during the design of a security system. Additional design principles related to this domain, which are discussed later in the program, include:

  • Threat modeling

  • Least privilege

  • Defense in depth

  • Fail securely

  • Separation of duties

  • Keep it simple

  • Zero trust

  • Trust but verify

An example of managing data is the use of a security information and event management (SIEM) tool to monitor for flags related to unusual login or user activity that could indicate a threat actor is attempting to access private data.

Domain four: Communication and network security

This domain focuses on managing and securing physical networks and wireless communications. This includes on-site, remote, and cloud communications.

Organizations with remote, hybrid, and on-site work environments must ensure data remains secure, but managing external connections to make certain that remote workers are securely accessing an organization’s networks is a challenge. Designing network security controls—such as restricted network access—can help protect users and ensure an organization’s network remains secure when employees travel or work outside of the main office.

Domain five: Identity and access management

The identity and access management (IAM) domain focuses on keeping data secure. It does this by ensuring user identities are trusted and authenticated and that access to physical and logical assets is authorized. This helps prevent unauthorized users, while allowing authorized users to perform their tasks.

Essentially, IAM uses what is referred to as the principle of least privilege, which is the concept of granting only the minimal access and authorization required to complete a task. As an example, a cybersecurity analyst might be asked to ensure that customer service representatives can only view the private data of a customer, such as their phone number, while working to resolve the customer’s issue; then remove access when the customer’s issue is resolved.

Domain six: Security assessment and testing

The security assessment and testing domain focuses on identifying and mitigating risks, threats, and vulnerabilities. Security assessments help organizations determine whether their internal systems are secure or at risk. Organizations might employ penetration testers, often referred to as “pen testers,” to find vulnerabilities that could be exploited by a threat actor.

This domain suggests that organizations conduct security control testing, as well as collect and analyze data. Additionally, it emphasizes the importance of conducting security audits to monitor for and reduce the probability of a data breach. To contribute to these types of tasks, cybersecurity professionals may be tasked with auditing user permissions to validate that users have the correct levels of access to internal systems.
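The permission audit described above, combined with the least-privilege example from domain five (access granted for one customer issue and removed when it is resolved), as an added example that is not part of the original reading. The role baseline, user names, permission strings, and ticket IDs are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: the standing permissions each role needs (assumption).
ROLE_BASELINE = {
    "customer_service": {"ticket:read", "ticket:update"},
    "accounting": {"ledger:read", "ledger:write"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    permission: str
    ticket_id: Optional[str] = None  # set when access was granted for one ticket only


def audit_grants(users, grants, open_tickets):
    """Return (user, permission, reason) for every grant that breaks least privilege."""
    findings = []
    for g in grants:
        role = users.get(g.user)
        if role is None:
            # Account is no longer on the roster: any remaining access is excess.
            findings.append((g.user, g.permission, "user not on current roster"))
        elif g.ticket_id is not None:
            # Temporary, task-scoped access is only valid while the task is open.
            if g.ticket_id not in open_tickets:
                findings.append((g.user, g.permission, f"ticket {g.ticket_id} is resolved"))
        elif g.permission not in ROLE_BASELINE.get(role, set()):
            findings.append((g.user, g.permission, f"not in baseline for role {role}"))
    return findings


# Constructed sample data for the audit.
USERS = {"ana": "customer_service", "bo": "accounting"}
OPEN_TICKETS = {"T-100"}
GRANTS = [
    Grant("ana", "ticket:read"),
    Grant("ana", "customer_phone:read", ticket_id="T-100"),  # issue still open
    Grant("ana", "customer_phone:read", ticket_id="T-090"),  # issue resolved
    Grant("bo", "ledger:write"),
    Grant("bo", "dev_repo:read"),                            # outside accounting's needs
    Grant("cy", "ledger:read"),                              # not on the roster
]

if __name__ == "__main__":
    for user, permission, reason in audit_grants(USERS, GRANTS, OPEN_TICKETS):
        print(f"REVOKE {permission} from {user}: {reason}")
```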

Domain seven: Security operations

The security operations domain focuses on the investigation of a potential data breach and the implementation of preventative measures after a security incident has occurred. This includes using strategies, processes, and tools such as:

  • Training and awareness

  • Reporting and documentation

  • Intrusion detection and prevention

  • SIEM tools

  • Log management

  • Incident management

  • Playbooks

  • Post-breach forensics

  • Reflecting on lessons learned

The cybersecurity professionals involved in this domain work as a team to manage, prevent, and investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such as large amounts of data being accessed from an organization’s internal network, outside of normal working hours. Once a threat is identified, the team works diligently to keep private data and information safe from threat actors.
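One way to detect the scenario above (large amounts of data accessed outside normal working hours), as an added example that is not part of the original reading. The log format, the 08:00 to 18:00 working window, and the 500 MiB threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

WORK_START, WORK_END = 8, 18             # assumed working hours, local time
THRESHOLD_BYTES = 500 * 1024 * 1024      # assumed per-user, per-day off-hours limit

# Assumed log format: "<ISO timestamp> user=<name> action=<verb> bytes=<n> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) src=(?P<src>\S+)$"
)

# Constructed sample log lines.
SAMPLE_LOG = """
2024-03-04T10:15:00 user=asmith action=read bytes=900000000 src=10.0.4.21
2024-03-05T02:13:07 user=jdoe action=read bytes=300000000 src=10.0.4.17
2024-03-05T02:41:55 user=jdoe action=read bytes=350000000 src=10.0.4.17
2024-03-05T23:05:10 user=asmith action=read bytes=1200000 src=10.0.4.21
2024-03-09T14:00:00 user=bkim action=read bytes=600000000 src=10.0.4.30
2024-03-09T14:05:00 user=bkim bytes=oops
"""


def is_off_hours(ts):
    """True on weekends and outside the working window on weekdays."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def detect_off_hours_bulk_reads(log_text, threshold=THRESHOLD_BYTES):
    """Return (alerts, skipped): alerts are (user, date, bytes) totals over threshold."""
    totals = defaultdict(int)
    skipped = 0
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            skipped += 1          # count unparseable lines instead of hiding them
            continue
        try:
            ts = datetime.fromisoformat(match["ts"])
        except ValueError:
            skipped += 1
            continue
        if match["action"] == "read" and is_off_hours(ts):
            # Sum per user and day so many small reads are caught as well as one large one.
            totals[(match["user"], ts.date().isoformat())] += int(match["bytes"])
    alerts = sorted((u, d, b) for (u, d), b in totals.items() if b >= threshold)
    return alerts, skipped


if __name__ == "__main__":
    alerts, skipped = detect_off_hours_bulk_reads(SAMPLE_LOG)
    for user, day, total in alerts:
        print(f"ALERT {user} read {total} bytes off-hours on {day}")
    print(f"{skipped} line(s) could not be parsed")
```

The skipped-line count is returned so that a log source that changes format shows up as a parsing gap rather than as silence.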

Domain eight: Software development security

The software development security domain is focused on using secure programming practices and guidelines to create secure applications. Having secure applications helps deliver secure and reliable services, which helps protect organizations and their users.

Security must be incorporated into each element of the software development life cycle, from design and development to testing and release. To achieve security, the software development process must have security in mind at each step. Security cannot be an afterthought.

Performing application security tests can help ensure vulnerabilities are identified and mitigated accordingly. Having a system in place to test the programming conventions, software executables, and security measures embedded in the software is necessary. Having quality assurance and pen tester professionals ensure the software has met security and performance standards is also an essential part of the software development process. For example, an entry-level analyst working for a pharmaceutical company might be asked to make sure encryption is properly configured for a new medical device that will store private patient data.

Manage common threats, risks, and vulnerabilities

Risk management

A primary goal of organizations is to protect assets. An asset is an item perceived as having value to an organization. Assets can be digital or physical. Examples of digital assets include the personal information of employees, clients, or vendors, such as:

  • Social Security Numbers (SSNs), or unique national identification numbers assigned to individuals

  • Dates of birth

  • Bank account numbers

  • Mailing addresses

Examples of physical assets include:

  • Payment kiosks

  • Servers

  • Desktop computers

  • Office spaces

Some common strategies used to manage risks include:

  • Acceptance: Accepting a risk to avoid disrupting business continuity

  • Avoidance: Creating a plan to avoid the risk altogether

  • Transference: Transferring risk to a third party to manage

  • Mitigation: Lessening the impact of a known risk

Additionally, organizations implement risk management processes based on widely accepted frameworks to help protect digital and physical assets from various threats, risks, and vulnerabilities. Examples of frameworks commonly used in the cybersecurity industry include the National Institute of Standards and Technology Risk Management Framework (NIST RMF) and Health Information Trust Alliance (HITRUST).

Following are some common types of threats, risks, and vulnerabilities you’ll help organizations manage as a security professional.

Today’s most common threats, risks, and vulnerabilities

Threats

A threat is any circumstance or event that can negatively impact assets. As an entry-level security analyst, your job is to help defend the organization’s assets from inside and outside threats. Therefore, understanding common types of threats is important to an analyst’s daily work. As a reminder, common threats include:

  • Insider threats: Staff members or vendors abuse their authorized access to obtain data that may harm an organization.

  • Advanced persistent threats (APTs): A threat actor maintains unauthorized access to a system for an extended period of time.

Risks

A risk is anything that can impact the confidentiality, integrity, or availability of an asset. A basic formula for determining the level of risk is that risk equals the likelihood of a threat. One way to think about this is that a risk is being late to work and threats are traffic, an accident, a flat tire, etc.

There are different factors that can affect the likelihood of a risk to an organization’s assets, including:

  • External risk: Anything outside the organization that has the potential to harm organizational assets, such as threat actors attempting to gain access to private information

  • Internal risk: A current or former employee, vendor, or trusted partner who poses a security risk

  • Legacy systems: Old systems that might not be accounted for or updated, but can still impact assets, such as workstations or old mainframe systems. For example, an organization might have an old vending machine that takes credit card payments or a workstation that is still connected to the legacy accounting system.

  • Multiparty risk: Outsourcing work to third-party vendors can give them access to intellectual property, such as trade secrets, software designs, and inventions.

  • Software compliance/licensing: Software that is not updated or in compliance, or patches that are not installed in a timely manner

There are many resources, such as the NIST, that provide lists of cybersecurity risks. Additionally, the Open Web Application Security Project (OWASP) publishes a standard awareness document about the top 10 most critical security risks to web applications, which is updated regularly.

Note: The OWASP’s common attack types list contains three new risks for the years 2017 to 2021: insecure design, software and data integrity failures, and server-side request forgery. This update emphasizes the fact that security is a constantly evolving field. It also demonstrates the importance of staying up to date on current threat actor tactics and techniques, so you can be better prepared to manage these types of risks.

Lists that compare the top 10 most common attack types between 2017 and 2021

Vulnerabilities

A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:

  • ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location.

  • ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person’s identity. Netlogon is a service that ensures a user’s identity before allowing access to a website’s location.

  • Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.

  • PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request.

  • Security logging and monitoring failures: Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it

  • Server-side request forgery: Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.

As an entry-level security analyst, you might work in vulnerability management, which is monitoring a system to identify and mitigate vulnerabilities. Although patches and updates may exist, if they are not applied, intrusions can still occur. For this reason, constant monitoring is important. The sooner an organization identifies a vulnerability and addresses it by patching it or updating their systems, the sooner it can be mitigated, reducing the organization’s exposure to the vulnerability.

To learn more about the vulnerabilities explained in this section of the reading, as well as other vulnerabilities, explore the NIST National Vulnerability Database and CISA Known Exploited Vulnerabilities Catalog.

The relationship between frameworks and controls

Frameworks and controls

Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and privacy. Frameworks support organizations’ ability to adhere to compliance laws and regulations. For example, the healthcare industry uses frameworks to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient information safe.

Security controls are safeguards designed to reduce specific security risks. Security controls are the measures organizations use to lower risk and threats to data and privacy. For example, a control that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a measure like MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private data.

Specific frameworks and controls

There are many different frameworks and controls that organizations can use to remain compliant with regulations and achieve their security goals. Frameworks covered in this reading are the Cyber Threat Framework (CTF) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001. Several common security controls, used alongside these types of frameworks, are also explained.

Cyber Threat Framework (CTF)

According to the Office of the Director of National Intelligence, the CTF was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors’ many tactics and techniques.

International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001

An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of standards enables organizations of all sectors and sizes to manage the security of assets, such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, best practices, and controls that support an organization’s ability to manage risks. Although the ISO/IEC 27001 framework does not require the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture.

Controls

Controls are used alongside frameworks to reduce the possibility and impact of a security threat, risk, or vulnerability. Controls can be physical, technical, and administrative and are typically used to prevent, detect, or correct security issues.

Examples of physical controls:

  • Gates, fences, and locks

  • Security guards

  • Closed-circuit television (CCTV), surveillance cameras, and motion detectors

  • Access cards or badges to enter office spaces

Examples of technical controls:

  • Firewalls

  • MFA

  • Antivirus software

Examples of administrative controls:

  • Separation of duties

  • Authorization

  • Asset classification

To learn more about controls, particularly those used to protect health-related assets from a variety of threat types, review the U.S. Department of Health and Human Services’ Physical Access Control presentation.

Use the CIA triad to protect organizations

The CIA triad for analysts

The CIA triad is a model that helps inform how organizations consider risk when setting up systems and security policies. It is made up of three elements that cybersecurity analysts and organizations work toward upholding: confidentiality, integrity, and availability. Maintaining an acceptable level of risk and ensuring systems and policies are designed with these elements in mind helps establish a successful security posture, which refers to an organization’s ability to manage its defense of critical assets and data and react to change.

Confidentiality

Confidentiality is the idea that only authorized users can access specific assets or data. In an organization, confidentiality can be enhanced through the implementation of design principles, such as the principle of least privilege. The principle of least privilege limits users’ access to only the information they need to complete work-related tasks. Limiting access is one way of maintaining the confidentiality and security of private data.

Integrity

Integrity is the idea that the data is verifiably correct, authentic, and reliable. Having protocols in place to verify the authenticity of data is essential. One way to verify data integrity is through cryptography, which is used to transform data so unauthorized parties cannot read or tamper with it (NIST, 2022). Another example of how an organization might implement integrity is by enabling encryption, which is the process of converting data from a readable format to an encoded format. Encryption can be used to prevent access and ensure data, such as messages on an organization’s internal chat platform, cannot be tampered with.
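Verifying integrity with cryptography, as an added example that is not part of the original reading: a keyed hash (HMAC-SHA256 from the Python standard library) is compared with a plain, unkeyed checksum on a constructed chat message. The message fields, the shared key, and the helper names are assumptions.

```python
import hashlib
import hmac
import json
import secrets


def canonical(message):
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum_seal(message):
    """Unkeyed SHA-256 digest: detects accidental corruption only."""
    return {"message": message, "digest": hashlib.sha256(canonical(message)).hexdigest()}


def checksum_ok(envelope):
    expected = hashlib.sha256(canonical(envelope["message"])).hexdigest()
    return hmac.compare_digest(expected, envelope["digest"])


def hmac_seal(key, message):
    """Keyed tag: only a holder of the key can produce a tag that verifies."""
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"message": message, "tag": tag}


def hmac_ok(key, envelope):
    try:
        expected = hmac.new(key, canonical(envelope["message"]), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, envelope["tag"])  # constant-time compare
    except (KeyError, TypeError):
        return False  # malformed envelope: treat as unverified


def tamper(envelope, new_body):
    """Model a party without the key who rewrites the body and any unkeyed digest."""
    forged = json.loads(json.dumps(envelope))  # deep copy
    forged["message"]["body"] = new_body
    if "digest" in forged:
        forged["digest"] = hashlib.sha256(canonical(forged["message"])).hexdigest()
    return forged


def demo():
    key = secrets.token_bytes(32)  # shared secret, distributed out of band (assumption)
    msg = {"sender": "payroll-bot", "seq": 41, "body": "Pay invoice 1001 to account A"}
    altered = "Pay invoice 1001 to account B"
    return {
        "hmac_original": hmac_ok(key, hmac_seal(key, msg)),
        "hmac_tampered": hmac_ok(key, tamper(hmac_seal(key, msg), altered)),
        "checksum_tampered": checksum_ok(tamper(checksum_seal(msg), altered)),
        "hmac_wrong_key": hmac_ok(secrets.token_bytes(32), hmac_seal(key, msg)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The altered message still passes the unkeyed checksum because anyone can recompute it, while the HMAC check fails without the key.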

Availability

Availability is the idea that data is accessible to those who are authorized to use it. When a system adheres to both availability and confidentiality principles, data can be used when needed. In the workplace, this could mean that the organization allows remote employees to access its internal network to perform their jobs. It’s worth noting that access to data on the internal network is still limited, depending on what type of access employees need to do their jobs. If, for example, an employee works in the organization’s accounting department, they might need access to corporate accounts but not data related to ongoing development projects.

OWASP security principles

Security principles

In the workplace, security principles are embedded in your daily tasks. Whether you are analyzing logs, monitoring a security information and event management (SIEM) dashboard, or using a vulnerability scanner, you will use these principles in some way.

Previously, you were introduced to several OWASP security principles. These included:

  • Minimize attack surface area: Attack surface refers to all the potential vulnerabilities a threat actor could exploit.

  • Principle of least privilege: Users have the least amount of access required to perform their everyday tasks.

  • Defense in depth: Organizations should have varying security controls that mitigate risks and threats.

  • Separation of duties: Critical actions should rely on multiple people, each of whom follow the principle of least privilege.

  • Keep security simple: Avoid unnecessarily complicated solutions. Complexity makes security difficult.

  • Fix security issues correctly: When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.

Additional OWASP security principles

Next, you’ll learn about four additional OWASP security principles that cybersecurity analysts and their teams use to keep organizational operations and people safe.

Establish secure defaults

This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.

Fail securely

Fail securely means that when a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and block all new ones, rather than start accepting everything.
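The firewall example above, as an added sketch that is not part of the original reading: the same packet filter is built once to fail open and once to fail securely when its rule set cannot be loaded. The rule syntax, class name, and addresses are constructed for illustration.

```python
import ipaddress

# Constructed rule sets. The second one contains an invalid prefix length.
GOOD_RULES = """
# allow HTTPS from the office subnet
allow 10.0.4.0/24 443
"""
BROKEN_RULES = """
allow 10.0.4.0/33 443
"""


def load_rules(text):
    """Parse 'allow <cidr> <port>' lines; raise ValueError on any malformed line."""
    rules = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "allow":
            raise ValueError(f"line {number}: expected 'allow <cidr> <port>'")
        network = ipaddress.ip_network(parts[1])  # ValueError on a bad CIDR
        port = int(parts[2])                      # ValueError on a non-numeric port
        if not 1 <= port <= 65535:
            raise ValueError(f"line {number}: port out of range")
        rules.append((network, port))
    return rules


class PacketFilter:
    def __init__(self, rules_text, fail_open):
        self.fail_open = fail_open
        try:
            self.rules = load_rules(rules_text)
            self.healthy = True
        except ValueError:
            # The control has failed: there is no trustworthy rule set to apply.
            self.rules = []
            self.healthy = False

    def permits(self, src, port):
        if not self.healthy:
            # fail_open=True accepts everything (insecure);
            # fail_open=False blocks everything (fails securely).
            return self.fail_open
        try:
            address = ipaddress.ip_address(src)
        except ValueError:
            return False  # unparseable source address is never allowed
        return any(address in net and port == p for net, p in self.rules)


if __name__ == "__main__":
    for fail_open in (True, False):
        flt = PacketFilter(BROKEN_RULES, fail_open=fail_open)
        print(f"fail_open={fail_open}: 203.0.113.5:22 permitted = "
              f"{flt.permits('203.0.113.5', 22)}")
```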

Don’t trust services

Many organizations work with third-party partners. These outside partners often have different security policies than the organization does. And the organization shouldn’t explicitly trust that their partners’ systems are secure. For example, if a third-party vendor tracks reward points for airline customers, the airline should ensure that the balance is accurate before sharing that information with their customers.

Avoid security by obscurity

The security of key systems should not rely on keeping details hidden. Consider the following example from OWASP (2016):

The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls.

Security audits

A security audit is a review of an organization’s security controls, policies, and procedures against a set of expectations. Audits are independent reviews that evaluate whether an organization is meeting internal and external criteria. Internal criteria include outlined policies, procedures, and best practices. External criteria include regulatory compliance, laws, and federal regulations.

Additionally, a security audit can be used to assess an organization’s established security controls. As a reminder, security controls are safeguards designed to reduce specific security risks.

Audits help ensure that security checks are made (i.e., daily monitoring of security information and event management dashboards), to identify threats, risks, and vulnerabilities. This helps maintain an organization’s security posture. And, if there are security issues, a remediation process must be in place.

Goals and objectives of an audit

The goal of an audit is to ensure an organization’s information technology (IT) practices are meeting industry and organizational standards. The objective is to identify and address areas of remediation and growth. Audits provide direction and clarity by identifying what the current failures are and developing a plan to correct them.

Security audits must be performed to safeguard data and avoid penalties and fines from governmental agencies. The frequency of audits is dependent on local laws and federal compliance regulations.

Factors that affect audits

Factors that determine the types of audits an organization implements include:

  • Industry type

  • Organization size

  • Ties to the applicable government regulations

  • A business’s geographical location

  • A business decision to adhere to a specific regulatory compliance

The role of frameworks and controls in audits

Along with compliance, it’s important to mention the role of frameworks and controls in security audits. Frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the international standard for information security (ISO 27000) series are designed to help organizations prepare for regulatory compliance security audits. By adhering to these and other relevant frameworks, organizations can save time when conducting external and internal audits. Additionally, frameworks, when used alongside controls, can support organizations’ ability to align with regulatory compliance requirements and standards.

There are three main categories of controls to review during an audit, which are administrative and/or managerial, technical, and physical controls.

Audit checklist

It’s necessary to create an audit checklist before conducting an audit. A checklist is generally made up of the following areas of focus:

Identify the scope of the audit

  • The audit should:

    • List assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked, etc.)

    • Note how the audit will help the organization achieve its desired goals

    • Indicate how often an audit should be performed

    • Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees

Complete a risk assessment

  • A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations).

Conduct the audit

  • When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope.

Create a mitigation plan

  • A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture.

Communicate results to stakeholders

  • The end result of this process is providing a detailed report of findings, suggested improvements needed to lower the organization’s level of risk, and compliance regulations and standards the organization needs to adhere to.