Cybersecurity

Cybersecurity ( also known as security ) is the practice of ensuring confidentiality, integrity. And
availability of information by protecting networks, devices, people, and data from unauthorized access or
criminal exploitation. (imp.)

The entry-level security analysts is :

1-protecting computer and network systems.
2-installing prevention software.
3-examining in house-security issues.

Key cybersecurity terms and concepts :

>A security analyst or cybersecurity focuses on monitoring networks for breaches.
-compliance is the process of adhering to internal standards and external regulations and enables
organizations to avoid fines and security breaches.

-security framework are guidelines used for building planes to help mitigate risks and threats to data
and privacy.

-security controls are safeguards designed to reduce specific security risks. They are used with security
frameworks to establish a strong security posture.

-security posture is an organization’s ability to manage its defense of critical assets and data and react
to change. A strong security posture leads to lower risk for the organization.

-threat actor or malicious attacker, is any person or group who presents a security risk. This risk can
relate to computers, applications, networks, and data.

An internal threat can be a current or former employee, an external vendor, or a trusted partner who
poses a security risk. At times, an internal is accidental. For example, an employee who accidentally
clicks on a malicious email link would be considered an accidental threat. Other times, the internal
threat actor intentionally engages in risky activities, such as unauthorized data access.

-Network security is the practice of keeping on organization’s network infrastructure secure from
unauthorized access. This include data, services, systems, and devices that are stored in an
organization’s network.

-Cloud security is the process of ensuring that assets stored in the cloud are properly configured, or set
up correctly, and access to those assets is limited to authorized users. The cloud is a network made up of
a collection of servers of computers that store resources and data in remote physical locations known as
data centers that can be accessed via the internet. Cloud security is growing subfield of cybersecurity
that specifically focuses on the protection of data, applications, and infrastructure in the cloud.
-programming is a process that can be used to create a specific set of instructions for a computer to
execute tasks.

Notes from the video : ^Transferable skills > skills from other areas that can apply to different careers.
> Communication : As a cybersecurity analyst, you will need to communicate and collaborate with
others. Understanding others’ questions or concern and communicating information clearly to
individuals with technical and non-technical knowledge will help you mitigates security issues quickly.
> Collaboration
> Analysis
> Problem solving : one of your main tasks as cybersecurity analyst will be to proactivity

^Technical skills > skills require knowledge of specific tools, procedure, and policies.
> programming language
> security information and event management (SIEM) tools
> intrusion detection system (IDS)
> threat landscape knowledge
> incident response

The importance of cybersecurity :

- personally identifiable information (PII) -> Any information used to infer an individual’s
identity. Example : someone’s full name and date of birth, physical address and IP address and
similar information.
-Sensitive Personally Identifiable Information (SPII) -> A specific type of PII that falls under
stricter handing guidelines. Example : social security numbers, medicals or financial information,
and biometric data. If the SPII is stolen, this has the potential to be significantly more damaging
to an individual than if PII is stolen.

Keep the organization secure

Analytical thinking : Security analysts often use analytical thinking. Which means to think
carefully and thoroughly. Analysts use this skill when monitoring and securing computer and
network system, responding to potential threats, defining system privileges, and determining
ways to mitigate risk.

Collaboration : means working with stakeholders and the other team members. Security analysts
often use this skill when responding to an active threat. They’ll work with other when blocking
unauthorized access and ensuring any compromised system are restored.

Malware prevention : when a specific threats or vulnerability is identified, an analyst might

install prevention software, which is software that works to proactively prevent a threat from
occurring. Because malware is designed to harm device or networks, malware prevention is
essential.

Communication : As an analyst prevent and encounter threats, risks, or vulnerabilities, they

document and report findings. A report might details attempts to secure systems, test weak
points, or offer solution for system improvement. When reporting findings, strong
communication skills are important.

Understanding programming language : Analysts may sometimes work with software

development team to analyze and support security, install software, and set up appropriate
processes. When involved with software development projects, it can be helpful for an analyst to
understand programming languages.

Using SIEM tools : When security analysts need to review vulnerabilities, they conduct a
periodic security audit. This is a review of an organization’s records, activities, and related
documents. During audits, Security Information and Event Management (SIEM) tools help
analysts better understand security threats, risks, and vulnerabilities.  identifying

The terms and definitions from previous :

cybersecurity : the practice of ensuring confidentiality, integrity, and availability of information by
protecting networks, devices, people, and date from unauthorized access or criminal exploitation.

Cloud security : the process of ensuring that assets stored in the cloud are properly configured and
access to those assets is limited to authorized users.

Internal threats : a current or former employee, external vendor, or trusted partner who poses a security
risk.

network security : the practice of keeping an organization’s network infrastructure secure from
unauthorized access.

personally identifiable information PII : any information used to infer an individual’s identity.

security posture : an organization’s ability to manage its defense of critical assets and data and react to
change.
sensitive personally identifiable information SPII : a specific type of PII that falls under stricter
handling guidelines.

technical skills : skills that require knowledge of specific tools, procedures, and policies.
ex: -Automating tasks with programming.
-applying computer forensics.

threat : any circumstance or event that can negatively impact assets.

threat actor : any person or group who presents a security risk.

Transferable skills : skills from other areas that can apply to different careers.

if the someone outside of an organization attempts to gain access to its private information. What type
of threat does called → external threats.

Past cybersecurity attacks :

in 1986 the alvi brothers created the brain virus. Was all about once person used a pirated copy of the
software, the virus-infected that computers. Then, any disk was inserted into the computer was infected.
in 1988 robert morris developed a virus called morris worm that assess the size of the internet.

This part about common attacks and their effectiveness :

Phishing : is the use of digital communications to trick people into revealing sensitive data or deploying
malicious software.

Common types of phishing attacks :

-business email compromise (BEC): a threat actor sends an email message that seems to be from a
known source to make a seemingly legitimate request for information, in order to obtain a financial
advantage.
-spear phishing : a malicious email attack that targets a specific user or group of users. The email seems
to originate from a trusted source.
-whaling : a form of spear phishing. Threat actors target company executives to gain access to sensitive
data.
vishing : the exploitation of electronic voice communication to obtain sensitive information or to
impersonate known source.
-smishing : the use of text messages to trick users, in order to obtain sensitive information or to
impersonate a known source.

Malware : is software designed to harm device or networks. There are many types of malware. The
primary purpose of malware is to obtain money, or in some case, an intelligence advantage that can be
used against a person, an organization, or a territory.
The common type of malware attacks :
Viruses : malicious code written to interfere with computer operation ad cause damage to data and
software. A virus needs to be initiated by user i.e. threat actor, who transmits virus via a malicious
attachment or file download. When someone opens the malicious attachment or download, the virus
hides itself in other files in the now infected system. When the infected file are opened, it allow the virus
to insert its own code to damage and/or destroy data in the system.

worms : malware that can duplicated and spread itself across system on its own. In contrast to a virus, a
worm does not need to be downloaded by a user. Instead, it self-replicates and spreads from an already
infected computer to other devices on the same network.

ransomware : a malicious attack where threat actors encrypt an organization’s data and demand
payment to restore access.

Spyware : malware that’s used to gather and sell information without consent. Spyware can be used to
access devices. This allows threat actors to collect personal data, such as private email, text, voice and
image recordings, and locations.

Social engineering : is a manipulation technique that exploits human error to gain private information,
access, or valuables. Human error is usually a result of trusting someone without question. It’s the
mission of a threat actor, acting as a social engineer, to create an environment of false trust and lies to
exploit as many people as possible.
The common type of social engineering attacks :
Social media phishing : a threat actor collects detailed information about their target from social media
sites. Then, they initiate an attack.

Watering hole attack : a threat actor attacks a website frequently visited by specific group of users.

USB baiting : a threat actor strategically leaves a malware USB stick for an employee to find and install,
to unknowingly infect a network.

Physical social engineering : a threat actor impersonate a employee, customer, or vendor to obtain
unauthorized access to physical location.

The 8 CISSP domains : Certified Information System Security Professional qualification is one the most
respected certification in the information security industry, demonstrating an advanced knowledge of
cyber security 8 CISSP domains
[Link] and risk management [Link] Security [Link] Architecture and engineering
[Link] and network security [Link] and access management [Link] assessment and
testing [Link] operations [Link] developing security.
Attack types :

Password attack : an attempt to access password-secured devices, system, networks, or data.

• Brute force.

• Rainbows table
Password attacks fall under the communication and network security domain.

Social engineering attack.

Physical attack : is a security incident that affects not only digitals but also physical environments
where the incident is deployed. Some forms of physical attacks are :

• Malicious USB cable

• Malicious flash drive

• Card cloning and skimming

Physical attacks fall under the assets security domains.

Adversarial artificial intelligence : is a technique that manipulates artificial intelligence and machine
learning technology to conduct attacks ore efficiently. Adversarial artificial intelligence falls under both
the communication and network security and the identity and access management domains.

Supply-chain attack : a target systems, applications, hardware, and/or software to locate a

vulnerability where malware can be deployed. Because every items sold undergoes a process that
involves third parties, this means that the security breach can occur at any point in the supply chain.
These attacks are costly because they can affect multiple organizations and the individuals who work for
them. Supply-chain attacks can fall under several domains, including but not limited to the security and
risk management, security architecture and engineering, and security operations domains.

Cryptographic attack : a affects secure forms of communication between a sender and intended
recipient. Attacks are :

• Birthday

• Collision

• Downgrade
Cryptographic attack fall under the communication and network security domain.
Understand attackers : as a reminder a threat actor is any or group who presents a security risk.

Threat actor types :

Advanced persistent threats : (APTs) have significant expertise accessing an organization’s network
without authorization. APTs tend to research their targets e.g. large corporations or government
entities in advance and can remain undetected for an extended period of time. Their intention and
motivations can include :

• Damaging critical infrastructure, such as the power grid and natural resources

• Gaining access to intellectual property, such as trade secrets or patents

Insider threats
Insider threats abuse their authorized access to obtain data that may harm an organization. Their
intentions and motivations can include:
• Sabotage
• Corruption
• Espionage
• Unauthorized data access or leaks

Hacktivists
Hacktivists are threat actors that are driven by a political agenda. They abuse digital technology to
accomplish their goals, which may include:
• Demonstrations
• Propaganda
• Social change campaigns
• Fame

A hacker is any person who uses computers to gain access to computer systems, networks, or data.
They can be beginner or advanced technology professionals who use their skills for a variety of reasons.
There are three main categories of hackers:
• Authorized hackers are also called ethical hackers. They follow a code of ethics and adhere to
the law to conduct organizational risk evaluations. They are motivated to safeguard people and
organizations from malicious threat actors.
 • Semi-authorized hackers are considered researchers. They search for vulnerabilities but don’t
take advantage of the vulnerabilities they find.
• Unauthorized hackers are also called unethical hackers. They are malicious threat actors who do
not follow or respect the law. Their goal is to collect and sell confidential data for financial
gain.

Note: There are multiple hacker types that fall into one or more of these three categories.
New and unskilled threat actors have various goals, including:
• To learn and enhance their hacking skills
• To seek revenge
• To exploit security weaknesses by using existing malware, programming scripts, and other
tactics
Other types of hackers are not motivated by any particular agenda other than completing the job they
were contracted to do. These types of hackers can be considered unethical or ethical hackers. They have
been known to work on both illegal and legal tasks for pay.
There are also hackers who consider themselves vigilantes. Their main goal is to protect the world from
unethical hackers.

Questions :
1- What is term for software hat is deigned to harm devices or networks : malware
2- What is historical event used a malware attachment to steal user information and passwords :
LoveLetter attack.
3- Is a manipulation technique that exploits human error to gain private information, access, or
valuables : Social engineering
4- A security professional is asked to teach employees how to avoid inadvertently revealing
sensitive data. What type of training should they conduct : Training about social engineering
5- A security professional is researching compliance and the law in order to define security goals.
Which domains does this scenario describe : security and risk management
6- Domains involve securing digital and physical assets, as well as managing the storage,
maintenance, retention, and destruction of data : asset security
7- A security professional receives an alert that an unknown device has connected o their
organization’s internal network. They follow policies and procedures to quickly stop the
potential threat : security operation
 Controls, framework, and compliance
(CIA) triad : is a model that helps inform how organization consider risk when setting up systems and
security policies. -> Confidentiality, integrity, and availability

Security framework: are guideline used for building plans to help mitigate risks and threats to data and
privacy. They have four core components :
1. Identifying and documenting security goals
2. Setting guidelines to achieve security goals
3. Implementing strong security processes
4. Monitoring and communicating results
Compliance is the process of adhering to internal standards and external regulations.

NIST the national institute of standards and technology is U.S based agency that develops multiple
voluntary compliance frameworks that organization worldwide can use to help manage risk. The more
aligned an organization is with compliance, the lower the risk.
Ex: CSF cybersecurity framework and the NIST risk management framework RMF
The Federal Energy Regulatory Commission - North American Electric Reliability Corporation
(FERC-NERC)
FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved
with the U.S. and North American power grid. These types of organizations have an obligation to
prepare for, mitigate, and report any potential security incident that can negatively affect the power
grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability
Standards defined by the FERC.
The Federal Risk and Authorization Management Program (FedRAMP®)
FedRAMP is a U.S. federal government program that standardizes security assessment, authorization,
monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency
across the government sector and third-party cloud providers.
Center for Internet Security (CIS®)
CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to
safeguard systems and networks against attacks. Its purpose is to help organizations establish a better
plan of defense. CIS also provides actionable controls that security professionals may follow if a security
incident occurs.
General Data Protection Regulation (GDPR)
GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U.
residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is
not being transparent about the data they are holding about an E.U. citizen and why they are holding
that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach
occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has
72 hours to notify the E.U. citizen about the breach.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an international security standard meant to ensure that organizations storing, accepting,
processing, and transmitting credit card information do so in a secure environment. The objective of
this compliance standard is to reduce credit card fraud.
The Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. federal law established in 1996 to protect patients' health information. This law
prohibits patient information from being shared without their consent. It is governed by three rules:
1. Privacy
2. Security
3. Breach notification
Organizations that store patient data have a legal obligation to inform patients of a breach because if
patients' Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance
fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual,
whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security
professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which
is a security framework and assurance program that helps institutions meet HIPAA compliance.
International Organization for Standardization (ISO)
ISO was created to establish international standards related to technology, manufacturing, and
management across borders. It helps organizations improve their processes and procedures for staff
retention, planning, waste, and services.
System and Organizations Controls (SOC type 1, SOC type 2)
The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed
this standard. The SOC1 and SOC2 are a series of reports that focus on an organization's user access
policies at different organizational levels such as:
• Associate
• Supervisor
• Manager
• Executive
• Vendor
• Others
They are used to assess an organization’s financial compliance and levels of risk. They also cover
confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these
areas can lead to fraud.
Pro tip: There are a number of regulations that are frequently revised. You are encouraged to keep
up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions to
research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.
United States Presidential Executive Order 14028
On May 12, 2021, President Joe Biden released an executive order related to improving the nation’s
cybersecurity to remediate the increase in threat actor activity. Remediation efforts are directed toward
federal agencies and third parties with ties to U.S.

Ethical principles and methodologies

Because counterattacks are generally disapproved of our illegal, the security realm has created
frameworks and controls-such as the confidentiality, integrity, and availability (CIA) triad and the
others discussed earlier in the program-to address issues of confidentiality, privacy protections, and
laws.

Confidentiality means that only authorized users can access specific assets or data. Confidentiality as it
relates to professional ethics means that there needs to be a high level of respect for privacy to safeguard
private assets and data.
Privacy protection means safeguarding personal information from unauthorized use. (PII) personally
identifiable information data is any information used to infer an individual’s identity, like their name and
phone number. (SPII) sensitive personally identifiable information data is specific type PII that falls
under stricter handling guidelines, including social security numbers and credit card numbers. To
effectively safeguard PII and SPII data, security professionals hold an ethical obligation to secure
private information, identify security vulnerabilities, manage organizational risks, and align security
with business goals.
Laws are rules that are recognized by a community and enforced by governing entity.

Use ethic to make decisions :

Option 1 : example that related to work in etc. academic and volunteer setting and should focus on a
time when you chose an ethical course of action.
This discussion prompt, consider the following :
-what was the situation ?
-how did you use ethics to make a decision?
-what was the impact and result of your decision?
Ans:
Situation : worked as an IT support technician for a small company. One day, while troubleshooting an
employee's computer, I stumbled upon a file containing sensitive customer information that had been
mistakenly left accessible.
How I used ethics to make a decision: I knew that accessing and potentially using this information
without authorization would be unethical and could lead to serious consequences for both the company
and its customers.
my decision: Instead of accessing or sharing the information, I immediately reported the issue to my
supervisor. We worked together to secure the file and notify the appropriate individuals within the
company about the incident. While it was a challenging situation, my decision to prioritize ethics helped
to maintain trust with both the company and its customers, and prevented any potential harm resulting
from unauthorized access to sensitive data.

What we cover in this part :

-Security frameworks and controls
-Ethics of security
Assets : an items perceived as having value to an organization
Availability : the idea that data is accessible to those who are authorized to access it
Compliance : the process of adhering to internal standards and external regulations
Confidentiality : the idea that only authorized users can access specific assets or data
CIA : a model that helps inform how organization consider risk when setting up system and security
policies
Hacktivist : a person who use hacking to achieve a political goal
HIPAA : a U.S. federal law established to protect patients health information
Integrity : the idea that the data is correct, authentic, and reliable
National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) : a voluntary
framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
Privacy protection : the act of safeguarding personal information from unauthorized use
Protect health information (PHI) : information that relates to the past, present, or future physical or
mental health or condition or an individual
Security architecture : A type of security design composed of multiple components, such as tools and
processes, that are used to protect an organization from risks and external threats
Security controls : Safeguards designed to reduce specific security risks
Security ethics : Guidelines for making appropriate decisions as a security professional
Security frameworks : Guidelines used for building plans to help mitigate risk and threats to data and
privacy
Security governance : Practices that help support, define, and direct security efforts of an organization
Sensitive personally identifiable information (SPII) : A specific type of PII that falls under stricter
handling guidelines
 Common cybersecurity tools

Security Information and Event Management (SIEM) tool : An application that collects and analyzes
log data to monitor critical activities in an organization.

Network protocol analyzer (packet sniffers) : A network protocol analyzer, also known as a packet
sniffers, is a tool designed to capture and analyze data traffic in a network. This means that tool keeps a
record of all the data that a computer within an organization’s network encounter.

Playbooks : A playbooks is manual that provides details about any operational action, such as how to
respond to security incident. Organization usually have multiple playbooks documenting processes and
procedures for their teams to follow. Playbooks vary from one organization to the next, but they all
have a similar purpose:
To guide analysts through a series of steps to complete specific security-related tasks.

Tools and their purpose

Dashboard : Application that collect and analyzes log data to monitor an organization’s critical
activities.

Programming : used to create a specific set of instructions for a computer to execute tasks.

Structured Query Language (SQL) : A programming language used to create, interact with, and request
information from a database.
Database : An organized collection of information or data.

Intrusion detection system : (IDS) is an application that monitor system activity and alerts on possible
intrusion. The system scans and analyzes network packets, which carry small amounts of data through a
network. The small amount of data makes the detection process easier for an IDS to identify potential
threats to sensitive data. Other occurrence an IDS might detect can include theft and unauthorized
access.
Encryption : makes data unreadable and difficult to decode for an unauthorized user; its main goal is to
ensure confidentiality of private data. Encryption is the process of converting data from a readable
format to a cryptographically encoded format.
Penetration testing : also called pen testing, is the act of participating in simulating attack that helps
identity vulnerabilities in system, networks, websites, applications, and processes. It is a thorough risk
assessment that can evaluate and identify external and internal threats as well as weaknesses.

NOTE 2

Security domains cybersecurity analysts :

Domain one : Security and risk management

All organizations must develop their security posture. Security posture is an organization ‘s ability to
manage its defense of critical assets and data and react to change. Elements of the security and risk
management domain that impact an organization’s security posture :
• Security goals and objectives
• Risk mitigation processes
• Compliance
• Business continuity plans
• Legal regulations
• Professional and organizational ethics

Information security :
• Incident response
• Vulnerability management
• Application security
• Cloud security
• Infrastructure security
As an example a security team may need to alter how personally identifiable information (PII) is treated.

Domain two : Asset security

Involved in managing the cybersecurity processes pf organizational asset, including the storage,
maintenance, retention, and destruction of physical and virtual data.

Domain three : Security architecture and engineering

Managing data security. Ensuring effective tools, systems, and process are in the place helps protect an
organization’s asset and data security. Security architects and engineers create these processes.

Principles :
• Threat modeling
• Least privilege
• Defense in depth
• Fail security separation of duties
• Keep its simple
• Zero trust
• Trust but verify
An example of managing data is the use of a security information and event management (SIEM) tool to
monitor for flags related to unusual login or user activity that could indicate a threat actor is attempting
to access private data.

Domain four : Communication and network security

Focuses on managing and securing physical networks and wireless communication. This includes on
site, remote, and cloud communications.

Domain five : Identity and access management

The identity and access management domain focuses on keeping data secure. It does this by ensuring
user identities are trusted and authenticated and that access to the physical and logical assets is
authorized. This help prevent unauthorized user. While allowing authorized users to perform their
tasks.

Domain six : Security assessment and testing

The domain focuses on identifying and mitigating risks, threats, and vulnerabilities. Security assessment
help organizations determine whether their internal systems are secure or at risk. Organization might
employ penetration testers, often referred to as “pen tester“, to find vulnerabilities that could be
exploited by a threat actor.

Domain seven : Security operation

The security operation domains focuses on the investigation of a potential data breach and the
implementation of prevention measure after a security a security incident has occurred. This includes
using strategies, processes, and tools such as:
 • Training and awareness
• Reporting and documentation
• Intrusion detection and prevention
• SIEM tools
• Log management
• Incident management
• Playbooks
• Post-breach forensics
• Reflecting on lesson learned
The cybersecurity professionals involved in this domain work as a team to manage, prevent, and
investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such
as large amounts of data being accessed from an organization’s internal network, outside of normal
working hours. Once a threat is identified, the team works diligently to keep private data and
information safe from threat actors.

Domain eight : software development security

Focused on using secure programming practices and guidelines to create secure applications. Having
secure applications help deliver secure and reliable service, which helps protect organizations and their
users.
Security must be incorporated into each element of the software development life cycle, from design and
development to testing and release. To achieve security, the software development process must have
security in mind at each step. Security cannot be an afterthought.
Performing application security tests can help ensure vulnerabilities are identified and mitigated
accordingly. Having a system in place to test the programming conventions, software executables, and
security measures embedded in the software is necessary. Having quality assurance and pen tester
professionals ensure the software has met security and performance standards is also an essential part of
the software development process. For example, an entry-level analyst working for a pharmaceutical
company might be asked to make sure encryption is properly configured for a new medical device that
will store private patient data.

Threat : Any circumstance or event that can negatively impact assets.

Phishing : exploits humans error to acquire sensitive data and private information. It is one method of
social engineering.

Risk management
A primary goal of organizations is to protect assets. An asset is an item perceived as having value to an
organization. Assets can be digital or physical. Examples of digital assets include the personal
information of employees, clients, or vendors, such as:
• Social Security Numbers (SSNs), or unique national identification numbers assigned to
individuals
• Dates of birth
• Bank account numbers
• Mailing addresses
Examples of physical assets include:
• Payment kiosks
• Servers
• Desktop computers
• Office spaces
Some common strategies used to manage risks include:
• Acceptance: Accepting a risk to avoid disrupting business continuity
• Avoidance: Creating a plan to avoid the risk altogether
• Transference: Transferring risk to a third party to manage
• Mitigation: Lessening the impact of a known risk

Threats
A threat is any circumstance or event that can negatively impact assets. As an entry-level security
analyst, your job is to help defend the organization’s assets from inside and outside threats. Therefore,
understanding common types of threats is important to an analyst’s daily work. As a reminder, common
threats include:
• Insider threats: Staff members or vendors abuse their authorized access to obtain data that may
harm an organization.
• Advanced persistent threats (APTs): A threat actor maintains unauthorized access to a
system for an extended period of time.
Risks
A risk is anything that can impact the confidentiality, integrity, or availability of an asset. A basic
formula for determining the level of risk is that risk equals the likelihood of a threat. One way to think
about this is that a risk is being late to work and threats are traffic, an accident, a flat tire, etc.
There are different factors that can affect the likelihood of a risk to an organization’s assets, including:
 • External risk: Anything outside the organization that has the potential to harm organizational
assets, such as threat actors attempting to gain access to private information
• Internal risk: A current or former employee, vendor, or trusted partner who poses a security
risk
• Legacy systems: Old systems that might not be accounted for or updated, but can still impact
assets, such as workstations or old mainframe systems. For example, an organization might
have an old vending machine that takes credit card payments or a workstation that is still
connected to the legacy accounting system.
• Multiparty risk: Outsourcing work to third-party vendors can give them access to intellectual
property, such as trade secrets, software designs, and inventions.
• Software compliance/licensing: Software that is not updated or in compliance, or patches that
are not installed in a timely manner

Vulnerabilities
A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to
regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:
• ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server.
This means a threat actor can complete a user authentication process to deploy malicious code
from a remote location.
• ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication
protocol is a way to verify a person's identity. Netlogon is a service that ensures a user’s identity
before allowing access to a website's location.
• Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive
information. It does this by enabling a remote attacker to take control of devices connected to
the internet and run malicious code.
• PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager
(NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication
request.
• Security logging and monitoring failures: Insufficient logging and monitoring capabilities
that result in attackers exploiting vulnerabilities without the organization knowing it
• Server-side request forgery: Allows attackers to manipulate a server-side application into
accessing and updating backend resources. It can also allow threat actors to steal data.
As an entry-level security analyst, you might work in vulnerability management, which is monitoring a
system to identify and mitigate vulnerabilities. Although patches and updates may exist, if they are not
applied, intrusions can still occur. For this reason, constant monitoring is important. The sooner an
organization identifies a vulnerability and addresses it by patching it or updating their systems, the
sooner it can be mitigated, reducing the organization’s exposure to the vulnerability.
 Frameworks and controls
Security frameworks are guidelines used for building plans to help mitigate risk and threats to
data and privacy. Frameworks support organizations’ ability to adhere to compliance laws and
regulations. For example, the healthcare industry uses frameworks to comply with the United
States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that
medical professionals keep patient information safe.
Security controls are safeguards designed to reduce specific security risks. Security controls
are the measures organizations use to lower risk and threats to data and privacy. For example, a
control that can be used alongside frameworks to ensure a hospital remains compliant with
HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical
records. Using a measure like MFA to validate someone’s identity is one way to help mitigate
potential risks and threats to private data.

Specific frameworks and controls

There are many different frameworks and controls that organizations can use to remain
compliant with regulations and achieve their security goals. Frameworks covered in this reading
are the Cyber Threat Framework (CTF) and the International Organization for
Standardization/International Electrotechnical Commission (ISO/IEC) 27001. Several common
security controls, used alongside these types of frameworks, are also explained.
Cyber Threat Framework (CTF)
According to the Office of the Director of National Intelligence, the CTF was developed by the
U.S. government to provide “a common language for describing and communicating information
about cyber threat activity.” By providing a common language to communicate information
about threat activity, the CTF helps cybersecurity professionals analyze and share information
more efficiently. This allows organizations to improve their response to the constantly evolving
cybersecurity landscape and threat actors' many tactics and techniques.

International Organization for Standardization/International

Electrotechnical Commission (ISO/IEC) 27001
An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of
standards enables organizations of all sectors and sizes to manage the security of assets, such as
financial information, intellectual property, employee data, and information entrusted to third
parties. This framework outlines requirements for an information security management system,
best practices, and controls that support an organization’s ability to manage risks. Although the
ISO/IEC 27001 framework does not require the use of specific controls, it does provide a
collection of controls that organizations can use to improve their security posture.

Controls
Controls are used alongside frameworks to reduce the possibility and impact of a security threat,
risk, or vulnerability. Controls can be physical, technical, and administrative and are typically
used to prevent, detect, or correct security issues.
Examples of physical controls:
• Gates, fences, and locks
• Security guards
• Closed-circuit television (CCTV), surveillance cameras, and motion detectors
• Access cards or badges to enter office spaces
Examples of technical controls:
• Firewalls
• MFA
• Antivirus software
Examples of administrative controls:
• Separation of duties
• Authorization
• Asset classification

Note 3

he TCP/IP model
The TCP/IP model is a framework used to visualize how data is organized and transmitted
across a network. This model helps network engineers and network security analysts
conceptualize processes on the network and communicate where disruptions or security threats
occur.
The TCP/IP model has four layers: the network access layer, internet layer, transport layer, and
application layer. When troubleshooting issues on the network, security professionals can
analyze which layers were impacted by an attack based on what processes were involved in an
incident.

Network access layer

The network access layer, sometimes called the data link layer, deals with the creation of data
packets and their transmission across a network. This layer corresponds to the physical hardware
involved in network transmission. Hubs, modems, cables, and wiring are all considered part of
this layer. The address resolution protocol (ARP) is part of the network access layer. Since MAC
addresses are used to identify hosts on the same physical network, ARP is needed to map IP
addresses to MAC addresses for local network communication.

Internet layer
The internet layer, sometimes referred to as the network layer, is responsible for ensuring the
delivery to the destination host, which potentially resides on a different network. It ensures IP
addresses are attached to data packets to indicate the location of the sender and receiver. The
internet layer also determines which protocol is responsible for delivering the data packets and
 ensures the delivery to the destination host. Here are some of the common protocols that operate
at the internet layer:
• Internet Protocol (IP). IP sends the data packets to the correct destination and relies on
the Transmission Control Protocol/User Datagram Protocol (TCP/UDP) to deliver them to the
corresponding service. IP packets allow communication between two networks. They are routed
from the sending network to the receiving network. TCP in particular retransmits any data that is
lost or corrupt.
• Internet Control Message Protocol (ICMP). The ICMP shares error information and
status updates of data packets. This is useful for detecting and troubleshooting network errors.
The ICMP reports information about packets that were dropped or that disappeared in transit,
issues with network connectivity, and packets redirected to other routers.

Transport layer
The transport layer is responsible for delivering data between two systems or networks and
includes protocols to control the flow of traffic across a network. TCP and UDP are the two
transport protocols that occur at this layer.
Transmission Control Protocol
The Transmission Control Protocol (TCP) is an internet communication protocol that allows
two devices to form a connection and stream data. It ensures that data is reliably transmitted to
the destination service. TCP contains the port number of the intended destination service, which
resides in the TCP header of a TCP/IP packet.

User Datagram Protocol

The User Datagram Protocol (UDP) is a connectionless protocol that does not establish a
connection between devices before transmissions. It is used by applications that are not
concerned with the reliability of the transmission. Data sent over UDP is not tracked as
extensively as data sent using TCP. Because UDP does not establish network connections, it is
used mostly for performance sensitive applications that operate in real time, such as video
streaming.

Application layer
The application layer in the TCP/IP model is similar to the application, presentation, and session
layers of the OSI model. The application layer is responsible for making network requests or
responding to requests. This layer defines which internet services and applications any user can
access. Protocols in the application layer determine how the data packets will interact with
receiving devices. Some common protocols used on this layer are:
• Hypertext transfer protocol (HTTP)
• Simple mail transfer protocol (SMTP)
• Secure shell (SSH)
• File transfer protocol (FTP)
• Domain name system (DNS)
Application layer protocols rely on underlying layers to transfer the data across the network.
The OSI model is a standardized concept that describes the seven layers computers use to
communicate and send data over the network. Network and security professionals often use this
model to communicate with each other about potential sources of problems or security threats when
they occur.

Layer 7: Application layer

The application layer includes processes that directly involve the everyday user. This layer
includes all of the networking protocols that software applications use to connect a user to the
internet. This characteristic is the identifying feature of the application layer—user connection to
the internet via applications and requests.
An example of a type of communication that happens at the application layer is using a web
browser. The internet browser uses HTTP or HTTPS to send and receive information from the
website server. The email application uses simple mail transfer protocol (SMTP) to send and
receive email information. Also, web browsers use the domain name system (DNS) protocol to
translate website domain names into IP addresses which identify the web server that hosts the
information for the website.

Layer 6: Presentation layer

Functions at the presentation layer involve data translation and encryption for the network. This
layer adds to and replaces data with formats that can be understood by applications (layer 7) on
both sending and receiving systems. Formats at the user end may be different from those of the
receiving system. Processes at the presentation layer require the use of a standardized format.
Some formatting functions that occur at layer 6 include encryption, compression, and
confirmation that the character code set can be interpreted on the receiving system. One example
of encryption that takes place at this layer is SSL, which encrypts data between web servers and
browsers as part of websites with HTTPS.

Layer 5: Session layer

A session describes when a connection is established between two devices. An open session
allows the devices to communicate with each other. Session layer protocols keep the session
open while data is being transferred and terminate the session once the transmission is complete.
The session layer is also responsible for activities such as authentication, reconnection, and
setting checkpoints during a data transfer. If a session is interrupted, checkpoints ensure that the
transmission picks up at the last session checkpoint when the connection resumes. Sessions
include a request and response between applications. Functions in the session layer respond to
requests for service from processes in the presentation layer (layer 6) and send requests for
services to the transport layer (layer 4).
 Layer 4: Transport layer
The transport layer is responsible for delivering data between devices. This layer also handles the
speed of data transfer, flow of the transfer, and breaking data down into smaller segments to
make them easier to transport. Segmentation is the process of dividing up a large data
transmission into smaller pieces that can be processed by the receiving system. These segments
need to be reassembled at their destination so they can be processed at the session layer (layer 5).
The speed and rate of the transmission also has to match the connection speed of the destination
system. TCP and UDP are transport layer protocols.

Layer 3: Network layer

The network layer oversees receiving the frames from the data link layer (layer 2) and delivers
them to the intended destination. The intended destination can be found based on the address that
resides in the frame of the data packets. Data packets allow communication between two
networks. These packets include IP addresses that tell routers where to send them. They are
routed from the sending network to the receiving network.

Layer 2: Data link layer

The data link layer organizes sending and receiving data packets within a single network. The
data link layer is home to switches on the local network and network interface cards on local
devices.
Protocols like network control protocol (NCP), high-level data link control (HDLC), and
synchronous data link control protocol (SDLC) are used at the data link layer.

Layer 1: Physical layer

As the name suggests, the physical layer corresponds to the physical hardware involved in
network transmission. Hubs, modems, and the cables and wiring that connect them are all
considered part of the physical layer. To travel across an ethernet or coaxial cable, a data packet
needs to be translated into a stream of 0s and 1s. The stream of 0s and 1s are sent across the
physical wiring and cables, received, and then passed on to higher levels of the OSI model.

Three categories of network protocols :

Communication protocols :
govern the exchange of information in network transmission. They dictate how the data is
transmitted between devices and the timing of the communication. They also include methods to
recover data lost in transit. Here are a few of them.
• Transmission Control Protocol (TCP) is an internet communication protocol that
allows two devices to form a connection and stream data. TCP uses a three-way handshake
process. First, the device sends a synchronize (SYN) request to a server. Then the server
responds with a SYN/ACK packet to acknowledge receipt of the device's request. Once the
 server receives the final ACK packet from the device, a TCP connection is established. In the
TCP/IP model, TCP occurs at the transport layer.
• User Datagram Protocol (UDP) is a connectionless protocol that does not establish a
connection between devices before a transmission. This makes it less reliable than TCP. But it
also means that it works well for transmissions that need to get to their destination quickly. For
example, one use of UDP is for sending DNS requests to local DNS servers. In the TCP/IP
model, UDP occurs at the transport layer.
• Hypertext Transfer Protocol (HTTP) is an application layer protocol that provides a
method of communication between clients and website servers. HTTP uses port 80. HTTP is
considered insecure, so it is being replaced on most websites by a secure version, called HTTPS
that uses encryption from SSL/TLS for communication. However, there are still many websites
that use the insecure HTTP protocol. In the TCP/IP model, HTTP occurs at the application layer.
• Domain Name System (DNS) is a protocol that translates internet domain names into
IP addresses. When a client computer wishes to access a website domain using their internet
browser, a query is sent to a dedicated DNS server. The DNS server then looks up the IP address
that corresponds to the website domain. DNS normally uses UDP on port 53. However, if the
DNS reply to a request is large, it will switch to using the TCP protocol. In the TCP/IP model,
DNS occurs at the application layer.

Management Protocols
The next category of network protocols is management protocols. Management protocols are
used for monitoring and managing activity on a network. They include protocols for error
reporting and optimizing performance on the network.
• Simple Network Management Protocol (SNMP) is a network protocol used for
monitoring and managing devices on a network. SNMP can reset a password on a network
device or change its baseline configuration. It can also send requests to network devices for a
report on how much of the network’s bandwidth is being used up. In the TCP/IP model, SNMP
occurs at the application layer.
• Internet Control Message Protocol (ICMP) is an internet protocol used by devices to
tell each other about data transmission errors across the network. ICMP is used by a receiving
device to send a report to the sending device about the data transmission. ICMP is commonly
used as a quick way to troubleshoot network connectivity and latency by issuing the “ping”
command on a Linux operating system. In the TCP/IP model, ICMP occurs at the internet layer.

Security Protocols
Security protocols are network protocols that ensure that data is sent and received securely across
a network. Security protocols use encryption algorithms to protect data in transit. Below are
some common security protocols.
• Hypertext Transfer Protocol Secure (HTTPS) is a network protocol that provides a
secure method of communication between clients and website servers. HTTPS is a secure
version of HTTP that uses secure sockets layer/transport layer security (SSL/TLS) encryption on
all transmissions so that malicious actors cannot read the information contained. HTTPS uses
port 443. In the TCP/IP model, HTTPS occurs at the application layer.
• Secure File Transfer Protocol (SFTP) is a secure protocol used to transfer files from
one device to another over a network. SFTP uses secure shell (SSH), typically through TCP port
22. SSH uses Advanced Encryption Standard (AES) and other types of encryption to ensure that
unintended recipients cannot intercept the transmissions. In the TCP/IP model, SFTP occurs at
the application layer. SFTP is used often with cloud storage. Every time a user uploads or
downloads a file from cloud storage, the file is transferred using the SFTP protocol.
Note: The encryption protocols mentioned do not conceal the source or destination IP address of
network traffic. This means a malicious actor can still learn some basic information about the
network traffic if they intercept it.

Common network protocols

Network protocols are used to direct traffic to the correct device and service depending on the
kind of communication being performed by the devices on the network. Protocols are the rules
used by all network devices that provide a mutually agreed upon foundation for how to transfer
data across a network.
There are three main categories of network protocols: communication protocols, management
protocols, and security protocols.
1. Communication protocols are used to establish connections between servers. Examples
include TCP, UDP, and Simple Mail Transfer Protocol (SMTP), which provides a framework for
email communication.
2. Management protocols are used to troubleshoot network issues. One example is the
Internet Control Message Protocol (ICMP).
3. Security protocols provide encryption for data in transit. Examples include IPSec and
SSL/TLS.
Some other commonly used protocols are:
• Hypertext Transfer Protocol (HTTP). HTTP is an application layer communication
protocol. This allows the browser and the web server to communicate with one another.
• Domain Name System (DNS). DNS is an application layer protocol that translates, or
maps, host names to IP addresses.
• Address Resolution Protocol (ARP). ARP is a network layer communication protocol that
maps IP addresses to physical machines or a MAC address recognized on the local area network.

Wi-Fi
This section of the course also introduced various wireless security protocols, including WEP,
WPA, WPA2, and WPA3. WPA3 encrypts traffic with the Advanced Encryption Standard
(AES) cipher as it travels from your device to the wireless access point. WPA2 and WPA3 offer
two modes: personal and enterprise. Personal mode is best suited for home networks while
enterprise mode is generally utilized for business networks and applications.

Network security tools and practices

Firewalls
 Previously, you learned that firewalls are network virtual appliances (NVAs) or hardware
devices that inspect and can filter network traffic before it’s permitted to enter the private
network. Traditional firewalls are configured with rules that tell it what types of data packets are
allowed based on the port number and IP address of the data packet.
There are two main categories of firewalls.
• Stateless: A class of firewall that operates based on predefined rules and does not keep
track of information from data packets
• Stateful: A class of firewall that keeps track of information passing through it and
proactively filters out threats. Unlike stateless firewalls, which require rules to be configured in
two directions, a stateful firewall only requires a rule in one direction. This is because it uses a
"state table" to track connections, so it can match return traffic to an existing session
Next generation firewalls (NGFWs) are the most technologically advanced firewall protection.
They exceed the security offered by stateful firewalls because they include deep packet
inspection (a kind of packet sniffing that examines data packets and takes actions if threats exist)
and intrusion prevention features that detect security threats and notify firewall administrators.
NGFWs can inspect traffic at the application layer of the TCP/IP model and are typically
application aware. Unlike traditional firewalls that block traffic based on IP address and ports,
NGFWs rules can be configured to block or allow traffic based on the application. Some NGFWs
have additional features like Malware Sandboxing, Network Anti-Virus, and URL and DNS
Filtering.

Proxy servers
A proxy server is another way to add security to your private network. Proxy servers utilize
network address translation (NAT) to serve as a barrier between clients on the network and
external threats. Forward proxies handle queries from internal clients when they access resources
external to the network. Reverse proxies function opposite of forward proxies; they handle
requests from external systems to services on the internal network. Some proxy servers can also
be configured with rules, like a firewall. For example, you can create filters to block websites
identified as containing malware.

Virtual Private Networks (VPN)

A VPN is a service that encrypts data in transit and disguises your IP address. VPNs use a
process called encapsulation. Encapsulation wraps your unencrypted data in an encrypted data
packet, which allows your data to be sent across the public network while remaining anonymous.
Enterprises and other organizations use VPNs to help protect communications from users’
devices to corporate resources. Some of these resources include servers or virtual machines that
host business applications. Individuals also use VPNs to increase personal privacy. VPNs protect
user privacy by concealing personal information, including IP addresses, from external servers.
A reputable VPN also minimizes its own access to user internet activity by using strong
encryption and other security measures. Organizations are increasingly using a combination of
VPN and SD-WAN capabilities to secure their networks. A software-defined wide area network
(SD-WAN) is a virtual WAN service that allows organizations to securely connect users to
applications across multiple locations and over large geographical distances.
 Network interception attacks
Network interception attacks work by intercepting network traffic and stealing valuable
information or interfering with the transmission in some way.
Malicious actors can use hardware or software tools to capture and inspect data in transit. This is
referred to as packet sniffing. In addition to seeing information that they are not entitled to,
malicious actors can also intercept network traffic and alter it. These attacks can cause damage to
an organization’s network by inserting malicious code modifications or altering the message and
interrupting network operations. For example, an attacker can intercept a bank transfer and
change the account receiving the funds to one that the attacker controls.
Later in this course you will learn more about malicious packet sniffing, and other types of
network interception attacks: on-path attacks and replay attacks.

Backdoor attacks
A backdoor attack is another type of attack you will need to be aware of as a security analyst.
An organization may have a lot of security measures in place, including cameras, biometric scans
and access codes to keep employees from entering and exiting without being seen. However, an
employee might work around the security measures by finding a backdoor to the building that is
not as heavily monitored, allowing them to sneak out for the afternoon without being seen.
In cybersecurity, backdoors are weaknesses intentionally left by programmers or system and
network administrators that bypass normal access control mechanisms. Backdoors are intended
to help programmers conduct troubleshooting or administrative tasks. However, backdoors can
also be installed by attackers after they’ve compromised an organization to ensure they have
persistent access.
Once the hacker has entered an insecure network through a backdoor, they can cause extensive
damage: installing malware, performing a denial of service (DoS) attack, stealing private
information or changing other security settings that leaves the system vulnerable to other attacks.
A DoS attack is an attack that targets a network or server and floods it with network traffic.

Possible impacts on an organization

As you’ve learned already, network attacks can have a significant negative impact on an
organization. Let’s examine some potential consequences.
• Financial: When a system is taken offline with a DoS attack or some other tactic, they
prevent a company from performing tasks that generate revenue. Depending on the size of an
organization, interrupted operations can cost millions of dollars. Reparation costs to rebuild
software infrastructure and to pay large sums associated with potential ransomware can be
financially difficult. In addition, if a malicious actor gets access to the personal information of
the company’s clients or customers, the company may face heavy litigation and settlement costs
if customers seek legal recourse.
• Reputation: Attacks can also have a negative impact on the reputation of an
organization. If it becomes public knowledge that a company has experienced a cyber attack, the
public may become concerned about the security practices of the organization. They may stop
 trusting the company with their personal information and choose a competitor to fulfill their
needs.
• Public safety: If an attack occurs on a government network, this can potentially impact
the safety and welfare of the citizens of a country. In recent years, defense agencies across the
globe are investing heavily in combating cyber warfare tactics. If a malicious actor gained access
to a power grid, a public water system, or even a military defense communication system, the
public could face physical harm due to a network intrusion attack.

Read tcpdump logs

A network protocol analyzer, sometimes called a packet sniffer or a packet analyzer, is a tool
designed to capture and analyze data traffic within a network. They are commonly used as
investigative tools to monitor networks and identify suspicious activity. There are a wide variety of
network protocol analyzers available, but some of the most common analyzers include:
• SolarWinds NetFlow Traffic Analyzer
• ManageEngine OpManager
• Azure Network Watcher
• Wireshark
• tcpdump
This reading will focus exclusively on tcpdump, though you can apply what you learn here to many of
the other network protocol analyzers you'll use as a cybersecurity analyst to defend against any
network intrusions. In an upcoming activity, you’ll review a tcpdump data traffic log and identify a
DoS attack to practice these skills.
tcpdump
tcpdump is a command-line network protocol analyzer. It is popular, lightweight–meaning it uses
little memory and has a low CPU usage–and uses the open-source libpcap library. tcpdump is text
based, meaning all commands in tcpdump are executed in the terminal. It can also be installed on
other Unix-based operating systems, such as macOS®. It is preinstalled on many Linux distributions.
tcpdump provides a brief packet analysis and converts key information about network traffic into
formats easily read by humans. It prints information about each packet directly into your terminal.
tcpdump also displays the source IP address, destination IP addresses, and the port numbers being
used in the communications.

Interpreting output
tcpdump prints the output of the command as the sniffed packets in the command line, and
optionally to a log file, after a command is executed. The output of a packet capture contains many
pieces of important information about the network traffic.
 Some information you receive from a packet capture includes:
• Timestamp: The output begins with the timestamp, formatted as hours, minutes, seconds,
and fractions of a second.
• Source IP: The packet’s origin is provided by its source IP address.
• Source port: This port number is where the packet originated.
• Destination IP: The destination IP address is where the packet is being transmitted to.
• Destination port: This port number is where the packet is being transmitted to.
Note: By default, tcpdump will attempt to resolve host addresses to hostnames. It'll also replace port
numbers with commonly associated services that use these ports.

Common uses
tcpdump and other network protocol analyzers are commonly used to capture and view network
communications and to collect statistics about the network, such as troubleshooting network
performance issues. They can also be used to:
• Establish a baseline for network traffic patterns and network utilization metrics.
• Detect and identify malicious traffic
• Create customized alerts to send the right notifications when network issues or security
threats arise.
• Locate unauthorized instant messaging (IM), traffic, or wireless access points.
However, attackers can also use network protocol analyzers maliciously to gain information about a
specific network. For example, attackers can capture data packets that contain sensitive information,
such as account usernames and passwords. As a cybersecurity analyst, It’s important to understand
the purpose and uses of network protocol analyzers.

Brute force attacks

A brute force attack is a trial-and-error process of discovering private information. There are
different types of brute force attacks that malicious actors use to guess passwords, including:
• Simple brute force attacks. When attackers try to guess a user's login credentials, it’s
considered a simple brute force attack. They might do this by entering any combination of
usernames and passwords that they can think of until they find the one that works.
• Dictionary attacks use a similar technique. In dictionary attacks, attackers use a list of
commonly used passwords and stolen credentials from previous breaches to access a system.
These are called “dictionary” attacks because attackers originally used a list of words from the
dictionary to guess the passwords, before complex password rules became a common security
practice.
Using brute force to access a system can be a tedious and time consuming process, especially
when it’s done manually. There are a range of tools attackers use to conduct their attacks.

Assessing vulnerabilities
Before a brute force attack or other cybersecurity incident occurs, companies can run a series of
tests on their network or web applications to assess vulnerabilities. Analysts can use virtual
machines and sandboxes to test suspicious files, check for vulnerabilities before an event occurs,
or to simulate a cybersecurity incident.
Virtual machines (VMs)
Virtual machines (VMs) are software versions of physical computers. VMs provide an additional
layer of security for an organization because they can be used to run code in an isolated
environment, preventing malicious code from affecting the rest of the computer or system. VMs
can also be deleted and replaced by a pristine image after testing malware.
VMs are useful when investigating potentially infected machines or running malware in a
constrained environment. Using a VM may prevent damage to your system in the event its tools
are used improperly. VMs also give you the ability to revert to a previous state. However, there
are still some risks involved with VMs. There’s still a small risk that a malicious program can
escape virtualization and access the host machine.
You can test and explore applications easily with VMs, and it’s easy to switch between different
VMs from your computer. This can also help in streamlining many security tasks.

Sandbox environments
A sandbox is a type of testing environment that allows you to execute software or programs
separate from your network. They are commonly used for testing patches, identifying and
addressing bugs, or detecting cybersecurity vulnerabilities. Sandboxes can also be used to
evaluate suspicious software, evaluate files containing malicious code, and simulate attack
scenarios.
Sandboxes can be stand-alone physical computers that are not connected to a network; however,
it is often more time- and cost-effective to use software or cloud-based virtual machines as
sandbox environments. Note that some malware authors know how to write code to detect if the
malware is executed in a VM or sandbox environment. Attackers can program their malware to
behave as harmless software when run inside these types of testing environments.

Prevention measures
Some common measures organizations use to prevent brute force attacks and similar attacks
from occurring include:
• Salting and hashing: Hashing converts information into a unique value that can then be
used to determine its integrity. It is a one-way function, meaning it is impossible to decrypt and
obtain the original text. Salting adds random characters to hashed passwords. This increases the
length and complexity of hash values, making them more secure.
• Multi-factor authentication (MFA) and two-factor authentication (2FA): MFA is
a security measure which requires a user to verify their identity in two or more ways to access a
system or network. This verification happens using a combination of authentication factors: a
username and password, fingerprints, facial recognition, or a one-time password (OTP) sent to a
phone number or email. 2FA is similar to MFA, except it uses only two forms of verification.
• CAPTCHA and reCAPTCHA: CAPTCHA stands for Completely Automated Public
Turing test to tell Computers and Humans Apart. It asks users to complete a simple test that
proves they are human. This helps prevent software from trying to brute force a password.
reCAPTCHA is a free CAPTCHA service from Google that helps protect websites from bots and
malicious software.
• Password policies: Organizations use password policies to standardize good password
practices throughout the business. Policies can include guidelines on how complex a password
should be, how often users need to update passwords, whether passwords can be reused or not,
and if there are limits to how many times a user can attempt to log in before their account is
suspended.

Network security applications

This section of the course covers the topic of network hardening and monitoring. Each device, tool,
or security strategy put in place by security analysts further protects—or hardens—the network until
the network owner is satisfied with the level of security. This approach of adding layers of security to
a network is referred to as defense in depth.
In this reading, you are going to learn about the role of four devices used to secure a
network—firewalls, intrusion detection systems, intrusion prevention systems, and security incident
and event management tools. Network security professionals have the choice to use any or all of
these devices and tools depending on the level of security that they hope to achieve.
This reading will discuss the benefits of layered security. Each tool mentioned is an additional layer
of defense that can incrementally harden a network, starting with the minimum level of security
(provided by just a firewall), to the highest level of security (provided by combining a firewall, an
intrusion detection and prevention device, and security event monitoring).
Take note of where each tool is located on the network. Each tool has its own place in the network’s
architecture. Security analysts are required to understand the network topologies shown in the
diagrams throughout this reading.
Firewall
So far in this course, you learned about stateless firewalls, stateful firewalls, and next-generation
firewalls (NGFWs), and the security advantages of each of them.
Most firewalls are similar in their basic functions. Firewalls allow or block traffic based on a set of
rules. As data packets enter a network, the packet header is inspected and allowed or denied based
on its port number. NGFWs are also able to inspect packet payloads. Each system should have its
own firewall, regardless of the network firewall.

Intrusion Detection System

An intrusion detection system (IDS) is an application that monitors system activity and alerts on
possible intrusions. An IDS alerts administrators based on the signature of malicious traffic.
The IDS is configured to detect known attacks. IDS systems often sniff data packets as they move
across the network and analyze them for the characteristics of known attacks. Some IDS systems
review not only for signatures of known attacks, but also for anomalies that could be the sign of
malicious activity. When the IDS discovers an anomaly, it sends an alert to the network administrator
who can then investigate further.
The limitations to IDS systems are that they can only scan for known attacks or obvious anomalies.
New and sophisticated attacks might not be caught. The other limitation is that the IDS doesn’t
actually stop the incoming traffic if it detects something awry. It’s up to the network administrator to
catch the malicious activity before it does anything damaging to the network.

When combined with a firewall, an IDS adds another layer of defense. The IDS is placed behind the
firewall and before entering the LAN, which allows the IDS to analyze data streams after network
traffic that is disallowed by the firewall has been filtered out. This is done to reduce noise in IDS
alerts, also referred to as false positives.

Intrusion Prevention System

An intrusion prevention system (IPS) is an application that monitors system activity for intrusive
activity and takes action to stop the activity. It offers even more protection than an IDS because it
actively stops anomalies when they are detected, unlike the IDS that simply reports the anomaly to a
network administrator.
An IPS searches for signatures of known attacks and data anomalies. An IPS reports the anomaly to
security analysts and blocks a specific sender or drops network packets that seem suspect.

The IPS (like an IDS) sits behind the firewall in the network architecture. This offers a high level of
security because risky data streams are disrupted before they even reach sensitive parts of the
network. However, one potential limitation is that it is inline: If it breaks, the connection between the
private network and the internet breaks. Another limitation of IPS is the possibility of false positives,
which can result in legitimate traffic getting dropped.

Full packet capture devices

Full packet capture devices can be incredibly useful for network administrators and security
professionals. These devices allow you to record and analyze all of the data that is transmitted over
your network. They also aid in investigating alerts created by an IDS.

Security Information and Event Management

A security information and event management system (SIEM) is an application that collects and
analyzes log data to monitor critical activities in an organization. SIEM tools work in real time to
report suspicious activity in a centralized dashboard. SIEM tools additionally analyze network log
 data sourced from IDSs, IPSs, firewalls, VPNs, proxies, and DNS logs. SIEM tools are a way to
aggregate security event data so that it all appears in one place for security analysts to analyze. This
is referred to as a single pane of glass.
Below, you can review an example of a dashboard from Google Cloud’s SIEM tool, Chronicle.
Chronicle is a cloud-native tool designed to retain, analyze, and search data.

Splunk is another common SIEM tool. Splunk offers different SIEM tool options: Splunk Enterprise
and Splunk Cloud. Both options include detailed dashboards which help security professionals to
review and analyze an organization's data. There are also other similar SIEM tools available, and it's
important for security professionals to research the different tools to determine which one is most
beneficial to the organization.
A SIEM tool doesn’t replace the expertise of security analysts, or of the network- and
system-hardening activities covered in this course, but they’re used in combination with other
security methods. Security analysts often work in a Security Operations Center (SOC) where they
can monitor the activity across the network. They can then use their expertise and experience to
determine how to respond to the information on the dashboard and decide when the events meet the
criteria to be escalated to oversight.

Key takeaways
Devices / Tools Advantages Disadvantages
A firewall allows
or blocks traffic A firewall is only able to filter packets based on information provided i
Firewall
based on a set of header of the packets.
rules.
An IDS detects and
alerts admins about
An IDS can only scan for known attacks or obvious anomalies; new and sophisticated
Intrusion Detection System (IDS) possible intrusions,
might not be caught. It doesn’t actually stop the incoming traffic.
attacks, and other
malicious traffic.
An IPS monitors
system activity for
Intrusion Prevention System An IPS is an inline appliance. If it fails, the connection between the private network a
intrusions and
(IPS) internet breaks. It might detect false positives and block legitimate traffic.
anomalies and takes
action to stop them.
A SIEM tool collects
and analyzes log data
from multiple network
Security Information and Event A SIEM tool only reports on possible security issues. It does not take any actions to st
machines. It aggregates
Management (SIEM) prevent suspicious events.
security events for
monitoring in a central
dashboard.
Each of these devices or tools cost money to purchase, install, and maintain. An organization might
need to hire additional personnel to monitor the security tools, as in the case of a SIEM.
Decision-makers are tasked with selecting the appropriate level of security based on cost and risk to
the organization. You will learn more about choosing levels of security later in the course.
Cloud security considerations
Many organizations choose to use cloud services because of the ease of deployment, speed of
deployment, cost savings, and scalability of these options. Cloud computing presents unique
security challenges that cybersecurity analysts need to be aware of.
Identity access management
Identity access management (IAM) is a collection of processes and technologies that helps
organizations manage digital identities in their environment. This service also authorizes how
users can use different cloud resources. A common problem that organizations face when using
the cloud is the loose configuration of cloud user roles. An improperly configured user role
increases risk by allowing unauthorized users to have access to critical cloud operations.

Configuration
The number of available cloud services adds complexity to the network. Each service must be
carefully configured to meet security and compliance requirements. This presents a particular
challenge when organizations perform an initial migration into the cloud. When this change
occurs on their network, they must ensure that every process moved into the cloud has been
configured correctly. If network administrators and architects are not meticulous in correctly
configuring the organization’s cloud services, they could leave the network open to compromise.
Misconfigured cloud services are a common source of cloud security issues.

Attack surface
Cloud service providers (CSPs) offer numerous applications and services for organizations at a
low cost.
Every service or application on a network carries its own set of risks and vulnerabilities and
increases an organization’s overall attack surface. An increased attack surface must be
compensated for with increased security measures.
Cloud networks that utilize many services introduce lots of entry points into an organization’s
network. However, if the network is designed correctly, utilizing several services does not
introduce more entry points into an organization’s network design. These entry points can be
used to introduce malware onto the network and pose other security vulnerabilities. It is
important to note that CSPs often defer to more secure options, and have undergone more
scrutiny than a traditional on-premises network.

Zero-day attacks
Zero-day attacks are an important security consideration for organizations using cloud or
traditional on-premise network solutions. A zero day attack is an exploit that was previously
unknown. CSPs are more likely to know about a zero day attack occurring before a traditional IT
organization does. CSPs have ways of patching hypervisors and migrating workloads to other
virtual machines. These methods ensure the customers are not impacted by the attack. There are
also several tools available for patching at the operating system level that organizations can use.

Visibility and tracking

Network administrators have access to every data packet crossing the network with both
on-premise and cloud networks. They can sniff and inspect data packets to learn about network
performance or to check for possible threats and attacks.
This kind of visibility is also offered in the cloud through flow logs and tools, such as packet
mirroring. CSPs take responsibility for security in the cloud, but they do not allow the
organizations that use their infrastructure to monitor traffic on the CSP’s servers. Many CSPs
offer strong security measures to protect their infrastructure. Still, this situation might be a
concern for organizations that are accustomed to having full access to their network and
operations. CSPs pay for third-party audits to verify how secure a cloud network is and identify
potential vulnerabilities. The audits can help organizations identify whether any vulnerabilities
originate from on-premise infrastructure and if there are any compliance lapses from their CSP.

Things change fast in the cloud

CSPs are large organizations that work hard to stay up-to-date with technology advancements.
For organizations that are used to being in control of any adjustments made to their network, this
can be a potential challenge to keep up with. Cloud service updates can affect security
considerations for the organizations using them. For example, connection configurations might
need to be changed based on the CSP’s updates.
Organizations that use CSPs usually have to update their IT processes. It is possible for
organizations to continue following established best practices for changes, configurations, and
other security considerations. However, an organization might have to adopt a different approach
in a way that aligns with changes made by the CSP.
Cloud networking offers various options that might appear attractive to a small
company—options that they could never afford to build on their own premises. However, it is
important to consider that each service adds complexity to the security profile of the
organization, and they will need security personnel to monitor all of the cloud services.

Shared responsibility model

A commonly accepted cloud security principle is the shared responsibility model. The shared
responsibility model states that the CSP must take responsibility for security involving the
cloud infrastructure, including physical data centers, hypervisors, and host operating systems.
The company using the cloud service is responsible for the assets and processes that they store or
operate in the cloud.
The shared responsibility model ensures that both the CSP and the users agree about where their
responsibility for security begins and ends. A problem occurs when organizations assume that
the CSP is taking care of security that they have not taken responsibility for. One example of this
is cloud applications and configurations. The CSP takes responsibility for securing the cloud, but
it is the organization’s responsibility to ensure that services are configured properly according to
the security requirements of their organization.
 Note 4

Tools of the trade : Linux and SQL.

Talks about compare between types of operating system like (macOS, windows, Linux).

When you boot, or turn on, your computer, either a BIOS or UEFI microchip is activated. The
Basic Input/output System (BIOS) is a microchip that contains loading instructions for the
computer and is prevalent in older systems. The Unified Extensible Firmware Interface
(UEFI) is a microchip that contains loading instructions for the computer and replaces BIOS on
more modern systems.
The BIOS and UEFI chips both perform the same function for booting the computer. BIOS was
the standard chip until 2007, when UEFI chips increased in use. Now, most new computers
include a UEFI chip. UEFI provides enhanced security features.
The BIOS or UEFI microchips contain a variety of loading instructions for the computer to
follow. For example, one of the loading instructions is to verify the health of the computer’s
hardware.
The last instruction from the BIOS or UEFI activates the bootloader. The bootloader is a
software program that boots the operating system. Once the operating system has finished
booting, your computer is ready for use.

User
The first part of the process is the user. The user initiates the process by having something they
want to accomplish on the computer. Right now, you’re a user! You’ve initiated the process of
accessing this reading.

Application
The application is the software program that users interact with to complete a task. For example,
if you want to calculate something, you would use the calculator application. If you want to write
a report, you would use a word processing application. This is the second part of the process.

Operating system
The operating system receives the user’s request from the application. It’s the operating system’s
job to interpret the request and direct its flow. In order to complete the task, the operating system
sends it on to applicable components of the hardware.

Hardware
The hardware is where all the processing is done to complete the tasks initiated by the user. For
example, when a user wants to calculate a number, the CPU figures out the answer. As another
example, when a user wants to save a file, another component of the hardware, the hard drive,
handles this task.
After the work is done by the hardware, it sends the output back through the operating system to
the application so that it can display the results to the user.

Virtualization technology

What is a virtual machine?

A virtual machine (VM) is a virtual version of a physical computer. Virtual machines are one
example of virtualization. Virtualization is the process of using software to create virtual
representations of various physical machines. The term “virtual” refers to machines that don’t
exist physically, but operate like they do because their software simulates physical hardware.
Virtual systems don’t use dedicated physical hardware. Instead, they use software-defined
versions of the physical hardware. This means that a single virtual machine has a virtual CPU,
virtual storage, and other virtual hardware. Virtual systems are just code.

You can run multiple virtual machines using the physical hardware of a single computer. This
involves dividing the resources of the host computer to be shared across all physical and virtual
components. For example, Random Access Memory (RAM) is a hardware component used for
short-term memory. If a computer has 16GB of RAM, it can host three virtual machines so that
the physical computer and virtual machines each have 4GB of RAM. Also, each of these virtual
machines would have their own operating system and function similarly to a typical computer.

Benefits of virtual machines

Security professionals commonly use virtualization and virtual machines. Virtualization can
increase security for many tasks and can also increase efficiency.
Security
One benefit is that virtualization can provide an isolated environment, or a sandbox, on the
physical host machine. When a computer has multiple virtual machines, these virtual machines
are “guests” of the computer. Specifically, they are isolated from the host computer and other
guest virtual machines. This provides a layer of security, because virtual machines can be kept
separate from the other systems. For example, if an individual virtual machine becomes infected
with malware, it can be dealt with more securely because it’s isolated from the other machines. A
security professional could also intentionally place malware on a virtual machine to examine it in
a more secure environment.
Note: Although using virtual machines is useful when investigating potentially infected
machines or running malware in a constrained environment, there are still some risks. For
example, a malicious program can escape virtualization and access the host machine. This is why
you should never completely trust virtualized systems.
Efficiency
Using virtual machines can also be an efficient and convenient way to perform security tasks.
You can open multiple virtual machines at once and switch easily between them. This allows you
to streamline security tasks, such as testing and exploring various applications.
You can compare the efficiency of a virtual machine to a city bus. A single city bus has a lot of
room and is an efficient way to transport many people simultaneously. If city buses didn’t exist,
then everyone on the bus would have to drive their own cars. This uses more gas, cars, and other
resources than riding the city bus.
Similar to how many people can ride one bus, many virtual machines can be hosted on the same
physical machine. That way, separate physical machines aren't needed to perform certain tasks.

Managing virtual machines

Virtual machines can be managed with a software called a hypervisor. Hypervisors help users
manage multiple virtual machines and connect the virtual and physical hardware. Hypervisors
also help with allocating the shared resources of the physical host machine to one or more virtual
machines.
One hypervisor that is useful for you to be familiar with is the Kernel-based Virtual Machine
(KVM). KVM is an open-source hypervisor that is supported by most major Linux distributions.
It is built into the Linux kernel, which means it can be used to create virtual machines on any
machine running a Linux operating system without the need for additional software.

The command line in use :

CLI vs. GUI

A graphical user interface (GUI) is a user interface that uses icons on the screen to manage
different tasks on the computer. A command-line interface (CLI) is a text-based user
interface that uses commands to interact with the computer.

Function
These two interfaces also differ in how they function. A GUI is an interface that only allows you
to make one request at a time. However, a CLI allows you to make multiple requests at a time.

Advantages of a CLI in cybersecurity

The choice between using a GUI or CLI is partly based on personal preference, but security
analysts should be able to use both interfaces. Using a CLI can provide certain advantages.

Efficiency
Some prefer the CLI because it can be used more quickly when you know how to manage this
interface. For a new user, a GUI might be more efficient because they’re easier for beginners to
navigate.
Because a CLI can accept multiple requests at one time, it’s more powerful when you need to
perform multiple tasks efficiently. For example, if you had to create multiple new files in your
system, you could quickly perform this task in a CLI. If you were using a GUI, this could take
much longer, because you have to repeat the same steps for each new file.

History file
For security analysts, using the Linux CLI is helpful because it records a history file of all the
commands and actions in the CLI. If you were using a GUI, your actions are not necessarily
saved in a history file.
For example, you might be in a situation where you’re responding to an incident using a
playbook. The playbook’s instructions require you to run a series of different commands. If you
used a CLI, you’d be able to go back to the history and ensure all of the commands were
correctly used. This could be helpful if there were issues using the playbook and you had to
review the steps you performed in the command line.
Additionally, if you suspect an attacker has compromised your system, you might be able to
trace their actions using the history file.