Introduction to Cybersecurity PDF

Security domains cybersecurity analysts need to know As an analyst, you can explore various areas of cybersecurity that interest you. One way to explore those areas is by understanding different security domains and how they’re used to organize the work of security professionals. In this reading you will learn more about CISSP’s eight security domains and how they relate to the work you’ll do as a security analyst. Domain one: Security and risk management All organizations must develop their security posture. Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. Elements of the security and risk management domain that impact an organization's security posture include: Security goals and objectives (Planned short-term and long-term diserable outcomes to support providence of organziation/ entity) Risk mitigation processes (An organizations best practices to handle incidents or high risk environments/ threat scenarios) Compliance (Industry requirements- can be set by trade organizations, professional associations and/or government bodies) Business continuity plans (Within a corporation or department(s) of an organizations) Legal regulations (As outlined by governing bodies) Professional and organizational ethics (example: Sensitive information sharing agreements- intraorganizational data confidence, 2nd example- sharing of trade secrets/ financial initiatives, upcoming joint projects.* Making sure all staff and shareholders uphold the cooperation agreements inthe utmost confidence) Information security, or InfoSec, is also related to this domain and refers to a set of processes established to secure information. An organization may use playbooks and implement training as a part of their security and risk management program, based on their needs and perceived risk. There are many InfoSec design processes, such as: Incident response Vulnerability management Application security Cloud security Infrastructure security As an example, a security team may need to alter how personally identifiable information (PII) is treated in order to adhere to the European Union's General Data Protection Regulation (GDPR). Domain two: Asset security Asset security involves managing the cybersecurity processes of organizational assets, including the storage, maintenance, retention, and destruction of physical and virtual data. Because the loss or theft of assets can expose an organization and increase the level of risk, keeping track of assets and the data they hold is essential. Conducting a security impact analysis, establishing a recovery plan, and managing data exposure will depend on the level of risk associated with each asset. Security analysts may need to store, maintain, and retain data by creating backups to ensure they are able to restore the environment if a security incident places the organization’s data at risk. Domain three: Security architecture and engineering This domain focuses on managing data security. Ensuring effective tools, systems, and processes are in place helps protect an organization’s assets and data. Security architects and engineers create these processes. One important aspect of this domain is the concept of shared responsibility. Shared responsibility means all individuals involved take an active role in lowering risk during the design of a security system. Additional design principles related to this domain, which are discussed later in the program, include: Threat modeling Least privilege Defense in depth Fail securely Separation of duties Keep it simple Zero trust Trust but verify An example of managing data is the use of a security information and event management (SIEM) tool to monitor for flags related to unusual login or user activity that could indicate a threat actor is attempting to access private data. Domain four: Communication and network security This domain focuses on managing and securing physical networks and wireless communications. This includes on-site, remote, and cloud communications. Organizations with remote, hybrid, and on-site work environments must ensure data remains secure, but managing external connections to make certain that remote workers are securely accessing an organization’s networks is a challenge. Designing network security controls—such as restricted network access—can help protect users and ensure an organization’s network remains secure when employees travel or work outside of the main office. Domain five: Identity and access management The identity and access management (IAM) domain focuses on keeping data secure. It does this by ensuring user identities are trusted and authenticated and that access to physical and logical assets is authorized. This helps prevent unauthorized users, while allowing authorized users to perform their tasks. Essentially, IAM uses what is referred to as the principle of least privilege, which is the concept of granting only the minimal access and authorization required to complete a task. As an example, a cybersecurity analyst might be asked to ensure that customer service representatives can only view the private data of a customer, such as their phone number, while working to resolve the customer's issue; then remove access when the customer's issue is resolved. Domain six: Security assessment and testing The security assessment and testing domain focuses on identifying and mitigating risks, threats, and vulnerabilities. Security assessments help organizations determine whether their internal systems are secure or at risk. Organizations might employ penetration testers, often referred to as “pen testers,” to find vulnerabilities that could be exploited by a threat actor. This domain suggests that organizations conduct security control testing, as well as collect and analyze data. Additionally, it emphasizes the importance of conducting security audits to monitor for and reduce the probability of a data breach. To contribute to these types of tasks, cybersecurity professionals may be tasked with auditing user permissions to validate that users have the correct levels of access to internal systems. Domain seven: Security operations The security operations domain focuses on the investigation of a potential data breach and the implementation of preventative measures after a security incident has occurred. This includes using strategies, processes, and tools such as: Training and awareness Reporting and documentation Intrusion detection and prevention SIEM tools Log management Incident management Playbooks Post-breach forensics Reflecting on lessons learned The cybersecurity professionals involved in this domain work as a team to manage, prevent, and investigate threats, risks, and vulnerabilities. These individuals are trained to handle active attacks, such as large amounts of data being accessed from an organization's internal network, outside of normal working hours. Once a threat is identified, the team works diligently to keep private data and information safe from threat actors. Domain eight: Software development security The software development security domain is focused on using secure programming practices and guidelines to create secure applications. Having secure applications helps deliver secure and reliable services, which helps protect organizations and their users. Security must be incorporated into each element of the software development life cycle, from design and development to testing and release. To achieve security, the software development process must have security in mind at each step. Security cannot be an afterthought. Performing application security tests can help ensure vulnerabilities are identified and mitigated accordingly. Having a system in place to test the programming conventions, software executables, and security measures embedded in the software is necessary. Having quality assurance and pen tester professionals ensure the software has met security and performance standards is also an essential part of the software development process. For example, an entry-level analyst working for a pharmaceutical company might be asked to make sure encryption is properly configured for a new medical device that will store private patient data. Key takeaways In this reading, you learned more about the focus areas of the eight CISSP security domains. In addition, you learned about InfoSec and the principle of least privilege. Being familiar with these security domains and related concepts will help you gain insight into the field of cybersecurity. NIST MANAGEMENT FRAMEWORK Step #1.) Prepare- Activities that are necessary to manage security and privacy risks before a breach occurs. Step #2.) Catagorize- Used to develop risk management processes and tasks. Step #3.) Select- Choose, Customize and Capture documentation of the controls that protect an organization. ( Example: keeping a playbook up to date) Step #4.) Implement- Implement security and rivacy plans for the organization. Step #5.) Assess- Determine if established controls are implemented correctly- take time to see if the protocols in place are meeting organizational needs. Step #6.) Authorize- Being accountable for the security and privacy risks that may exist in an organization Step #7.) Monitor- Awareness of how systems are operating. Manage common threats, risks, and vulnerabilities Previously, you learned that security involves protecting organizations and people from threats, risks, and vulnerabilities. Understanding the current threat landscapes gives organizations the ability to create policies and processes designed to help prevent and mitigate these types of security issues. In this reading, you will further explore how to manage risk and some common threat actor tactics and techniques, so you are better prepared to protect organizations and the people they serve when you enter the cybersecurity field. Risk management A primary goal of organizations is to protect assets. An asset is an item perceived as having value to an organization. Assets can be digital or physical. Examples of digital assets include the personal information of employees, clients, or vendors, such as: Social Security Numbers (SSNs), or unique national identification numbers assigned to individuals Dates of birth Bank account numbers Mailing addresses Examples of physical assets include: Payment kiosks Servers Desktop computers Office spaces Some common strategies used to manage risks include: Acceptance: Accepting a risk to avoid disrupting business continuity Avoidance: Creating a plan to avoid the risk altogether Transference: Transferring risk to a third party to manage Mitigation: Lessening the impact of a known risk Additionally, organizations implement risk management processes based on widely accepted frameworks to help protect digital and physical assets from various threats, risks, and vulnerabilities. Examples of frameworks commonly used in the cybersecurity industry include the National Institute of Standards and Technology Risk Management Framework (NIST RMF) and Health Information Trust Alliance (HITRUST). Following are some common types of threats, risks, and vulnerabilities you’ll help organizations manage as a security professional. Today’s most common threats, risks, and vulnerabilities Threats A threat is any circumstance or event that can negatively impact assets. As an entry-level security analyst, your job is to help defend the organization’s assets from inside and outside threats. Therefore, understanding common types of threats is important to an analyst’s daily work. As a reminder, common threats include: Insider threats: Staff members or vendors abuse their authorized access to obtain data that may harm an organization. Advanced persistent threats (APTs): A threat actor maintains unauthorized access to a system for an extended period of time. Risks A risk is anything that can impact the confidentiality, integrity, or availability of an asset. A basic formula for determining the level of risk is that risk equals the likelihood of a threat. One way to think about this is that a risk is being late to work and threats are traffic, an accident, a flat tire, etc. There are different factors that can affect the likelihood of a risk to an organization’s assets, including: External risk: Anything outside the organization that has the potential to harm organizational assets, such as threat actors attempting to gain access to private information Internal risk: A current or former employee, vendor, or trusted partner who poses a security risk Legacy systems: Old systems that might not be accounted for or updated, but can still impact assets, such as workstations or old mainframe systems. For example, an organization might have an old vending machine that takes credit card payments or a workstation that is still connected to the legacy accounting system. Multiparty risk: Outsourcing work to third-party vendors can give them access to intellectual property, such as trade secrets, software designs, and inventions. Software compliance/licensing: Software that is not updated or in compliance, or patches that are not installed in a timely manner There are many resources, such as the NIST, that provide lists of cybersecurity risks. Additionally, the Open Web Application Security Project (OWASP) publishes a standard awareness document about the top 10 most critical security risks to web applications, which is updated regularly. Note: The OWASP’s common attack types list contains three new risks for the years 2017 to 2021: insecure design, software and data integrity failures, and server-side request forgery. This update emphasizes the fact that security is a constantly evolving field. It also demonstrates the importance of staying up to date on current threat actor tactics and techniques, so you can be better prepared to manage these types of risks. Vulnerabilities A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to regularly inspect for vulnerabilities within their systems. Some vulnerabilities include: ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location. ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person's identity. Netlogon is a service that ensures a user’s identity before allowing access to a website's location. Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code. PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request. Security logging and monitoring failures: Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it Server-side request forgery: Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data. As an entry-level security analyst, you might work in vulnerability management, which is monitoring a system to identify and mitigate vulnerabilities. Although patches and updates may exist, if they are not applied, intrusions can still occur. For this reason, constant monitoring is important. The sooner an organization identifies a vulnerability and addresses it by patching it or updating their systems, the sooner it can be mitigated, reducing the organization’s exposure to the vulnerability. To learn more about the vulnerabilities explained in this section of the reading, as well as other vulnerabilities, explore the NIST National Vulnerability Database and CISA Known Exploited Vulnerabilities Catalog. Key takeaways In this reading, you learned about some risk management strategies and frameworks that can be used to develop organization-wide policies and processes to mitigate threats, risks, and vulnerabilities. You also learned about some of today’s most common threats, risks, and vulnerabilities to business operations. Understanding these concepts can better prepare you to not only protect against, but also mitigate, the types of security-related issues that can harm organizations and people alike. Terms and definitions from Course 2, Module 1 Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that may exist in an organization Business continuity: An organization's ability to maintain their everyday productivity by establishing risk disaster recovery plans Categorize: The second step of the NIST RMF that is used to develop risk management processes and tasks External threat: Anything outside the organization that has the potential to harm organizational assets Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk Monitor: The seventh step of the NIST RMF that means be aware of how systems are operating Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access Risk: Anything that can impact the confidentiality, integrity, or availability of an asset Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach Security posture: An organization’s ability to manage its defense of critical assets and data and react to change Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization Shared responsibility: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables Vulnerability: A weakness that can be exploited by a threat The relationship between frameworks and controls Previously, you learned how organizations use security frameworks and controls to protect against threats, risks, and vulnerabilities. This included discussions about the National Institute of Standards and Technology’s (NIST’s) Risk Management Framework (RMF) and Cybersecurity Framework (CSF), as well as the confidentiality, integrity, and availability (CIA) triad. In this reading, you will further explore security frameworks and controls and how they are used together to help mitigate organizational risk. Frameworks and controls Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and privacy. Frameworks support organizations’ ability to adhere to compliance laws and regulations. For example, the healthcare industry uses frameworks to comply with the United States’ Health Insurance Portability and Accountability Act (HIPAA), which requires that medical professionals keep patient information safe. Security controls are safeguards designed to reduce specific security risks. Security controls are the measures organizations use to lower risk and threats to data and privacy. For example, a control that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a measure like MFA to validate someone’s identity is one way to help mitigate potential risks and threats to private data. Specific frameworks and controls There are many different frameworks and controls that organizations can use to remain compliant with regulations and achieve their security goals. Frameworks covered in this reading are the Cyber Threat Framework (CTF) and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001. Several common security controls, used alongside these types of frameworks, are also explained. Cyber Threat Framework (CTF) According to the Office of the Director of National Intelligence, the CTF was developed by the U.S. government to provide “a common language for describing and communicating information about cyber threat activity.” By providing a common language to communicate information about threat activity, the CTF helps cybersecurity professionals analyze and share information more efficiently. This allows organizations to improve their response to the constantly evolving cybersecurity landscape and threat actors' many tactics and techniques. International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27001 An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of standards enables organizations of all sectors and sizes to manage the security of assets, such as financial information, intellectual property, employee data, and information entrusted to third parties. This framework outlines requirements for an information security management system, best practices, and controls that support an organization’s ability to manage risks. Although the ISO/IEC 27001 framework does not require the use of specific controls, it does provide a collection of controls that organizations can use to improve their security posture. Controls Controls are used alongside frameworks to reduce the possibility and impact of a security threat, risk, or vulnerability. Controls can be physical, technical, and administrative and are typically used to prevent, detect, or correct security issues. Examples of physical controls: Gates, fences, and locks Security guards Closed-circuit television (CCTV), surveillance cameras, and motion detectors Access cards or badges to enter office spaces Examples of technical controls: Firewalls MFA Antivirus software Examples of administrative controls: Separation of duties Authorization Asset classification To learn more about controls, particularly those used to protect health-related assets from a variety of threat types, review the U.S. Department of Health and Human Services’ Physical Access Control presentation. Key takeaways Cybersecurity frameworks and controls are used together to establish an organization’s security posture. They also support an organization’s ability to meet security goals and comply with laws and regulations. Although these frameworks and controls are typically voluntary, organizations are strongly encouraged to implement and use them to help ensure the safety of critical assets. CIA triad: A model that helps organizations consider risk when setting up systems and security policies. Confidentiality: Only authorized users can access specific assets or data OWASP SECURITY PRINCIPLES Open Web Applications Security Project 1. Minimize Surface Attack Area- refers to all the potential vulnerabilities that a threat actor could exploit; such as attack vectors- which are pathways attackers use to penetrate security defenses. Example: phishing tactics or weak passwords within an organization. 2. Principal of least privilege - making sure users have least amount of access required to complete daily tasks; main reasons for limiting access to organizational information and resources is to reduce the amount of damage a security breach could cause. Example: if an employee’s credentials are hijacked by a threat actor then only a portion of the system is compromised- thus restricting access to the most sensitive information. 3. Defense in Depth- making sure that an organization should have multiple security controls to manage different risk & threats; an example of such a tool is MFA, firewalls, permission settings and intrusion detection systems. These different levels of defense work in tandem to help keep an organization secure by making it more difficult for a threat actor to breach & hijack a system. 4. Separation of Duties- Ensuring that no single individual has sole, vast access to sensitive information & assets across a system, therefore it prevents individuals from carrying out fraudulent, illegal activites that could harm an organization if an inner threat actor seeks to misuse the system. Example- the person who signs company paychecks shouldn’t be the same person who prepares the paychecks. 5. Keep Security Simple- When implementing security controls, unnecessarily complicated solutions should be avoided because it become unmanageable- which can make it difficult for teams to work collaboratively. 6. Fix Security Issues Correctly-Security professionals are expected to resolve breach incidents and technological issues quickly and identify root causes that lead to an adverse event. Then security professionals have to make sure those root causes are permanently fixed. To make sure that the organization is no longer impacted from those vulnerabilities. OWASP security principles: continued Previously, you learned that cybersecurity analysts help keep data safe and reduce risk for an organization by using a variety of security frameworks, controls, and security principles. In this reading, you will learn about more Open Web Application Security Project, recently renamed Open Worldwide Application Security Project® (OWASP), security principles and how entry-level analysts use them. Security principles In the workplace, security principles are embedded in your daily tasks. Whether you are analyzing logs, monitoring a security information and event management (SIEM) dashboard, or using a vulnerability scanner, you will use these principles in some way. Previously, you were introduced to several OWASP security principles. These included: Minimize attack surface area: Attack surface refers to all the potential vulnerabilities a threat actor could exploit. Principle of least privilege: Users have the least amount of access required to perform their everyday tasks. Defense in depth: Organizations should have varying security controls that mitigate risks and threats. Separation of duties: Critical actions should rely on multiple people, each of whom follow the principle of least privilege. Keep security simple: Avoid unnecessarily complicated solutions. Complexity makes security difficult. Fix security issues correctly: When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful. Additional OWASP security principles Next, you’ll learn about four additional OWASP security principles that cybersecurity analysts and their teams use to keep organizational operations and people safe. Establish secure defaults This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure. Fail securely Fail securely means that when a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and block all new ones, rather than start accepting everything. Don’t trust services Many organizations work with third-party partners. These outside partners often have different security policies than the organization does. And the organization shouldn’t explicitly trust that their partners’ systems are secure. For example, if a third-party vendor tracks reward points for airline customers, the airline should ensure that the balance is accurate before sharing that information with their customers. Avoid security by obscurity The security of key systems should not rely on keeping details hidden. Consider the following example from OWASP (2016): OWASP Mobile Top 10. The security of an application should not rely on keeping the source code secret. Its security should rely upon many other factors, including reasonable password policies, defense in depth, business transaction limits, solid network architecture, and fraud and audit controls. Key takeaways: Cybersecurity professionals are constantly applying security principles to safeguard organizations and the people they serve. As an entry-level security analyst, you can use these security principles to promote safe development practices that reduce risks to companies and users alike. Security Audit: A review of an organization’s security controls, policies and and procedures against a set of expectations. - There are 2 main types of security audits: External & Internal Entry-level cybersecurity analysts work on internal audits with other IT staff, these audits are typically conducted as a team- which might include an organization’s compliance officer, cybersecurity manager and other team members. Internal security audits are done to help improve an organization’s security posture and as a due diligence measure to help avoid fines from governing agencies due to lack of compliance with latest best security practices. Purposes of Internal Security Audits 1.) Indentify organizational risks 2.) Assess controls 3.) Correct compliance issues. Common Elements of Internal Security Audits 1. Establishing scope and goals on an Organizations cybersecurity plan Scope: refers to the specific criteria of an internal security audit. Scope requires organizations to identify people, assets, policies, procedures and technologies that might impact an organization’s security posture. Goals: are an outline of an organization’s security objectives- what an organization wants to achieve in order to achieve improved security posture. -Although senior cybersecurity professionals and an organization’s upper management will create the scope and goals of an internal security audit; an entry level analyst must review and understand the outlined scope & goals in order to complete other elements of the Internal Security Audit. 2. Conducting a risk assessment: Focus on identifying potential threats, risks and vulnerabilities an organization could be faced with. This helps organizations consider what secuirty measures should be implemented and monitored to ensure the safety of assets. Often time completed my managers and other senior stakeholders, however entry level cybersecurity professionals will be asked to analyze details provided by the risk assessment and to give feedback on what kind of controls and compliance regulations need to be implemented so as to improve an organization’s security posture. Audit Sample Questions: What is the audit meant to achieve? What assets are most at risk? Are the current controls sufficient to protect those assets? - If not, what security tools can be put into place to supplement the current controls and develop a more robust cybersecurity apparatus? What controls and compliance regulations need to be implemented? 3. Completing a controls assessment- closely reviewing an organization’s existing assets, and then evaluating potential risks to those assets to ensure internal controls processes are effective. - To do this entry level analysts will be tasked with classifying controls into the following categories: Administrative Controls: related to the human component of cybersecurity- policies and proceedures on how an organization handles data, ie.e password controls Technical Controls: Hardware and software solutions used to protect assets, i.e. firewalls, encryption, intrusion directions systems Physical Controls: measures put in place to physically protect assets, such as security cameras and locks on data centers access doors 4. Assessing compliance 5. Communicating results: Stakeholder Communications Summarizes scope and goals Lists existing risks Details how quickly those risks need to be addressed Identifies compliance regulations Provides strategic reccomendations Audit checklist It’s necessary to create an audit checklist before conducting an audit. A checklist is generally made up of the following areas of focus: Identify the scope of the audit The audit should: ○ List assets that will be assessed (e.g., firewalls are configured correctly, PII is secure, physical assets are locked, etc.) ○ Note how the audit will help the organization achieve its desired goals ○ Indicate how often an audit should be performed ○ Include an evaluation of organizational policies, protocols, and procedures to make sure they are working as intended and being implemented by employees Complete a risk assessment A risk assessment is used to evaluate identified organizational risks related to budget, controls, internal processes, and external standards (i.e., regulations). Conduct the audit When conducting an internal audit, you will assess the security of the identified assets listed in the audit scope. Create a mitigation plan A mitigation plan is a strategy established to lower the level of risk and potential costs, penalties, or other issues that can negatively affect the organization’s security posture. Communicate results to stakeholders The end result of this process is providing a detailed report of findings, suggested improvements needed to lower the organization's level of risk, and compliance regulations and standards the organization needs to adhere to. Key takeaways In this reading you learned more about security audits, including what they are; why they’re conducted; and the role of frameworks, controls, and compliance in audits. Although there is much more to learn about security audits, this introduction is meant to support your ability to complete an audit of your own for a self-reflection portfolio activity later in this course. Terms and definitions from Course 2, Module 2 Asset: An item perceived as having value to an organization Attack vectors: The pathways attackers use to penetrate security defenses Authentication: The process of verifying who someone is Authorization: The concept of granting access to specific resources in a system Availability: The idea that data is accessible to those who are authorized to access it Biometrics: The unique physical characteristics that can be used to verify a person’s identity Confidentiality: The idea that only authorized users can access specific assets or data Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies Detect: A NIST core function related to identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections Encryption: The process of converting data from a readable format to an encoded format Identify: A NIST core function related to management of cybersecurity risk and its effect on an organization’s people and assets Integrity: The idea that the data is correct, authentic, and reliable National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk National Institute of Standards and Technology (NIST) Special Publication (S.P.) 800-53: A unified framework for protecting the security of information systems within the U.S. federal government Open Web Application Security Project/Open Worldwide Application Security Project (OWASP): A non-profit organization focused on improving software security Protect: A NIST core function used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats Recover: A NIST core function related to returning affected systems back to normal operation Respond: A NIST core function related to making sure that the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process Risk: Anything that can impact the confidentiality, integrity, or availability of an asset Security audit: A review of an organization's security controls, policies, and procedures against a set of expectations Security controls: Safeguards designed to reduce specific security risks Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy Security posture: An organization’s ability to manage its defense of critical assets and data and react to change Threat: Any circumstance or event that can negatively impact assets Module 2: Course 3 Logs Types 1. Firewall logs- a record of attempted or established connections for incoming traffic from the internet. It also includes outbound requests to the internet from within the network. 2. Network log- a record of all computers and devices that enter and leave a network. It also records connections between devices and services on the network. 3. Server log- a record of events related to services, such as websites, emails, or file shares. It includes actions such as login, password and username requests. Metrics: Key technical attributes, such as response time, availability, and failure rate, which are used to assess the performance of a software application. SIEM Dashboards can be customized to display specific metrics or other data that are relevant to different members of an organizations Current SIEM solutions A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools offer real-time monitoring and tracking of security event logs. The data is then used to conduct a thorough analysis of any potential security threat, risk, or vulnerability identified. SIEM tools have many dashboard options. Each dashboard option helps cybersecurity team members manage and monitor organizational data. However, currently, SIEM tools require human interaction for analysis of security events. The future of SIEM tools As cybersecurity continues to evolve, the need for cloud functionality has increased. SIEM tools have and continue to evolve to function in cloud-hosted and cloud-native environments. Cloud-hosted SIEM tools are operated by vendors who are responsible for maintaining and managing the infrastructure required to use the tools. Cloud-hosted tools are simply accessed through the internet and are an ideal solution for organizations that don’t want to invest in creating and maintaining their own infrastructure. Similar to cloud-hosted SIEM tools, cloud-native SIEM tools are also fully maintained and managed by vendors and accessed through the internet. However, cloud-native tools are designed to take full advantage of cloud computing capabilities, such as availability, flexibility, and scalability. Yet, the evolution of SIEM tools is expected to continue in order to accommodate the changing nature of technology, as well as new threat actor tactics and techniques. For example, consider the current development of interconnected devices with access to the internet, known as the Internet of Things (IoT). The more interconnected devices there are, the larger the cybersecurity attack surface and the amount of data that threat actors can exploit. The diversity of attacks and data that require special attention is expected to grow significantly. Additionally, as artificial intelligence (AI) and machine learning (ML) technology continues to progress, SIEM capabilities will be enhanced to better identify threat-related terminology, dashboard visualization, and data storage functionality. The implementation of automation will also help security teams respond faster to possible incidents, performing many actions without waiting for a human response. Security orchestration, automation, and response (SOAR) is a collection of applications, tools, and workflows that uses automation to respond to security events. Essentially, this means that handling common security-related incidents with the use of SIEM tools is expected to become a more streamlined process requiring less manual intervention. This frees up security analysts to handle more complex and uncommon incidents that, consequently, can’t be automated with a SOAR. Nevertheless, the expectation is for cybersecurity-related platforms to communicate and interact with one another. Although the technology allowing interconnected systems and devices to communicate with each other exists, it is still a work in progress. Key takeaways SIEM tools play a major role in monitoring an organization’s data. As an entry-level security analyst, you might monitor SIEM dashboards as part of your daily tasks. Regularly researching new developments in SIEM technology will help you grow and adapt to the changes in the cybersecurity field. Cloud computing, SIEM-application integration, and automation are only some of the advancements security professionals can expect in the future evolution of SIEM tools. Different kinds of SIEM Tools Self-hosted SIEM tools require organizations to install, operate and maintain the tool using their own physical infrastructure, such as server capacity. - These assets are then managed and maintained by an organization’s IT department rather than a 3rd party vendor. - Self-hosted SIEM tools are Ideal when an organization is required to maintain independent physical Control over Confidential Data. Cloud-hosted SIEM tools are hosted, maintained and managed by the SIEM Providers- making them accessible via the internet. This option is preferred by organizations that don’t want to invest in creating and maintaining their own SIEM infrastructure. Hybrid SIEM tools: some organizations choose to utlize a combination of both self-hosted SIEM Tools and cloud-hosted SIEM tools. (Known as a Hybrid Solution) Ideal for organizations that want to maintain physical control over data assets, but want to utilize the full services offered by the cloud. 1. Splunk Enterprise: A self-hosted tool used to retain, analyze and search an organization’s log data to provide security information and alerts in real time. 2. Splunk Cloud: A cloud-hosted tool used to collect, search and monitor log data. 3. Google Chronicle: A cloud-native tool designed to retain, analyze and seach data. Provides log monitoring, data collection and analysis. Open-source tools Open-source tools are often free to use and can be user friendly. The objective of open-source tools is to provide users with software that is built by the public in a collaborative way, which can result in the software being more secure. Additionally, open-source tools allow for more customization by users, resulting in a variety of new services built from the same open-source software package. Software engineers create open-source projects to improve software and make it available for anyone to use, as long as the specified license is respected. The source code for open-source projects is readily available to users, as well as the training material that accompanies them. Having these sources readily available allows users to modify and improve project materials. Proprietary tools Proprietary tools are developed and owned by a person or company, and users typically pay a fee for usage and training. The owners of proprietary tools are the only ones who can access and modify the source code. This means that users generally need to wait for updates to be made to the software, and at times they might need to pay a fee for those updates. Proprietary software generally allows users to modify a limited number of features to meet individual and organizational needs. Examples of proprietary tools include Splunk® and Chronicle SIEM tools. Common misconceptions There is a common misconception that open-source tools are less effective and not as safe to use as proprietary tools. However, developers have been creating open-source materials for years that have become industry standards. Although it is true that threat actors have attempted to manipulate open-source tools, because these tools are open source it is actually harder for people with malicious intent to successfully cause harm. The wide exposure and immediate access to the source code by well-intentioned and informed users and professionals makes it less likely for issues to occur, because they can fix issues as soon as they’re identified. Examples of open-source tools In security, there are many tools in use that are open-source and commonly available. Two examples are Linux and Suricata. Linux Linux is an open-source operating system that is widely used. It allows you to tailor the operating system to your needs using a command-line interface. An operating system is the interface between computer hardware and the user. It’s used to communicate with the hardware of a computer and manage software applications. There are multiple versions of Linux that exist to accomplish specific tasks. Linux and its command-line interface will be discussed in detail, later in the certificate program. Suricata Suricata is an open-source network analysis and threat detection software. Network analysis and threat detection software is used to inspect network traffic to identify suspicious behavior and generate network data logs. The detection software finds activity across users, computers, or Internet Protocol (IP) addresses to help uncover potential threats, risks, or vulnerabilities. Suricata was developed by the Open Information Security Foundation (OISF). OISF is dedicated to maintaining open-source use of the Suricata project to ensure it’s free and publicly available. Suricata is widely used in the public and private sector, and it integrates with many SIEM tools and other security tools. Suricata will also be discussed in greater detail later in the program. Key takeaways: Open-source tools are widely used in the cybersecurity profession. Throughout the certificate program, you will have multiple opportunities to learn about and explore both open-source and proprietary tools in more depth. Splunk Splunk offers different SIEM tool options: Splunk® Enterprise and Splunk® Cloud. Both allow you to review an organization's data on dashboards. This helps security professionals manage an organization's internal infrastructure by collecting, searching, monitoring, and analyzing log data from multiple sources to obtain full visibility into an organization’s everyday operations. Review the following Splunk dashboards and their purposes: Security posture dashboard The security posture dashboard is designed for security operations centers (SOCs). It displays the last 24 hours of an organization’s notable security-related events and trends and allows security professionals to determine if security infrastructure and policies are performing as designed. Security analysts can use this dashboard to monitor and investigate potential threats in real time, such as suspicious network activity originating from a specific IP address. Executive summary dashboard The executive summary dashboard analyzes and monitors the overall health of the organization over time. This helps security teams improve security measures that reduce risk. Security analysts might use this dashboard to provide high-level insights to stakeholders, such as generating a summary of security incidents and trends over a specific period of time. Incident review dashboard The incident review dashboard allows analysts to identify suspicious patterns that can occur in the event of an incident. It assists by highlighting higher risk items that need immediate review by an analyst. This dashboard can be very helpful because it provides a visual timeline of the events leading up to an incident. Risk analysis dashboard The risk analysis dashboard helps analysts identify risk for each risk object (e.g., a specific user, a computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user logging in outside of normal working hours or unusually high network traffic from a specific computer. A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in critical assets, which helps analysts prioritize their risk mitigation efforts. Chronicle Chronicle is a cloud-native SIEM tool from Google that retains, analyzes, and searches log data to identify potential security threats, risks, and vulnerabilities. Chronicle allows you to collect and analyze log data according to: A specific asset A domain name A user An IP address Chronicle provides multiple dashboards that help analysts monitor an organization’s logs, create filters and alerts, and track suspicious domain names. Review the following Chronicle dashboards and their purposes: Enterprise insights dashboard The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to indicate the likelihood of a threat. It also provides a severity level that indicates the significance of each threat to the organization. A security analyst might use this dashboard to monitor login or data access attempts related to a critical asset—like an application or system—from unusual locations or devices. Data ingestion and health dashboard The data ingestion and health dashboard shows the number of event logs, log sources, and success rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure that log sources are correctly configured and that logs are received without error. This helps ensure that log related issues are addressed so that the security team has access to the log data they need. IOC matches dashboard The IOC matches dashboard indicates the top threats, risks, and vulnerabilities to the organization. Security professionals use this dashboard to observe domain names, IP addresses, and device IOCs over time in order to identify trends. This information is then used to direct the security team’s focus to the highest priority threats. For example, security analysts can use this dashboard to search for additional activity associated with an alert, such as a suspicious user login from an unusual geographic location. Main dashboard The main dashboard displays a high-level summary of information related to the organization’s data ingestion, alerting, and event activity over time. Security professionals can use this dashboard to access a timeline of security events—such as a spike in failed login attempts— to identify threat trends across log sources, devices, IP addresses, and physical locations. Rule detections dashboard The rule detections dashboard provides statistics related to incidents with the highest occurrences, severities, and detections over time. Security analysts can use this dashboard to access a list of all the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user opens a known malicious attachment from an email. Analysts then use those statistics to help manage recurring incidents and establish mitigation tactics to reduce an organization's level of risk. User sign in overview dashboard The user sign in overview dashboard provides information about user access behavior across the organization. Security analysts can use this dashboard to access a list of all user sign-in events to identify unusual user activity, such as a user signing in from multiple locations at the same time. This information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the organization’s applications. Key takeaways SIEM tools provide dashboards that help security professionals organize and focus their security efforts. This is important because it allows analysts to reduce risk by identifying, analyzing, and remediating the highest priority items in a timely manner. Later in the program, you’ll have an opportunity to practice using various SIEM tool features and commands for search queries. Terms and definitions from Course 2, Module 3 Chronicle: A cloud-native tool designed to retain, analyze, and search data Incident response: An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach Log: A record of events that occur within an organization’s systems Metrics: Key technical attributes such as response time, availability, and failure rate, which are used to assess the performance of a software application Operating system (OS): The interface between computer hardware and the user Playbook: A manual that provides details about any operational action Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization Security orchestration, automation, and response (SOAR): A collection of applications, tools, and workflows that use automation to respond to security events SIEM tools: A software platform that collects, analyzes, and correlates security data from various sources across your IT infrastructure that helps identify and respond to security threats in real-time, investigate security incidents, and comply with security regulations Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an organization's log data to provide security information and alerts in real-time Incident Response: An organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach. - An Incident Response Playbook is a guide with 6 phases used to help mitigate and manage security incidents from beginnning to end. Playbooks are accompanied by a strategy. The strategy outlines expectations of team members who are assigned a task, and some playbooks also list the individuals responsible. The outlined expectations are accompanied by a plan. The plan dictates how the specific task outlined in the playbook must be completed. Playbooks should be treated as living documents, which means that they are frequently updated by security team members to address industry changes and new threats. Playbooks are generally managed as a collaborative effort, since security team members have different levels of expertise. Updates are often made if: A failure is identified, such as an oversight in the outlined policies and procedures, or in the playbook itself. There is a change in industry standards, such as changes in laws or regulatory compliance. The cybersecurity landscape changes due to evolving threat actor tactics and techniques. Types of playbooks Playbooks sometimes cover specific incidents and vulnerabilities. These might include ransomware, vishing, business email compromise (BEC), and other attacks previously discussed. Incident and vulnerability response playbooks are very common, but they are not the only types of playbooks organizations develop. Each organization has a different set of playbook tools, methodologies, protocols, and procedures that they adhere to, and different individuals are involved at each step of the response process, depending on the country they are in. For example, incident notification requirements from government-imposed laws and regulations, along with compliance standards, affect the content in the playbooks. These requirements are subject to change based on where the incident originated and the type of data affected. Incident and vulnerability response playbooks Incident and vulnerability response playbooks are commonly used by entry-level cybersecurity professionals. They are developed based on the goals outlined in an organization’s business continuity plan. A business continuity plan is an established path forward allowing a business to recover and continue to operate as normal, despite a disruption like a security breach. These two types of playbooks are similar in that they both contain predefined and up-to-date lists of steps to perform when responding to an incident. Following these steps is necessary to ensure that you, as a security professional, are adhering to legal and organizational standards and protocols. These playbooks also help minimize errors and ensure that important actions are performed within a specific timeframe. When an incident, threat, or vulnerability occurs or is identified, the level of risk to the organization depends on the potential damage to its assets. A basic formula for determining the level of risk is that risk equals the likelihood of a threat. For this reason, a sense of urgency is essential. Following the steps outlined in playbooks is also important if any forensic task is being carried out. Mishandling data can easily compromise forensic data, rendering it unusable. Common steps included in incident and vulnerability playbooks include: 1.) Preparation: Before incidents occur, mitigate potential impacts on the organization by documenting, establishing staffing plans, and educating users. 2.) Detection & Analysis: Detect and analyze events by implementing defined processes and appropriate technology. 3.) Containment: Prevent further damage and reduce immediate impact of incidents. 4.) Eradication & Recovery: Completely remove artifacts (malicous code, malware & fix vulnerabilities) of the incident so that an organization can return to normal operations. 5.) Post-Incident Activity: Document the incident, inform organizational leadership, and apply lessons learned. 6.) Coordination: Report incidents and share information throughout the response process, based on established standards. Additional steps include performing post-incident activities, and a coordination of efforts throughout the investigation and incident and vulnerability response stages. Key takeaways It is essential to refine processes and procedures outlined in a playbook. With every documented incident, cybersecurity teams need to consider what was learned from the incident and what improvements should be made to handle incidents more effectively in the future. Playbooks create structure and ensure compliance with the law. Playbooks, SIEM tools, and SOAR tools Previously, you learned that security teams encounter threats, risks, vulnerabilities, and incidents on a regular basis and that they follow playbooks to address security-related issues. In this reading, you will learn more about playbooks, including how they are used in security information and event management (SIEM) and security orchestration, automation, and response (SOAR). Playbooks and SIEM tools Playbooks are used by cybersecurity teams in the event of an incident. Playbooks help security teams respond to incidents by ensuring that a consistent list of actions are followed in a prescribed way, regardless of who is working on the case. Playbooks can be very detailed and may include flow charts and tables to clarify what actions to take and in which order. Playbooks are also used for recovery procedures in the event of a ransomware attack. Different types of security incidents have their own playbooks that detail who should take what action and when. Playbooks are generally used alongside SIEM tools. If, for example, unusual user behavior is flagged by a SIEM tool, a playbook provides analysts with instructions about how to address the issue. Playbooks and SOAR tools Playbooks are also used with SOAR tools. SOAR tools are similar to SIEM tools in that they are used for threat monitoring. SOAR is a piece of software used to automate repetitive tasks generated by tools such as a SIEM or managed detection and response (MDR). For example, if a user attempts to log into their computer too many times with the wrong password, a SOAR would automatically block their account to stop a possible intrusion. Then, analysts would refer to a playbook to take steps to resolve the issue. Key takeaways What is most important to know is that playbooks, also sometimes referred to as runbooks, provide detailed actions for security teams to take in the event of an incident. Knowing exactly who needs to do what and when can help reduce the impact of an incident and reduce the risk of damage to an organization’s critical assets. Hello and welcome to Connect and Protect: Networks and Network Security, the third course in the Google Cybersecurity Certificate. You’re on an exciting journey! Technical Learning Objectives 🎯 Course 3: Connect & Protect: Networks & Network Security Module 1: Network Architecture Define types of networks Describe physical components of a network Understand how the TCP/IP model provides a framework for network communication Explain how data is sent and received over a network Explain network architecture Module 2: Network Operations Recognize network protocols Describe the protocol(s) used to transmit and access data over wireless networks Describe a firewall Identify common network security measures and protocols Learn More About Network Devices Explain the difference in function between various components of a network, such as Hosts, Repeaters, Hubs, Switches, Routers and Bridges Explain how devices on a network connect with each other, and the purpose of IP Addresses Learn More About the OSI Model Explain the roles and differences between the different layers of the OSI model, including the Physical, Data Link, Network, Transport, Session, Presentation and Application layers Explain how the different layers work together Learn More About Network Protocols Explain what protocols are and what some of the most common ones are Explain how some common protocols work, such as FTP, SMTP, SSL, HTTP, HTTPS, DNS, DHCP Module 1: Network architecture You'll be introduced to network security and explain how it relates to ongoing security threats and vulnerabilities. You will learn about network architecture and mechanisms to secure a network. Module 2: Network operations You will explore network protocols and how network communication can introduce vulnerabilities. In addition, you'll learn about common security measures, like firewalls, that help network operations remain safe and reliable. Module 3: Secure against network intrusions You will understand types of network attacks and techniques used to secure compromised network systems and devices. You'll explore the many ways that malicious actors exploit vulnerabilities in network infrastructure and how cybersecurity professionals identify and close potential loopholes. Module 4: Security hardening You will become familiar with network hardening practices that strengthen network systems. You'll learn how security hardening helps defend against malicious actors and intrusion methods. You'll also learn how to use security hardening to address the unique security challenges posed by cloud infrastructures. Network: group of connected devices Local Area Network (LAN): A network that spans a small area such as an office building, school or home. Wide Area Network (WAN): A network that covers a large geographical area- like a city, state or country. Hub: A network device that broadcasts information to every device on the network. Think of a hub like a radio tower that broadcasts a signal to any radio tuned to the correct frequency. Switch: A device that makes connections between specific devices on a network by sending and receiving data between them. A switch is more intelligent than a hub. It only passes data to the intended destination. This makes switches more secure than hubs, and enables them to control the flow of traffic and improve network performance. Router: A router is a network device that connects multiple networks together. For example, if a computer in one network wants to send information to a tablet on another network, then the information will be transferred as follows: 1. First, the information travels from the computer to the router. 2. Then, the router reads the destination address, and forwards the data to the intended network's router. 3. Finally, the receiving router directs that information to the tablet. Modem: A modem is a device that connects your router to the internet, and brings internet access to the LAN. For example, if a computer from one network wants to send information to a device on a network in a different geographic location, it would be transferred as follows: 1. The computer would send information to the router, and the router would then transfer the information through the modem to the internet. 2. The intended recipient's modem receives the information, and transfers it to the router. 3. Finally, the recipient's router forwards that information to the destination device. Network tools such as hubs, switches, routers, and modems are physical devices. However, many functions performed by these physical devices can be completed by virtualization tools. Virtualization tools: Are pieces of software that perform network operations. Virtualization tools carry out operations that would normally be completed by a hub, switch, router, or modem, and they are offered by Cloud service providers. These tools provide opportunities for cost savings and scalability. Network devices Network devices maintain information and services for users of a network. These devices connect over wired and wireless connections. After establishing a connection to the network, the devices send data packets. The data packets provide information about the source and the destination of the data. This is how the information is sent and received via different devices on a network. The network is the overall infrastructure that allows devices to communicate with each other. Network devices are specialized vehicles like routers and switches that manage what is being sent and received over the network. Additionally, devices like computers and phones connect to the network via network devices. Note: In this diagram, a router connects to the internet through a modem, which is provided by your internet service provider (ISP). The firewall is a security device that monitors incoming and outgoing traffic on your network. The router then directs traffic to the devices on your home network, which can include computers, laptops, smartphones, tablets, printers, and other devices. You can imagine here that the server is a file server. All devices on this network can access the files in this server. This diagram also includes a switch which is an optional device that can be used to connect more devices to your network by providing additional ports and Ethernet connections. Additionally, there are 2 routers connected to the switch here for load balancing purposes which will improve the performance of the network. Devices and desktop computers Most internet users are familiar with everyday devices, such as personal computers, laptops, mobile phones, and tablets. Each device and desktop computer has a unique MAC address and IP address, which identify it on the network. They also have a network interface that sends and receives data packets. These devices can connect to the network via a hard wire or a wireless connection. Firewalls A firewall is a network security device that monitors traffic to or from your network. It is like your first line of defense. Firewalls can also restrict specific incoming and outgoing network traffic. The organization configures the security rules of the firewall. Firewalls often reside between the secured and controlled internal network and the untrusted network resources outside the organization, such as the internet. Remember, though, firewalls are just one line of defense in the cybersecurity landscape. Servers Servers provide information and services for devices like computers, smart home devices, and smartphones on the network. The devices that connect to a server are called clients. The following graphic outlines this model, which is called the client-server model. In this model, clients send requests to the server for information and services. The server performs the requests for the clients. Common examples include DNS servers that perform domain name lookups for internet sites, file servers that store and retrieve files from a database, and corporate mail servers that organize mail for a company. Hubs and Switches Hubs and switches both direct traffic on a local network. A hub is a device that provides a common point of connection for all devices directly connected to it. Hubs additionally repeat all information out to all ports. From a security perspective, this makes hubs vulnerable to eavesdropping. For this reason, hubs are not used as often on modern networks; most organizations use switches instead. Hubs are more commonly used for a limited network setup like a home office. Switches are the preferred choice for most networks. A switch forwards packets between devices directly connected to it. They analyze the destination address of each data packet and send it to the intended device. Switches maintain a MAC address table that matches MAC addresses of devices on the network to port numbers on the switch and forwards incoming data packets according to the destination MAC address. Switches are a part of the data link layer in the TCP/IP model. Overall, switches improve performance and security. Routers connect networks and direct traffic, based on the IP address of the destination network. Routers allow devices on different networks to communicate with each other. In the TCP/IP model, routers are a part of the network layer. The IP address of the destination network is contained in the IP header. The router reads the IP header information and forwards the packet to the next router on the path to the destination. This continues until the packet reaches the destination network. Routers can also include a firewall feature that allows or blocks incoming traffic based on information in the transmission. This stops malicious traffic from entering the private network and damaging the local area network. Modems and wireless access points Modems usually connect your home or office with an internet service provider (ISP). ISPs provide internet connectivity via telephone lines or coaxial cables. Modems receive transmissions or digital signals from the internet and translate them into analog signals that can travel through the physical connection provided by your ISP. Usually, modems connect to a router that takes the decoded transmissions and sends them on to the local network. Note: Enterprise networks used by large organizations to connect their users and devices often use other broadband technologies to handle high-volume traffic, instead of using a modem. Wireless access point A wireless access point sends and receives digital signals over radio waves creating a wireless network. Devices with wireless adapters connect to the access point using Wi-Fi. Wi-Fi refers to a set of standards that are used by network devices to communicate wirelessly. Wireless access points and the devices connected to them use Wi-Fi protocols to send data through radio waves where they are sent to routers and switches and directed along the path to their final destination. Using network diagrams as a security analyst Network diagrams allow network administrators and security personnel to imagine the architecture and design of their organization’s private network. Network diagrams are maps that show the devices on the network and how they connect. Network diagrams use small representative graphics to portray each network device and dotted lines to show how each device connects to the other. By studying network diagrams, security analysts develop and refine their strategies for securing network architectures. Cloud Network: A collection of servers or computers that store resources and data in remote data centers that can be accessed by the internet- referred to as being hosted “ In the cloud” Cloud Service Providers Offer- (via cloud computing) On demand storage and processings, web analytics that customers can used to monitor their network traffic (access and identity) and sales power that customers pay for as needed- which saves organizations money and simplify operations. Cloud Security is a significant aspect of network security. Cloud computing and software-defined networks In this section of the course, you’ve been learning the basic architecture of networks. You’ve learned about how physical network devices like workstations, servers, routers, and switches connect to each other to create a network. Networks may cover small geographical areas, as is the case in a local area network (LAN). Or they may span a large geographic area, like a city, state, or country, as is the case in a wide area network (WAN). You also learned about cloud networks and how cloud computing has grown in recent years. In this reading, you will further examine the concepts of cloud computing and cloud networking. You’ll also learn about hybrid networks and software-defined networks, as well as the benefits they offer. This reading will also cover the benefits of hosting networks in the cloud and why cloud-hosting is beneficial for large organizations. Computing processes in the cloud Traditional networks are called on-premise networks, which means that all of the devices used for network operations are kept at a physical location owned by the company, like in an office building, for example. Cloud computing, however, refers to the practice of using remote servers, applications, and network services that are hosted on the internet instead of at a physical location owned by the company. A cloud service provider (CSP) is a company that offers cloud computing services. These companies own large data centers in locations around the globe that house millions of servers. Data centers provide technology services, such as storage, and compute at such a large scale that they can sell their services to other companies for a fee. Companies can pay for the storage and services they need and consume them through the CSP’s application programming interface (API) or web console. CSPs provide three main categories of services: Software as a service (SaaS) refers to software suites operated by the CSP that a company can use remotely without hosting the software. Infrastructure as a service (IaaS) refers to the use of virtual computer components offered by the CSP. These include virtual containers and storage that are configured remotely through the CSP’s API or web console. Cloud-compute and storage services can be used to operate existing applications and other technology workloads without significant modifications. Existing applications can be modified to take advantage of the availability, performance, and security features that are unique to cloud provider services. Platform as a service (PaaS) refers to tools that application developers can use to design custom applications for their company. Custom applications are designed and accessed in the cloud and used for a company’s specific business needs. Hybrid cloud environments When organizations use a CSP’s services in addition to their on-premise computers, networks, and storage, it is referred to as a hybrid cloud environment. When organizations use more than one CSP, it is called a multi-cloud environment. The vast majority of organizations use hybrid cloud environments to reduce costs and maintain control over network resources. Software-defined networks CSPs offer networking tools similar to the physical devices that you have learned about in this section of the course. Next, you’ll review software-defined networking in the cloud. Software-defined networks (SDNs) are made up of virtual network devices and services. Just like CSPs provide virtual computers, many SDNs also provide virtual switches, routers, firewalls, and more. Most modern network hardware devices also support network virtualization and software-defined networking. This means that physical switches and routers use software to perform packet routing. In the case of cloud networking, the SDN tools are hosted on servers located at the CSP’s data center. Benefits of cloud computing and software-defined networks Three of the main reasons that cloud computing is so attractive to businesses are reliability, decreased cost, and increased scalability. Reliability Reliability in cloud computing is based on how available cloud services and resources are, how secure connections are, and how often the services are effectively running. Cloud computing allows employees and customers to access the resources they need consistently and with minimal interruption. Cost Traditionally, companies have had to provide their own network infrastructure, at least for internet connections. This meant there could be potentially significant upfront costs for companies. However, because CSPs have such large data centers, they are able to offer virtual devices and services at a fraction of the cost required for companies to install, patch, upgrade, and manage the components and software themselves. Scalability Another challenge that companies face with traditional computing is scalability. When organizations experience an increase in their business needs, they might be forced to buy more equipment and software to keep up. But what if business decreases shortly after? They might no longer have the business to justify the cost incurred by the upgraded components. CSPs reduce this risk by making it easy to consume services in an elastic utility model as needed. This means that companies only pay for what they need when they need it. Changes can be made quickly through the CSPs, APIs, or web console—much more quickly than if network technicians had to purchase their own hardware and set it up. For example, if a company needs to protect against a threat to their network, web application firewalls (WAFs), intrusion detection/protection systems (IDS/IPS), or L3/L4 firewalls can be configured quickly whenever necessary, leading to better network performance and security. Key takeaways In this reading, you learned more about cloud computing and cloud networking. You learned that CSPs are companies that own large data centers that house millions of servers in locations all over the globe and then provide modern technology services, including compute, storage, and networking, through the internet. SDNs are an approach to network management. SDNs enable dynamic, programmatically efficient network configurations to improve network performance and monitoring. This makes it more like cloud computing than traditional network management. Organizations can improve reliability, save costs, and scale quickly by using CSPs to provide networking services instead of building and maintaining their own network infrastructure. Data Packet: A basic unit of information that travels from one device to another within a network. - When data is sent from one device to another across a network, it is sent as a packet that contains information about where the packet is going, where it's coming from, and the content of the message. - A data packet is very similar to a physical letter. It contains a header that includes the internet protocol address, the IP address, and the media access control, or MAC, address of the destination device. It also includes a protocol number that tells the receiving device what to do with the information in the packet. Then there's the body of the packet, which contains the message that needs to be transmitted to the receiving device. Finally, at the end of the packet, there's a footer, similar to a signature on a letter, the footer signals to the receiving device that the packet is finished. The movement of data packets across a network can provide an indication of how well the network is performing. Network performance can be measured by bandwidth. 1. Bandwidth: Refers to the amount of data a devices receives every second. - You can calculate bandwidth by dividing the quantity of data by the time in seconds. - Speed refers to the rate at which data packets are received or downloaded. - Security personnel are interested in network bandwidth and speed because if either are irregular, it could be an indication of an attack. Packet sniffing is the practice of capturing and inspecting data packets across the network. 2. Packet sniffing is the practice of capturing and inspecting data packets across the network. Now that we've discussed the structure of a network and how communications takes place, it's important for you to know how the security professionals identify problems that might arise. TCP/IP Model: A framework used to visualize how data is organized and transmitted across a network. 4 Layers of the TCP/IP Model 1. Network Access Layer - Creation of data packets and their transmission across a network - This includes hardware devices connected to physical cables and switches that direct the data to its destination. 2. Internet Layer - Where IP address are attached to data packets to indicate the location of the sender and reciever - Also focuses on how networks will connect to each other- Decides if an data packets will stay on the LAN (Local Area Network) or sent over to the WAN (Wide Area Network) 3. Transport Layer - Protocols to control the flow of traffic across a network. - These protocols permit or deny communication with other devices, and includes information about the status of a connection. - Activities at this layer include Error Control- which is to ensure/determine if data is moving correctly across a network 4. Application Layer - How the data packets will interact with receiving devices - Functions that are organized at this level include: File Transfers & Email Services Learn more about the TCP/IP model In this reading, you will build on what you have learned about the Transmission Control Protocol/Internet Protocol (TCP/IP) model, consider the differences between the Open Systems Interconnection (OSI) model and TCP/IP model, and learn how they’re related. Then, you’ll review each layer of the TCP/IP model and go over common protocols used in each layer. ---------------------------------------------------------------------------------------------------------------------------- As a security professional, it's important that you understand the TCP/IP model because it describes the functions of various network protocols. The TCP/IP model is based on the TCP/IP protocols suite that includes all network protocols that support the main TCP/IP protocol. To reiterate from previous lessons, a network protocol, also known as an internet protocol, is a set of standards used for routing and addressing data packets as they travel between devices on a network. In this reading, you will learn which network protocols operate on which communication layers of the TCP/IP model. The two most common models available are the TCP/IP and the OSI model. These models are a representative guideline of how hosts communicate across a network. The examples provided in this course will follow the TCP/IP model. The TCP/IP model The TCP/IP model is a framework used to visualize how data is organized and transmitted across a network. This model helps network engineers and network security analysts conceptualize processes on the network and communicate where disruptions or security threats occur. The TCP/IP model has four layers: the network access layer, internet layer, transport layer, and application layer. When troubleshooting issues on the network, security professionals can analyze which layers were impacted by an attack based on what processes were involved in an incident. Network access layer The network access layer, sometimes called the data link layer, deals with the creation of data packets and their transmission across a network. This layer corresponds to the physical hardware involved in network transmission. Hubs, modems, cables, and wiring are all considered part of this layer. The address resolution protocol (ARP) is part of the network access layer. Since MAC addresses are used to identify hosts on the same physical network, ARP is needed to map IP addresses to MAC addresses for local network communication. Internet layer The internet layer, sometimes referred to as the network layer, is responsible for ensuring the delivery to the destination host, which potentially resides on a different network. It ensures IP addresses are attached to data packets to indicate the location of the sender and receiver. The internet layer also determines which protocol is responsible for delivering the data packets and ensures the delivery to the destination host. Here are some of the common protocols that operate at the internet layer: Internet Protocol (IP). IP sends the data packets to the correct destination and relies on the Transmission Control Protocol/User Datagram Protocol (TCP/UDP) to deliver them to the corresponding service. IP packets allow communication between two networks. They are routed from the sending network to the receiving network. TCP in particular retransmits any data that is lost or corrupt. Internet Control Message Protocol (ICMP). The ICMP shares error information and status updates of data packets. This is useful for detecting and troubleshooting network errors. The ICMP reports information about packets that were dropped or that disappeared in transit, issues with network connectivity, and packets redirected to other routers. Transport layer The transport layer is responsible for delivering data between two systems or networks and includes protocols to control the flow of traffic across a network. TCP and UDP are the two transport protocols that occur at this layer. Transmission Control Protocol The Transmission Control Protocol (TCP) is an internet communication protocol that allows two devices to form a connection and stream data. It ensures that data is reliably transmitted to the destination service. TCP contains the port number of the intended destination service, which resides in the TCP header of a TCP/IP packet. User Datagram Protocol The User Datagram Protocol (UDP) is a connectionless protocol that does not establish a connection between devices before transmissions. It is used by applications that are not concerned with the reliability of the transmission. Data sent over UDP is not tracked as extensively as data sent using TCP. Because UDP does not establish network connections, it is used mostly for performance sensitive applications that operate in real time, such as video streaming. Application layer The application layer in the TCP/IP model is similar to the application, presentation, and session layers of the OSI model. The application layer is responsible for making network requests or responding to requests. This layer defines which internet services and applications any user can access. Protocols in the application layer determine how the data packets will interact with receiving devices. Some common protocols used on this layer are: Hypertext transfer protocol (HTTP) Simple mail transfer protocol (SMTP) Secure shell (SSH) File transfer protocol (FTP) Domain name system (DNS) Application layer protocols rely on underlying layers to transfer the data across the network. The OSI visually organizes network protocols into different layers. Network professionals often use this model to communicate with each other about potential sources of problems or security threats when they occur. The TCP/IP model combines multiple layers of the OSI model. There are many similarities between the two models. Both models define standards for networking and divide the network communication process into different layers. The TCP/IP model is a simplified version of the OSI model. Key takeaways Both the TCP/IP and OSI models are conceptual models that help network professionals visualize network processes and protocols in regards to data transmission between two or more systems. The TCP/IP model contains four layers, and the OSI model contains seven layers. The OSI model So far in this section of the course, you learned about the components of a network, network devices, and how communication occurs across a network. You also studied the TCP/IP model to understand how network communication is organized across different layers of the internet. All communication on a network is organized using network protocols. Previously, you learned about the Transmission Control Protocol (TCP), which establishes connections between two devices, and the Internet Protocol (IP), which is used for routing and addressing data packets as they travel between devices on a network. These protocols are used on specific internet layers in the TCP/IP model. The 4-layer TCP/IP model is a condensed form of the OSI (open Systems Interconnection) model, which is made up of 7 layers. The OSI model will provide a more in depth understanding of the processes that occur at each layer. We will work backwards from layer seven to layer one, going from the processes that involve direct user interaction with the network to those that involve the physical connection to the internet via network components like cables and switches. This reading will also review the main differences between the TCP/IP and OSI models. The TCP/IP model vs. the OSI model The TCP/IP model is a framework used to visualize how data is organized and transmitted across a network. This model helps network engineers and security analysts conceptualize processes on the network and communicate where disruptions or security threats occur. The TCP/IP model has four layers: the network access layer, internet layer, transport layer, and application layer. When analyzing network events, security professionals can determine what layer or layers an attack occurred in based on what processes were involved in the incident. The OSI model is a standardized concept that describes the seven layers computers use to communicate and send data over the network. Network and security professionals often use this model to communicate with each other about potential sources of problems or security threats when they occur. Some organizations rely heavily on the TCP/IP model, while others prefer to use the OSI model. As a security analyst, it’s important to be familiar with both models. Both the TCP/IP and OSI models are useful for understanding how networks work. Layer 7: Application layer The application layer includes processes that directly involve the everyday user. This layer includes all of the networking protocols that software applications use to connect a user to the internet. This characteristic is the identifying feature of the application layer—user connection to the internet via applications and requests. An example of a type of communication that happens at the application layer is using a web browser. The internet browser uses HTTP or HTTPS to send and receive information from the website server. The email application uses simple mail transfer protocol (SMTP) to send and receive email information. Also, web browsers use the domain name system (DNS) protocol to translate website domain names into IP addresses which identify the web server that hosts the information for the website. Layer 6: Presentation layer Functions at the presentation layer involve data translation and encryption for the network. This layer adds to and replaces data with formats that can be understood by applications (layer 7) on both sending and receiving systems. Formats at the user end may be different from those of the receiving system. Processes at the presentation layer require the use of a standardized format. Some formatting functions that occur at layer 6 include encryption, compression, and confirmation that the character code set can be interpreted on the receiving system. One example of encryption that takes place at this layer is SSL, which encrypts data between web servers and browsers as part of websites with HTTPS. Layer 5: Session layer A session describes when a connection is established between two devices. An open session allows the devices to communicate with each other. Session layer protocols keep the session open while data is being transferred and terminate the session once the transmission is complete. The session layer is also responsible for activities such as authentication, reconnection, and setting checkpoints during a data transfer. If a session is interrupted, checkpoints ensure that the transmission picks up at the last session checkpoint when the connection resumes. Sessions include a request and response between applications. Functions in the session layer respond to requests for service from processes in the presentation layer (layer 6) and send requests for services to the transport layer (layer 4). Layer 4: Transport layer The transport layer is responsible for delivering data between devices. This layer also handles the speed of data transfer, flow of the transfer, and breaking data down into smaller segments to make them easier to transport. Segmentation is the process of dividing up a large data transmission into smaller pieces that can be processed by the receiving system. These segments need to be reassembled at their destination so they can be processed at the session layer (layer 5). The speed and rate of the transmission also has to match the connection speed of the destination system. TCP and UDP are transport layer p

Introduction to Cybersecurity PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue