This is the second course of the Google Cybersecurity Certificate Course on Coursera. Again it’s a mix of my notes and definitions from the course.

Here is a link to my main page for the course.

Course 2 Overview

  • CISSP’s eight security domains
  • Security frameworks and controls
  • Basic security tools
  • Use playbooks to respond to incidents

Module 1: Security domains

More on the eight CISSP security domains

Eight CISSP domains. Security teams use them to organize daily task and identify gaps in security. So it’s very important to know and understand the domains.

Security posture: An organization’s ability to manage its defense of critical assets and data, and react to change.

Domain 1: Security and risk management: Focused on defining security goals and objectives, risk mitigation, compliance, business continuity, and legal regulations.

E.g. infosec playbooks. Includes cloud security and infrastructure security.

Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach.

Business continuity: An organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans.

Domain 2: Asset Security: Focused on securing digital and physical assets. It’s also related to the storage, maintenance, retention, and destruction of data.

E.g. you might have to oversee the destruction of data. Also includes things like security impact analysis, recovery plans, etc.

Domain 3: Security architecture and engineering: Focused on optimizing data security by ensuring effective tools, systems, and processes are in place to protect an organization’s assets and data.

Shared responsibility: All individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security.

Includes concepts like zero trust, defense in depth, least privilege, etc.

Domain 4: Communication and network security: Focused on managing and securing physical networks and wireless communications.

E.g. employees working remotely at a public cafe.

Domain 5: Identity and access management (IAM): Focused on access and authorization to keep data secure, by making sure users follow established policies to control and manage assets.

Components of IAM

  • Identification (user verifies who they are)
  • Authentication (verification process)
  • Authorization (id confirmed)
  • Accountability (e.g. login attempts)

Least privilege: granting only the minimal access and authorization required to complete a task.

Domain 6: Security assessment and testing: Focused on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities.

Essentially it’s testing to see if current controls work, what can be improved, etc. E.g. MFA. Pen testing as well.

Domain 7: Security operations: Focused on conducting investigations and implementing preventative measures. E.g. forensic investigations.

Training and awareness, SIEM tools, log management, playbooks, etc.

Domain 8: Software development security: Focused on using secure coding practices. E.g. secure design all the way through, including pen testing, so that security is embedded.

Tip: Be like a t-shape. Tech skills and soft skills. Also analysis skills. You work with people and processes for the most part. Don’t be discouraged if they’re something you’re not great at.

Another tip: Get real familiar with the eight security domains. You’ll need to be cozy with these concepts.

Threats, risks, and vulnerabilities

Threat: Any circumstance or event that can negatively impact assets.

Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables. E.g. phishing.

Risk: Anything that can impact the confidentiality integrity, or availability of an asset. I.e. the likelihood of a threat occurring.

Low-risk asset: Information that would not harm the organization’s reputation or ongoing operations, and would not cause financial damage if compromised.

Medium-risk asset: Information that’s not available to the public and may cause some damage to the organization’s finances, reputation, or ongoing operations.

High-risk asset: Information protected by regulations or laws, which if compromised would have a severe negative impact on an organization’s finances, ongoing operations, or reputation. E.g. leaked PII, SPII, or IP.

Vulnerability: A weakness that can be exploited by a threat. Note: vulnerability + risk = threat. People can be a vulnerability.

Tip: Educating people on security best practices is part of the job.

Impacts of threats, risks, and vulnerabilities

Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access.

Layers of the web

  • Surface web
    • Most people use it. Web browser.
  • Deep web
    • Usually requires authorization to access it. E.g. an organization’s intranet.
  • Dark web
    • Can only be accessed by using special software. Preferred by criminals.

Key impacts

  • Financial
    • Interrupted services, costs to return to business
  • Identity theft
    • Storing any kind of sensitive data is a risk for an organization.
  • Reputation
    • When a company gets pwned, people will look for alternatives.

NIST’s Risk Management Framework (RMF)

Important to be familiar with it.

RMF

  • Prepare
    • Activities that are necessary to manage security and privacy risks before a breach occurs.
  • Categorize
    • Used to develop risk management processes and tasks.
  • Select
    • Choose, customize, and capture documentation of the controls that protect an organization. E.g. keeping a playbook up to date.
  • Implement
    • Implement security and privacy plans for the organization. E.g. employees constantly need password resets.
  • Assess
    • Determine if established controls are implemented correctly. E.g. identify potential weaknesses.
  • Authorize
    • Being accountable for the security and privacy risks that may exist in an organization. E.g. generating reports.
  • Monitor
    • Be aware of how systems are operating. E.g. knowing how the current systems meet the security goals.

Tip: You might not be in charge of setting up the framework, but it’s good to be aware of it in your day-to-day.

Recap

  • CISSP’s eight security domains
  • Threats, risks, and vulnerabilities
  • Layers of the web
  • NIST RMF

Module 2: More about frameworks and controls

  • Frameworks
  • Controls
  • Design principles
  • Security audits

Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy.

Includes digital and physical assets.

People are the biggest threat to security.

Security controls: Safeguards designed to reduce specific security risks.

Three common types:

  • Encryption: The process of converting data from a readable format to an encoded format. E.g. plain text to cipher text.
  • Authentication: The process of verifying who someone or something is. E.g. logging into a website with your username and password. MFA.
    • Biometrics: Unique physical characteristics that can be used to verify a person’s identity. E.g. fingerprint, eye scan, palm scan.
      • Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source. Authorization: The concept of granting access to specific resources within a system. E.g. used to verify that a person has permission to access a resource.

Physical controls:

  • Gates, fences, and locks
  • Security guards
  • CCTV, cams
  • Access card or badges

Technical controls:

  • Firewalls
  • MFA
  • Antivirus software

Admin controls:

  • Separation of duties
  • Authorization
  • Asset classification

Explore the CIA triad: A model that helps inform how organizations consider risk when setting up systems and security policies.

Confidentiality: Only authorized users can access specific assets or data. Need to know basis.

Integrity: The data is correct, authentic, and reliable.

Availability: Data is accessible to those who are authorized to access it.

NIST frameworks

NIST Cybersecurity Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

NIST S.P. 800-53: A unified framework for protecting the security of information systems within the federal government (US).

Five functions of the NIST Cybersecurity Framework (CSF)

  • Identify: The management of cybersecurity risk and its effect on an organization’s people and assets. E.g. monitor systems and devices.
  • Protect: The strategy used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats. E.g. see new threats, study historical data.
  • Detect: Identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections. E.g. review a new tool setup - low / med / high risk.
  • Respond: Making sure the proper procedures are used to contain, neutralize, and analyze security incidents, and implement improvements to the security process.
  • Recover: The process of returning affected systems back to normal operation.

OWASP security principles

  • Minimize attack surface area. E.g. attack vectors. Could disable features, etc.
  • Principle of least privilege. Least amount of access required.
  • Defense in depth. Multiple security controls. E.g. MFA, firewalls, permission settings.
  • Separation of duties. Prevent individuals. No one should be given so many privileges.
  • Keep security simple. KISS.
  • Fix security issues correctly.

Tip: Research security trends. E.g. Medium. Network, go to conferences.

Plan and complete a security audit Put it all together.

It’s a review of an organization’s security controls, policies, and procedures against a set of expectations.

External and internal. We’ll focus on internal.

Usually conducted by a team of people.

Purposes

  • Identify organizational risk
  • Asses controls
  • Compliance issues

Common elements

  • Establish the scope and goals
  • Conduct a risk assessment
  • Complete a controls assessment
  • Assess compliance
  • Communicate results

Audit questions

  • What is the audit meant to achieve?
  • Which assets are most at risk?
  • Are current controls sufficient to protect those assets?
  • What controls and compliance regulations need to be implemented?

Control categories

  • Administrative. Policies and procedures. E.g. password policies.
  • Technical. Hardware and software solutions.
  • Physical. CCTV, locks.

Stakeholder communication

  • Summarizes scope and goals
  • Lists existing risks
  • Notes how quickly those risks need to be addressed
  • Identifies compliance regulations
  • Provides recommendations

Recap

  • Frameworks
  • Controls
  • Design principles
  • Security audits

Module 3: Security information and event management (SIEM) dashboards

  • Logs
  • SIEM dashboards
  • Common SIEM tools

Log: A record of events that occur within an organization’s systems and networks.

Common log sources

  • Firewall logs
  • Network logs
  • Server logs

Firewall log: A record of attempted or established connections for incoming traffic from the internet. It also includes outbound requests to the internet from within the network.

Network log: A record of all computers and devices that enter and leave the network. It also records connections between devices and services on the network.

Server log: A record of events related to services, such as websites, emails, or file shares. It includes actions such as login, password, and username requests.

SIEM tool: An application that collects and analyzes log data to monitor critical activities in an organization.

  • Need to continually tweaked.

SIEM dashboards

  • It’s like a weather app. Makes things easy to see and analyze.

Common SIEM tools Types:

  • Self-hosted. Ideal for when you need to physically control the data
  • Cloud-hosted. Ideal for orgs that don’t want to invest in their own infrastructure
  • Hybrid. A mix

Splunk Enterprise: A self-hosed tool

Splunk cloud: cloud-hosted. Good for hybrid or cloud-hosted environment.

Open source: Suricata

Module 4: Playbooks

  • Playbooks
  • Six phases of an incident response playbook
    • Prepare
    • Detect
    • Analyze
    • Contain
    • Eradicate
    • Recover

Course 2 recap

  • CISSP’s eight security domains
  • Security frameworks and controls (CIA triad, NIST framework, design principles)
  • Security audits
  • Basic security tools (SIEM dashboards)
  • Protect assets and data with playbooks

Resources

Google Cybersecurity Certificate

NIST Cybersecurity Framework (CSF)

NIST Risk Management Framework (RMF)

NIST - Cybersecurity Risks

OWASP Top Ten

CISA Common Vulnerabilities and Exposures (CVE’s)

Physical Access Control - presentation by the US Department of Health and Human Services

NIST - Assessment & Auditing Resources

U.S. DHS - IT Disaster Recovery Plan

Glossary terms

Assess: The fifth step of the NIST RMF that means to determine if established controls are implemented correctly

Authorize: The sixth step of the NIST RMF that refers to being accountable for the security and privacy risks that may exist in an organization

Business continuity: An organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans

Categorize: The second step of the NIST RMF that is used to develop risk management processes and tasks

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies

External threat: Anything outside the organization that has the potential to harm organizational assets

Implement: The fourth step of the NIST RMF that means to implement security and privacy plans for an organization

Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk

Monitor: The seventh step of the NIST RMF that means be aware of how systems are operating

National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Prepare: The first step of the NIST RMF related to activities that are necessary to manage security and privacy risks before a breach occurs

Ransomware: A malicious attack where threat actors encrypt an organization’s data and demand payment to restore access

Risk: Anything that can impact the confidentiality, integrity, or availability of an asset

Risk mitigation: The process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach

Security posture: An organization’s ability to manage its defense of critical assets and data and react to change

Select: The third step of the NIST RMF that means to choose, customize, and capture documentation of the controls that protect an organization

Shared responsibility: The idea that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security

Security orchestration, automation, and response (SOAR): A collection of applications, tools, and workflows that use automation to respond to security events

Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables

Vulnerability: A weakness that can be exploited by a threat