This is the fifth course of the Google Cybersecurity Certificate Course on Coursera. Again it’s a mix of my notes and definitions from the course.

Here is a link to my main page for the course.

Course 5 Overview

  • Assets organizations protect
  • Security systems and controls
  • Common vulnerabilities in systems
  • Threats to asset security

Module 1: Introduction to asset security

Practice. It takes time and dedication.

Security risk planning

  • Assets
  • Threats
  • Vulnerabilities - flaws within an asset

Risk Anything that can impact the confidentiality, integrity, or availability of an asset.

Asset inventory. Keep track of everything valuable.

Asset classification. Rate your wallet above your shoes, for example.

  • Public
  • Internal-only
  • Confidential
  • Restricted - IP, sensitive information - need-to-know

Assets in a digital world Data: information that is translated, processed, or stored by a computer.

States of data Data in use Data in transit Data at rest

InfoSec: the practice of keeping data in all states away from unauthorized users.

Elements of a security plan Everyone needs to be on board. Be prepared for risks when they happen.

  1. Policies: sets of rules that reduce risk and protect information
  2. Standards: references that inform how to set policies
  3. Procedures: step–by-step instructions for how to complete security tasks

Risk categories Damage, disclosure, loss of information

NIST Cybersecurity Framework (CSF)

  • A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

  • Core
    • Identify
    • Protect
    • Detect
    • Respond
    • Recover
  • Tiers - a range of values
    • Level 1 - passive
    • Level 4 - exemplary
  • Profiles
    • Current state of a security plan

Note Regulations are rules that must be followed, while frameworks are voluntary resources.

Module 2: Protect organizational assets

No one is born knowing everything.

  • Effective data handling processes
  • The role of encryption and hashing in safeguarding information
  • Standard access controls

Types of security controls

  • Technical - encryption, auth, etc
  • Operational - day to day security, mainly people
  • Managerial - how the other two reduce risk - policies, procedures, etc.

Principle of least privilege: a security concept in which a user is only granted the minimum level of access and authorization required to complete a task or function.

Data owners, data custodians.

There are three common approaches to auditing user accounts:

  • Usage audits
  • Privilege audits
  • Account change audits

Data lifecyle

  • Collect
  • Store
  • Use
  • Archive

  • Destroy

  • Information privacy refers to the protection of unauthorized access and distribution of data.

  • Information security (InfoSec) refers to the practice of keeping data in all states away from unauthorized users.

The key difference: Privacy is about providing people with control over their personal information and how it’s shared. Security is about protecting people’s choices and keeping their information safe from potential threats.

Encryption methods Plaintext -> ciphertext -> plaintext

Need a cipher and a key.

Public Key Infrastructure (PKI)

  1. Exchange of encrypted information
  2. Establish trust using a system of digital certificates

Digital certificates are like digital ID badges.

Asymmetric vs symmetric encryption.

Symmetric encryption is the use of a single secret key to exchange information. Because it uses one key for encryption and decryption, the sender and receiver must know the secret key to lock or unlock the cipher. PKI uses both.

Asymmetric encryption is the use of a public and private key pair for encryption and decryption of data. It uses two separate keys: a public key and a private key. The public key is used to encrypt data, and the private key decrypts it. The private key is only given to users with authorized access.

Non-repudiation and hashing Use hash files to compare against vulns.

sha256sum

VirusTotal

Create hash values

sha256sum file1.txt

sha256sum file2.txt

sha256sum file1.txt >> file1hash

sha256sum file2.txt >> file2hash

cmp file1hash file2hash

Access controls and authentications systems AAA framework

  • Authentication
  • Authorization
  • Accounting

Authentication: who are you?

What you know - knowledge What you have - ownership What you are - characteristic

Single sign-on: a technology that combines several different logins into one

Combine SSO with MFA to improve security without sacrificing the user experience.

Authorization HTTP basic auth HTTPS OAuth - like using Google to sign into other services

*Accounting Logs monitoring Session: a sequence of network HTTP basic auth requests and responses associated with the same user. Session ID is created, attached to the user. Exchange of session cookies.

Identity and access management (IAM) is a collection of processes and technologies that helps organizations manage digital identities in their environment. Both AAA and IAM systems are designed to authenticate users, determine their access privileges, and track their activities within a system

Module 3: Vulnerabilities in systems

Vulnerability management

Finding and patching vulnerabilities

  1. Identify
  2. Consider potential exploits
  3. Prepare defenses against threats
  4. Evaluate those defenses

Zero-day an exploit that was previously unknown.

Defense-in-depth a layered approach to reduce risk. Aka the castle approach.

Five layer design

  1. Perimeter layer - usernames and passwords
  2. Network layer - firewalls
  3. Endpoint layer - laptop, desktop - anti virus
  4. Application layer - part of apps - MFA
  5. Data layer - PII - critical data

Common vulnerabilities and exposures

  • CVE list - created by MITRE, sponsored by US gov
  • CNA - an organization that volunteers to analyze and distribute information on eligible CVEs

CVE list criteria

  1. Independent of other issues
  2. Recognized as a potential security risk
  3. Submitted with supporting evidence
  4. Only affect one codebase

NIST National Vulnerabilities Database Common Vulnerability Scoring System (CVSS)

  • 4 or below is low risk
  • 9 or high should be immediate fixes

OWASP Top 10

  • Updated every few years
  • E.g. broken access control, injection, insecure design

Assessments

  • Internal review process
  • ID weak points and prevent attacks
  • Meet regulatory standards

Process

  1. Identification - current state of security system
  2. Analysis - test what’s identified
  3. Risk assessment - score each vuln and prioritize
  4. Remediation - joint effort to get best approach - enforcing new procedures

Vuln scanners analyze each of the five layers discussed above. External or internal, auth or unauth, limited or comprehensive

Module 4: Threats to asset security

  • Social engineering
  • Malware
  • Web-based exploits
  • Threat modeling

The criminal art of persuasion

Social engineering: a manipulation technique that exploits human error to gain private information, access, or valuables.

Stages of social engineering

  1. Prepare
  2. Establish trust
  3. Use persuasion tactics
  4. Disconnect from the target

Preventing social engineering

  • Implementing managerial controls
  • Staying informed of trends
  • Sharing your knowledge with others

Threat modeling: the process of identifying assets, their vulnerabilities, and how each is exposed to threats. Advance activity.

Threat modeling steps

  1. Define the scope
  2. Identify the threats
  3. Characterize the environment
  4. Analyze threats
  5. Mitigate risks
  6. Evaluate findings

PASTA: the process for attack simulation and threat analysis

  1. Define business and security objectives
  2. Define the technical scope
  3. Decompose the application
  4. Perform a threat analysis
  5. Perform a vulnerability analysis
  6. Conduct attack modeling
  7. Analyze risk and impact

Resources