
A.1.1. What is cybersecurity?

A.1.1.a. Module overview

This module focuses on some fundamentals about cybersecurity to get you
started within the course. You will learn about these topics:
 What is information security and cybersecurity?
 Objectives of information security, using the CIA triad
 Key elements of cybersecurity
 Risk and the methods to manage risk
 Common misconceptions about the cybersecurity industry
 Importance of laws and ethical considerations for the cybersecurity industry
A.1.1.b. Information security
Let’s start by thinking about what cybersecurity is and what we are trying to
accomplish. Most definitions of cybersecurity tend to focus on technology, so
a typical definition might include the “security of digital systems” or “security of
communications”. These definitions tend to get blurry, very quickly. For
instance:
 What if a fraudster sends an email to a person claiming to be from their
bank and asking for their personal identification number (PIN)? Is that a
cybersecurity concern?
 What if a private investigator calls an employee of a company to ask him
to print some confidential files and leave the papers in the mail room for
them to collect? Is that a cybersecurity concern?
In the real world, most attacks typically have some digital elements as well as
some human factors and occasionally a physical element too. Please keep
this in mind. We should not just focus on digital elements because this limits
our thought process and gives potential attackers greater flexibility. 
Let’s consider a new concept called information security. Information
security focuses on the value of the information we are trying to
protect rather than how we protect it. The following diagram shows that under
information security are the physical elements and digital elements.
 

 Physical security is the practice of physically protecting assets like
buildings, security cameras, equipment, and property from physical
threats such as theft, vandalism, fire, and natural disasters.
 Cybersecurity is the practice of protecting and recovering networks,
devices, and programs from any type of malicious cyber attack. 
 Good security cannot have one without the other and both must work
towards the same objectives. 
EXAMPLE
Let's consider this from a customer's perspective. Imagine that you go to a
travel company and share your passport details to book a trip abroad. What if
an employee of the company accidentally emails your passport details to the
wrong address or drops printed papers with your passport details from a
briefcase on a train? The result is the same. Your private information has been
compromised. In information security, the emphasis is on the
outcome rather than the exact method.
A.1.1.c. What are cybersecurity professionals trying to
accomplish? 
According to the National Institute of Standards and Technology
(NIST), information security is: "The protection of information and
information systems from unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide confidentiality, integrity, and
availability."
So, information security’s objectives are often defined using the CIA triad as
a good starting point. CIA is a mnemonic for the three
objectives: Confidentiality, Integrity, and Availability.
Confidentiality (information is private): Confidentiality means preventing
information from falling into the hands of people who do not have
authorization to access the information.

Integrity (information has not been altered): Integrity means making sure the
information stays accurate and consistent, and ensuring that unauthorized
people cannot make any changes to the information.

Availability (information can be accessed when required): Availability means
timely and reliable access to and use of the information when required.

 
The CIA triad is a model to help guide policies for information security within
an organization.
Different organizations and scenarios may mean that one objective is
prioritized over the others. 
EXAMPLE
Let's look at some examples to put the information security objectives into
context for you. 
 Confidentiality may be the most important objective for government
intelligence agencies. Think about the lengths they go to in order to keep
information private, such as using bespoke encryption or even lead-lined
briefcases that sink if thrown into a body of water.
 Integrity may be the most important objective for banks. Think about if
you spent USD $10 on a pizza. You would not be particularly concerned
about this transaction being confidential. However, if the transaction is
altered and you end up spending USD $10,000 instead, then you would
be in serious financial trouble. Should this happen at scale for your
bank, it could cease operating as a result of a loss of trust. 
 Availability may be the most important objective for a website. Think
about if you have a blog. You would not be particularly concerned if it
was confidential or an editor helps correct your spelling. You want it to
be there and available to you any time you want to update and publish it.
A.1.1.d. What do you think?
Let's look at how the information security objectives could relate to your day-
to-day life by evaluating assets that you likely value. In cybersecurity,
an asset is defined as something that has a value to its owner. Assets can be
digital, such as a program, or physical, such as a server. Sensitive information
such as databases, research, or records can also be called information
assets.
Consider your personal bank account, photo library, social media account, and
mobile phone. How would a loss of Confidentiality, Integrity, and
Availability impact you for each asset? Use this provided scale of 1 to 5 to
type your rating in the provided fields.
1) Low consequence: You would have no noticeable impact to day-to-day life.
3) Medium consequence: You would have minor impact resulting in a couple
of hours of lost time.
5) High consequence: You would have a life changing, massive impact that
could last for months or years.
The Highest value will calculate automatically so you can compare how you
value your assets and priorities.
EXAMPLE
There is one example already displaying for you: an online debate submission.
In this example:
 A loss of Confidentiality is considered annoying, but will have only a
minor impact and is given a rating of 2.
 A loss of Integrity from another person editing the submission could
start an argument, which could lead to wasted time making updates.
Integrity is therefore given a rating of 3.
 Finally, should the online comment disappear entirely, or become
inaccessible, there are virtually no impacts, so a loss of Availability is
given a rating of 1.
Now, using the rating system above, try and complete your evaluations.
Asset                     Confidentiality  Integrity  Availability  Highest value

Online debate submission  2                3          1             3

Bank account

Photo library

Social media account

Mobile phone

When you are finished, you can see that certain assets matter more to you
than others. This should correspond with the Highest values you see. Do any
of your evaluations of value surprise you?
From a security perspective, it is sensible to prioritize your protections around
the assets which matter most to you. For instance, the password for your
password manager may be 20+ characters long and kept private whereas a
home wifi password may occasionally be shared with friends and family!
In cybersecurity, organizations make these decisions all of the time.

A.1.2. Key elements of cybersecurity


There are many ways to secure information assets and deciding on the best
approach is an important consideration in cybersecurity.
EXAMPLE   
Imagine you have an expensive painting that you need to protect. One option
could be to hire some security guards to stand by the painting and constantly
watch it. Another option could be that you require all prospective visitors to
your painting to place a monetary deposit down or seek insurance
confirmation. Finally, you could opt for laser trip wires, security cameras, and
motion sensors to detect unknown people. Each of these options has various
advantages and disadvantages. Like all great heist movies, relying on only
one option may not be enough.
There are three key elements of cybersecurity to consider: people, process,
and technology.
These are the areas where an attacker could attack and where organizations
should focus cybersecurity efforts. Let's examine them further in this lesson.
A.1.2.a. People
As counter intuitive as it might be for a highly digital industry, people are the
most important part of cybersecurity. First, people are the end users of digital
systems and second, people are often those responsible for the design and
maintenance of digital systems. Human action is by far the leading cause of
cybersecurity incidents. When organizations design a secure system, they
must design with people in mind.
A common example of this going wrong is the case of alert fatigue. If people
receive too many notifications or alarms, then they eventually become
desensitized to it. Good systems will be designed to anticipate and make
allowances for human behavior.
A.1.2.b. Process
In business, most activities follow a clearly defined set of steps. These
processes can aid cybersecurity by considering security at each step or hinder
cybersecurity by being frustrating for the end user.
Imagine a process which makes a user complete a 20-question survey
whenever they wish to report suspicious activity. Many users, who could
contribute useful information, might be deterred and give up the process.
Good processes have the following attributes:
 They are clear and as easy as possible. During the process, it should
be obvious what to do at every stage. Processes should not use
unnecessary jargon or be written in an ambiguous fashion.
 They are accessible or well known. All users who could follow a
process at any stage, should know how to access the process. A good
example of this commonly being done well is with fire evacuations in
buildings. Most people know where the nearest evacuation points are
because of good signage.
 They are consistent. Processes should not contradict each other, if
possible. If a process has a lot of exceptions or deviations, it increases
complexity. Later, you will learn about how cyber attackers can exploit
this during their attacks.
A.1.2.c. Technology
Technology is all of the underlying infrastructure.
Within cybersecurity, this commonly covers elements such as device
encryption, network perimeter defenses, and anti-malware technologies. 
Within business, good uses of technology solve problems without creating new
ones for their users.
An example of good technical security is device management software, which
can track software patch statuses and apply updates. This is often an
essential tool for large organizations. If this is done correctly, then the
technology is non-intrusive and users will be secured in a passive manner. If
this is done poorly, then users might try to disable the software entirely. As
users of devices, you encounter this too. 
The following table shows some technological leaps for security, their
perceived drawbacks, and some downsides to their introduction from the user
perspective. 
Technological leap                        Business benefit                                          Perceived drawback                       Undesirable user response

Automated patch management                All software is up-to-date                                Interruptions to use of device           User does not power down devices

High complexity mandatory passwords       Harder for attackers to guess passwords                   Tedious to use                           P@ssw0rd!

Mandatory passwords expire after 30 days  Passwords cannot be compromised for long periods of time  Predictably repetitive                   PasswordJan to PasswordFeb

Encrypted emails                          Attackers cannot read emails in transit                   Additional configuration and complexity  Disable encryption feature

You can see it is important for organizations to educate users as to why
exactly the technology has been introduced and why perceived drawbacks
might be necessary.
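The "undesirable user response" column is the security point of the table: a policy that only checks character classes accepts exactly the passwords it was meant to prevent, because "P@ssw0rd!" and "PasswordFeb" satisfy the rule while still being the dictionary word or the old password. The following Python is an added illustration, not part of the original course material. The common-password list, the leet-substitution map and the month-suffix heuristic are constructed for the example; a real check would use a breached-password list with millions of entries.

```python
import re
from typing import Optional

# Constructed for this example: a tiny stand-in for a real breached/common-password list.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "admin", "changeme"}

# Substitutions people use to satisfy a complexity rule while keeping a dictionary word.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t"})

MONTHS = ("january", "february", "march", "april", "may", "june",
          "july", "august", "september", "october", "november", "december")
MONTH_SUFFIX = re.compile("(" + "|".join(MONTHS + tuple(m[:3] for m in MONTHS)) + ")$")


def meets_complexity_policy(pw: str) -> bool:
    """The 'high complexity mandatory password' rule from the table above:
    at least 8 characters with upper case, lower case, a digit and a symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def stem(pw: str) -> str:
    """Reduce a password to the word the user started from: drop trailing symbols
    and digits, undo common leet substitutions, then drop a trailing month name."""
    s = re.sub(r"[^A-Za-z0-9]+$", "", pw)   # "P@ssw0rd!"     -> "P@ssw0rd"
    s = re.sub(r"[0-9]+$", "", s)           # "Giraffe!Feb24" -> "Giraffe!Feb"
    s = s.translate(LEET_MAP).lower()       # "P@ssw0rd"      -> "password"
    s = re.sub(r"[^a-z]", "", s)            # "giraffe!feb"   -> "giraffefeb"
    return MONTH_SUFFIX.sub("", s)          # "giraffefeb"    -> "giraffe"


def evaluate(new_pw: str, previous_pw: Optional[str] = None) -> dict:
    """Compare what the complexity rule alone accepts with a check that also
    looks at the underlying word and at rotation from the previous password."""
    result = {"complexity_rule": meets_complexity_policy(new_pw)}
    if not result["complexity_rule"]:
        result.update(stronger_check=False, reason="fails complexity rule")
        return result
    base = stem(new_pw)
    if base in COMMON_PASSWORDS:
        result.update(stronger_check=False, reason=f"based on common password '{base}'")
    elif previous_pw is not None and stem(previous_pw) == base:
        result.update(stronger_check=False, reason="predictable rotation of previous password")
    else:
        result.update(stronger_check=True, reason="ok")
    return result


if __name__ == "__main__":
    # The two "undesirable user responses" from the table, plus one genuinely different password.
    for new, old in [("P@ssw0rd!", None), ("PasswordFeb1!", "PasswordJan1!"),
                     ("Giraffe!Feb24", "Giraffe!Jan24"), ("Tr0ub4dor&3", None)]:
        print(f"{new:15s} {evaluate(new, old)}")
```

Both table rows pass the complexity rule and fail the stronger check, which is the behaviour the table describes: the rule changes how the password looks, not how guessable it is.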
A.1.2.d. What do you think?
Here are some questions to think about. Please type your answer to each
question in the boxes. Reflecting and typing an answer is a good way to
process your thoughts. Your answers are just for you and are only saved in
this course for you. Be sure to click Save Text.
Think of a time when you have examined your own personal digital security for
your computer and/or devices. 
1. In terms of people, did you attempt to educate yourself to improve your
security posture?
 
2. In terms of process, did you start any new processes, such as enabling
two-factor authentication for each login?
 
3. In terms of technology, did you purchase or use a new technology to help
improve your personal security?

A.1.3. Risk management


Risks are part of everyday life and something we are all instinctively familiar
with. A risk is the possibility of something happening with a negative
consequence. Managing risk is at the heart of most businesses and the core
of many industries, such as the insurance industry. Good businesses
understand and manage risks effectively to give them a competitive
advantage. 
In this lesson, we'll explore some key concepts about risk and how they apply
to cybersecurity.
A.1.3.a. Risk valuation
All risks are not equally important. Certain risks may require urgent attention
whereas others may be ignored. Risks that are more significant, are known
as high risks. Here is a basic equation to calculate the value of a risk:
Risk value = Consequence x Likelihood

Consequence is the impact and associated damages.
Likelihood is how often the risk impact occurs.
Ideally, for mathematical reasons, it would be great if we had good statistical
information for every risk. If, for instance, we know on a given year that 1 in 10
cars will experience a flat tire, then the associated risk value can be easily
worked out. 
EXAMPLE  
An example of the risk value equation applied to the previous flat tire
scenario could be as follows. An individual may lose a day's productivity as a
result of getting a flat tire on the way to work. The consequence of this risk
would be the loss of one day of work. While this consequence is annoying,
remember the likelihood of the risk is low - 1 in 10 cars in a given year. This
means we may assess the overall risk value to be low.
Within cybersecurity, likelihood is hard to directly measure due to the constant
evolution of technology and involvement of outside attackers. As a good rule
of thumb, the likelihood of an organization being attacked depends partly on
three attributes as follows:
Likelihood = Adversary capability x Adversary motivation x Vulnerability severity

An adversary is a general term used to describe an entity who wishes to
compromise an information system. Later in this course, you will learn more
about how adversaries can be categorized. This will enable you to assign
values for their capabilities and motivations.
Vulnerabilities are potential weaknesses within a system that could be
exploited to compromise it. For instance, a vulnerability could be a webpage
that does not authenticate a user correctly. 
EXAMPLE  
An example of this second equation could be as follows. Let's imagine a bank
is being targeted by a criminal gang who is interested in stealing users'
banking login details and passwords. 
 The adversary capability could be assessed as medium because the
criminals could use a range of tools and develop their own tools if
required.
 Their motivation could be assessed as high because they could
attempt multiple attacks over a period of time.
 An identified vulnerability could be assessed as high because it is
comparatively easy to exploit. For example, certain vulnerabilities have
published descriptions online which enable attackers to mirror attacks
easily.
Note: Using the rating terms of "low", "medium", and "high" is an example of
qualitative analysis of risk. In an ideal world, we would use exact numbers or
percentages; however these can be hard to find so estimates are often all we
have.
A.1.3.b. Risk response
Once an organization has assessed all of its risks, the emphasis is then
placed upon risk management, or response. In general, there are four
responses to a risk that an organization could choose. The following table
describes them. 
Accept: The organization accepts the risk in its current form. This is a decision
that will be made by a senior individual within the organization, referred to as a
"risk owner".

Reduce: The organization could decide a risk is too large to accept and aim to
have it reduced in some fashion. This could be through reducing either the
likelihood or the consequence.

Transfer: The organization may want a third party to accept the risk, or part of
it, instead of accepting it themselves. This is typically done via insurance.

Reject: The organization could decide a risk is too high and may withdraw from
being affected by it. This will have significant business impacts such as
shutting down sites or avoiding markets.

 
EXAMPLE
Let's illustrate these four responses to a risk. Imagine that you are considering
starting a cake baking business at home. There is a risk that your kitchen
could be damaged if you set your oven on fire during the baking process. Here
are several responses to this risk.
 Acceptance: You could look at the risk and with faith in your baking,
take the chance that it is unlikely anything will go wrong. Should your
baking go wrong, you can repair your kitchen and are prepared to do so.
 Reduction: You decide that you would prefer your kitchen and oven are
not put at a high level of risk and you decide to reduce the risk. You
could reduce the likelihood of fire-related incidents by installing a smoke
detector to provide early warning. You could reduce the consequence of
a fire by having a fire suppression system installed. Both options will
incur a small cost, but you believe they are worth it.
 Transference: You go to your insurance company and upgrade your
insurance to cover home cooking related fires. They perform their own
assessment of the risk. Together you agree on a cost to pay them to
cover the risk. Should your oven catch fire, they will cover the costs.
This arrangement incurs a cost initially, but limits your liability.
 Rejection: You decide that the oven-related fire risk is too high. You
could change recipes to make cakes without using an oven or not start
your business in the first place.
As you can see from this example, there are many things to consider in even a
simple example. Businesses with rapidly changing IT technology face many
continually evolving risks. Risk management is a full time occupation in many
companies and guides a lot of both strategic and tactical decision making.
A.1.3.c. Risk appetite
A risk appetite is the level of risk an organization is willing to accept.
 An organization is said to have a high risk appetite if it is willing to
accept a high level of risk.
 An organization is said to have a low risk appetite if it does not like
accepting risk.
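To see how the two equations, the four responses and the risk appetite fit together, here is a small risk register in Python. It is an added example, not part of the original course. The numeric mapping of "low/medium/high" to 1/2/3, the appetite threshold of 20 and the rule for choosing a response are assumptions made for the illustration; the first register entry is the bank example from the lesson, and "patching" models a reduction that lowers vulnerability severity (and so likelihood) without changing consequence.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Qualitative ratings from the lesson mapped to numbers. The mapping is an
# assumption for this example; any monotonic scale works if used consistently.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    consequence: str             # impact if the risk materializes
    adversary_capability: str
    adversary_motivation: str
    vulnerability_severity: str

    def likelihood(self) -> int:
        # Likelihood = Adversary capability x Adversary motivation x Vulnerability severity
        return (SCALE[self.adversary_capability]
                * SCALE[self.adversary_motivation]
                * SCALE[self.vulnerability_severity])

    def value(self) -> int:
        # Risk value = Consequence x Likelihood
        return SCALE[self.consequence] * self.likelihood()


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest risk value first, so the register shows what needs attention."""
    return sorted(risks, key=lambda r: r.value(), reverse=True)


def recommend(risk: Risk, appetite: int, after_reduction: Optional[Risk] = None) -> str:
    """Assumed decision rule: accept anything within the risk appetite; otherwise
    reduce if the proposed control brings the risk within appetite; otherwise the
    risk owner must decide between transfer (insurance) and reject (withdraw)."""
    if risk.value() <= appetite:
        return "accept"
    if after_reduction is not None and after_reduction.value() <= appetite:
        return "reduce"
    return "transfer or reject"


# Constructed register. The first entry is the bank example from the lesson:
# medium capability, high motivation, an easily exploited (high) vulnerability.
credential_theft = Risk("Customer credential theft by criminal gang",
                        consequence="high", adversary_capability="medium",
                        adversary_motivation="high", vulnerability_severity="high")
# Patching the vulnerable page is a reduction: it lowers likelihood, not consequence.
credential_theft_patched = replace(credential_theft, vulnerability_severity="low")

defacement = Risk("Marketing site defacement by script kiddie",
                  consequence="low", adversary_capability="low",
                  adversary_motivation="medium", vulnerability_severity="medium")

RISK_APPETITE = 20   # assumed threshold on the numeric scale above


def register_report(appetite: int = RISK_APPETITE) -> List[tuple]:
    """Rows of (name, likelihood, risk value, recommended response), highest value first."""
    rows = []
    for r in rank([credential_theft, defacement]):
        fix = credential_theft_patched if r is credential_theft else None
        rows.append((r.name, r.likelihood(), r.value(), recommend(r, appetite, fix)))
    return rows


if __name__ == "__main__":
    for name, likelihood, value, response in register_report():
        print(f"value {value:3d} (likelihood {likelihood:2d})  {response:18s} {name}")
```

With these inputs the credential-theft risk scores 3 x (2 x 3 x 3) = 54, far above the appetite of 20; patching drops it to 3 x (2 x 3 x 1) = 18, so "reduce" is the recommendation. The defacement risk scores 1 x (1 x 2 x 2) = 4 and is simply accepted. Changing the appetite to 10 would push the bank risk into "transfer or reject" even after patching, which is the kind of decision the risk owner makes.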

A.1.4. Common misconceptions


There are a lot of misconceptions about cybersecurity in the world today. They
range from unrealistic Hollywood clichés about the process of attacking a
computer system to outdated stereotypes of people who work in the industry.
Let's examine a few common misconceptions and provide some clarity for
you. 
Expand each misconception to debunk it.

Everyone who works in cybersecurity comes from an IT

background.

While most roles within cybersecurity rely on IT either in part or entirely, the
roles don’t all have a firm dependence on that background. As you should
already have noticed, since cybersecurity covers so much, there is demand for
talent in lots of areas. Skills range from people management and
communication to mathematics and data science. Having a diverse set of
experiences and skills also helps teams approach problems in new ways and
this is very valuable.

All hackers are criminals.

The term hacker historically refers to someone who enjoys adapting things
and discovering how they work. This definition got mixed up with people who
illegally tried to gain access to computer systems with the intent of hijacking
their operations. Today, there are thousands of computer hackers who are
employed in a variety of IT roles and contribute toward understanding IT
systems in a legal fashion as part of many businesses. Their curiosity and
drive are invaluable in ensuring IT systems are built in a safe and secure
manner.

Cybersecurity is something I can’t do.

Due to the constantly evolving areas in cybersecurity and vast scope, there is
something for everyone. The diversity of roles requires a great diversity of
skills. Those skills can range from strategic analysis and anticipating the
evolving landscape of IT businesses to vigilance and patience in system
monitoring roles. Keep in mind that there is a lot of education and training
available. 

I'm too old or too young to work in this industry.

A good litmus test for the diversity of a team is to check how many decades
are covered by the team’s composition. A good team will have a diverse range
of experiences and life views. Cybersecurity needs to look at problems with
both a fresh set of eyes and an experienced view. Whether you think
approaches are great or bad, you’ve probably got half of the solution and a
great voice to add to the dialogue.

A.1.5. Laws and ethics


Cyber crime is quite a new concept, having only developed within the last 30
years. Before that, people who used computers maliciously had to be
prosecuted using a combination of theft and telegraphy acts, which were not
that applicable. 
Today, a wide-ranging set of international laws have been created to govern
the use of computing technologies and protection of the information residing
within them. Everyone is affected by these laws and it is important that all
cybersecurity professionals have a basic understanding of them. 
This lesson will provide a quick overview of common types of laws and the
importance of considering ethics. 
Important Note
Laws are not the same across the world. They can vary greatly by country.
You should check and abide by the relevant laws for the country you live in
and/or travel to. Some governments have written their laws to be more
prohibitive than others so that a legal action in one may be illegal in another.
If you are in doubt, seek legal advice.
A.1.5.a. Common types of computer misuse laws
Let's review some common features or concepts that are mirrored around the
world in computer misuse laws. 

Unapproved use or control of a computer device


 Many laws prohibit unauthorized or unapproved access or use of a
computing device. 
 This catch-all barrier means that hijacking computers by technical
means or by forcing access to a person's account is banned.
 These laws can catch people for circumventing broken controls such as
authentication.
EXAMPLE
Placing a fake log-in screen on a website to steal a set of user passwords and
using them to spy on someone’s account.

Preventing others from legitimate use


 These laws attempt to cover attacks on availability of computer
resources, such as networking capabilities. 
 Actions that degrade the quality of service for others, or prevent it
entirely, will usually be covered within these laws.
EXAMPLE
Overloading a server or networking switch by sending it too many packets of
information to process.

Aiding other criminals or designing malware


 These laws refer to helping others commit computer misuse offenses,
such as being an accomplice.
 One such manner of helping others could be by writing malicious
software, commonly known as malware. 
 These laws are intended to be used to help with breaking up criminal
gangs.
EXAMPLE
Producing a program which allows remote access to a machine without the
owner’s awareness.
In addition to the laws concerning computer misuse, you will find that a couple
of cyber crime offenses overlap with data protection laws and traditional
property laws. Should a cyber crime result in theft of intellectual property, this
may be examined as a case of theft.
The golden rule before trying anything in IT security is to get the correct
permissions in place from the owner before experimenting on a device. It is
also important to know exactly what you are doing to avoid unintentional side
effects.
A.1.5.b. Discussion on ethics
As the laws vary across the world, ethics do too. There is a lively debate about
many aspects of ethics within cybersecurity. For instance, is it permissible for
organizations to leave booby-trapped files within their infrastructure awaiting
an attacker to trigger one? Many could argue that this is ethically sound,
although under most legal frameworks, it would be argued that such an action
is illegal since the trapped files would be considered malware. Then there are
the ethical dilemmas around using techniques from the security industry to
target criminals. Could a retaliation be justifiable or defensible? What about
the rules for military action or governments?
You can see there are ethical dilemmas and they have been going on for as
long as the industry has existed. These debates are a good sign of a healthy
industry reaching maturity and its participants displaying integrity by
considering these important issues.
To illustrate the complexity of the laws and ethics of cybersecurity, this
diagram shows how the areas of legality and ethics could be seen to overlap.

A.1.6. Threat actor groups


A.1.6.a. Module overview

This module focuses on the "offensive" side of cybersecurity, meaning the
cyber attackers and their techniques. How do they hack? What could go
wrong? You will learn about these topics:
 Types of cyber attacker groups
 Types of cyber attacks
 Steps in a typical cyber attack sequence, using the Lockheed Martin
Cyber Kill Chain framework
 Attacker tactics and techniques, using the MITRE ATT&CK matrix
 How the cyber crime economy works
 Social engineering and common social engineering attacks
 Open source intelligence (OSINT) and common sources that cyber
attackers use
 Technical scanning methods
 High profile case studies of cyber attacks to recognize what is possible
and going on in the world
A.1.6.b. Threat actor groups 
Cybersecurity professionals must be aware of the different types of threat
actor groups, or cyber attacker groups. These are diverse groups and they
vary substantially in motivation, resources, and techniques. Let's review and
compare the five main types of cyber attacker groups.

A.1.6.c. Group 1: Script kiddie


The first group is the least advanced, the script kiddie. The term "script kiddie"
refers to someone who uses programs, frequently basic hacking tools, without
truly understanding what is going on behind the scenes. They may display a
basic understanding of networking and programming, but lack technical skills
as well as patience or strategic intent.
SUMMARY
 In practice, this demographic is mostly teenagers or young adults, who
are self-taught via forums, videos, and experimentation.
 For many, the main motivations for their hacking efforts are reputation,
status in the eyes of the hacking community, entertainment, or settling
grudges.
 From a resourcing standpoint, script kiddies rely on off-the-shelf
penetration testing tools and publicly available exploits. 
 In most cases, they are very underfunded. They tend to display little
trade-craft knowledge beyond that of basic proxies or disposable
accounts.
 From a defensive standpoint, organizations must ensure that their
patching schedule is effective. Should an easy exploit be developed, it is
very likely that it will be deployed at some point. Defenses must be
sufficient to ensure that another target appears easier which should be a
sufficient deterrent.

Profile of a script kiddie

Who are they? Self-taught individuals, typically teenagers.
What is their objective? Seek reputation enhancement or attack for fun.
What resources do they have? Little funding, little or no technical expertise
and assistance; may use free tools written by others.
How do you protect against them? Ensure patching schedule is effective and
basic perimeter defenses are up to date.

 
A.1.6.d. Group 2: Hacktivist
The second group is the hacktivist. Hacktivist is a term which combines
"hacker" and "activist". Hacktivists seek a political or economic change and will
use hacking to achieve it.
SUMMARY
 The key, defining attribute of hacktivists is that they are driven by
ideological reasons. 
 The group of people who make up hacktivist groups ranges greatly. Like
the script kiddie group, they are filled with impressionable amateurs, but
when causes align on a highly topical issue, they are joined by more
experienced members within the security community.
 The motivations of hacktivist groups are defined by their aims, which
vary enormously. Generally, it involves supporting one cause the
individuals believe in. This could be a side in the Middle East conflict,
political activities, and so on. 
 The most famous example of this group would be the hacking collective
called Anonymous. Anonymous is a decentralized international
hacktivist group that is known for cyber attacks against several
governments, government institutions and government agencies, and
corporations. 
 Hacktivists use a range of basic tools which can be very effective when
done at scale. Denial of Service (DoS) programs are a notable example
in this area. 
 While a single script kiddie poses little threat, several hundred launching
parallel attacks can be significantly more challenging to deal with. 
 As an organization, being astute is very important. Should an
organization operate business in a sensitive area (e.g., animal testing,
political causes), then it is possible it may come under a sustained
attack from hacktivists at some point. Having good defenses will not be
enough to deter all attacks, so organizations should plan methods to
cope with a sustained attack.

Profile of a hacktivist

Who are they? Driven idealists forming loose coalitions.
What is their objective? Want to bring about a change.
What resources do they have? Operate at scale with varying tools; their
biggest attribute is size.
How do you protect against them? Ensure defenses can cope with an
extended disruptive attack.

A.1.6.e. Group 3: Criminal gang


As long as there is easy money to be made, criminals will always be a problem
for society. The internet’s creation has created a new method for criminals to
prey on victims with an unprecedented scale, range, and ease. Rather than
run risks in person, aspiring criminals can send out millions of infected emails
from halfway around the world and secure a ransom from a victim before
transferring funds into cryptocurrencies to evade conventional policing
methods. Capturing these criminals is extremely taxing and, due to
international laws, securing a prosecution is near impossible. Sadly, most
criminals are aware of these facts.
SUMMARY
 This is the fastest growing group and as a result, it is the broadest. 
 Within the group, there are a range of activities. Gangs could be running
ransomware attacks (where a victim is forced to pay to secure access
back to their resources), committing extortion (where the threat of a
large attack secures protection money), committing conventional theft of
customer data or intellectual property, and so on.
 Being a cyber-based criminal is a full-time and potentially quite lucrative
proposition. Gangs can range from a few individuals all the way to
multinationals with hundreds of members. Within each gang, there are
frequently specialists and they can trade information on the dark web.
Consequently, criminal gangs are quite advanced and well-organized.
 From a resourcing standpoint, criminal gangs frequently develop and
deploy their own malware. They even in some cases rent access to
others who may be less technical. Like all software sales, they advertise,
host reviews, and even have tech support. Criminal gangs have access
to substantial amounts of infrastructure, such as servers and domains.
 To protect against a criminal gang, effective defenses should exist for
critical assets. While discovering ransomware on an employee’s laptop
may be inconvenient for the company, discovering ransomware on a
production server could be devastating.
 From a financial perspective, the criminals will always adopt the quickest
and easiest get-rich-quick scheme.

Profile of a criminal gang
Who are they? Groups of people in national and international teams
What is their objective? Driven by financial motivations
What resource do they have? Broad range of tools and equipment, bought and traded on the dark web
How do you protect against them? Need to have a fully trained workforce with protections around critical assets and back-ups

A.1.6.f. Group 4: Nation state hacker or advanced persistent threat (APT)
The next group, and one that receives the most media attention, perhaps
unduly, is the nation state attackers. Many military organizations around the
world now consider cyberspace a fifth sphere of conflict alongside sea, land,
air, and space. Many nations have demonstrated the ability to project power
across national borders with a great and expanding variety of consequences.
SUMMARY
 The role of nation state hackers is to provide a strategic advantage to
their respective country. This may range from reconnaissance and
information collection (e.g., traditional spying/signals intelligence) all the
way to information subversion and manipulation.
 Members of these organizations are well-educated or trained and cover
a range of backgrounds. They work full-time and typically work on the
cutting edge within their respective fields.
 Their motivations are typically aligned closely with political or strategic
objectives. A recent example of this was the Russian activities
concerning the 2016 US presidential election. The aim was to interfere
with the election as well as increase political and social discord.
 From a resourcing standpoint, nation state hackers have access to
advanced research, dedicated infrastructure teams, and tremendous
political support. 
 Protection against determined nation state hackers is tremendously
challenging for organizations. Doing so effectively requires fully capable
and coordinated security defenses. 
Profile of a nation state hacker
Who are they? Highly trained and educated specialists
What is their objective? Follow strategic, multi-year plans on a wide range of issues
What resource do they have? Very large budgets, cutting-edge tooling, and leading-edge research
How do you protect against them? Incredibly difficult; need fully coordinated defenses around every aspect of the organization

A.1.6.g. Group 5: Malicious insider
The final group, and arguably the most concerning, is the malicious
insider. The insider refers to a member within an organization who either
intentionally or otherwise acts against it. 
SUMMARY
 Malicious insiders can either start with a negative mindset within an
organization or become resentful after a period of time.
 Motivations vary greatly and can cover just about everything, with
financial interests and bitterness being two of the most common. In other
cases, notoriety or fame can be motivators.
 A common example of an insider is an employee being blackmailed into
allowing someone access to the employee's corporate accounts.
Another common example is a disgruntled employee who steals
corporate secrets before being fired. Perhaps the most famous insider
attack of all time was Edward Snowden, who stole a large amount of
National Security Agency (NSA) files from the US before giving them to
WikiLeaks.
 Insiders do not usually rely on technical skills to execute their attacks.
While some may shoulder surf or use social engineering to gain access
from others, typically they use their own corporate access and
permissions.
 Defense against insiders is best achieved by vetting employees,
effective management, and then technical controls. Resorting to
technical controls is frequently seen as a “get out of jail free card” for
many companies and it frequently fails because you are, after all, trying
to stop users who are extremely familiar with the system. In many cases,
there are a lot of warning signs before somebody launches an inside
attack. For instance, this could be working alone, expressing resentment,
failing in quality of work, or doing unexplained activities. Picking up on
these signs is very important.

Profile of a malicious insider
Who are they? Staff members who work against an organization's own interests, either deliberately or accidentally
What is their objective? Seek revenge or have financial motives
What resource do they have? No budget or resources required; use granted access
How do you protect against them? Monitor staff carefully and ensure the organization's culture is effective to prevent issues

Note: These descriptions of the types of cyber attackers are not always
precise. In operations, hacktivists might recruit script kiddies and
nation state hackers might recruit criminal gangs. Also, some cyber attackers
will disguise their work to appear less advanced than they are. These facts
can make it difficult to attribute threats to the correct party. 
A.1.6.h. White hat hackers
We have covered the five common types of cyber attackers, whose motivations
range from personal to threatening and often illegal. But there are
also individuals out there who are considered white hat hackers. A white hat
hacker chooses to use, and monetize, their skill set for good, rather than for
criminal or exploitative activity. Often called “ethical hackers,” white hat
hackers take on a real hacker mindset and use the same methods as real-life
attackers, but with the goal of testing and fortifying systems to help clients and
consumers be better protected from the real thing. 
Here are two leading cyber security experts who fall into the white hat
category and use their skill sets to offer valuable and often highly-paid advice
and knowledge to organizations around the world.
Brian Krebs
Brian is a celebrated journalist who investigates cyber crime. He kicked off his
career as a reporter for The Washington Post, where he wrote for the Security Fix blog
from 1995 to 2009 and pushed the boundaries of cyber security reporting.
Today, he owns the hugely popular blog Krebs on Security and was named
2019’s “Cyber Security Person of the Year” by CISO MAG.
Fun fact: Brian’s interest in cybersecurity was ignited after his entire home network
was taken captive by a Chinese hacking group.

Georgia Weidman
Georgia is a serial entrepreneur in the cybersecurity space and has worked as a
penetration tester, security researcher, speaker, trainer, and author. She has gained a
large following through her work in smartphone exploitation and mobile device
security as the founder and CTO of Shevirah.
Fun fact: Georgia is an angel investor and has spoken and trained audiences around the
world at venues like the NSA, West Point, and Black Hat.

A.1.7. Types of cyber attacks
There are many methods by which a cyber attacker can enter and exploit a
system. Often, attacks are not technical at all, but rather an exploitation of
how humans interact with the system in a flawed and vulnerable way. In this
lesson, we have selected common types of cyber attacks. This is a
representative sample to provide you with a few illustrative examples, rather
than a comprehensive list. Let's examine these in greater depth.
A.1.7.a. Denial of service (DoS) attack
 A DoS attack is any type of attack that causes a complete or partial
system outage. 
 The means to perform a DoS attack can range from causing a system to
crash to making it unreachable or incapable of continuing work due to
abnormal levels of forwarded network traffic.
EXAMPLE
An attacker could send a maliciously formatted file to a server that causes it to
overload. An example of this is a billion laughs attack, in which a small XML file
declares entities that reference each other, so that the file expands to a
considerably larger document when the parser resolves them.
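The billion laughs document above is a resource-exhaustion attack, and the sensible defense is to measure how large an XML document would become before handing it to a parser. The following is an added example, not code from the course: it sums entity expansion lengths without materialising them (assumed, simplified handling of internal entities only; production systems should use a parser that disables DTD processing altogether, such as the defusedxml package).

```python
import re

# Internal general entity declarations, e.g. <!ENTITY lol1 "&lol0;&lol0;">
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
# Entity references in content, e.g. &lol1;
ENTITY_REF = re.compile(r'&(\w+);')
# Built-in XML entities: each expands to a single character
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}


def entity_declarations(doc: str) -> dict:
    """Map entity name -> replacement text for every internal declaration in the DTD."""
    return dict(ENTITY_DECL.findall(doc))


def expanded_length(entities: dict, name: str, stack: tuple = (), memo: dict = None) -> int:
    """Length of entity `name` after all nested references are expanded.

    Only lengths are summed, nothing is materialised, so a document that would
    expand to gigabytes is measured in microseconds. Raises ValueError on a
    reference cycle and KeyError on an undefined (non-built-in) entity.
    """
    if memo is None:
        memo = {}
    if name in memo:
        return memo[name]
    if name not in entities and name in PREDEFINED:
        return 1
    if name in stack:
        raise ValueError(f"recursive entity reference: {name}")
    value = entities[name]
    total, last = 0, 0
    for ref in ENTITY_REF.finditer(value):
        total += ref.start() - last  # literal text before this reference
        total += expanded_length(entities, ref.group(1), stack + (name,), memo)
        last = ref.end()
    total += len(value) - last  # literal text after the last reference
    memo[name] = total
    return total


def estimated_expanded_size(doc: str) -> int:
    """Size the document body would reach once every entity reference is expanded."""
    entities = entity_declarations(doc)
    body = ENTITY_DECL.sub("", doc)  # declarations themselves are not expanded output
    size, last = 0, 0
    for ref in ENTITY_REF.finditer(body):
        size += ref.start() - last
        size += expanded_length(entities, ref.group(1))
        last = ref.end()
    return size + len(body) - last


def is_entity_bomb(doc: str, max_ratio: int = 100, max_bytes: int = 10_000_000) -> bool:
    """True when the document should be rejected before it reaches a real XML parser.

    Rejects documents whose expansion exceeds `max_bytes` or more than `max_ratio`
    times their own size; cyclic or undefined entities are treated as unsafe
    because a conforming parser errors on them anyway.
    """
    try:
        size = estimated_expanded_size(doc)
    except (ValueError, KeyError):
        return True
    return size > max_bytes or size > max_ratio * max(len(doc), 1)


def build_entity_bomb(levels: int = 9, fanout: int = 10) -> str:
    """Constructed sample: the textbook billion laughs document (defaults expand to 3 GB)."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, levels + 1):
        refs = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    dtd = "\n".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n{dtd}\n]>\n<lolz>&lol{levels};</lolz>'


# Constructed benign document: one declared entity used twice plus a built-in entity.
BENIGN_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [
<!ENTITY company "Acme Corp">
]>
<note>&company; &amp; partners: &company;</note>"""
```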

A.1.7.b. Distributed denial of service (DDoS) attack


 A DDoS attack is a DoS attack that comes from more than one source at
the same time. 
 The machines used in such attacks are collectively known as “botnets”
and will have previously been infected with malicious software, so they
can be remotely controlled by the attacker. 
 According to research, tens of millions of computers are likely to be
infected with botnet programs worldwide.
EXAMPLE   
An attacker could send a large number of page requests to a web server in a
short space of time, overloading it. A similar impact is observed with ticket
sales websites where a spike in user demand can overload systems.

A.1.7.c. Phishing attack


 A phishing attack is the practice of sending messages that appear to be
from trusted sources with the goal of gaining personal information or
influencing users to do something. 
 It combines social engineering and technical trickery. 
 Unsuspecting users open the email and may provide protected
information or download malware.
EXAMPLE    
An attacker could send an email with a file attachment or a link to a fake
website that loads malware onto a target's computer. 

A.1.7.d. Spear phishing attack


 Spear phishing attacks are a very targeted type of phishing activity. 
 Attackers take the time to conduct research into targets and create
messages that are personal and relevant, and thus likely more effective.
EXAMPLE   
An attacker collects a target's details from social media and calls the target
pretending to be a representative from the bank. The attacker advises the
account is compromised and asks the target to transfer money to a "safe"
bank account. The attack is convincing because of the attacker's apparently
legitimate knowledge.

A.1.7.e. Malware
 Malware is a catch-all term for malicious software. It is any software
designed to perform in a detrimental manner to a targeted user without
the user's informed consent.
 It often triggers secretly when a user runs a program or downloads a file,
which can often be unintentional.
 Once active, malware can block access to data and programs, steal
information, and make systems inoperable. 
EXAMPLE    
Within the various types of malware, you will find examples named for their
function, such as keyloggers (which capture a victim's keystrokes)
or ransomware (which holds a victim's files captive in exchange for a ransom
payment).
A.1.7.f. Man in the middle (MitM) attack
 A MitM attack occurs when hackers insert themselves in the
communications between a client and a server. 
 This allows hackers to see what’s being sent and received by both
sides.
EXAMPLE   
An attacker could set up a "free" WiFi hot spot in a popular public location.
Anyone who connects to that WiFi network could have their communications
examined by the attacker, who may redirect victims to fake log-in screens or
insert advertisements over webpages.

A.1.7.g. Domain name system (DNS) attack


 DNS is one of the core protocols used on the internet.
 Basically, the DNS protocol allows a computer to resolve a domain to an
IP address, which allows a user to, for example, reach BMW’s main
website by typing “bmw.com” instead of writing an IP address that is
hard to remember.
 DNS is used almost everywhere. As a core protocol of the internet, lots
of attack vectors directly target DNS, including DNS spoofing, domain
hijacking, and cache poisoning (just to name a few).
EXAMPLE   
In 2016, the DNS service provided by a company called Dyn was attacked.
This resulted in major outages across most of the US, leaving millions of
Americans unable to access or use internet services.

A.1.7.h. Structured query language (SQL) injection


 SQL allows users to query databases. 
 SQL injection is the placement of malicious code in SQL queries, usually
via web page input. A successful attack allows common commands to
be run. This can include deleting the database itself!
 SQL injection is one of the most common web hacking techniques.

EXAMPLE  
In the UK, two teenagers managed to target TalkTalk's website in 2015 to
steal hundreds of thousands of customer records from a database that was
remotely accessible.
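To make the "placement of malicious code in SQL queries via web page input" concrete, here is an added example (not code from the course, and unrelated to the TalkTalk system) using a constructed in-memory SQLite customer table: the lookup built by string concatenation returns every record when the input closes the quote and adds an always-true condition, while the parameterised lookup treats the same input as a plain, non-matching value.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory customer table standing in for the kind of database described above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, postcode TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, postcode) VALUES (?, ?)",
        [
            ("alice@example.com", "AB1 2CD"),
            ("bob@example.com", "EF3 4GH"),
            ("carol@example.com", "IJ5 6KL"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Builds the query by string concatenation: user input becomes part of the SQL text itself.

    Given the input  ' OR '1'='1  the query becomes
    SELECT ... WHERE email = '' OR '1'='1'  and every row is returned.
    """
    query = "SELECT email, postcode FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the value is passed separately, so it can never change the SQL structure."""
    return conn.execute(
        "SELECT email, postcode FROM customers WHERE email = ?", (email,)
    ).fetchall()
```

Parameterised queries are the fix; input filtering alone is not, because the database, not the web page, is what decides where a quote ends.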

This represents a handful of the many types of cyber attacks impacting
organizations and individuals today. You will find DoS attacks on organizations
are commonly reported in the news, phishing attacks are the most effective on
a personal basis, and malware attacks are increasing in number and
constantly evolving. 
A.1.7.i. Activity
Fact: No person, organization, or country is immune to the dangers of
cyber attacks.
In this activity, you can put on your explorer hat to access the following real-
time maps and statistical visualizations of cyber attacks occurring around the
world. Take a moment to access each site. It may take a moment to load.
Check out the statistics. See just how many attacks are being documented
across the globe! Right now!
1. Go to the Kaspersky Cyberthreat Real-Time Map
 Navigate around the interactive world map to click and specific country to view its latest data.
 Find the most attacked countries!
 You can change the language at the top of the web pag
 Roll-over the color-coded types of threats and attacks.

2. Go to the Fortinet Threat Map
 Watch the attack details that scroll at the bottom of the
 Figure out where most attacks are happening right before your eyes!
 This is a sub-set of data. Select ? to view the legend of attacks displayed. Select i to learn more.

3. Go to the Bitdefender Cyberthreat Real-Time Map
 View the live attacks happening across the map for the country locations. 
 Check out the various instances of spam, threats, an
 Notice that there is an "attack country" and "target cou
This is the end of the lesson. Be sure to select the "I've checked it out" box to
take a mini quiz to check your understanding of this lesson. You will be
presented with three descriptions to then identify the correct type of cyber
attack that it represents. This is required for lesson completion.

A.1.8. Structure of a cyber attack
As computer systems change, so do the ways in which they can be
compromised. For example, a cyber attack may rely on a computer running an
outdated version of a web browser to be vulnerable to a specific piece of
malware. Once the software is patched, that attack cannot be repeated in the
exact same manner. However, while individual techniques may evolve with
time, the overall structure of a typical cyber attack can be examined. In this
lesson, we'll review a couple of ways this has been done over the years so you
have a basic understanding. 
Note: This is meant to provide you with a quick overview and you can choose
to explore more if you would like. 
A.1.8.a. Introducing the Lockheed Martin Cyber Kill
Chain® framework
Lockheed Martin Corporation is an American global aerospace, defense,
security, and advanced technologies company. Researchers at Lockheed
Martin determined that there are parallels between the typical U.S. military
concept of a "kill chain" and intrusions within digital networks. The word
"chain" is used here to indicate a set of steps that must be completed in order,
in which each step depends on the previous step's completion. Here is a walk-
through of the seven steps in the Cyber Kill Chain framework so you
understand a typical cyber attack sequence. 

Source: Lockheed Martin, the Cyber Kill Chain® framework


1. Reconnaissance: During this stage, the attacker gathers information
about the target. This can be achieved through probing digital servers,
speaking with people close to the target, or just reading the news!
2. Weaponization: Once a specific vulnerability has been identified, a
piece of malware is designed to exploit it. This process can range from
downloading a sample of a database, purchasing a tool from a 3rd party,
or developing something custom.
3. Delivery: The chosen malware must be sent to the target in some
manner. Despite progress over the years, the most common method is
still via email. Other methods can include website downloads and
infected or modified USB devices.
4. Exploitation: Once malware is given to the target, it activates and
performs a series of instructed steps. How this occurs is highly variable
and depends on many details about the programs and operating system
in use. This process is known as "exploiting a vulnerability" and the
software used to do it is known as exploit code or an exploit.
5. Installation: The malware attempts to get some element of persistence
within the target system. This can be achieved through the creation of
back doors, which can include creating new accounts, installing remote
access programs, or introducing new vulnerabilities into the system.
These factors mean that if the original vulnerability is patched, it is too
late for the defender as the attacker’s access remains.
6. Command and Control (C2): A method for the attacker to communicate
with the compromised systems must be established. This enables
instructions and upgrades to be sent to the target and for data to be sent
back to the attacker. This can be done using websites, direct
connections, and even Twitter.
7. Actions on Objectives: Once all the previous steps have been
completed, the attacker is free to complete the original intent. This could
range from stealing data, modifying data, or destroying key system
elements.
A.1.8.b. Introducing the MITRE ATT&CK matrix
MITRE is an American non-profit organization dedicated to solving problems
for a safer world. It brings forward innovative ideas in a variety of areas
including cyber threat sharing and cyber resilience. MITRE collected a set of
tactics, techniques, and procedures (TTP) that cyber attackers have been
using to develop ATT&CK. It stands for Adversarial Tactics, Techniques, and
Common Knowledge. It is pronounced as "attack". This collected knowledge is
presented in a matrix to help organizations examine cyber attacks in a
simplified form. The ATT&CK matrix is open and available to any person or
organization for use at no charge. 
The following graphic is a sample of the ATT&CK matrix. You can see it is
quite comprehensive. 
The column headers identify an attacker tactic. Each tactic can be
considered as an attacker's objective. Then, the list under each column is
the many techniques that the cyber attacker can use to achieve the tactic or
objective. These link to more information.
EXAMPLE  
A cyber attacker may want to gain credentialed access to a system. This is a
tactic. In this scenario, if the attacker identifies poor logging and no account
lockouts are in use, the attacker could choose to use the Brute
Force technique. In this technique, a program is run, which can try millions of
username and password combinations until a successful one is identified.
Should the chosen technique be unsuccessful, an attacker can simply switch
to another approach and continue trying.
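The weakness in the example above is "poor logging and no account lockouts", so the matching defensive control is to turn the logs you do have into an alert when the Brute Force technique (ATT&CK T1110) is in progress. The following is an added example, not course material: it parses constructed sshd-style log lines (not a real capture) and flags a source that fails repeatedly inside a time window, plus the higher-severity case of a success right after such a burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of a Linux sshd auth log; addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:00 sshd[1200]: Server listening on 0.0.0.0 port 22.
2024-03-01T10:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50122
2024-03-01T10:00:03 sshd[1202]: Failed password for invalid user root from 203.0.113.7 port 50123
2024-03-01T10:00:05 sshd[1203]: Failed password for admin from 203.0.113.7 port 50124
2024-03-01T10:00:07 sshd[1204]: Failed password for admin from 203.0.113.7 port 50125
2024-03-01T10:00:09 sshd[1205]: Failed password for admin from 203.0.113.7 port 50126
2024-03-01T10:00:11 sshd[1206]: Failed password for admin from 203.0.113.7 port 50127
2024-03-01T10:00:13 sshd[1207]: Accepted password for admin from 203.0.113.7 port 50128
2024-03-01T10:05:00 sshd[1310]: Failed password for alice from 198.51.100.4 port 41000
2024-03-01T10:05:08 sshd[1311]: Accepted password for alice from 198.51.100.4 port 41001
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse_auth_log(text: str) -> list:
    """Turn log text into (timestamp, outcome, user, ip) tuples, skipping lines that are not logins."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # e.g. "Server listening" lines carry no authentication outcome
        events.append((datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]))
    return events


def detect_brute_force(events: list, threshold: int = 5, window_seconds: int = 60) -> list:
    """Return alerts as (kind, ip, user, timestamp).

    'brute_force' fires once per source that accumulates `threshold` failures within
    the sliding window; 'success_after_burst' fires when a flagged source then logs in,
    which is the outcome a lockout policy would have prevented.
    """
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for ts, outcome, user, ip in sorted(events):
        recent = [t for t in recent_failures[ip] if ts - t <= window]
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user, ts))
        elif ip in flagged:
            alerts.append(("success_after_burst", ip, user, ts))
        recent_failures[ip] = recent
    return alerts
```

A single mistyped password (the 198.51.100.4 lines) produces no alert, which is the false-positive behaviour a lockout policy also needs to respect.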
A.1.8.c. Importance of understanding cyber attacks
During a cyber attack, attackers can be quite persistent. It is rare that a single
interruption to their attack will cause them to give up. Instead, it can be quite
helpful to view cyber attacks as part of a longer campaign. Many attacks can
last for months with attackers spreading their influence and defenders trying to
identify and stop them. Good defenders will attempt to anticipate an attacker's
next move and frameworks such as the MITRE ATT&CK matrix help them to
achieve this.
A.1.9. Funding and profitability of cyber crime
While some cyber attackers are motivated by activism or national interest, the
main driver of cyber crime is profitability. In this lesson, we'll examine a few
methods of how cyber criminals make and use their money.
A.1.9.a. Underground ecosystem
The first element that is vital to the cyber crime economy is a thriving
international marketplace made up of hundreds of forums, platforms, and
systems. Within this market environment, criminals buy and sell data,
identities, and tools to make profit. For example, a very common area of
interest is money laundering. Should cyber criminals steal some money from a
victim, they need to have a method to make the stolen money usable and
ideally untraceable. They can do this by using a 3rd party specialist in an
outsourcing-like manner.
Like a traditional economy, specialism drives efficiencies and allows criminals
to focus on what they each do best.
A.1.9.b. Initial cash injection
So, with a marketplace set up, how do criminals get money? Below are three
general methods by which they can achieve this. 
Stolen from victim
 The most direct method is criminals attempting to steal money from their targeted victim.
 While this can be done through compromising banking systems or compromising accounts, the most common manner is through fraud or deception.
 These scams are often the "tech support scam" or other similar tricks intended to persuade a victim to give the criminal a financial benefit such as giving away bank details and personal information.

Criminal for hire
 Sometimes criminals offer their services to carry out illegal tasks for regular people and organizations.
 This is commonly done using a denial of service (DoS) attack that attempts to overload key parts of a service. For instance, a criminal may offer an organization or individual the ability to disable a competitor or rival. 
 In this model, the criminal does not take money from the victim. Instead, the criminal gets paid by the organization or individual. 
 Another example of this is computer misuse in a mercenary style. Imagine a person hiring a criminal to steal a competitor’s key intellectual property or destroy a rival's databases.

Extorted from victim
 In this model, the criminal gains the ability to disrupt a victim by disabling key systems or threatening to divulge sensitive data. 
 In recent years this has become popular with the advent of ransomware. In a ransomware attack, a victim's key systems and files are encrypted in such a manner that renders them inoperable. To restore the systems and files, the victim is asked to pay the criminal a ransom to receive the decryption key. 
 Other extortion-themed approaches can include threatening to divulge organization or customer data such as embarrassing executive emails or customer databases.
 
A.1.9.c. Cryptocurrency 
Over the last few years, there has been a rapid increase in cryptographically
controlled currencies called cryptocurrencies. The original
cryptocurrency, Bitcoin, proposed a new method for monetary exchange
based on a shared ledger called a blockchain. Many newer currencies created
in recent years build on this concept.
When using an anonymous ledger outside of government control, payments
are designed to be near impossible to regulate or block. This makes
cryptocurrencies unbelievably useful for money laundering or for other criminal
marketplace activities.
One notable consequence of cryptocurrencies was the rapid growth of
ransomware. In this business model, the victim has to pay the attacker. When
this was originally done with monetary substitutes such as gift cards, the
process was slow and unreliable. Now, with the use of cryptocurrencies, it is
easier for victims to make concealed payments. 
A.1.9.d. The ecosystem in action 
Let's look at a hypothetical case study drawing all of the monetary elements
together. In this scenario, we'll follow an attack campaign across the life cycle.
Follow the money trail!

1. The first stage of the journey involves a criminal gang producing a piece of malware which
records keystrokes and screen shots. 
2. The malware authors buy a list of known email addresses from another party and send out
the malware as an email attachment. The objective is for the malware to work on the
victims' machines so their banking details and other passwords can be stolen and sent to the
malware authors.  At this point, their work is done. They have a list of passwords and
banking logins. 
3. Now, the malware author may attempt to "cash out" themselves or sell the details to another
gang to finish the process. 
4. The criminal gang can attempt to login using the credentials and make transfers to money
mules they have worked with previously. In this case, the mules are typically gullible or
desperate individuals who have agreed to allow a stream of money through their accounts in
exchange for payment.
5. To finish the process, the criminal gang could force the mules to buy and transfer
cryptocurrencies to accounts controlled by the gang. As soon as this is done, the campaign is
complete. Should law enforcement investigate the crime, the trail often ends with only the
money mule being traceable.

A.1.10. Social engineering


In this course, you are learning about the importance of people when
designing secure systems. People, whether they are employees or customers,
are often mismanaged in security environments. They may be given confusing
or contradictory advice, prevented from following good practices, or just
become fatigued. All of this puts people in a vulnerable position to potentially
be taken advantage of by a prospective cyber attacker. In this lesson, we’ll
highlight social engineering and techniques that attackers use. Rather than
hacking a system, let’s examine how they hack the individual instead! 
A.1.10.a. What is social engineering?
Social engineering is the art of making someone do what you want them to do.
It overlaps heavily with academic fields involving psychology, biology, and
even mathematics!  
In cybersecurity, social engineering is the use of deception to manipulate
individuals into divulging confidential or personal information that could then
be used for fraudulent purposes. Basically, how could someone trick another
person into giving up something that is private? Social engineering attacks are
the dark art of using social interactions to trick someone into making a security
mistake.
Social engineering tactics can be employed in-person, over the phone, or
online through websites, email, and social media.
Once an attacker can make an individual perform a certain action, then the
attacker can gain access to sensitive systems, steal assets, or advance a
more complex attack. This notion of focusing on persuading or tricking people
may sound unreliable. But, there are many case studies that show social
engineering is an incredibly powerful technique for attackers. 
EXAMPLES  
Effective social engineering tactics can result in defrauding vulnerable
individuals of their savings through scams and confidence tricks. For
organizations with physical buildings, social engineering also
includes tailgating, or closely following, individuals in order to gain access to
secure areas. 
A.1.10.b. Why does social engineering work?
Social engineering works because humans are imperfect. There are two key
elements to this: our decisions are irrational and our decision making is
flawed. Let’s look at each in greater detail.

Irrational behavior
We can all exhibit irrational behavior as shown by making decisions that do
not further our long-term interests. If everyone was focused and logical, then
we would not have vices. For instance, no one would play the lottery and we
would eat healthy all the time.  This is very far from the case.
In social engineering, drivers for short term gratification or greed can be
utilized to manipulate a target. These targets are putting themselves at risk
and often committing crimes unknowingly.
EXAMPLES  
This is best shown when criminals persuade young adults to act as money
launderers for gangs. There are also many other get-rich-quick schemes
online. The victims in this case are baited into the scheme with false
promises. 
There are also cases where idleness is a great asset for social engineering.
Taking shortcuts and the tendency to avoid rules are quite effective to use as
a social engineering tactic on a target.
EXAMPLES   
Within certain organizations, employees might skip a long business process
like verifying caller identities or getting the right levels of approvals to grant
access rights. 

Flawed decision making


Human decision making varies greatly throughout the day and depends on
changing circumstances. For instance, the colors on display in a room, the
presence of other people, the amount of noise, and the temperature all have a
measurable, biological impact on individuals and change their decision-making
processes. Attackers benefit from affecting a target’s decision making to
achieve a result. 
EXAMPLES    
Attackers use time restrictions to create a sense of urgency. In addition,
attackers may confuse a target by impersonating a trusted authority figure or
even pretend to be a potential love interest. When an attacker builds up a false
reason to engage with a target this tactic can be labelled as pretexting.
All these factors impact a target's ability to make a good decision or even
identify they are being manipulated in the first place.
A.1.10.c. What makes a good social engineering
attack?
A good social engineering attack typically has a few common elements.
1. It is well researched. If a social engineering attack is attempting to
impersonate a member of a company, then attackers will make use of
the company letterhead, jargon, or format to help build credibility. Not all
methods are equally effective against everyone. Cyber attackers
research to determine the best driver.
2. It is delivered confidently. In person, good social engineers are
prepared, confident, and reassure targets. Knowing when to launch an
attack and how to develop a rapport with the target is important. Usually
a high value social engineering attack is built up over a series of
exchanges lending credibility and reducing inhibitions with each
exchange. Rushing these can backfire and be a way in which cyber
attackers reveal themselves through desperation.
3. The attack feels plausible and realistic. The best social engineering
attacks are often the ones where the victim does not even know they’ve
been tricked.
A.1.10.d. How can you defend against social
engineering?
It is important for individuals as well as employees to be aware and guard
against these common social engineering attacks.
Aside from trusting nobody ever, there is a simple rule to defend against social
engineering attacks designed to trick individuals like you. Essentially, the
golden rule is that if something seems too good to be true, it probably is. So, if
you are ever faced with a financial windfall out of the blue, a head hunting
request, or a prize from a competition you did not enter, then be aware,
inquisitive, and do not be blinded by the benefit.
In addition, don't be afraid to challenge others who make unusual requests or
appear out of place. If an unknown colleague makes a strange request or you
see someone loitering in a restricted area, you can often ask for details or
report your suspicions, as appropriate. Just because someone claims to have
been sent by an executive from the head office and they are in a hurry to get
by you into a building, you can pause to check. Often the cost of verification is
far less than letting an imposter into your office!

Beware of phishing
Specifically addressing the very common phishing email attacks, here are
some tips to help you detect phishing emails, whether personal or business-
related.
1. Consider if you were expecting the email. Does it make sense that the
sender chose to contact you? Is it too good to be true or pressuring you
to act quickly?
2. Always check the sender email address. Is it from someone or a
company that you recognize? 
3. Look for the salutation. Is it addressing you with a generic greeting such
as "Dear valued member" instead of your name? 
4. Search for any language or grammar errors in the email. Does it have
poor grammar or a lot of spelling errors?
5. Determine what the email is requesting. Is it asking you to visit a fake or
"spoof" website? Call a fake customer service number? Open
attachments that you did not request?
6. Look for the red flags of a fake request (e.g., it asks for your bank
information or password) that are typically part of a phishing email.
Secondly, do not click on a link without verifying the URL it points to.
o Does the URL use a non-secure link? To know if it is a secure link, check
that the URL begins with "https". Keep in mind that "https" only means the
connection is encrypted; a phishing site can use it too, so also check the
domain name itself.
o Does the URL direct you to a completely different website? Some URLs
intentionally try to look like legitimate ones. For instance, this is a fake
URL for PayPal: www.paypall.accountlogin.com/signin. Notice the misspelling
of "PayPal".
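To make the URL checks above concrete, here is an added example (it is not part of the course material) that applies them to a link the way a mail filter or a cautious reader would: it flags a non-HTTPS scheme, a registrable domain that is not on an allowlist, a trusted brand name used as a label inside some other site's name, and a one- or two-letter misspelling of the brand. TRUSTED_DOMAINS, the "last two labels" domain rule and all helper names are assumptions of the example.

```python
"""Red-flag checks for a link found in an email (added example, not course code).

Assumptions: TRUSTED_DOMAINS is a constructed allowlist of sites the reader
actually uses, and the registrable domain is taken to be the last two labels
of the hostname (a simplification; real tools use the Public Suffix List).
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("paypal.com", "example-bank.com")  # constructed allowlist


def registrable_domain(host):
    """'www.paypall.accountlogin.com' -> 'accountlogin.com' (two-label simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance; one or two edits between labels is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, trusted=TRUSTED_DOMAINS):
    """Return the red flags for a link; an empty list means no flag was raised."""
    flags = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        flags.append("not HTTPS")
    domain = registrable_domain(host)
    if domain in trusted:
        return flags  # the link really lands on a site from the allowlist
    flags.append("domain '%s' is not on the trusted list" % domain)
    # Compare each hostname label with the brand part of every trusted domain, so
    # both 'paypal.com.login.example' and 'paypall.accountlogin.com' are caught.
    for t in sorted(trusted):
        brand = t.split(".")[0]
        for label in host.split("."):
            if label == brand:
                flags.append("brand impersonation: '%s' appears in the name but the site is '%s'"
                             % (brand, domain))
            elif 0 < edit_distance(label, brand) <= 2:
                flags.append("typosquat: '%s' looks like a misspelling of '%s'" % (label, brand))
    return flags


if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin",
                 "www.paypall.accountlogin.com/signin",
                 "https://paypal.com.login.example/"):
        print(link, "->", check_link(link) or "no flags")
```

An empty result only means none of these four checks fired; it is a triage aid, not proof that the link is safe, which is why the course's advice to reach the sender through a trusted channel still applies.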
A.1.10.e. Important Note

If you receive an email that you believe could be phishing, don’t respond in any
way and do not click any links or open any attachments. Most email services
have a method to report an email as spam.
If you are in any doubt, you can get in touch with the sender via a trusted channel
such as a previously saved contact phone number or access the service web
address from your records.

A.1.11. Open source intelligence


Open source intelligence (OSINT) has become a major area of interest over
the last decade, both within government activities and the private sector. The
term "open" is used to refer to intelligence operations using publicly available
information, such as information found on the open web, blogs, and websites.
OSINT is all information that can be easily collected without any active
collection methods, such as hacking, wiretaps, and so on. In this lesson, we
will examine the benefits of OSINT, sources, and a few areas of concern for
organizations and individuals. You will better understand how attackers can
collect information about a targeted organization or individual. 
Open source investigations can be conducted by journalists, researchers, and
malicious attackers. Here, we will focus on attackers using these approaches
as part of a reconnaissance stage for a larger attack.
A.1.11.a. Comparing OSINT with alternative options 
Traditional forms of information gathering such as bugging phones, satellite
images, and signal intelligence intercepts tend to be very expensive, complex,
and often illegal. In comparison, using open information can be virtually
free and considerably easier to acquire.
EXAMPLE   
What if a journalist wants to locate where a member of a political party is at
any given time? On one hand, they could attempt to illegally place a piece of
malware on the individual's mobile phone to acquire GPS coordinates. On the
other hand, it may be far simpler to keep a close eye on the individual's Twitter
account. All it would take is for one of the politician's aides to post a
location-tagged message or a photo with a recognizable landmark and they would
have their answer. While this example seems simple, the same techniques
have been used by military units to track their counterparts in foreign
countries.
Another benefit of open source intelligence is that a lot of it is undetectable to
the target. 
EXAMPLE    
What if an attacker wants to gather information about the control systems
inside a power station? If they try to scan the power plant's external network,
the attacker may be detected and have the secrecy of their infrastructure
compromised. Alternatively, if the attacker finds a system engineer discussing
sensitive plans online, while the blogging platform might have access records,
the company would not.
A.1.11.b. Sources of open information
When an attacker is about to embark on collecting basic information about an
organization or individual, where might the attacker start? Here are some
common sources to provide you with illustrative examples. There are many
more possible sources and new ones are being discovered all the time.
A.1.11.c. Common sources in detail

Company website
• Although it might seem too obvious, a company's website can be revealing in terms of what information it chooses to make publicly available.
• It can reveal helpful information such as points of contact, external social media profiles, building addresses, and much more.
• Companies might make mistakes with the information they make public, which means information can be placed into the public domain that may be more detailed than the company might like.
• Searches can be augmented with some advanced search features, often referred to as "Google hacking", to find more advanced information and unintentionally revealed files.
• There are also options to retrieve a company's legacy website, such as using the Wayback Machine. This can be a powerful tool for attackers to determine what a website was being used for at certain times.

Media and news
• If someone has already done the hard work, then why repeat the effort? There are very good journalists who are skilled at processing open information.
• While it is unlikely that attackers will find an exact match for what they are looking for, it's likely some articles might provide help for further investigations.
• Other sources of pre-processed or foundational information may include industry analysts, rating agencies, and other assessing bodies.

Social media
• In the era of social media, people are happy to share information and make it widely available.
• Social media information can be pieced together quite effectively to get an accurate perspective about an individual's personal and work life. For example, employees have been known to share photos of ID badges, network diagrams, and even sticky notes with passwords.
• For cyber attackers, even small pieces of information can add credibility to a social engineering attack.
o For example, if an attacker finds out that a target recently attended a conference, then the attacker could open a spear phishing email by saying they found the target's name on the attendee list and want to follow up.

Government or public records
• Many countries around the world keep detailed records of both citizens and companies. These sources of information can be highly valuable for cyber attackers.
o For example, a set of hospital records may identify an individual's place and date of birth and an electoral roll may identify someone's address. The availability of this type of information is a key reason why those facts should never form part of a security process without other safeguards.
• For companies, many stock exchanges require a certain amount of financial information to be made available.
o For example, in the UK companies must provide information to Companies House to operate. All of this information can be of interest to a cyber attacker.
A.1.11.d. Good rules for gathering open information
If you are conducting an investigation using open information, here are a few
simple guidelines to follow. As you become more experienced, you will learn
additional tips and tricks, but this should be a good starting point.
1. Get lots of information: Quantity is valuable
• The more information, the better.
• Analyst tools that look for links between data sets work better with more information.
Keep in mind: You never know what the key piece of information will be, so save everything initially, before refinement.

2. Get a range: Build a picture from many perspectives
• Do not rely on a single source.
• Not everything online is true! As a rule of thumb, a single source is easy to falsify (e.g., a social media profile with lots of flattering photos), whereas falsifying multiple sources consistently is much more difficult to manage.
Keep in mind: If you discover a target has deleted or attempted to conceal information, then this very fact can be of interest.

3. Do not get stuck: Be prepared to fail and do not get frustrated
• While open source intelligence is very powerful, there are many dead ends and there is an element of luck about what a target may choose to share.
• You may need to switch to a different approach or a new area to explore.
Keep in mind: Successful investigations can take teams of trained researchers weeks to complete.
Note: There will be many occasions during an investigation where open
information is not obtainable. Some organizations and individuals will not have
as much public information as others, for instance due to good operational
security.
A.1.11.e. Why is open source intelligence an area of interest for everyone?
We live in a highly connected world where oversharing is a frequent
occurrence. Everyone should be aware that what they share online is virtually
permanent. 
Even small pieces of information can be combined into revealing something of
external interest. This process is called information aggregation. While an
individual’s place of work, commuting information, and typical evening plans
may be innocuous in isolation, together they can be used to map someone’s
life out.
EXAMPLE    
This would be problematic in an organization where say hypothetically 100
employees could each reveal 1% of a sensitive piece of information. If the
disclosures are combined by an external party, then significant breakthroughs
or additional discoveries may be possible to achieve.
For organizations, the OSINT techniques that cyber attackers employ are
important to consider when designing information management policies. The
bottom line is that information leakage is bad for organizations. Organizations
must take action to ensure that as little information as possible is
unintentionally disclosed and made vulnerable for collection. Since having
information publicly accessible is frequently essential, the scope of the
information shared should be logged and understood. 
A.1.11.f. Activity
One of the best ways to get started with open source intelligence is through
trial and error. Try looking yourself up online! What open source intelligence
could someone find out about you?
• Spend a few minutes now to open new internet browser windows to access Google, social media sites, and so on to run a few searches on your name.
o If possible, use a fresh web browser with no cookies or history to avoid being steered back to sites based on your previous activity. This can be done using new, private or incognito internet browser windows.
• Could someone find your address, place of work, or other personal information? How private is your social media?
• Once you've done this, you could try asking a friend or family member to repeat the process to see what they find that you did not, and what approaches they took.
What can you conclude? There is no need to overshare. It is important for you
to be aware. 

A.1.12. Technical scanning


Technical scanning techniques are an essential part of network administration
and for network analysis at organizations. Here, we will turn our attention to
how attackers collect information about computers and networks. While
investigating a target machine on a network, an attacker may want to learn
more information about the technical configuration. This could include details
such as:
• What services are running on the machine?
• What operating system is in use?
• Are any of the services vulnerable to well known exploits?
In this lesson, you will be introduced to technical scanning techniques and
what attackers use them for. We will focus on how scanning can be used by a
malicious outsider during the reconnaissance stage of an attack.
A.1.12.a. Ping test
What is it?
In a ping test, a scanning machine sends an Internet Control Message
Protocol (ICMP) packet to the target machine’s Internet Protocol address (IP
address). This outbound packet is called an echo request packet. A packet is
a small amount of formatted data, analogous to the digital version of a
postcard. If the target machine replies with an echo reply packet, then the
scanning machine knows the target machine is most likely active and switched
on.
This diagram shows a phone "pinging" two IP addresses on its local network
and waiting for a response.

What information does it provide?


This is a basic test. It is commonly used by organizations to debug networking
issues. It identifies the status of a machine. It also provides an indication of
how "far" into a network the machine is located by using a property known as
a packet's "time to live" (TTL). Every router which forwards the packet
onwards decreases the time to live by one.
EXAMPLE    
If a packet starts with a time to live of 120 and reaches the destination with
108 left, then it passed through 12 routers (hops). This feature is used in the
next scan. A ping test can be started using the command 'ping target_name' on
Windows machines (and on most other operating systems).
A ping test tells attackers and defenders if a machine is responsive and, when
repeated in a sweep, how many devices are on a network.
A.1.12.b. Traceroute 
What is it?
A traceroute between two computers can be calculated by sending out
packets that have either increasing or decreasing "times to live" (TTL). When a
packet is in transit and its "time to live" is decreased to zero, the machine
processing the packet sends back an error message to the source point
indicating the destination was not reached. 
This diagram shows a device mapping out its connection between itself and a
destination address. A physical analogy for this process is skimming a series
of stones on a lake with increasing hops each time.

What information does it provide? 


This behavior can be used to map out a network and determine how many
switches and routers exist between you and your destination.
EXAMPLE   
Imagine a target is 12 hops away. If a packet with a "time to live" of 11 is sent
towards the target, it will fail at the final routing step. An error message packet
will be returned to the scanner, but in doing so, it will reveal the IP address of
the router 11 steps away. As the "time to live" is reduced down to one over a
few new tests, a complete list of the network nodes between the scanner and
the target can be produced. 
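The TTL arithmetic from the ping example and the probing sequence just described, written out as an added example rather than course code. It goes slightly beyond the text: when the initial TTL of a reply is unknown, it guesses the nearest common operating-system default (64, 128 or 255). The router addresses, the target and the COMMON_INITIAL_TTLS table are constructed for the example, and the routers are simulated in memory, so nothing is sent on a real network.

```python
"""TTL arithmetic and a model of traceroute (added example, not course code).

The path below is constructed from documentation address ranges; the initial
TTL table reflects common operating-system defaults.
"""

# Typical initial TTL values: 64 (Linux, macOS), 128 (Windows), 255 (many routers).
COMMON_INITIAL_TTLS = (64, 128, 255)

CONSTRUCTED_PATH = ["10.0.0.1", "192.0.2.1", "198.51.100.7", "203.0.113.9"]
CONSTRUCTED_TARGET = "203.0.113.42"


def hops_traversed(initial_ttl, observed_ttl):
    """Each forwarding router decrements the TTL by one, so the difference is the hop count."""
    if not 0 <= observed_ttl <= initial_ttl:
        raise ValueError("observed TTL must lie between 0 and the initial TTL")
    return initial_ttl - observed_ttl


def estimate_hops_from_reply(observed_ttl):
    """With the sender's initial TTL unknown, assume the smallest common default that
    is still >= the observed value (a reply carrying TTL 52 most likely started at 64)."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL cannot exceed 255")


def simulate_probe(ttl, path=CONSTRUCTED_PATH, target=CONSTRUCTED_TARGET):
    """Model one probe: every router decrements the TTL; the router that takes it to
    zero answers with an ICMP 'time exceeded', otherwise the target itself replies."""
    for router in path:
        ttl -= 1
        if ttl == 0:
            return ("time-exceeded", router)
    return ("echo-reply", target)


def traceroute(path=CONSTRUCTED_PATH, target=CONSTRUCTED_TARGET, max_hops=30):
    """Send probes with TTL 1, 2, 3, ... and record who answered each one."""
    route = []
    for ttl in range(1, max_hops + 1):
        kind, responder = simulate_probe(ttl, path, target)
        route.append(responder)
        if kind == "echo-reply":
            break
    return route


if __name__ == "__main__":
    print(hops_traversed(120, 108))      # the course's example: 12 hops
    print(estimate_hops_from_reply(52))  # 64 - 52 = 12
    for n, addr in enumerate(traceroute(), 1):
        print("hop %2d  %s" % (n, addr))
```

A real traceroute sends three probes per TTL and times out on routers that are configured not to send ICMP errors; from the defender's side, the same silence is why some organizations rate-limit or drop "time exceeded" replies at their border, at the cost of making their own network harder to debug.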
A.1.12.c. Port scanning
What is it? 
In networking, applications make themselves accessible externally through
advertising services on digital ports. You can imagine this as floors of a
building. The IP address would set the building and each of the floors would
be a different port number. 
Most port scanning is based around the idea of attempting to open a
connection with a certain number of ports on the target machine. Should the
port start accepting a connection, the finding is noted by the scanning device
and the connection is rejected. A port that accepts a connection is defined as
being "open".
This diagram shows a machine scanning a server by systemically testing ports
to see if a service is available on each one. After four attempts, the scanner
has identified four ports that are rejecting connections and would be defined
as "closed" ports.

What information does it provide?


By working through the list of "well known" ports on a target device, a scanner
can often work out what the machine is being used for. Within the
Transmission Control Protocol (TCP), there are 65,536 ports in total (numbered
0 to 65,535), of which the first 1,024 (0 to 1,023) are "well known" ports. A
"well known" or "system" port has a specific application associated with it
that is agreed upon internationally. A common scanner, such as Network Mapper
(Nmap), typically scans the 1,000 most commonly used ports for a given protocol.
These include some "well known" ports together with higher numbered
"registered" (user) ports (1,024 to 49,151).
EXAMPLE  
TCP port 80 is typically set aside for HTTP applications, that is, web servers.
The fact that it is "open" on a target machine may be of interest to an
investigator, since it shows a web-based application may be in use.
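From the defender's side, the pattern just described, one source touching many ports on one host in quick succession, is what a port scan looks like in firewall logs. The following added example (not from the course) flags it with a sliding time window over constructed log lines; the log format, the thresholds and the addresses are assumptions of the example and would be adapted to a real firewall's output.

```python
"""Port-scan detection over firewall log lines (added example, not course code).

The log format and every line in CONSTRUCTED_LOG are made up for the example;
change LOG_RE to match the firewall you actually run.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

# Constructed: 198.51.100.5 walks through eight ports in eight seconds, 10.0.0.15 is an
# ordinary client reusing port 443, and 192.0.2.8 touches two ports half a minute apart.
CONSTRUCTED_LOG = """\
2024-05-01T10:00:00Z src=198.51.100.5 dst=10.0.0.20 dport=21 action=DROP
2024-05-01T10:00:01Z src=198.51.100.5 dst=10.0.0.20 dport=22 action=DROP
2024-05-01T10:00:01Z src=10.0.0.15 dst=10.0.0.20 dport=443 action=ACCEPT
2024-05-01T10:00:02Z src=198.51.100.5 dst=10.0.0.20 dport=23 action=DROP
2024-05-01T10:00:03Z src=198.51.100.5 dst=10.0.0.20 dport=25 action=DROP
2024-05-01T10:00:04Z src=198.51.100.5 dst=10.0.0.20 dport=80 action=ACCEPT
2024-05-01T10:00:05Z src=198.51.100.5 dst=10.0.0.20 dport=110 action=DROP
2024-05-01T10:00:06Z src=198.51.100.5 dst=10.0.0.20 dport=143 action=DROP
2024-05-01T10:00:07Z src=198.51.100.5 dst=10.0.0.20 dport=443 action=ACCEPT
2024-05-01T10:00:20Z src=10.0.0.15 dst=10.0.0.20 dport=443 action=ACCEPT
2024-05-01T10:00:31Z src=192.0.2.8 dst=10.0.0.20 dport=22 action=ACCEPT
2024-05-01T10:00:40Z src=10.0.0.15 dst=10.0.0.20 dport=443 action=ACCEPT
2024-05-01T10:01:05Z src=192.0.2.8 dst=10.0.0.20 dport=80 action=ACCEPT
""".splitlines()


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_port_scanners(lines, window_seconds=10, min_ports=5):
    """Flag sources that touch at least `min_ports` distinct ports on one destination
    within any `window_seconds` window. Returns {source: peak distinct ports seen}."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, port = parsed
            events[(src, dst)].append((ts, port))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for (src, dst), evs in events.items():
        evs.sort()
        recent = deque()        # events inside the current window, oldest first
        in_window = Counter()   # distinct ports inside the window, with counts
        for ts, port in evs:
            recent.append((ts, port))
            in_window[port] += 1
            while ts - recent[0][0] > window:   # slide the window forward
                _, old_port = recent.popleft()
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
            if len(in_window) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    print(find_port_scanners(CONSTRUCTED_LOG))   # {'198.51.100.5': 8}
```

Counting distinct ports rather than raw packets keeps a busy but legitimate client off the list, and the window keeps a slow scan spread over hours from hiding among normal traffic only if you also run a second, longer window; your own authorised scanners should be allowlisted so they do not flood the alert queue.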
A.1.12.d. Network vulnerability scanning
What is it? 
Another form of testing is vulnerability scanning. There are two main methods:
1. Certain actions are done to exploit the vulnerability, to determine if it
exists on the target system. This is often known as dynamic scanning if
done in real time.
2. The version numbers of software (e.g., a version of Apache or MySQL)
are compared against a database containing known application
vulnerability information.
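The second method, comparing version numbers against an advisory database, as an added example that is not course material. The advisory IDs, the affected version ranges and the banners are all constructed placeholders; the point is the parsing and range comparison, not the data.

```python
"""Version-based vulnerability matching (added example, not course code).

Both the advisory database and the inventory are constructed: the IDs are
placeholders and the affected ranges are invented for the example.
"""
import re

CONSTRUCTED_ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "product": "apache", "affected_from": "2.4.0", "fixed_in": "2.4.60"},
    {"id": "EXAMPLE-ADV-002", "product": "mysql", "affected_from": "5.7.0", "fixed_in": "5.7.40"},
]

CONSTRUCTED_INVENTORY = [
    {"host": "web-01", "product": "apache", "banner": "Apache/2.4.41 (Ubuntu)"},
    {"host": "web-02", "product": "apache", "banner": "Apache/2.4.62 (Unix)"},
    {"host": "db-01", "product": "mysql", "banner": "5.7.33-log"},
    {"host": "db-02", "product": "mysql", "banner": "8.0.36"},
    {"host": "app-01", "product": "apache", "banner": "Apache"},  # version hidden
]


def parse_version(text):
    """First dotted version in a banner: 'Apache/2.4.41 (Ubuntu)' -> (2, 4, 41); None if absent."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def version_key(v, width=4):
    """Pad to a fixed width so (2, 4) and (2, 4, 0) compare as equal."""
    return v + (0,) * (width - len(v))


def affected(version, advisory):
    """True when affected_from <= version < fixed_in."""
    lo = version_key(parse_version(advisory["affected_from"]))
    hi = version_key(parse_version(advisory["fixed_in"]))
    return lo <= version_key(version) < hi


def match_advisories(inventory, advisories):
    """(host, advisory id) pairs, in inventory order, for every version-range match."""
    findings = []
    for item in inventory:
        version = parse_version(item["banner"])
        if version is None:
            continue  # reported separately by unversioned_hosts()
        for adv in advisories:
            if adv["product"] == item["product"] and affected(version, adv):
                findings.append((item["host"], adv["id"]))
    return findings


def unversioned_hosts(inventory):
    """Hosts whose banner gives no version: not a clean bill of health, just unknown."""
    return [item["host"] for item in inventory if parse_version(item["banner"]) is None]


if __name__ == "__main__":
    print(match_advisories(CONSTRUCTED_INVENTORY, CONSTRUCTED_ADVISORIES))
    print("no version:", unversioned_hosts(CONSTRUCTED_INVENTORY))
```

Two caveats a practitioner would add: distributions often backport fixes without changing the upstream version, so a version match is a candidate finding to confirm rather than a proven vulnerability, and a hidden version is a gap in your inventory, not a pass.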
A.1.12.e. Important Note
Please be aware that dynamic scanning may automatically perform actions
which are illegal in certain countries. You should only scan targets for which
you have the owner’s consent. A network vulnerability scan will often be
interpreted as the planning stage of an attack.

What information does it provide? 


Network vulnerability scanning is a powerful tool for both organizations to
identify vulnerabilities in their own network and for attackers to find potential
victims. Certain organizations periodically run such scans to identify mistakes
which have been introduced in order to remediate them.
EXAMPLE   
A scanner may attempt to connect to a server and check if it is running an
outdated version of an application. If the application is out-of-date with a
known vulnerability, then the scanner may attempt to exploit the vulnerability
to confirm its existence and report this finding.
A.1.12.f. Search engine for the internet
Another tool for technical scanning is the Shodan search engine. It describes
itself as the world's first search engine for internet-connected devices. It is of
interest to malicious attackers and security researchers alike. It offers a vast
catalogue of collected scan results spanning billions of records. These stored
records can be used to track applications at scale around the world.
A.1.12.g. CHECK THIS OUT!
If you are interested in researching and spending more time on the topic of
scanning, you can explore a popular port scanning tool called Network Mapper
(Nmap). It is a free and open-source network scanner. You can start exploring
the Intro, Reference Guide, or other online materials.
• Go to Nmap

A.1.13. Case studies


Cyber attacks are in the news on a daily basis, impacting individuals and
organizations, whether in the public or private sector. In this lesson, we will
review three high profile case studies of cyber attacks so you can understand
the extent of what is possible and going on in the world. Each case study
focuses on a different type of threat actor. These three case studies are part of
an ever-growing catalogue of security breaches in the international landscape.
As a participant within the security community, it is important to learn from
examples to guide future decision making.
A.1.13.a. Stuxnet
Introducing cyber weapons
When Stuxnet was identified in 2010, it was one of the most advanced and targeted malware collections
observed within the security community. Stuxnet was designed to target a specific industrial control system
and modify key settings. It is widely accepted that the malware was designed to target centrifuges used
within Iranian uranium processing, which is a precursor for nuclear bomb production.

Entities related to this attack


Source: StuxNet : A malware that gave the 4th dimension to war, Medium by Shayan Anwar, July 2019
Here are a few considerations that made this attack particularly interesting.
• Stuxnet used four previously unidentified vulnerabilities, a pair of compromised digital certificates and concealed itself at a very low level within computing systems. Technically speaking, it was considerably more advanced than any previous malware.
• The malware was spread through infected USB drives. A common mistake within cybersecurity is to assume that if a system is not connected to the wider internet, an adversary could not introduce malware into the local network.
• The authors of the malware were persistent. Their targeted campaign went on for months as they kept tweaking and upgrading the tools they were using.
In many respects, Stuxnet was the definitive example of a cyber weapon being deployed to achieve a
tangible military and political objective. It has set the international expectations for future cyber weapons.
 
 
A.1.13.b. Equifax
Preventable large-scale data breach exposes hundreds of millions of people
In 2017, the US credit rating agency, Equifax, was hacked. After the organization failed to apply a
security patch to a database, a group of hackers were able to gain access to Equifax’s network. Within the
network was a set of administrative credentials stored without encryption or basic access controls. Once
the attackers had the administrative credentials, they could control most systems and did so undetected for
months. According to the US Federal Trade Commission, the attackers stole at least 147 million names
and dates of birth, 145.5 million Social Security numbers, and 209,000 payment card numbers and
expiration dates. [1]

This case study was made notable both by the impact and scale of the data breach and by the basic mistakes
made within the organization which made it possible. Due to the scale of the breach, it brought the idea of
data breaches to the attention of the US public.
[1] Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data
Breach, Federal Trade Commission, Press Release, July 2019
 
 
A.1.13.c. National Security Agency
An insider leaks highly sensitive, damaging information
In 2013, a National Security Agency (NSA) subcontractor named Edward Snowden released a significant
amount of classified information. He was able to access the information because of his job role, and with
few technical tools and techniques. 
Once the files were made public, the impact on the US and its international allies was considerable. The
leaked files included technical capability overviews, guidance on operations, and other highly sensitive
material. Several business arrangements between the NSA and US companies were brought under a high
degree of scrutiny as a result.

This is a well known example of a malicious insider. While a public figure for the cost of the damages has
not been made available, the general understanding was the data breach was the most damaging set of
leaks the US had ever suffered.

B. Cybersecurity: On the Defense

B.1.1. Financial impacts


B.1.1.a. Module overview

You have learned about the basics of cybersecurity and the various types of
threats an organization may face. This module focuses on the "defensive" side
of cybersecurity, meaning organizations and their techniques and tools. How
do they detect, protect against, and respond to attacks? You will learn about
these topics:
• Financial impacts of cyber crime to organizations
• Security maturity
• A security strategy approach that organizations can use to defend against cyber attacks using the 10 Steps to Security by the National Cyber Security Centre
• Common approaches organizations take to:
o Prevent cyber attacks
o Detect cyber attacks
o Respond to and recover from cyber attacks
• Key properties for secure communications
• Symmetric and asymmetric cryptography
• Threat intelligence sources and benefits for organizations
B.1.1.b. Cost of data breaches
First, let's learn about how detrimental cyber attacks can be to organizations
and get a better idea about what the cost can be. The cost of cyber crime to
organizations can be both hard to predict in advance and very damaging.
The annual Cost of a Data Breach Report, conducted by the Ponemon
Institute and sponsored by IBM Security, analyzes data breach costs reported
by 507 organizations across 16 geographies and 17 industries. According to
the 2019 report, the average global total cost of a data breach is $3.92M,
with a value for the US being much higher at $8.19M. The US value has
increased significantly since 2006, from $3.54M. These and more key facts
about the average costs of data breaches are depicted in this diagram. The
amounts are in US dollars.

Source: Cost of a Data Breach Report: 2020, IBM Security, study conducted by the Ponemon Institute
Data breaches can cause devastating financial losses and affect an
organization’s reputation for years. The biggest contributor to these costs was
lost business. This is something which can linger for years after an attack. In
addition, there are regulatory fines and remediation costs that may impact an
organization. 
EXAMPLE
In Europe, the recent introduction of the General Data Protection Regulation
(GDPR) has raised the stakes significantly for organizations. The upper limit
for fines for negligent organizations is considerably higher than under previous
laws. In July 2019, the United Kingdom's Information Commissioner's Office
proposed a fine of £183.39M (approximately USD $240M) against British Airways
for a data breach in 2018. This is the largest proposed fine to date and sets a
benchmark for future incidents.
These rising costs from direct impacts and fines act as a key driver for the
cybersecurity industry. Over the next few years as other parts of the world
adopt similarly tough data standards to Europe, it is likely the number of high
profile cases will increase significantly.
B.1.1.c. Facing the challenge of rising attacks
Hiscox is a global specialist insurer. The Hiscox Cyber Readiness Report
2020™ gauges how prepared businesses are to combat cyber attacks. The
annual report surveyed nearly 5,400 professionals from public and private
sectors in the US, UK, Germany, Belgium, France, Spain and the Netherlands
who are responsible for their company's cybersecurity. It found that the cost
and frequency of attacks is on the rise. In fact, 61% of firms experienced a
cyber attack in the past year, compared to 45% in 2018. 
While cyber attacks reach a new intensity, organizations are not ready to meet
the challenges. The Hiscox Cyber Readiness Report 2020™ also found that:
• Only 10% of responding organizations were categorized as "experts" in terms of cyber readiness
• Nearly 74% are described as unprepared "novices", according to the Hiscox cyber readiness model
You can see cyber attacks are an unavoidable cost of doing business today.
Organizations have some way to go before they are cyber ready and they
need to develop security strategies. 
A good metaphor for a cyber attack is that of a pollutant in the environment.
The accumulation of attacks is something everyone must deal with, they
cannot be ignored forever, and the problem gets worse with inaction.

A.1.1. Security strategy


To combat cyber attacks and protect themselves, organizations must outline
and implement a security strategy. It is two sides of the same coin: How can
the organization mitigate threats as well as increase preparedness for a
breach? In this lesson, we'll explore security maturity, ten steps to consider
implementing for an organization's security strategy, and additional
considerations.
B.1.1.d. The journey of security maturity
Like individuals, organizations change over time. This is reflected within
cybersecurity as a level of maturity or experience. It is important for an
organization to consider where it is today and where it wants to strategically
be in the future in terms of its journey of security maturity. 
Certain organizations may not have focused on cybersecurity and may be
immature from a system perspective. Then, there are mature organizations
that are typically more "battle hardened" because they have had cybersecurity
as a priority for a longer period. 
The following table provides examples to help understand how mature an
organization's security might be across a few metrics.
Area: Processes
  Sign of less maturity: Processes may be ad hoc or not formally documented.
  Sign of more maturity: Processes are documented, reviewed, measured, and tested.

Area: Leadership
  Sign of less maturity: No or few cybersecurity roles are formally set up. Employees may have cybersecurity as a secondary consideration alongside their core role. Little formal leadership exists.
  Sign of more maturity: Clear job descriptions and top-down leadership support the cybersecurity strategy.

Area: Tools
  Sign of less maturity: Little investment in tooling exists. Some cybersecurity tools may be used if they are free or bundled within other software packages.
  Sign of more maturity: Cybersecurity tools are procured alongside other software and are part of a structured budget.

Area: Culture
  Sign of less maturity: Few people think about cybersecurity.
  Sign of more maturity: Cybersecurity is a key part of the organization's culture.

Note: Rather than an obvious yes or no, it is important to highlight that
cybersecurity maturity is a scale. An organization may show development in
one area while not being mature in another area.
B.1.1.e. CHECK THIS OUT!
If you would like to learn more, here is additional information about five
security maturity levels offered and described by NIST's Program Review for
Information Security Assistance, or PRISMA.
• Security Maturity Levels - Program Review for Information Security Assistance (PRISMA)

B.1.1.f. Starting point for organizations


It can be difficult for organizations to decide where to start with cybersecurity
and where to best focus their available resources, such as employees, capital,
and time. One approach is to consider following the 10 Steps to Cybersecurity
offered by the UK's National Cyber Security Centre. Understanding the cyber
environment and adopting an approach aligned to the 10 steps can be an
effective means to help organizations structure defenses against attacks.
An effective approach to cybersecurity starts with establishing an effective risk
management regime. This is displayed in the center of the following diagram.
This first step and the nine other steps that surround it are described below.
We will go over a couple of relevant steps in more detail in this module,
focusing on monitoring and incident management.
Take a couple of minutes to review the 10 steps in the diagram so you have an
overview.
• Download the infographic
• Access an executive summary that describes each step to learn more

B.1.1.g. Marketplace for the security industry


Another consideration for organizations starting out with a cybersecurity
strategy is that they rarely need to start from scratch or work in isolation to
achieve their objectives. Much has been created and developed already!
There is a vast marketplace in the industry for security products and services.
Most large organizations have products from various cybersecurity vendors.
For example, they may have a data loss prevention system on a database to
prevent theft of information produced by one vendor and a firewall produced
by another. These many and varied companies each contribute to a vibrant
ecosystem supported by a range of standard authorities, charities, and
government entities.

A.1.1. Protect against attacks


An organization's first area of interest within cybersecurity is to prevent a
successful attack from occurring. In this lesson, we will go over how this can
be achieved in practice and some common approaches that organizations
take. 
B.1.1.h. What is the goal?
Perfect security in the real world, defined as a state where an attack is
impossible to complete, is sadly impractical to achieve. While small or simple
computer programs can be mathematically proven correct, any realistic
interconnected system is far too complex for that. Instead, the emphasis is
placed upon making cyber attacks frustratingly difficult and expensive. If a
defender knows it costs USD $100,000 worth of resources to compromise a system
which is only worth USD $80,000 to an attacker, then the attack is unlikely to
be attempted and the defense may "work" despite its imperfections.
The goal in cybersecurity is to reduce operational risk to an acceptable
level by introducing the correct mixture of people, processes, and
technologies. 
With the goal in mind, let’s examine some overall strategies for how
organizations can prevent cyber attacks. 
B.1.1.i. Examine the perimeter
One of the first concepts to consider is that of an attack surface. Within
cybersecurity, this term means the sum total of an organization’s infrastructure
and software environment that is exposed and that an attacker could choose to
attack. Protecting the attack surface was a lot less complicated when
organizations had a defined "perimeter" that neatly separated their assets from
the outside world. Now, keeping the attack surface as small as possible is a
basic security measure. This can be done by limiting which services are
externally accessible, what devices can be connected, and so on.
EXAMPLE
Let's say that an organization has a payment record system. It wants
employees to be able to access it from a small number of office locations. It is
a good security strategy to restrict access to a set number of access points
that are required. Any external traffic, such as that from the wider internet, can
then be ignored at the perimeter. This simple rule dramatically shrinks the
options available to attackers. Rather than having billions of internet protocol (IP)
addresses from which to launch an attack, an attacker may be forced to
compromise one trusted device and then use that to carry out further attacks.
This increases the challenge for the attacker.
Over the last few years, organizations have become more complex with
remote access methods, guest wifi, bring your own device (BYOD) policies,
and so on. Having a secure perimeter is difficult to achieve. At a minimum,
organizations must be aware of and monitor their perimeter as part of a larger,
comprehensive cybersecurity strategy.
B.1.1.j. Network segregation
An important approach when designing a more secure system is using
a demilitarized zone (DMZ). This term is copied from the military. Within
networking, it is used to refer to a middle ground area on the network which is
partly controlled and managed. Servers in the DMZ may be used by both
internal and external applications.
The architecture is often set up so that an external party can access data in
the DMZ, but not the sensitive network area. For example, an external
customer may be able to place orders for a digital payment system or access
email, but not the sensitive company information.
Should one area of an organization's network become impacted during an
attack, then the attack does not immediately spread to other more sensitive
systems. An attacker who compromises a server in the DMZ would need a
second successful attack to move further into the organization.
This diagram shows that a legitimate external user could access the teal
green servers and applications, but not the more sensitive blue servers and
applications.

B.1.1.k. Least privilege


It is important for organizations to decide the levels of permission for
applications and individuals within an organization. When doing this, a key
element is to introduce the concept of least privilege. This means that the
fewest permissions are granted to enable a role to be completed. 
EXAMPLE    
An organization sets up its human resources (HR) database so that managers
have read-only access to data for the job roles that they manage. If a
particular manager's credentials are stolen by an attacker, then the attacker
can only compromise the confidentiality of those specific records. The attacker
cannot modify them since they are read-only. They also cannot access
applications for other areas of the business. 
By introducing this control, the organization has reduced the consequences of
a successful attack when compared to a less restricted system. In terms of
risk, we are reducing the consequence in this example. You may also hear the
military term of a "blast radius" being applied in this context, in which the
radius indicates the area of effect from an attack. Reducing permissions is a
good way to limit the "blast radius".
B.1.1.l. Patch and vulnerability management
Patch management is the process of updating software, and vulnerability
management is the process of identifying flaws within software. Over time,
older software may have vulnerabilities discovered. Organizations running on
outdated software are vulnerable to older exploits. Also, new versions of
software can introduce new vulnerabilities. In general, updating software and
applications to be the latest version significantly reduces the risk of them being
successfully attacked.
When software reaches the end of its life and is no longer supported,
managing it becomes a significant issue for security employees. Should a
vulnerability be discovered, the software vendor may not issue a remediating
patch.
To assess what software is vulnerable to a specific attack, an organization
may use a vulnerability scanner. This is a piece of software that assesses if
there are any vulnerabilities within a server or application. Vulnerability
scanners can be network-based to examine vulnerabilities by active testing or
they can instead scan static source code for possible errors. Both scanners
produce valuable information for identifying flaws before an attacker does.
Linked to the idea of vulnerability management is that of compensating
controls. If a vulnerability is identified for which a patch is not available, then
there may be a temporary solution. This could include an application reverting
to a previous version or disabling a feature.
B.1.1.m. Defense in depth
A final key consideration for defense is for organizations to use a layered
approach. The term defense in depth was originally taken from the military to
refer to the idea of not using a single form of defense and
instead layering them. Within IT, this means an organization may apply
network defenses such as firewalls, device defenses such as malware
scanners, and place controls around key data by using encryption.
For a successful attack to occur, all layers within the defense would have to be
compromised or circumvented, which is quite challenging.
This diagram shows the layering concept for defense in depth.

DETECT ATTACKS

Should an organization’s defenses fail to successfully prevent a cyber attack,
an organization's next priority is to detect the cyber attack. This is ideally done
while the attack is in progress or in the best situation, when the breach has yet
to occur at all. In this lesson, we'll examine the fundamentals behind attack
detection.
A.1.1.a. Logging
The most important thing for an organization to establish for detecting attacks
is a form of logging. Logging is the process where actions are accurately
recorded in a secure location. Log records should be tamper-proof and act as
a permanent record of what has occurred within a network. This logging
process can be done on individual machines or applications.
While a single log entry may not be highly valuable in isolation, an
organization can use a larger collection to track the activities of both legitimate
users and attackers.
EXAMPLE
This is an example of a log format used by the Apache web servers:
    9.12.156.2 - bob [11/Jan/2020:14:16:34 -0700] "GET /index.html HTTP/1.0" 200 4066
You can see that this log entry describes a user named "bob" who is
accessing a specific webpage with the status and time noted.
B.1.1.n. Network monitoring
In addition to recording events happening on servers, organizations can also
monitor communications across their network. This approach is known
as traffic analysis. Traffic analysis can be used to identify what is being done
on a network even in a passive fashion while encryption is being used.
Certain types of malicious software that pivot from device to device can often
give themselves away to a good network monitoring solution by being too
obvious.
EXAMPLE
 If a device is being used to stream video, then it will have a high
bandwidth consumption over an extended period. 
 By comparison, if a device is downloading a large file, a high demand
peak would be seen and then little or nothing after that point.
B.1.1.o. Security information and event management (SIEM) tools
With all of the information being collected, correlation becomes both highly
challenging and rewarding for organizations. A security information
and event management (SIEM) product collects all of the information
throughout the organization's technology infrastructures and aggregates it so
the cybersecurity team can identify events and patterns of potential attacks, as
well as analyze them.
This is a screenshot of a SIEM service called IBM QRadar on Cloud. It is
network security intelligence and analytics software used to monitor threats and
insider attacks.
EXAMPLE   
A cybersecurity team using a SIEM product could decide they want to detect a
brute force login attempt for a specific account. They may set a threshold of
five failed logins per minute. Should an attacker attempt to compromise an
account of the system by working through millions of username or password
combinations, the attacker will exceed the threshold and trigger an alert in
SIEM, which notifies the cybersecurity team. 
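As an added illustration that is not part of the course material, the following Python parses log lines in the Apache format shown in the Logging example and applies the SIEM-style threshold from this example: an alert is raised when one account exceeds five failed logins within a one-minute window. The log lines are constructed for the example, and the convention that a failed login appears as a POST to /login answered with status 401 is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache Common Log Format, the same shape as the page's example line:
# host ident user [time] "method path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Constructed sample log: bob's line is the page's example; carol returns from
# holiday and fails three times before succeeding (below threshold); alice's
# account is hammered from one address, six failures inside 50 seconds.
SAMPLE_LOG = """\
9.12.156.2 - bob [11/Jan/2020:14:16:34 -0700] "GET /index.html HTTP/1.0" 200 4066
10.0.0.7 - carol [11/Jan/2020:14:20:01 -0700] "POST /login HTTP/1.1" 401 512
10.0.0.7 - carol [11/Jan/2020:14:20:15 -0700] "POST /login HTTP/1.1" 401 512
10.0.0.7 - carol [11/Jan/2020:14:20:40 -0700] "POST /login HTTP/1.1" 401 512
10.0.0.7 - carol [11/Jan/2020:14:21:05 -0700] "POST /login HTTP/1.1" 200 1024
203.0.113.9 - alice [11/Jan/2020:14:10:00 -0700] "POST /login HTTP/1.1" 401 512
203.0.113.9 - alice [11/Jan/2020:14:30:00 -0700] "POST /login HTTP/1.1" 401 512
203.0.113.9 - alice [11/Jan/2020:14:30:10 -0700] "POST /login HTTP/1.1" 401 512
203.0.113.9 - alice [11/Jan/2020:14:30:20 -0700] "POST /login HTTP/1.1" 401 512
203.0.113.9 - alice [11/Jan/2020:14:30:30 -0700] "POST /login HTTP/1.1" 401 512
203.0.113.9 - alice [11/Jan/2020:14:30:40 -0700] "POST /login HTTP/1.1" 401 512
203.0.113.9 - alice [11/Jan/2020:14:30:50 -0700] "POST /login HTTP/1.1" 401 512
"""


def parse_clf(line):
    """Parse one Common Log Format line into a dict, or None if it does not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    return entry


def is_failed_login(entry):
    # Assumed convention for this example: the login endpoint answers 401 on bad credentials.
    return entry["method"] == "POST" and entry["path"] == "/login" and entry["status"] == 401


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per account whose failed logins exceed `threshold`
    within any interval of length `window` (sliding window over time-sorted events)."""
    entries = [e for e in map(parse_clf, lines) if e is not None]
    entries.sort(key=lambda e: e["time"])  # log order is not guaranteed to be chronological
    recent = defaultdict(deque)  # user -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for e in entries:
        if not is_failed_login(e):
            continue
        q = recent[e["user"]]
        q.append(e["time"])
        while q and e["time"] - q[0] > window:  # evict failures older than the window
            q.popleft()
        if len(q) > threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"user": e["user"], "time": e["time"],
                           "failures": len(q), "source": e["host"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['time']:%H:%M:%S} account={alert['user']} "
              f"failures={alert['failures']} source={alert['source']}")
```

Lowering `threshold` shows the trade-off discussed under false alarms: at a threshold of two, carol's forgotten password also raises an alert.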
B.1.1.p. Security operations center (SOC)
Often, the group responsible for looking after the security of an organization is
a part of the security operations center (SOC). One of the key objectives of
the SOC is to detect attacks in progress using SIEMs and other monitoring
tools. 
Security analysts make up the team of people responsible for assessing an
organization’s security in the SOC. Should an attack or potential attack be
observed, the security analysts will decide how to respond to the situation
following organizational procedures.
This photograph shows the Microsoft Cyber Defense Operations Center. It
operates 24×7 to defend against cyber threats.

Source: Microsoft’s Cyber Defense Operations Center shares best practices,
Microsoft Secure Blog Staff, January 2017
B.1.1.q. False alarms
One of the fine balancing acts within a SOC is adjusting the sensitivity of
certain thresholds. There are several occasions where an alert may trigger
when the action is legitimate. This is called a false positive, in which an event
is recorded as being malicious when it was not.
Confirming if an alert is a false positive is the responsibility of a security
analyst. Should an alert trigger too many false positives, it may be worth
adjusting the thresholds to be higher. 
EXAMPLE
A false positive could be caused after an employee returns to work from her
holiday and she forgets her password. If the employee tries and guesses her
password incorrectly, then her repeated attempts may exceed the threshold
and trigger an alert.

RESPOND TO ATTACKS
Even with the best defenses, it is inevitable that all organizations will need
to respond to a cyber attack at some point. Designing systems to be resilient
through defined processes and preparation is a vital part of security planning.
In this lesson, we’ll introduce the basic concepts of incident response.
B.1.1.r. Introducing incident response
The SANS Institute provides many educational courses, events, and
resources available online. One of the documents they produced is
the Incident Handler’s Handbook by Patrick Kral, which provides a good
framework for incident management. Let's briefly review the six phases that
cybersecurity professionals can use together to respond to an incident. 
1. Preparation
 In this phase, an organization should start planning what it will do in the event of an incident.
 Typical steps may involve preparing resources and testing procedures.
2. Identification
 The first step to respond to an incident is to detect it.
 Once an incident has been confirmed, the process continues to the next phase.
3. Containment
 As soon as an incident is observed, preventing the situation from worsening is the priority.
 Steps may include segregating networks or shutting down access routes or certain systems.
4. Eradication
 Like an illness in the human body, certain malware types or attackers must be completely removed in order to be safe.
 During the eradication step, devices might be wiped or restored to safe states.
 There are countless examples where incomplete eradication results in malware re-emerging, so being thorough is critical.
5. Recovery
 Once the incident is resolved, moving back to standard operation is required.
 This may involve removing temporary fixes or restoring certain services.
6. Reflection
 After the incident, it is important to have an opportunity to reflect on not only what caused the incident, but how effective the response was.
 Commonly this phase may be referred to as the "lessons learned" phase. However, "lessons identified" may be a better title if changes are not made!
You can see this incident framework provides a good baseline to build upon.
Certain forms of attack or incidents might require the expansion of certain
stages. For example, a data breach event from a lost storage device might not
have many eradication steps, but the recovery process might be longer with a
higher number of stakeholders engaged.
B.1.1.s. Preparing for incidents
As part of standard business activities, many organizations will go through
several simulated activities to test their level of preparation. This table explains
three types of such tests. 
Paper-based tests: In this test, security teams are surveyed and asked questions about their level of preparation. This may involve identifying key personnel, ensuring backups are taken, and producing process documents upon request.

Table-top exercises: This is a more involved test format. In this test, various key personnel are brought together, and the incident response process is simulated end-to-end. This form of testing allows teams to interact with one another and see how the wider scenario would develop.

Live tests: The most realistic form of testing is to perform an exercise within the live systems. Organizations may shut down key systems to test various failures and how their teams respond.
B.1.1.t. Business continuity and disaster recovery
Let's examine two key terms that you need to know about with regards to
incident response.
1. Business continuity is based on an organization’s ability to continue
operating despite an incident. This may involve having backup sites to
take over the delivery of services or a backup technology to take over
should one fail.
2. Disaster recovery is based on an organization’s ability to recover from
a disaster. A cybersecurity disaster could involve all computers in an
organization being wiped or entire databases being deleted. In this
recovery planning process, organizations need to be prepared to start
with virtually nothing.
Both continuity planning and recovery processes have high levels of overlap
with other security functions. While historic concerns were mostly around
natural disasters such as floods, earthquakes, or fire, it has become
increasingly evident that cyber attacks can be equally or more disruptive than
their natural counterparts. While a multinational organization is extremely
unlikely to have all its sites hit by a power cut simultaneously, a cyber attack
that shuts down key global services, such as organizational file shares or
domain management systems, is far more plausible.
B.1.1.u. Benefit of incident response teams
The benefit of incident response teams can be highlighted by the following
analysis from the 2020 Cost of a Data Breach Report conducted by the
Ponemon Institute and sponsored by IBM Security. 

Companies studied that had an incident response team and extensive testing of
their response plans saved over $1.2 million.
An organization’s ability to respond effectively after a data breach was
strengthened by the presence of an incident response (IR) team that follows an
incident response plan. In this year’s research, we found that organizations with
an incident response team amplified their cost-savings by also conducting
extensive testing of their IR plan, such that the combined effect of the IR team and
IR plan testing produced a greater cost savings than any single security process.
Those organizations who conducted extensive testing of an IR plan had an
average total cost of a breach that was $1.23 million less than those that neither
had an incident response team nor tested their incident response plan ($3.51
million vs. $4.74 million). Testing the incident response plan, through exercises
such as tabletop exercises or simulations of the plan in an environment such as a
cyber range, helped teams respond faster and potentially contain the breach
sooner.

INTRODUCING CRYPTOGRAPHY
In this lesson, we will introduce the mathematical field of cryptography.
Cryptography is fundamental to vital concepts within information security and
something all cyber security professionals should have an understanding of to
be successful.
Cryptography is defined as the art of writing and solving codes.
At the start of this course, we shared that keeping information confidential is
one of the key objectives of information security. Keeping and sharing secrets
have been challenges that have existed for thousands of years. While
methods for achieving this have changed significantly across the years, the
objectives have remained broadly the same.
A.1.1.a. Defining secure communications
Imagine a situation with three participants: Alice, Bob, and Eve. These three
characters have been used for many years in the field of cryptography to
illustrate concepts. Alice and Bob want to communicate securely, and Eve
wants to eavesdrop on the exchange, thus her name, "Eve". 
There are three key properties which must be observed to have reliable
secure communications. 

Property 1: Confidentiality
Alice can send a message to Bob without Eve being able to understand the
contents. This property means that the message is private.

Property 2: Authenticity
Eve cannot send a message to Bob claiming to be Alice. This property relates
to ensuring spoofing or impersonation is impossible. 

Property 3: Integrity
If Eve modifies a message between Alice and Bob, then the receiver will be
able to identify that the message has been modified. It is possible to tamper with
messages without knowing the contents. For instance, people can talk loudly
to disrupt a face-to-face conversation in a language they do not understand.
 
These three properties are achieved through a range of mathematical
algorithms and other techniques. Historically, this could be locked boxes and
wax seals, but for this course, we'll be focusing more on the mathematical
options! 
B.1.1.v. Encryption
Encryption is the process by which a message is converted into something
that cannot be understood, except by those who have a decryption key to
reverse the process. When a message has been converted into an unreadable
state it is said to be encrypted. At a high level, there are two forms of
encryption in use for the world today: symmetric and asymmetric.
Symmetric encryption 
In symmetric encryption, the algorithm for encrypting information uses
the same key as the decryption process. Symmetric encryption is fast and
easy to implement. It relies on both the sender and receiver having access to
the same key, somewhat like a password or "shared secret", to maintain a private
information link.
EXAMPLE
A simple example is a rotation-based cipher in which characters are increased
or decreased by a fixed number of places in the alphabet. The number of
places to move forward and backward acts as the key. If the sender is using a
key of +1, they rotate characters forwards by 1 and the receiver then uses a -1
rotation to receive the original message. In this cipher, the word "HOLIDAY" is
encrypted by +1 shift in the alphabet to be "IPMJEBZ".

Algorithms in use today that follow symmetric models include versions of the
Advanced Encryption Standard (AES). This is likely what your browser is using
to see this page securely! 
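The rotation cipher from the example above, implemented as added code (not from the course) so the round trip can be run: a positive key shifts letters forwards, the receiver applies the negated key, and the shift wraps from Z back to A. The same function handles lowercase letters and leaves punctuation unchanged, which the page's uppercase example does not show.

```python
def rotate(text, key):
    """Shift every ASCII letter `key` places along the alphabet, wrapping at Z/z.
    Non-letters are passed through unchanged and case is preserved."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            # (position + key) mod 26 gives the wrap-around, for positive or negative keys
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext, key):
    """Sender side: rotate forwards by the shared key."""
    return rotate(plaintext, key)


def decrypt(ciphertext, key):
    """Receiver side: the same shared key, applied in the opposite direction.
    This is what makes the scheme symmetric: one secret serves both parties."""
    return rotate(ciphertext, -key)


if __name__ == "__main__":
    # The page's example: "HOLIDAY" with a +1 shift.
    ct = encrypt("HOLIDAY", 1)
    print(ct, decrypt(ct, 1))
    # Only 25 distinct non-trivial keys exist (26 shifts, one of which is the identity),
    # which is why rotation ciphers illustrate the idea but offer no real confidentiality.
```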

Asymmetric encryption
In asymmetric encryption, the key used to encrypt information is different from
the key used to decrypt it. These keys are known as public keys and private
keys. They are generated together as a pair. Once a
public key is generated, you can share it with anyone and everyone. Anyone
who has a copy of the public key can encrypt a message, which only the
holder of the private key can decrypt. 
EXAMPLE   
In this diagram, Alice is the sender and Bob is the receiver. It represents the
transmission process. Alice encrypts a message using Bob's public key. Once
the message is encrypted, it can only be decrypted using Bob's private key.
The encrypted message is sent to Bob. Bob can then decrypt the message
using his private key. It is essential that Bob does not share his private key
with anyone, otherwise they would be able to read all of his incoming
messages.

The main benefit that asymmetric encryption offers is that organizations can
communicate securely with an entity that they have not previously exchanged
a "key" with. In addition, it can provide assurance that a message is being sent
to the right receiver.
EXAMPLE  
One of the benefits of asymmetric cryptography can be illustrated by online
shopping. Customers can buy goods from shops without having to physically
go to the location to create a shared, unique, symmetric key.
If symmetric cryptography was the only option, the agreed symmetric key
would have to be used to encrypt and decrypt all future transactions between
the customer and the shop.
By comparison, using asymmetric cryptography is convenient and saves time
since the in-person meeting is not needed. Without this benefit, it would be
practically impossible to use online shopping in a secure manner. 
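The Alice-to-Bob exchange described in this section, as an added example that is not from the course. The page names no specific algorithm; this block uses textbook RSA with two tiny primes so that the roles of the public and private key are visible in a few lines. It encrypts one byte at a time with no padding, which real deployments never do; the point is the key roles, not a usable cipher.

```python
from math import gcd


def keygen(p, q, e=65537):
    """Textbook RSA key generation from two distinct primes.
    Returns (public_key, private_key) as (n, e) and (n, d). Real keys use
    primes of hundreds of digits; the tiny ones in the demo are for illustration."""
    if p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # private exponent: e * d == 1 (mod phi); Python 3.8+
    return (n, e), (n, d)


def encrypt(message, public_key):
    """Alice's side: needs only Bob's public key (n, e). One integer per byte;
    every byte is below 256, so this works for any n larger than 255."""
    n, e = public_key
    return [pow(b, e, n) for b in message.encode("utf-8")]


def decrypt(ciphertext, private_key):
    """Bob's side: the private exponent d undoes the public exponent e."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext).decode("utf-8")


def alice_to_bob(message, bob_public, bob_private):
    """The exchange from the page: Alice encrypts with Bob's public key, the
    ciphertext travels, Bob decrypts with the private key he never shares."""
    ciphertext = encrypt(message, bob_public)   # Alice, with public information only
    return decrypt(ciphertext, bob_private)     # Bob, with his secret


if __name__ == "__main__":
    bob_public, bob_private = keygen(61, 53, e=17)   # classic small-prime textbook pair
    print("public:", bob_public, "private:", bob_private)
    print(alice_to_bob("HOLIDAY", bob_public, bob_private))
```

Because textbook RSA is deterministic, the same byte always encrypts to the same integer under a given public key; padding schemes such as OAEP exist precisely to remove that property in real systems.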

INTRODUCING THREAT INTELLIGENCE


Historically in military operations, intelligence is often examined as a force
multiplier. It allows a commander to use the resources they have for their
greatest impact.
If you know your enemies and know yourself,
you will not be imperiled in a hundred battles;
if you do not know your enemies but do know yourself,
you will win one and lose one.
— The Art of War by Sun Tzu

In the modern world of cybersecurity, understanding your enemies is the
domain of threat intelligence.
In this lesson, we'll briefly cover how organizations benefit from staying aware
of threat intelligence and sources they commonly use. 
B.1.1.w. What is threat intelligence? 
In a pure form, the UK Ministry of Defence defines intelligence as, “The
directed and co-ordinated acquisition and analysis of information to assess
capabilities, intent and opportunities for exploitation by leaders at all levels.” 
Source: Joint Doctrine Publication (JDP) 2-00: Understanding and intelligence
support to joint operations, 3rd edition, August 2011
Then, cyber threat intelligence is data collected and analyzed by an
organization in order to understand the motives and behavior of cyber
attackers. This is a sub-set of the intelligence landscape that we will explore
further.
Within cybersecurity, intelligence typically focuses on attacker tactics,
techniques, and procedures (TTPs) or other indicators of compromise
(IOCs). What do these terms mean?
 Tactics are the "why" meaning the adversary’s tactical goal or reason
for performing an action. For example, an adversary may want to
increase privileges.
 Techniques are the “how” meaning the ways an adversary achieves a
tactical goal by performing an action. For example, an adversary may
bypass access controls to increase privileges.
 Procedures are the specific implementation the adversary uses for
techniques. For example, an adversary may use a specific tool or
program to increase privileges. 
 Indicators of compromise (IOCs) are signatures related to attacker
activity. For example, certain IP addresses or certain files might be associated
with threat groups. The presence of an IOC may indicate that
an organization has already been compromised, hence the name.
B.1.1.x. Benefits of threat intelligence
Organizations can benefit from threat intelligence across the following broad
areas. 
Providing a warning
 A key benefit of threat intelligence is it allows organizations to prepare for attacks.
 Certain geopolitical or technical developments have the potential to change an organization’s risk profile quite rapidly.
 Having some advance notice enables organizations to better prepare their defenses to stop an attack from occurring at all.

Providing indicators of compromise (IOCs)
 Threat intelligence aids detection activities by providing indicators of compromise.
 These could be certain IP addresses used by attackers, file hashes, or domains.
 A defender within an organization can search for these signs and add detection rules to alert when they are detected.

Providing context
 Should an organization discover they were attacked from an unknown location or group, the organization can use intelligence sources to start understanding the attacker.
 Context can include helpful pieces of information to aid attribution and guidance on what to expect next.

Learning from peers
 There are some things best learned from others.
 Organizations may share information about how attackers attacked them, how they defended themselves, and how effective their approaches were.
 These shared stories are an excellent method of strengthening the whole industry.
 
B.1.1.y. Sources of threat intelligence
Gathering and developing threat intelligence can be a complex undertaking.
Organizations may engage in primary research in which they investigate
themselves or collect secondary information from another source. Here are
some common threat intelligence sources that organizations utilize.
Threat exchange platforms
 There are a number of online platforms that allow cybersecurity professionals to access databases of gathered information and analysis.
 These can range from free platforms to others which are provided on a subscription model or to closed industry groups.
 One example is the IBM X-Force Exchange platform.

Conferences
 Conferences are a good method for cybersecurity professionals to share the latest developments in the industry.
 Certain researchers hold off making discoveries public in order to get a larger burst of publicity at an event.
 There are also opportunities to gather information from informal conversations at conferences and networking.
 Examples of conferences include Black Hat, RSA Conference, and CYBERUK.

Articles and news
 Certain media outlets devote a significant amount of effort to covering developments within the IT world. One example is Security Intelligence.
 As certain security issues have become more high profile, the amount of coverage has increased significantly.
 There is also a good collection of smaller sites in addition to traditional media outlets which cater to a more specialist audience. Examples of blogs include Krebs on Security and Graham Cluley.

Product vendors
 Organizations such as Microsoft, Google, and Apple, who produce large amounts of software, frequently publish periodic security advisories relating to their products.
 These notices can include very important information and are essential reading for system administrators.
 
B.1.1.z. Job roles 
Within the world of cyber threat intelligence, job roles can typically be divided
into two areas: production and interpretation.    
 On the production side, there is a range of job roles involved in the
collection and enrichment of information. Some of these roles are
technically-focused, such as those involved with developing scanners or
web crawlers, or conducting software analysis. Other roles might involve
more subterfuge and infiltrating criminal gangs and marketplaces.
Finally, there are roles involved in translation, linguistic analysis, and
psychometrics (the science of measuring mental capacities and
processes). All of these roles collect information and produce
intelligence from it.
 On the interpretation side, unless intelligence development is done "in
house" or by commission, it is very rare that intelligence will tell analysts
everything they would like. Security analysts may receive several
warnings relating to a range of topics. They then need to review the
findings and decide the best course of action to recommend.
Interpretation must take unique, organizational attributes into account
such as proprietary or confidential information to be effective. There isn’t
a one-size-fits-all model!
B.1.1.aa. Key takeaway
In conclusion, threat intelligence allows organizations to act in a systematic
and planned way rather than using estimations or relying on standards. This
means defenses are designed to meet the attacks they will experience rather
than designing defenses to meet an industry or regulatory standard. This is
particularly important for organizations that operate in a complex or anomalous
way for which regulations are often insufficient guidance. 

C. A CAREER IN CYBERSECURITY
C.1. JOB MARKET
C.1.1.a. Module overview

This module focuses on the current and growing need for cybersecurity
professionals around the world. You will learn about these topics:
 The demand for cybersecurity professionals in the current job market
 Core attributes and skills that cybersecurity professionals should
possess
 Primary responsibilities of common cybersecurity job roles
 Cybersecurity certifications that are available
 Resources to learn more and potential options to consider to get started
in a cybersecurity career
C.1.1.b. Current job market
Cybersecurity is a fascinating and ever-growing field that lives at the
intersection of established technologies and emerging cybersecurity threats.
As a career path, it requires a variety of skills and personal characteristics,
some of which you may already have. Cybersecurity professionals do not
always have a traditional four-year university degree. They come from very
diverse backgrounds. You may be in a position where you are just starting out
in your career, transitioning jobs, or beginning a second career.  
If you are considering a career in cybersecurity, it is important to know about
today's job market and projections, skills you need to start out and succeed in
a cybersecurity job, and some common job roles. Let's learn more about the
great demand for cybersecurity professionals around the world.
If there is one trend that everyone can agree on, it is that cybersecurity is a
fast-growing market with tremendous career opportunities. No matter how you
crunch the numbers, there’s a huge need for cybersecurity professionals over
the next decade. Here are some fast facts.
 There will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.
 Out of the 3.5 million open cybersecurity positions expected by 2021, Cybersecurity Ventures estimates more than 2 million openings will be in the Asia-Pacific region, and nearly 400,000 will be in Europe.
 The U.S. has a total employed cybersecurity workforce consisting of 715,000 people, and there are currently 314,000 unfilled positions, according to Cyber Seek, a project supported by the National Initiative for Cybersecurity Education (NICE), a program of the National Institute of Standards and Technology (NIST).
 The cybersecurity unemployment rate is at zero percent in 2019, where it’s been since 2011.

Source: Cybersecurity Talent Crunch To Create 3.5 Million Unfilled Jobs
Globally By 2021, Cybersecurity Ventures, October 2019

C.2. CORE ATTRIBUTES AND SKILLS


According to ISACA’s State of Cybersecurity 2019 Report, 69 percent of
companies reported having understaffed cybersecurity teams. The short
supply of qualified cybersecurity professionals has led to unfilled positions and
a widening work skills gap. You might be wondering what skills you need to
face down security threats. If you like a challenge and solving hard problems,
then this could be a great area of work for you. Let's explore the typical
personal characteristics and skills you need to succeed in cybersecurity. 
What skills should new cybersecurity professionals focus on? No matter the
educational background of the professional, there are some essential
elements. These elements can be classified into two groups: core attributes
and skills.
 Core attributes can be considered a general disposition beneficial to
security professionals — a set of common personality traits and learned
behaviors. 
 Skills include both technical and workplace-related abilities. 
A new security professional may not have all these skills at first, but focusing
on them over time will provide greater career path flexibility and the foundation
for technical or business-focused leadership positions.
This table shows the core attributes and skills cybersecurity professionals
should have. Does this sound like you? Take a moment to review it.

Source: It’s not where you start – it’s how you finish: Addressing the
cybersecurity skills gap with a new collar approach, IBM Institute for Business
Value, 2017
C.2.1.a. Skill areas to build
Cybersecurity professionals have a diverse set of backgrounds, some of them
in the IT field and some from totally different fields. The key is to build up a
set of relevant technical skills and workplace-related abilities that can give you
the basics you need to launch into a cybersecurity role. Here are some skill
areas to consider. This is not an exhaustive list, but it covers the foundational
skills to think about. 
System administration: For Linux, UNIX, and/or Windows operating systems, you need to know the basics of installing, configuring, and maintaining client and server systems. You need to understand the underlying models for user management, permissions, file systems, and command scripts.

Network administration: You need to understand protocols such as TCP/IP, FTP, and SMTP. In particular, you need to know what they mean and how they're used at a practical, hands-on level.

Customer service: You need the ability to interact with clients to help them through diagnosing and remediating security issues.

Communications: You need the ability to succinctly communicate, using verbal and written communications, technical information about security incidents and the remediation of these incidents.

Aptitude for investigation: You need the curiosity and mindset for detecting and probing into unusual behavior. This can be demonstrated through experience in troubleshooting IT issues or in a totally different field such as military intelligence. The key is to demonstrate the initiative to do the requisite detective work to get to the bottom of suspicious situations.

 
Someone who works in cybersecurity should be inventive and able to come up
with solutions quickly to stop breaches from becoming massive problems for
an organization. Remember, thinking creatively is probably how the cyber
attackers got in. A cybersecurity professional must be just as creative to
realize how they got inside the system.

C.3. CYBERSECURITY JOB ROLES


Cybersecurity professionals are on the front line of cyber crime defense to
protect vital computer systems from internal and external threats such as
malware, hackers, and social engineering.
All organizations have some form of information security needs. Data needs to
be protected everywhere! Cybersecurity crosses all industries. Financial
institutions as well as government, education, and retail sectors are some of
the biggest players because of their size. 
There are many different cybersecurity opportunities, and within those areas
are dozens of positions requiring different skills and experience. Some roles
may require travel while others are at a fixed location such as a security
operations center (SOC). This centralized team monitors an organization for
potential security incidents, investigates these incidents, and (if necessary)
remediates such incidents. In this lesson, we will go over some of the
interesting job roles in cybersecurity. 

Note: There are many more job roles in the field of cybersecurity. This is not a
complete list. Job roles vary by company and security area, as well as by
name. These are some common roles. 
C.3.1.a. SOC analyst
In the company's security operations center (SOC), there is an entry level job
role called the SOC analyst.
 It is also known as a cybersecurity analyst or triage analyst.  
 This role is "reactive" in that the SOC analyst responds to individual
alerts and investigates, as if being a detective, based on the evidence. 
 You may see references to a SOC analyst role being a "Level 1"
position. The increasing numbered levels are usually used to indicate
levels of responsibility and corresponding experience requirements. You
may also see reference to a "Junior" position.
What do they do on a typical day?

 Monitor computer network traffic to detect suspicious activity that may indicate the
presence of hackers or malware such as trojans and ransomware.
 Investigate alerts that are triggered by a security information and event management (SIEM)
tool (such as IBM Security QRadar) when it detects suspicious events, to determine whether the
alert is a false positive (a false alarm) or a true positive (a real security incident that
needs to be addressed). For a true positive, this involves identifying the context,
cause, and impacted user(s). 
 Evaluate the severity of security incident and assign the appropriate risk rating to these
incidents (e.g., low or high severity). 
 Escalate high severity incidents to the incident responder.

What is an example of what a SOC analyst will do?

Let's say an alert comes in on the SIEM tool. The SOC analyst determines that it is regarding a
malware infection on the computer of one of the executives in the organization. Upon
investigation, the SOC analyst concludes it is a true positive. Since it is an attack that impacts an
executive who has access to highly sensitive information, the SOC analyst assigns it a high
severity.

What are key skills to have for this job role?

 Computer networking and systems administration skills
o For instance, how does a connection flow from an IP address through a network, router,
and the devices associated with networking? How do you administer a Windows server and a
Linux server? What is a database server? How do you read and understand the system logs
of all events and transactions for a device, router, firewall, and so on?
Note: This role does not require computer programming skills.
 
C.3.1.b. Incident responder
Next, also in the SOC, is a mid-level job role called the incident responder.
 It is also known as an incident response analyst. 
 This role determines whether a reported alert represents an attack on the organization or a
persistent threat on the company's network, and ensures it is remediated.
What do they do on a typical day?

 Scope the extent of a cybersecurity incident. For example, if malware is detected on one
person's workstation computer in a human resources department, then has it spread to any
other computers in that department? Has it spread to other parts of the company? Has its
malicious behavior been contained by automated defenses (such as anti-virus software and
firewalls) or has it compromised company assets?
 Plan remediation based on the scope of the cybersecurity incident. This involves
researching the nature of the incident (e.g., what type of malicious behavior is targeted by
the malware) and determining how best to respond to it.
 Implement remediation with appropriate teams, such as opening IT tickets to re-image
infected computers, educating end users on how to avoid clicking on phishing email
attachments, or communicating the extent of a data breach to appropriate executives in a
timely manner. 

What is an example of what an incident responder will do?

Let's say a high severity incident of malware is reported on an executive's computer. The incident
responder determines if other employees are impacted by the malware, how best to respond to it,
and collaborates with others to remediate. 

What are key skills to have for this job role?

 Computer networking and systems administration skills
 Familiarity with the company and corporate policies (e.g., data, privacy, legal)
 Remediation skills to select the right technical and non-technical corrective actions 
 
C.3.1.c. Threat hunter
Next, also in the SOC, is another mid-level job role called the threat hunter. 
 It is also known as a threat analyst.
 This role is "proactive" in that the threat hunter does research to stay
current on the latest threats and how they have evolved, and codes rules for
triggering alerts in the company's SIEM tool.
What do they do on a typical day?

 Proactively research the "threat landscape" by continuously monitoring various threat
resources, such as IBM X-Force Exchange.
 Evaluate which new and emerging threats are highest risk to their organization based on
criteria such as the industries targeted, vulnerabilities exploited, and tactics employed by
the threats.
 Respond to these threats by:
o Implementing system configuration changes.
o Programming automation in security tools to automatically detect activity that is
characteristic of these threats.
o Raising awareness in the organization of potential attacks.

What is an example of what a threat hunter will do?

Let's say a brand new ransomware threat has been publicized. A threat hunter will research this
threat and implement automation to help prevent the threat from penetrating the organization and
detect the threat if it manages to penetrate.

What are key skills to have for this job role?

 Computer networking and systems administration skills
 Understanding sources of threat intelligence information and implementing automation to
detect suspicious behavior
Note: Threat hunters often have experience in other security roles such as SOC analyst, incident
responder, penetration tester, or vulnerability analyst.
 
C.3.1.d. Possible career progression
It is possible to enter the cybersecurity profession without a degree by starting
in an entry-level IT position. You could then work your way up to a
cybersecurity role. 
In terms of career progression, there are various scenarios that could play out.
For instance: 
 You could start out as a systems administrator and, over time, make a
lateral move into a SOC analyst role.
 You could begin as a SOC analyst and continue in that career for a long
time. 
 You could begin as a SOC analyst and perhaps become a SOC team
lead or advance to becoming an incident responder. 
 You could potentially perform a combination of the responsibilities of a
SOC analyst, incident responder, and threat hunter. 
 As a SOC analyst you can make a lateral move into a systems
administrator or identity and access management (IAM) administrator
role.
Note: This depends on the maturity of the company. More mature
organizations may hire for all three job roles (SOC analyst, incident responder,
threat analyst). A less mature organization might have one individual
dedicated to a combination of all three job roles.
C.3.1.e. Additional job roles
Here are some other roles to be familiar with. 
Expand each job role to view a description.

Security consultant

 An entry-level or mid-level position responsible for solving
cybersecurity problems under the guidance of a senior consultant.
 Performs tasks that are needed throughout the life cycle of a project.
 Often hired from outside of the company as a source of expertise.
 There are many specializations, such as strategy consultant,
operations consultant, and so on. 

Security administrator

 A mid-level position that also works in the SOC, but this role is quite
different than a SOC analyst. 
 Like a systems administrator, but this role works with security tools, like
SIEM tools. 
 Keeps the security tools maintained by applying patches and tuning
them to properly perform.
 Writes scripts to automate tasks in the security systems. 
 Does not investigate incidents. 

Identity and access management (IAM) administrator


 An entry-level or mid-level position that supports different groups in a
company. 
 Responsible for managing application/system authorities and privileges,
single sign-on, reporting on applications, and working with developers to
implement identity and access management capabilities for new
applications. 
 Must be skilled in using IAM tools and networking administration. 

Penetration tester

 A more advanced position, also called a pen tester, that emulates
the "bad guys".
 Responsible for testing a computer system, network, or application to
find security vulnerabilities that a hacker could potentially exploit. 
 Often hired from outside of the company to "break into" the company's
systems to provide a level of quality control and external assessment. 

Mobile administrator

 An entry-level position that manages the security protection for
employees' mobile devices. 
 Requires a system administrator background.

Compliance analyst

 An entry-level position in a large company that does internal auditing of
whether the company is following its security policies, privacy policies, and
applicable laws.
 Also helps organizations get ready for an external audit, which is
required in some industries (e.g., healthcare, finance, and so on).
C.4. UNDERSTANDING CERTIFICATIONS
There are a lot of cybersecurity related certifications out there and many are
being developed. Staying on top of these qualifications might require studying
itself! 
Certifications may be product-specific or they may relate to industry concepts.
Certifications exist within the industry to allow standards to be maintained with
regards to skills and knowledge. Roles requiring specific qualifications tend to
be more specialist. If a role requires a certain skill set, you may see
certifications listed in its job posting. 
Having a certification can increase the range of job roles available and be a
good way to demonstrate certain levels of proficiency when applying for jobs. 
Let's help make sense of some of the common certifications that are available
in this field.
Note: Some of the following certifications are for industry professionals with
years of experience. These are qualifications you could consider working
towards in the years after you get a security-related role. They are included
here to highlight the progression pathway.
C.4.1.a. Expand each certification to learn key information.

CompTIA Security+

 This is a global certification that validates the baseline skills practitioners
need to perform core security functions and pursue an IT security
career. 
 It is a commonly requested certification for entry-level cybersecurity job roles. 
 CompTIA Security+ certification is targeted at these job roles: systems
administrator, network administrator, security administrator, junior IT
auditor or penetration tester, security specialist, security consultant, and
security engineer.
 Recommended experience is CompTIA Network+ and two years
of experience in IT administration with a security focus. 
Find out more information about CompTIA Security+.

CompTIA Cybersecurity Analyst (CySA+)


 This is an IT workforce certification that covers applying behavioral analytics to
networks and devices to prevent, detect, and combat cybersecurity
threats. 
 CySA+ is a security analyst certification that covers
advanced persistent threats in a post-2014 cybersecurity environment.
 CompTIA CySA+ certification is targeted at these job roles: IT security
analyst, SOC analyst, vulnerability analyst, cybersecurity specialist,
threat intelligence analyst, security engineer, cybersecurity analyst, and
security monitoring.
 Recommended experience is Network+, Security+ or equivalent
knowledge, plus a minimum of 3-4 years of hands-on information security or
related experience. While there is no required prerequisite, CySA+ is
intended to follow CompTIA Security+ or equivalent experience and has
a technical, hands-on focus. 
Find out more information about the CompTIA Cybersecurity Analyst
(CySA+). 

IT Infrastructure Library (ITIL) Certification

 ITIL is a globally accepted framework of best practice for IT Service
Management (ITSM). 
 The ITIL certification scheme provides a modular approach to the ITIL
framework. There is a tiered structure of multiple certifications, for
instance from Foundation to Master level. This offers flexibility relating to
the different disciplines and areas of ITIL and the ability to focus studies
on key areas of interest.
 Its entry-level certifications are worth considering only if a
particular role requires them. 
Find out more about IT Infrastructure Library (ITIL) Certification.

Certified Ethical Hacker (CEH)

 A Certified Ethical Hacker is a skilled professional who understands and
knows how to look for weaknesses and vulnerabilities in target systems
and uses the same knowledge and tools as a malicious hacker, but in a
lawful and legitimate manner to assess the security posture of the target
system(s). 
 The CEH credential certifies individuals in the specific network security
discipline of ethical hacking from a vendor-neutral perspective.
 This trusted and respected program can benefit any cybersecurity
professional.
Find out more information about the Certified Ethical Hacker (CEH).

Certified Information Systems Security Professional (CISSP)

 The CISSP certification validates a practitioner's skills and expertise to
effectively design, implement, and manage a cybersecurity program. 
 It is ideal for experienced security practitioners, managers, and
executives interested in proving their knowledge across a wide array of
security practices and principles, including those in the following
positions: chief information security officer, director of security, security
analyst, security architect, security consultant, and many more. 
 Note: Five years of experience is required.
Find out more information about the Certified Information Systems Security
Professional (CISSP).

Certified Information Security Manager (CISM)

 ISACA offers the CISM certification for practitioners to demonstrate their
proven, multifaceted expertise and ability to understand complex,
challenging security management issues for enterprises. 
 Recent independent studies consistently rank CISM as one of the
highest paying and most sought after IT certifications. 
 Note: Five years of experience is required.
Find out more about the Certified Information Security Manager (CISM).
C.4.1.b. Security clearance
In addition to certifications, many roles within government agencies or
organizations working with the public sector may require individuals to
undergo a set of background checks. These vary by countries and have
different levels depending on the sensitivity of the job role. If a clearance
check is required, then this will typically be highlighted in the job listing.
In certain countries, if an individual already holds a previously issued
clearance, then the re-application process is slightly streamlined. Or, at least
the individual is more likely to pass the required checks. Due to the costs
around certain checks and the reluctance or inability of individuals to get
checked, there is a measurable salary premium in the marketplace for those
with security clearance.  

C.5. HELPFUL RESOURCES AND GETTING STARTED


Hopefully you've found this course to be informative, interesting, and
educational in equal measures. This can be a part of your cybersecurity
journey. This lesson will provide you with inspiration for future exploration. 
C.5.1.a. Helpful resources
First, here are some resources you can check out, bookmark, and keep in
mind if you would like to explore more about cybersecurity and stay in touch
with the latest developments in the field. This is a curated listing. There are a
lot of organizations and websites out there to check out depending on your
interests.

Cybersecurity organizations
 The National Institute of Standards and Technology (NIST) is a unit of
the U.S. Commerce Department that maintains measurement standards.
It has a program to implement practical cybersecurity and privacy
through outreach and effective application of standards and best
practices necessary for the US to adopt cybersecurity capabilities.
 The National Cyber Security Centre (NCSC) is the UK's leading
authority on cybersecurity issues. The website contains a lot of advice
documents and guidance for specific industries.
 The Open Web Application Security Project (OWASP) is a worldwide,
non-profit, charitable organization focused on improving the security of
software. It provides an unbiased source of information on best practices
as well as an active body advocating open standards. 
 The Information Systems Security Association (ISSA) is a non-profit
organization for the information security profession. It is committed to
promoting a secure digital world. Most resources from ISSA are for
members. You can review the benefits of becoming a member, search for
a local chapter near you, and take a look at the chapter's website.
 Women in Cybersecurity (WiCyS) is a US-based non-profit membership
organization that is dedicated to bringing together women in
cybersecurity from academia, research and industry to share
knowledge, experience, networking, and mentoring.
 The Forum of Incident Response and Security Teams (FIRST) is a
global forum and recognized global leader in incident response. FIRST
provides up-to-date best practice documents, publications, and so on.

Cybersecurity publications and platforms


 Cybersecurity Ventures is the home of Cybercrime Magazine.
Cybersecurity Ventures is the world’s leading researcher for the global
cyber economy, and a trusted source for cybersecurity facts, figures,
and statistics. It provides the latest cyber economic market data,
insights, and ground-breaking predictions to a global audience of
cybersecurity professionals. 
 Security Intelligence is a site that provides analysis and insights from
across the cybersecurity industry. You will find the latest news, research,
podcasts, and so on.
 SC Media shares industry expert guidance and insight, in-depth features
and timely news, and independent product reviews in various content
forms in partnership with and for top-level information security
executives and their technical teams.
 Wired Threat Level is a series of cybersecurity articles from Wired
magazine.
 The IBM X-Force Exchange is a public threat intelligence platform that
advises about critical alerts regarding new attacks, vulnerabilities, and
campaigns. It provides a real-time geographic view of live threat activity.
You can search or submit a file to scan, keep your own investigations,
and see what others are sharing.

Cybersecurity blogs
 Krebs on Security is a collection of blogs about computer security and
cyber crime authored by Brian Krebs, an American journalist and
investigative reporter. 
 Graham Cluley is a collection of blogs about the latest computer security
news, opinion, and advice authored by Graham Cluley, a British speaker
and independent analyst.
 The Recorded Future blog provides cyber threat intelligence analysis,
industry perspectives, Recorded Future company updates, and more.
C.5.1.b. Getting started in the industry 
What's next? What can you do to perhaps get started in the cybersecurity
industry? Depending on your interest and experience, if you are considering a
career in cybersecurity, then you could explore these different options.
 Expand your knowledge! The more you become familiar with
cybersecurity, the more avenues will open up for you to explore. Try
following up your interests and discover new roles and industries that
you may not have considered before.
 Continue learning! This is the beginning of your learning experience.
You can continue learning by searching online for additional
cybersecurity topics and consider some of these educational resources. 
o The Cyber Security Body Of Knowledge (CyBOK) aims to be a
comprehensive body of knowledge to inform and underpin
education and professional training for the cyber security sector. It
is an excellent reference guide for security topics.
o The SANS Institute is a cooperative research and education
institution. At the heart of SANS are the many security
practitioners in varied global organizations from corporations to
universities working together to help the entire information security
community. SANS is a trusted and large source for information
security training and security certification. 
o The IBM Security Learning Academy provides free technical
training on IBM Security products. You can explore the course
catalog and build your own curriculum by enrolling in courses.
 Please note that you would need to create an IBM ID
account.
o And, stay tuned for more education offerings in this program!
 Explore opportunities!  If you are seeking employment, you can start
exploring the job marketplace. Check out job postings to identify
common requests and qualifications. Get a sense for which jobs might
appeal to you in the future, and work to meet the qualifications.

D. Q & A
She-Ra Cat is a pseudonym for a hacker who was a member of a collective
European group in 2012. The group expressed solidarity with a foreign country
during economic unrest, stating that the government “refused to listen to its
people.” The group lodged cyber attacks against the government's websites to
spread the word about the government’s failure to comply with the people’s
wishes. Which type of cyber attacker group could this represent?
 This scenario represents the hacktivist. Hacktivists are driven by causes and
ideologies. They seek a political or economic change and will use hacking to
achieve it.
Monica da Silva is an employee at an aeronautics company. She noticed her laptop has
started to become unresponsive ever since she went on a business trip to a foreign
country. She remembers being asked to hand the device over while at an airport and she
thinks that is when the problems started. Which type of cyber attacker group could this
represent?

This scenario represents government entities using their services to aid their objectives.
Nation state hackers have an interest in gaining strategic advantages for their respective
country. This is one of the reasons some organizations have employees travel with a
separate device rather than their primary one.

Stephen Nguyen was laid off last month from his executive-level position at an industrial
chemical company. He worked in the research and development (R&D) department. He
downloaded his latest project's information onto a personal USB flash drive. He is bitter
about losing his job and considering selling the USB drive to another company's R&D
department. Which type of cyber attacker group could he represent?

 This scenario represents the malicious insider. Malicious insiders are typically people
within organizations who are disgruntled and are motivated by money or doing damage.

This attack involves causing a system to partially crash and be unable to perform work at
normal levels. What type of cyber attack is this?
 This description represents a DoS attack. A DoS attack is any type of attack that causes
a complete or partial system outage for an organization. It is often in the news.
This attack involves sending an email to an individual that appears to be from a trusted
source, but instead has the intention of getting personal information, such as a password.
What type of cyber attack is this?
 This description represents a phishing attack. A phishing attack is the practice of sending
messages that appear to be from trusted sources with the goal of gaining personal
information or influencing users to do something. This type of attack is very effective.
This attack involves software designed to perform in a detrimental manner to a target,
without the target's consent. It can block access to data and programs, steal information,
and make systems inoperable. What type of cyber attack is this?
 This description represents a malware attack. Malware is a catch-all term for malicious
software that is designed to perform in a detrimental manner to a targeted user without the
user's informed consent. It can block access to data and programs, steal information, and
make systems inoperable. Some malware is related to a function, such as keyloggers
(which captures a victim's keystrokes) or ransomware (which holds a victim's files captive in
exchange for a ransom payment).

Which prevention concept do organizations introduce in order to grant the fewest
permission levels necessary to enable a role to function in a system?
 Organizations decide the levels of permission for applications and individuals within an
organization. A key element is to introduce the concept of least privilege. This means that
the fewest permissions are granted to enable a role to be completed.

Organizations should keep the attack surface as small as possible as a basic security
measure. It is becoming more difficult to secure an organization's perimeter as there are
options for remote access, guest wifi, and bring your own devices (BYODs) to work.
True or false? Over time, older software may have vulnerabilities discovered. And, new
versions of software can introduce new vulnerabilities. In general, updating software and
applications to be the latest version significantly reduces the risk of them being
successfully attacked.
 True. Updating promptly closes vulnerabilities that have been discovered in older versions,
and even though a new version can introduce new vulnerabilities, staying on the latest version
significantly reduces the risk of software and applications being successfully attacked.

Theresa follows various trusted sources for information about new and emerging
cybersecurity threats. She just came across news that a new variant of the EMOTET
malware has been detected on the IBM X-Force Exchange, one of her key trusted sources.
She learns that this banking trojan, first seen in 2014, has morphed into a spammer of
other software malware, and the latest variant uses stolen emails as a delivery mechanism.
Since Theresa works for a financial services company, she decides she needs to protect it
from this new variant of EMOTET. So, she finds relevant information about how to detect
EMOTET and configures her team's SIEM tool to send alerts to her team when EMOTET
is detected. What cybersecurity job role is Theresa performing?
 Theresa is a threat hunter. On the job, the threat hunter is responsible for proactively
researching the latest threats to evaluate which new, emerging threats are a high risk to the
organization and appropriately responding to the threats.
Sam is a capital markets trader for a financial services company. He gets an urgent call
from Diego on the security team who informs Sam there is compelling evidence that
Sam's laptop has been infected with malware. Diego shares that, so far, it looks
like the malware has not inflicted any serious harm, but that Sam needs to shut down his
laptop immediately and disconnect it from the network. Diego opens an IT ticket to have
Sam's laptop re-imaged and restored, and provides Sam with a temporary laptop to
continue his work in the meantime. Diego will also follow-up with Sam at a later point to
help him understand how his laptop was infected and educate him about how to avoid
future such situations. What cybersecurity job role is Diego performing?
 Diego is an incident responder. On the job, the incident responder is responsible for
scoping the extent of the cybersecurity incident, planning the best remediation methods, and
implementing the remediation in a timely manner.
Marta works on the security team for a financial services company. She finds a security
alert has been generated by the team's SIEM tool and assigned to her for investigation.
She determines that a laptop may be infected with malware known as EMOTET. Marta
investigates and finds that the laptop is infected because it is continually trying to
establish a connection with a malicious "command and control" server. Fortunately the
firewalls are declining these connection requests. However, Marta also finds out that the
laptop belongs to a capital markets trader, someone who has access to sensitive financial
data. So she concludes that this infection is a top priority and needs to be fixed right
away. What cybersecurity job role is Marta performing?
 Marta is a SOC analyst. On the job, the SOC analyst is responsible for monitoring and
investigating incident alerts to conclude the level of severity.
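The detection and triage described for the SOC analyst (C.3.1.a) and threat hunter (C.3.1.c) roles, and Marta's scenario above, as an added Python example that is not part of the original course material: the threat hunter's rule flags a host that repeatedly tries to reach a known command-and-control address within a short window (whether or not the firewall blocks it), and the SOC analyst's triage step enriches the alert from an asset inventory and assigns a severity, escalating high-severity incidents to the incident responder. The firewall log lines and their key=value format, the C2 indicator address, the asset inventory, and the threshold and window values are all constructed for this example; in practice the indicators would come from a threat intelligence feed such as X-Force Exchange and the rule would be implemented in the SIEM tool.

```python
"""Beaconing detection rule plus SOC triage over constructed firewall logs."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (hypothetical key=value format, not a real product's output).
# Host 10.20.30.41 retries the same external address every 30 seconds and is denied each
# time, which is the pattern of an infected machine trying to reach its C2 server.
FIREWALL_LOG = """\
2024-03-04T09:00:01Z action=deny src=10.20.30.41 dst=203.0.113.77 dport=443 proto=tcp
2024-03-04T09:00:31Z action=deny src=10.20.30.41 dst=203.0.113.77 dport=443 proto=tcp
2024-03-04T09:01:01Z action=deny src=10.20.30.41 dst=203.0.113.77 dport=443 proto=tcp
2024-03-04T09:01:31Z action=deny src=10.20.30.41 dst=203.0.113.77 dport=443 proto=tcp
2024-03-04T09:01:45Z action=allow src=10.20.30.41 dst=198.51.100.10 dport=443 proto=tcp
2024-03-04T09:02:00Z action=deny src=10.20.30.55 dst=203.0.113.77 dport=443 proto=tcp
2024-03-04T09:03:12Z action=allow src=10.20.30.60 dst=198.51.100.10 dport=80 proto=tcp
"""

# Constructed threat intelligence: command-and-control addresses (in practice, from a feed).
C2_INDICATORS = {"203.0.113.77"}

# Constructed asset inventory: which user owns a host and whether they handle sensitive data.
ASSET_OWNERS = {
    "10.20.30.41": {"user": "trader01", "role": "capital markets trader", "sensitive": True},
    "10.20.30.55": {"user": "reception01", "role": "front desk", "sensitive": False},
}

# Rule parameters (assumed values): three or more attempts to one C2 address within five minutes.
BEACON_THRESHOLD = 3
WINDOW_SECONDS = 300


def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def detect_beaconing(events, indicators, threshold=BEACON_THRESHOLD, window=WINDOW_SECONDS):
    """The threat hunter's rule: one alert per (src, dst) pair that contacts a C2 indicator
    at least `threshold` times inside any `window`-second span, regardless of firewall verdict."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["dst"] in indicators:
            by_pair[(ev["src"], ev["dst"])].append(ev)

    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window` seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "src": src,
                    "dst": dst,
                    "attempts": len(evs),
                    # True when the firewall denied every attempt: contained at the
                    # perimeter, but the host itself is still compromised.
                    "blocked": all(e["action"] == "deny" for e in evs),
                    "first_seen": evs[0]["ts"].isoformat(),
                    "last_seen": evs[-1]["ts"].isoformat(),
                })
                break
    return alerts


def triage(alert, assets):
    """The SOC analyst's step: enrich with the asset inventory and assign a severity.
    A match on a C2 indicator is treated as a true positive; severity is high when the host
    owner handles sensitive data or when any attempt got through the firewall."""
    owner = assets.get(alert["src"], {"user": "unknown", "role": "unknown", "sensitive": False})
    severity = "high" if (owner["sensitive"] or not alert["blocked"]) else "medium"
    return {
        **alert,
        "owner": owner["user"],
        "role": owner["role"],
        "true_positive": True,
        "severity": severity,
        "escalate": severity == "high",  # high severity goes to the incident responder
    }


def run(log_text=FIREWALL_LOG):
    """Run the rule over a log and triage each alert; returns the triaged alerts."""
    return [triage(a, ASSET_OWNERS) for a in detect_beaconing(parse_log(log_text), C2_INDICATORS)]


if __name__ == "__main__":
    for t in run():
        print(f"{t['severity'].upper()}: {t['src']} ({t['owner']}, {t['role']}) made "
              f"{t['attempts']} attempts to C2 {t['dst']}; blocked={t['blocked']}; "
              f"escalate={t['escalate']}")
```

Note the design choice in `detect_beaconing`: the rule keys on the destination indicator and the repetition, not on the firewall's verdict. A denied connection is still evidence of infection, which is exactly why Marta's blocked laptop is a true positive and, because its owner is a trader with access to sensitive financial data, a high-severity one.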
