What Is Cybersecurity
Integrity (information has not been altered): Integrity means making sure the
information stays accurate and consistent, and ensuring that unauthorized
people cannot make any changes to it.
Availability (information can be accessed when required): Availability means
timely and reliable access to, and use of, the information when it is
required.
The CIA triad is a model to help guide policies for information security within
an organization.
Different organizations and scenarios may mean that one objective is
prioritized over the others.
EXAMPLE
Let's look at some examples to put the information security objectives into
context for you.
Confidentiality may be the most important objective for government
intelligence agencies. Think about the lengths they go to in order to keep
information private, such as using bespoke encryption or even lead-lined
briefcases that sink if thrown into a body of water.
Integrity may be the most important objective for banks. Imagine you spent
USD $10 on a pizza. You would not be particularly concerned about this
transaction being confidential. However, if the transaction is altered and
you end up spending USD $10,000 instead, then you would be in serious
financial trouble. Should this happen at scale, your bank could cease
operating as a result of the loss of trust.
Availability may be the most important objective for a website. Imagine you
have a blog. You would not be particularly concerned about it being
confidential, or about an editor helping to correct your spelling. You want
it to be there and available any time you want to update and publish it.
A.1.1.d. What do you think?
Let's look at how the information security objectives could relate to your day-
to-day life by evaluating assets that you likely value. In cybersecurity,
an asset is defined as something that has a value to its owner. Assets can be
digital, such as a program, or physical, such as a server. Sensitive information
such as databases, research, or records can also be called information
assets.
Consider your personal bank account, photo library, social media account, and
mobile phone. How would a loss of Confidentiality, Integrity, and
Availability impact you for each asset? Rate each one on the following scale
of 1 to 5 (2 and 4 are the intermediate steps):
1) Low consequence: no noticeable impact to your day-to-day life.
3) Medium consequence: a minor impact, costing you a couple of hours of lost
time.
5) High consequence: a life-changing, massive impact that could last for
months or years.
The highest of the three ratings is the asset's overall value, which lets you
compare how you value your assets and set your priorities.
EXAMPLE
There is one example already displaying for you: an online debate submission.
In this example:
A loss of Confidentiality is considered annoying, but will have only a
minor impact and is given a rating of 2.
A loss of Integrity from another person editing the submission could
start an argument, which could lead to wasted time making updates.
Integrity is therefore given a rating of 3.
Finally, should the online comment disappear entirely, or become
inaccessible, there are virtually no impacts, so a loss of Availability is
given a rating of 1.
Now, using the rating system above, try and complete your evaluations.
Asset            Confidentiality   Integrity   Availability   Highest value
Bank account
Photo library
Mobile phone
When you are finished, you can see that certain assets matter more to you
than others. This should correspond with the Highest values you see. Do any
of your evaluations of value surprise you?
From a security perspective, it is sensible to prioritize your protections around
the assets which matter most to you. For instance, the master password for
your password manager may be 20+ characters long and kept strictly private,
whereas a home Wi-Fi password may occasionally be shared with friends and family!
In cybersecurity, organizations make these decisions all of the time.
These are the areas where an attacker could attack and where organizations
should focus cybersecurity efforts. Let's examine them further in this lesson.
A.1.2.a. People
As counter intuitive as it might be for a highly digital industry, people are the
most important part of cybersecurity. First, people are the end users of digital
systems and second, people are often those responsible for the design and
maintenance of digital systems. Human action is by far the leading cause of
cybersecurity incidents. When organizations design a secure system, they
must design with people in mind.
A common example of this going wrong is alert fatigue. If people receive too
many notifications or alarms, they eventually become desensitized to them and
start ignoring the ones that matter. Good systems are designed to anticipate
and make allowances for human behavior.
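One way a system can make that allowance, shown here as an added example that is not part of the original lesson: collapse repeated alerts for the same host and rule inside a time window into a single notification carrying a count, and escalate a burst once rather than paging someone ten times. The alert stream, its field names, the window and the burst threshold are all constructed for the example.

```python
from dataclasses import dataclass

SEVERITY_ORDER = ["low", "medium", "high"]


@dataclass
class Notification:
    """One message actually sent to a human; `count` is how many raw alerts it stands for."""
    host: str
    rule: str
    severity: str
    count: int
    first_seen: int
    last_seen: int


def escalate(severity: str) -> str:
    """Raise severity one step: a burst of 'low' events deserves a 'medium' look."""
    i = SEVERITY_ORDER.index(severity)
    return SEVERITY_ORDER[min(i + 1, len(SEVERITY_ORDER) - 1)]


def collapse_alerts(alerts, window: int = 300, burst: int = 10):
    """Collapse repeated (host, rule) alerts that fall within `window` seconds of the
    first one into a single Notification. Groups with at least `burst` repeats are
    escalated one severity level instead of being delivered `burst` separate times."""
    open_groups = {}   # (host, rule) -> Notification still accumulating
    emitted = []
    for a in sorted(alerts, key=lambda x: x["t"]):
        key = (a["host"], a["rule"])
        group = open_groups.get(key)
        if group is not None and a["t"] - group.first_seen <= window:
            group.count += 1          # same thing again: count it, do not page again
            group.last_seen = a["t"]
            continue
        if group is not None:
            emitted.append(group)     # window expired: deliver the old group
        open_groups[key] = Notification(a["host"], a["rule"], a["severity"], 1, a["t"], a["t"])
    emitted.extend(open_groups.values())
    for n in emitted:
        if n.count >= burst:
            n.severity = escalate(n.severity)
    return sorted(emitted, key=lambda n: n.first_seen)


# Constructed sample stream (timestamps in seconds, not real logs): a brute-force burst
# on web01, one malware hit on web02, and a lone failed login on web01 after the window.
SAMPLE_ALERTS = (
    [{"t": 5 * i, "host": "web01", "rule": "failed_login", "severity": "low"} for i in range(12)]
    + [{"t": 30, "host": "web02", "rule": "malware_detected", "severity": "high"}]
    + [{"t": 1000, "host": "web01", "rule": "failed_login", "severity": "low"}]
)


if __name__ == "__main__":
    for n in collapse_alerts(SAMPLE_ALERTS):
        print(f"{n.severity:6} {n.host} {n.rule} x{n.count} ({n.first_seen}-{n.last_seen}s)")
```

Fourteen raw alerts become three notifications, and the twelve-strong burst arrives once, already marked medium. The window is keyed on the first alert in the group, so a slow drip that never stops is still re-reported every `window` seconds rather than silenced forever.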
A.1.2.b. Process
In business, most activities follow a clearly defined set of steps. These
processes can aid cybersecurity by considering security at each step or hinder
cybersecurity by being frustrating for the end user.
Imagine a process which makes a user complete a 20-question survey
whenever they wish to report suspicious activity. Many users, who could
contribute useful information, might be deterred and give up the process.
Good processes have the following attributes:
They are clear and as easy as possible. During the process, it should
be obvious what to do at every stage. Processes should not use
unnecessary jargon or be written in an ambiguous fashion.
They are accessible or well known. All users who could follow a
process at any stage, should know how to access the process. A good
example of this commonly being done well is with fire evacuations in
buildings. Most people know where the nearest evacuation points are
because of good signage.
They are consistent. Processes should not contradict each other, if
possible. If a process has a lot of exceptions or deviations, it increases
complexity. Later, you will learn about how cyber attackers can exploit
this during their attacks.
A.1.2.c. Technology
Technology is all of the underlying infrastructure.
Within cybersecurity, this commonly covers elements such as device
encryption, network perimeter defenses, and anti-malware technologies.
Within business, good uses of technology solve problems without creating new
ones for their users.
An example of good technical security is device management software, which
can track software patch statuses and apply updates. This is often an
essential tool for large organizations. If this is done correctly, then the
technology is non-intrusive and users will be secured in a passive manner. If
this is done poorly, then users might try to disable the software entirely. As
users of devices, you encounter this too.
The following table shows a technological leap for security, its business
benefit, its perceived drawback, and an undesirable user response to its
introduction.

Technological leap          Business benefit            Perceived drawback              Undesirable user responses
Automated patch management  All software is up-to-date  Interruptions to use of device  User does not power down devices
Reduce: The organization could decide a risk is too large to accept and aim to have it
reduced in some fashion, either by reducing the likelihood or by reducing the consequence.
Transfer: The organization may want a third party to accept the risk, or part of it,
instead of accepting it themselves. This is commonly done via insurance.
Reject: The organization could decide a risk is too high and withdraw from being affected
by it. This will have significant business impacts, such as shutting down sites or
avoiding markets.
EXAMPLE
Let's illustrate these four responses to a risk. Imagine that you are considering
starting a cake baking business at home. There is a risk that your kitchen
could be damaged if you set your oven on fire during the baking process. Here
are several responses to this risk.
Acceptance: You could look at the risk and with faith in your baking,
take the chance that it is unlikely anything will go wrong. Should your
baking go wrong, you can repair your kitchen and are prepared to do so.
Reduction: You decide that you would prefer your kitchen and oven are
not put at a high level of risk and you decide to reduce the risk. You
could reduce the likelihood of fire-related incidents by installing a smoke
detector to provide early warning. You could reduce the consequence of
a fire by having a fire suppression system installed. Both options will
incur a small cost, but you believe they are worth it.
Transference: You go to your insurance company and upgrade your
insurance to cover home cooking related fires. They perform their own
assessment of the risk. Together you agree on a cost to pay them to
cover the risk. Should your oven catch fire, they will cover the costs.
This arrangement incurs a cost initially, but limits your liability.
Rejection: You decide that the oven-related fire risk is too high. You
could change recipes to make cakes without using an oven or not start
your business in the first place.
As you can see from this example, there are many things to consider in even a
simple example. Businesses with rapidly changing IT technology face many
continually evolving risks. Risk management is a full time occupation in many
companies and guides a lot of both strategic and tactical decision making.
A.1.3.c. Risk appetite
A risk appetite is the level of risk an organization is willing to accept.
An organization is said to have a high risk appetite if it is willing to
accept a high level of risk.
An organization is said to have a low risk appetite if it does not like
accepting risk.
background.
While most roles within cybersecurity rely on IT either in part or entirely, the
roles don’t all have a firm dependence on that background. As you should
already have noticed, since cybersecurity covers so much, there is demand for
talent in lots of areas. Skills range from people management and
communication to mathematics and data science. Having a diverse set of
experiences and skills also helps teams approach problems in new ways and
this is very valuable.
The term hacker historically refers to someone who enjoys adapting things
and discovering how they work. This definition became conflated with people
who illegally try to gain access to computer systems with the intent of
hijacking their operations. Today, thousands of hackers are employed in a
variety of IT roles and contribute toward understanding IT systems legally as
part of many businesses. Their curiosity and drive are invaluable in ensuring
IT systems are built in a safe and secure manner.
Due to the constantly evolving areas in cybersecurity and vast scope, there is
something for everyone. The diversity of roles requires a great diversity of
skills. Those skills can range from strategic analysis and anticipating the
evolving landscape of IT businesses to vigilance and patience in system
monitoring roles. Keep in mind that there is a lot of education and training
available.
A good litmus test for the diversity of a team is to check how many decades
are covered by the team’s composition. A good team will have a diverse range
of experiences and life views. Cybersecurity needs to look at problems with
both a fresh set of eyes and an experienced view. Whether you think
approaches are great or bad, you’ve probably got half of the solution and a
great voice to add to the dialogue.
A.1.6.d. Group 2: Hacktivist
The second group is the hacktivist. Hacktivist is a term which combines
"hacker" and "activist". Hacktivists seek a political or economic change and will
use hacking to achieve it.
SUMMARY
The key, defining attribute of hacktivists is that they are driven by
ideological reasons.
The group of people who make up hacktivist groups ranges greatly. Like
the script kiddie group, they are filled with impressionable amateurs, but
when causes align on a highly topical issue, they are joined by more
experienced members within the security community.
The motivations of hacktivist groups are defined by their aims, which
vary enormously. Generally, it involves supporting one cause the
individuals believe in. This could be a side in the Middle East conflict,
political activities, and so on.
The most famous example of this group would be the hacking collective
called Anonymous. Anonymous is a decentralized international
hacktivist group that is known for cyber attacks against several
governments, government institutions and government agencies, and
corporations.
Hacktivists use a range of basic tools which can be very effective when
done at scale. Denial of Service (DoS) programs are a notable example
in this area.
While a single script kiddie poses little threat, several hundred launching
parallel attacks can be significantly more challenging to deal with.
As an organization, being astute is very important. Should an
organization operate business in a sensitive area (e.g., animal testing,
political causes), then it is possible it may come under a sustained
attack from hacktivists at some point. Having good defenses will not be
enough to deter all attacks, so organizations should plan methods to
cope with a sustained attack.
Profile of a hacktivist

Who are they? / What is their objective?
1. Who: Operate at scale with varying tools; their biggest attribute is size.
   Objective: Ensure defenses can cope with an extended disruptive attack.
2. Who: Broad range of tools and equipment, bought and traded on the dark web.
   Objective: Need a fully trained workforce, with protections around critical
   assets and back-ups.
3. Who: Very large budgets, cutting-edge tooling, and leading-edge research.
   Objective: Incredibly difficult; need fully coordinated defenses around
   every aspect of the organization.
4. Who: Staff members who work against an organization's own interests, either
   deliberately or accidentally.
   Objective: Seek revenge or have financial motives.
Note: Sometimes these descriptions of the types of cyber attackers are not
always precise. In operations, hacktivists might recruit script kiddies and
nation state hackers might recruit criminal gangs. Also, some cyber attackers
will disguise their work to appear less advanced than they are. These facts
can make it difficult to attribute threats to the correct party.
A.1.6.h. White hat hackers
We have covered the five common types of cyber attackers who have
personal motivations or threatening, often illegal motivations. But, there are
also individuals out there who are considered white hat hackers. A white hat
hacker chooses to use, and monetize, their skill set for good, rather than
criminal or exploitative activity. Often called “ethical hackers,” white hat
hackers take on a real hacker mindset to use the same methods as real-life
attackers, but with the goal of testing and fortifying systems to help clients and
consumers be better protected from the real thing.
Here are two leading cyber security experts who fall into the white hat
category and use their skill sets to offer valuable and often highly-paid advice
and knowledge to organizations around the world.

Brian Krebs
Brian is a celebrated journalist who investigates cyber crime. He kicked off his
career as a reporter for The Washington Post, where he worked from 1995 to 2009
and wrote the Security Fix blog, pushing the boundaries of cyber security
reporting. Today, he runs the hugely popular blog Krebs on Security and was
named 2019's "Cyber Security Person of the Year" by CISO MAG.
Fun fact: Brian's interest in cybersecurity was ignited after his entire home
network was taken captive by a Chinese hacking group.

Georgia Weidman
Georgia is a serial entrepreneur in the cybersecurity space and has worked as a
penetration tester, security researcher, speaker, trainer, and author. She has
gained a large following through her work in smartphone exploitation and mobile
device security as the founder and CTO of Shevirah.
Fun fact: Georgia is an angel investor and has spoken to and trained audiences
around the world at venues like the NSA, West Point, and Black Hat.
A.1.7.e. Malware
Malware is a catch-all term for malicious software: any software designed to
act to the detriment of a targeted user without the user's informed consent.
It often runs silently when a user opens a program or a file, which is
frequently done unintentionally.
Once active, malware can block access to data and programs, steal
information, and make systems inoperable.
EXAMPLE
Within the various types of malware, you will find examples related to their
function, such as keyloggers (which captures a victim's keystrokes)
or ransomware (which holds a victim's files captive in exchange for a ransom
payment).
A.1.7.f. Man in the middle (MitM) attack
A MitM attack occurs when an attacker inserts themselves into the
communications between a client and a server.
This allows the attacker to read, and often alter, what is sent and received
by both sides.
EXAMPLE
An attacker could set up a "free" WiFi hot spot in a popular public location.
Anyone who connects to that WiFi network could have their communications
examined by the attacker, who may redirect victims to fake log-in screens or
insert advertisements over webpages. Properly validated TLS (the "https"
padlock) stops the attacker from silently reading or altering an encrypted
session, which is why such attacks lean on look-alike sites and on users
clicking through certificate warnings.
EXAMPLE
In the UK, two teenagers managed to target TalkTalk's website in 2015 to
steal hundreds of thousands of customer records from a database that was
remotely accessible.
2. Go to the Fortinet Threat Map. Watch the attack details that scroll at the
bottom of the map and figure out where most attacks are happening right before
your eyes! This is a sub-set of data. Select ? to view the legend of attacks
displayed. Select i to learn more.
3. Go to the Bitdefender Cyberthreat Real-Time Map. View the live attacks
happening across the map for the country locations. Check out the various
instances of spam, threats, an
Notice that there is an "attack country" and "target country".
Criminal for hire: Sometimes criminals offer their services to carry out illegal tasks for
regular people and organizations.
This is commonly done using a denial of service (DoS) attack that attempts to overload key
parts of a service. For instance, a criminal may offer an organization or individual the
ability to disable a competitor or rival.
In this model, the criminal does not take money from the victim. Instead, the criminal is
paid by the organization or individual who commissioned the attack.
Another example of this is computer misuse in a mercenary style. Imagine a person hiring a
criminal to steal a competitor's key intellectual property or destroy a rival's databases.

Extorted from victim: In this model, the criminal gains the ability to disrupt a victim by
disabling key systems or threatening to divulge sensitive data.
In recent years this has become popular with the advent of ransomware. In a ransomware
attack, a victim's key systems and files are encrypted in a manner that renders them
inoperable. To restore the systems and files, the victim is asked to pay the criminal a
ransom to receive the decryption key.
Other extortion-themed approaches include threatening to divulge organization or customer
data, such as embarrassing executive emails or customer databases.
A.1.9.c. Cryptocurrency
Over the last few years, there has been a rapid increase in cryptographically
controlled currencies called cryptocurrencies. The original
cryptocurrency, Bitcoin, proposed a new method for monetary exchange
based on a shared ledger called a blockchain. This concept has been built
upon by many subsequent currencies.
Because the ledger sits outside government control and identifies parties only
by pseudonymous addresses rather than names, payments are designed to be very
hard to regulate or block. This makes cryptocurrencies attractive for money
laundering and for other criminal marketplace activities. The ledger itself is
public, however, so transactions can be traced; criminals rely on mixing
services and exchanges with weak identity checks to break the trail.
One notable consequence of cryptocurrencies was the rapid growth of
ransomware. In this business model, the victim has to pay the attacker. When
this was originally done with monetary substitutes such as gift cards, the
process was slow and unreliable. Now, with cryptocurrencies, it is easier for
victims to make concealed payments and for attackers to collect them.
A.1.9.d. The ecosystem in action
Let's look at a hypothetical case study drawing all of the monetary elements
together. In this scenario, we'll follow an attack campaign across the life cycle.
Follow the money trail!
1. The first stage of the journey involves a criminal gang producing a piece of malware which
records keystrokes and screen shots.
2. The malware authors buy a list of known email addresses from another party and send out
the malware as an email attachment. The objective is for the malware to work on the
victims' machines so their banking details and other passwords can be stolen and sent to the
malware authors. At this point, their work is done. They have a list of passwords and
banking logins.
3. Now, the malware author may attempt to "cash out" themselves or sell the details to another
gang to finish the process.
4. The criminal gang can attempt to login using the credentials and make transfers to money
mules they have worked with previously. In this case, the mules are typically gullible or
desperate individuals who have agreed to allow a stream of money through their accounts in
exchange for payment.
5. To finish the process, the criminal gang has the mules buy cryptocurrency and transfer
it to wallets controlled by the gang. As soon as this is done, the campaign is complete.
Should law enforcement investigate the crime, the trail often ends with only the money
mule being traceable.
Irrational behavior
We can all exhibit irrational behavior as shown by making decisions that do
not further our long-term interests. If everyone was focused and logical, then
we would not have vices. For instance, no one would play the lottery and we
would eat healthy all the time. This is very far from the case.
In social engineering, drivers for short term gratification or greed can be
utilized to manipulate a target. These targets are putting themselves at risk
and often committing crimes unknowingly.
EXAMPLES
This is best shown when criminals persuade young adults to act as money
launderers for gangs. There are also many other get-rich-quick schemes
online. The victims in this case are baited into the scheme with false
promises.
There are also cases where laziness is a great asset for social engineering. A
target's tendency to take shortcuts and avoid rules can be very effective to
exploit as a social engineering tactic.
EXAMPLES
Within certain organizations, employees might skip a long business process
like verifying caller identities or getting the right levels of approvals to grant
access rights.
Beware of phishing
Specifically addressing the very common phishing email attacks, here are
some tips to help you detect phishing emails, whether personal or business-
related.
1. Consider if you were expecting the email. Does it make sense that the
sender chose to contact you? Is it too good to be true or pressuring you
to act quickly?
2. Always check the sender email address. Is it from someone or a
company that you recognize?
3. Look for the salutation. Is it addressing you with a generic greeting such
as "Dear valued member" instead of your name?
4. Search for any language or grammar errors in the email. Does it have
poor grammar or a lot of spelling errors?
5. Determine what the email is requesting. Is it asking you to visit a fake or
"spoof" website? Call a fake customer service number? Open
attachments that you did not request?
6. Look for the red flags of a fake request (e.g., asks for your bank
information or password) that is typically part of the phishing email.
Second, don't click on a link without checking the URL it actually points to
(hover over it, or long-press it on a phone, to see the real destination).
o Does the URL use plain "http" rather than "https"? A missing "https" is a
warning sign, but the reverse is not a guarantee: most phishing sites now
use "https" too, so it only tells you the connection is encrypted, not
that the site is genuine.
o Does the URL direct you to a completely different website? Some
URLs intentionally try to look like legitimate ones, for instance this
is a fake URL for PayPal: www.paypall.accountlogin.com/signin.
Notice the misspelling of "PayPal", and notice that the real domain here is
accountlogin.com: the part that matters is the registered domain just before
the first slash, not a familiar name placed earlier in the address.
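The checklist above, turned into a small screening routine as an added example; this is not part of the original lesson, and a real mail filter is far more elaborate. The two sample messages, the brand allow-list and the keyword lists are constructed for the example, and the registrable-domain rule is a simplified stand-in for the Public Suffix List. It flags the page's own look-alike address even though the link uses "https", since a valid certificate says nothing about who registered the domain.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list of legitimate domains for brands the user deals with (example data).
KNOWN_BRANDS = {"paypal.com", "hsbc.co.uk"}

GENERIC_GREETINGS = ("dear valued", "dear customer", "dear member", "dear user")
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "act now", "urgent")
CREDENTIAL_REQUEST = re.compile(r"\b(password|pin|card number|account number|sort code)\b")
# Labels such as co.uk, where the registered name is three labels long rather than two.
SECOND_LEVEL = {"co", "com", "org", "gov", "ac", "net"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats such as 'paypall'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """The part of a hostname that was actually registered (accountlogin.com in
    www.paypall.accountlogin.com). Simplified rule; a real tool uses the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    n = 3 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL and len(labels[-1]) == 2 else 2
    return ".".join(labels[-n:])


def imitated_brand(host: str):
    """Return the known brand this hostname imitates, or None. A hostname that really
    belongs to the brand is never reported, whatever its other labels say."""
    if registrable_domain(host) in KNOWN_BRANDS:
        return None
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        for label in host.lower().split("."):
            if label == name or (len(name) >= 5 and edit_distance(label, name) <= 1):
                return brand
    return None


def phishing_indicators(msg: dict) -> list:
    """Apply the checklist to a message {from, body, links=[(shown_text, href), ...]}
    and return the indicators found; an empty list means nothing looked wrong."""
    found = []
    sender_host = msg["from"].rsplit("@", 1)[-1]
    brand = imitated_brand(sender_host)
    if brand:
        found.append(f"sender domain {sender_host} imitates {brand}")
    body = msg["body"].lower()
    if body.startswith(GENERIC_GREETINGS):
        found.append("generic greeting")
    if any(p in body for p in URGENCY_PHRASES):
        found.append("pressure to act quickly")
    if CREDENTIAL_REQUEST.search(body):
        found.append("asks for credentials or bank details")
    for shown, href in msg["links"]:
        target = urlparse(href).hostname or ""
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != registrable_domain(target):
            found.append(f"link text shows {shown_host} but points to {target}")
        brand = imitated_brand(target)
        if brand:
            found.append(f"link domain {target} imitates {brand}")
        if urlparse(href).scheme != "https":
            found.append(f"unencrypted http link to {target}")
    return found


# Constructed sample messages for the example; neither is a real email.
PHISH = {
    "from": "service@paypall.accountlogin.com",
    "body": "Dear valued member, verify your password immediately or your account will be suspended.",
    "links": [("www.paypal.com/signin", "https://www.paypall.accountlogin.com/signin")],
}
LEGIT = {
    "from": "receipts@paypal.com",
    "body": "Hi Sam, here is your receipt for the USD 10.00 pizza.",
    "links": [("https://www.paypal.com/activity", "https://www.paypal.com/activity")],
}

if __name__ == "__main__":
    for name, m in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(m) or ["no indicators"])
```

The constructed phishing message trips six indicators, none of them the "http" check, while the receipt trips none. Keyword lists like these are easy to evade, so the domain checks (sender, link text versus link target, look-alike registered domain) are the ones worth keeping when the wording changes.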
A.1.10.e. Important Note
If you receive an email that you believe could be phishing, don’t respond in any
way and do not click any links or open any attachments. Most email services
have a method to report an email as spam.
If you are in any doubt, you can get in touch with the sender via a trusted channel
such as a previously saved contact phone number or access the service web
address from your records.
Company website
Although it might seem too obvious, a company’s website can be
revealing in terms of what information it chooses to make publicly
available.
It can reveal helpful information such as points of contact, external social
media profiles, building addresses, and much more.
Companies might make mistakes with the information they make public,
which means information can be placed into the public domain that may
be more detailed than the company might like.
Searches can be augmented with some advanced search features often
referred to as "Google hacking" to find more advanced information and
unintentionally revealed files.
There are also options to retrieve a company’s legacy website, such as
using the Wayback Machine. This can be a powerful tool for attackers to
determine what a website was being used for at certain times.
If someone has already done the hard work, then why repeat the effort?
There are very good journalists who are skilled at processing open
information.
While it is unlikely that attackers will find an exact match for what they
are looking for, it’s likely some articles might provide help for further
investigations.
Other sources of pre-processed or foundational information may include
industry analysts, rating agencies, and other assessing bodies.
Social media
In the era of social media, people are happy to share information and
make it widely available.
Social media information can be pieced together quite effectively to get
an accurate perspective about an individual's personal and work life.
For example, employees have been known to share photos of ID
badges, network diagrams, and even sticky notes with passwords.
For cyber attackers, even small pieces of information can add credibility to
a social engineering attack.
o For example, if an attacker finds out that a target recently attended
a conference, then the attacker could start a spear phishing email
to share the attacker found the target's name on the attendee list
and wants to follow-up.
Many countries around the world keep detailed records of both citizens
and companies. These sources of information can be highly valuable for
cyber attackers.
o For example, a set of hospital records may identify an individual's
place and date of birth and an electoral roll may identify
someone’s address. The availability of this type of information is a
key reason why those facts should never form part of a security
process without other safeguards.
For companies, many stock exchanges require a certain amount of
financial information to be made available.
o For example, in the UK companies must provide information
to Companies House to operate. All of this information can be of
interest to a cyber attacker.
A.1.11.d. Good rules for gathering open information
If you are conducting an investigation using open information, here are a few
simple guidelines to follow. As you become more experienced, you will learn
additional tips and tricks, but this should be a good starting point.
1. Get lots of information: Quantity is valuable
The more information, the better.
Analyst tools that look for links between data sets operate better with more information.
Keep in mind: You never know what the key piece of information will be, so save everything initially
before refinement.
This case study was made notable by both the impact and scale of the data breach and by the basic
mistakes made within the organization which made it possible. Due to the scale of the breach, it
brought data breaches to the attention of the US public.
[1] Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data
Breach, Federal Trade Commission, Press Release, July 2019
A.1.13.c. National Security Agency
An insider leaks highly sensitive, damaging information
In 2013, a National Security Agency (NSA) contractor named Edward Snowden released a significant
amount of classified information. He was able to access the information because of his job role, and with
few technical tools and techniques.
Once the files were made public, the impact to the US and its international allies was considerable. The
leaked files included technical capability overviews, guidance on operations, and other highly sensitive
material. Several business arrangements between the NSA and US companies were brought under a high
degree of scrutiny as a result.
This is a well known example of a malicious insider. While a public figure for the cost of the damages has
not been made available, the general understanding was that the data breach was the most damaging set of
leaks the US had ever suffered.
You have learned about the basics of cybersecurity and the various types of
threats an organization may face. This module focuses on the "defensive" side
of cybersecurity, meaning organizations and their techniques and tools. How
do they detect, protect against, and respond to attacks? You will learn about
these topics:
Financial impacts of cyber crime to organizations
Security maturity
A security strategy approach that organizations can use to defend
against cyber attacks using the 10 Steps to Security by the National
Cyber Security Centre
Common approaches organizations take to:
o Prevent cyber attacks
o Detect cyber attacks
o Respond and recover from cyber attacks
Key properties for secure communications
Symmetric and asymmetric cryptography
Threat intelligence sources and benefits for organizations
B.1.1.b. Cost of data breaches
First, let's learn about how detrimental cyber attacks can be to organizations
and get a better idea about what the cost can be. The cost of cyber crime to
organizations can be both hard to predict in advance and very damaging.
The annual Cost of a Data Breach Report, conducted by the Ponemon
Institute and sponsored by IBM Security, analyzes data breach costs reported
by 507 organizations across 16 geographies and 17 industries. According to
the 2019 report, the average global total cost of a data breach is $3.92M,
with a value for the US being much higher at $8.19M. The US value has
increased significantly since 2006, from $3.54M. These and more key facts
about the average costs of data breaches are depicted in this diagram. The
amounts are in US dollars.
Area / Sign of less maturity / Sign of more maturity

Processes
  Less mature: Processes may be ad hoc or not formally documented.
  More mature: Processes are documented, reviewed, measured, and tested.
Leadership
  Less mature: No or few cybersecurity roles are formally set up. Employees may
  have cybersecurity as a secondary consideration alongside their core role.
  Little formal leadership exists.
  More mature: Clear job descriptions exist and top-down leadership supports
  the cybersecurity strategy.
Tools
  Less mature: Little investment in tooling exists. Some cybersecurity tools
  may be used if they are free or bundled within other software packages.
  More mature: Cybersecurity tools are procured alongside other software as
  part of a structured budget.
Culture
  Less mature: Few people think about cybersecurity.
  More mature: Cybersecurity is a key part of the organization's culture.
DETECT ATTACKS
RESPOND TO ATTACKS
Even with the best defenses, it is inevitable that all organizations will need
to respond to a cyber attack at some point. Designing systems to be resilient
through defined processes and preparation is a vital part of security planning.
In this lesson, we’ll introduce the basic concepts of incident response.
B.1.1.r. Introducing incident response
The SANS Institute provides many educational courses, events, and
resources available online. One of the documents it produced is
the Incident Handler's Handbook by Patrick Kral, which provides a good
framework for incident management. Let's briefly review the six phases that
cybersecurity professionals can use to respond to an incident.
1. Preparation
In this phase, an organization should start planning what it will do in the event of an
incident.
Typical steps may involve preparing resources and testing procedures.
2. Identification
3. Containment
As soon as an incident is observed, preventing the situation from worsening is the priority.
Steps may include segregating networks or shutting down access routes or certain systems.
4. Eradication
Like an illness in the human body, certain malware types or attackers must be completely
removed in order to be safe.
During the eradication step, devices might be wiped or restored to safe states.
There are countless examples where incomplete eradication results in malware re-
emerging, so being thorough is critical.
5. Recovery
6. Reflection
After the incident, it is important to have an opportunity to reflect on not only what caused
the incident, but how effective the response was.
Commonly this phase may be referred to as the "lessons learned" phase. However, "lessons
identified" may be a better title if changes are not made!
You can see this incident framework provides a good baseline to build upon.
Certain forms of attack or incidents might require the expansion of certain
stages. For example, a data breach event from a lost storage device might not
have many eradication steps, but the recovery process might be longer with a
higher number of stakeholders engaged.
B.1.1.s. Preparing for incidents
As part of standard business activities, many organizations will go through
several simulated activities to test their level of preparation. This table explains
three types of such tests.
Paper-based tests | In this test, security teams are surveyed and asked questions about their level of preparation. This may involve identifying key personnel, ensuring backups are taken, and producing process documents upon request.
Table-top exercises | This is a more involved test format. In this test, various key personnel are brought together, and the incident response process is simulated end-to-end. This form of testing allows teams to interact with one another and see how the wider scenario would develop.
Live tests | The most realistic form of testing is to perform an exercise within the live systems. Organizations may shut down key systems to test various failures and how their teams respond.
B.1.1.t. Business continuity and disaster recovery
Let's examine two key terms that you need to know about with regards to
incident response.
1. Business continuity is based on an organization’s ability to continue
operating despite an incident. This may involve having backup sites to
take over the delivery of services or a backup technology to take over
should one fail.
2. Disaster recovery is based on an organization’s ability to recover from
a disaster. A cybersecurity disaster could involve all computers in an
organization being wiped or entire databases being deleted. In this
recovery planning process, organizations need to be prepared to start
with virtually nothing.
Both continuity planning and recovery processes have high levels of overlap
with other security functions. While historic concerns were mostly around
natural disasters such as floods, earthquakes, or fire, it has become
increasingly evident that cyber attacks can be equally or more disruptive than
their natural counterparts. While a multinational organization is extremely
unlikely to have all its sites hit by a power cut simultaneously, a cyber attack
that shuts down key global services, such as organizational file shares or
domain management systems, is far more plausible.
B.1.1.u. Benefit of incident response teams
The benefit of incident response teams can be highlighted by the following
analysis from the 2020 Cost of a Data Breach Report conducted by the
Ponemon Institute and sponsored by IBM Security.
INTRODUCING CRYPTOGRAPHY
In this lesson, we will introduce the mathematical field of cryptography.
Cryptography is fundamental to vital concepts within information security and
something all cyber security professionals should have an understanding of to
be successful.
Cryptography is often defined as the art of writing and solving codes; in practice
it is the set of techniques for protecting information and communications from
anyone other than the intended parties.
At the start of this course, we shared that keeping information confidential is
one of the key objectives of information security. Keeping and sharing secrets
have been challenges that have existed for thousands of years. While
methods for achieving this have changed significantly across the years, the
objectives have remained broadly the same.
A.1.1.a. Defining secure communications
Imagine a situation with three participants: Alice, Bob, and Eve. These three
characters have been used for many years in the field of cryptography to
illustrate concepts. Alice and Bob want to communicate securely, and Eve
wants to eavesdrop on the exchange, thus her name, "Eve".
There are three key properties which must be observed to have reliable
secure communications.
Property 1: Confidentiality
Alice can send a message to Bob without Eve being able to understand the
contents. This property means that the message is private.
Property 2: Authenticity
Eve cannot send a message to Bob claiming to be Alice without Bob being able
to tell. This property ensures that spoofing or impersonation is detected.
Property 3: Integrity
If Eve modifies a message between Alice and Bob, then the receiver will be
able to identify the message has been modified. It is possible to tamper with
messages without knowing the contents. For instance, people can talk loudly
to disrupt a face to face conversation in a language they do not understand.
These three properties are achieved through a range of mathematical
algorithms and other techniques. Historically, this could be locked boxes and
wax seals, but for this course, we'll be focusing more on the mathematical
options!
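The three properties above, worked through in code. This is an added example, not part of the course material: it uses a keyed hash (HMAC-SHA256 from Python's standard library) to give Bob integrity and authenticity checks on Alice's messages. The keys are constructed for the example, and the shared key is assumed to have been agreed between Alice and Bob beforehand; confidentiality is deliberately not provided, since the message travels in the clear, which is part of what the example shows.

```python
import hashlib
import hmac

# Constructed keys for the example. The shared key is assumed to have been agreed
# between Alice and Bob beforehand (the hard part of any shared-key scheme); Eve
# has only her own key and must not be able to guess the shared one.
SHARED_KEY = hashlib.sha256(b"example shared secret between Alice and Bob").digest()
EVES_KEY = hashlib.sha256(b"Eve's own guess at a key").digest()


def make_tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag: HMAC-SHA256 over the message under the given key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def alice_send(message: bytes):
    """Alice transmits the message in the clear together with its tag.
    Confidentiality is NOT provided here; that would need encryption as well."""
    return message, make_tag(SHARED_KEY, message)


def bob_verify(message: bytes, tag: bytes) -> bool:
    """Bob recomputes the tag and compares in constant time, so a forger learns
    nothing from how long a rejection takes."""
    return hmac.compare_digest(make_tag(SHARED_KEY, message), tag)


def eve_tamper(message: bytes) -> bytes:
    """Eve flips one bit in transit. She does not need to understand the
    message to damage it (the 'talking loudly' case in the text)."""
    mutated = bytearray(message)
    mutated[0] ^= 0x01
    return bytes(mutated)


def eve_forge(message: bytes):
    """Eve tries to send her own message as if from Alice. Without SHARED_KEY
    the best she can do is tag it under some other key."""
    return message, make_tag(EVES_KEY, message)


if __name__ == "__main__":
    msg, tag = alice_send(b"Transfer 10 USD to the pizza shop")
    print("genuine message accepted:", bob_verify(msg, tag))
    print("tampered message accepted:", bob_verify(eve_tamper(msg), tag))
    forged_msg, forged_tag = eve_forge(b"Transfer 10000 USD to Eve")
    print("forged message accepted:", bob_verify(forged_msg, forged_tag))
```

Integrity and authenticity come from the same tag: a changed byte and a message tagged under the wrong key are both rejected. Anyone on the wire can still read the message, so confidentiality needs encryption in addition.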
B.1.1.v. Encryption
Encryption is the process by which a message is converted into something
that cannot be understood, except by those who have a decryption key to
reverse the process. When a message has been converted into an unreadable
state it is said to be encrypted. At a high level, there are two forms of
encryption in use for the world today: symmetric and asymmetric.
Symmetric encryption
In symmetric encryption, the algorithm for encrypting information uses
the same key as the decryption process. Symmetric encryption is fast and
easy to implement. It relies on both the sender and receiver having access to
the same key, kind of like a password or "shared secret", to maintain a private
information link. The hard part in practice is getting that shared key to both
parties securely in the first place, which is where asymmetric techniques
(below) come in.
EXAMPLE
A simple example is a rotation-based cipher in which characters are increased
or decreased by a fixed number of places in the alphabet. The number of
places to move forward and backward acts as the key. If the sender is using a
key of +1, they rotate characters forwards by 1 and the receiver then uses a -1
rotation to recover the original message. In this cipher, the word "HOLIDAY" is
encrypted by a +1 shift in the alphabet to be "IPMJEBZ". Since the alphabet has
26 letters there are only 25 useful keys, so an eavesdropper can simply try them
all; the cipher illustrates the shared-key idea, not real security.
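The rotation cipher from the example, as an added Python illustration (not code from the course): encryption and decryption share one key, and Eve's brute-force attack shows why a key space of 25 is no defense.

```python
import string

ALPHABET = string.ascii_uppercase  # the cipher only acts on A-Z


def rotate(text: str, places: int) -> str:
    """Move every upper-case letter `places` positions along the alphabet,
    wrapping from Z back to A. Other characters (spaces, digits) are left as-is."""
    shifted = []
    for ch in text:
        if ch in ALPHABET:
            idx = (ALPHABET.index(ch) + places) % len(ALPHABET)
            shifted.append(ALPHABET[idx])
        else:
            shifted.append(ch)
    return "".join(shifted)


def encrypt(plaintext: str, key: int) -> str:
    """Sender side: rotate forwards by the key."""
    return rotate(plaintext.upper(), key)


def decrypt(ciphertext: str, key: int) -> str:
    """Receiver side: the same key, applied in the opposite direction."""
    return rotate(ciphertext, -key)


def brute_force(ciphertext: str) -> dict:
    """Eve's attack. Shifts repeat every 26, so there are only 25 useful keys;
    an eavesdropper just tries them all and picks the readable candidate."""
    return {key: decrypt(ciphertext, key) for key in range(1, len(ALPHABET))}


if __name__ == "__main__":
    ct = encrypt("HOLIDAY", 1)
    print(ct)                 # IPMJEBZ
    print(decrypt(ct, 1))     # HOLIDAY
    for key, guess in brute_force(ct).items():
        print(key, guess)
```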
Algorithms in use today that follow the symmetric model include the
Advanced Encryption Standard (AES) in its various key sizes and modes. AES is
most likely what the TLS connection in your browser is using to encrypt this
page in transit!
Asymmetric encryption
In asymmetric encryption, the key used to encrypt information is different
from the key used to decrypt it. These keys are known as the public key and
the private key, and they are generated together as a mathematically linked
pair. Once a public key is generated, you can share it with anyone and
everyone. Anyone who has a copy of the public key can encrypt a message,
which only the holder of the private key can decrypt. Asymmetric operations
are far slower than symmetric ones, so in practice they are mostly used to
exchange a symmetric key, which then protects the bulk of the data.
EXAMPLE
In this diagram, Alice is the sender and Bob is the receiver. It represents the
transmission process. Alice encrypts a message using Bob's public key. Once
the message is encrypted, it can only be decrypted using Bob's private key.
The encrypted message is sent to Bob. Bob can then decrypt the message
using his private key. It is essential that Bob does not share his private key
with anyone, otherwise they would be able to read all of his incoming
messages.
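The same exchange in code, as an added example that is not part of the course: a textbook RSA key pair for Bob, encryption under the public key, decryption under the private key. The primes, the use of Python's built-in pow for modular arithmetic, and the absence of padding are simplifications made for readability; this is a toy to show the key relationship, not something to use for real data.

```python
from math import gcd

# Two Mersenne primes, chosen only so the arithmetic is easy to check.
# Real RSA keys use primes of 1024 bits or more; these are a toy.
P = 2**31 - 1   # 2147483647
Q = 2**61 - 1   # 2305843009213693951
E = 65537       # the usual public exponent


def keygen(p: int, q: int, e: int = E):
    """Produce the (public, private) key pair together, as the text describes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e; needs Python 3.8+
    return (n, e), (n, d)


def encode(text: str) -> int:
    """Turn a short string into an integer (must stay smaller than n)."""
    return int.from_bytes(text.encode("utf-8"), "big")


def decode(m: int) -> str:
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode("utf-8")


def encrypt(public_key, m: int) -> int:
    """Anyone holding the public key can perform this step."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message too large for this key; real systems use hybrid encryption")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the holder of d can reverse the encryption."""
    n, d = private_key
    return pow(c, d, n)


def eve_attempt(public_key, c: int) -> int:
    """Eve only has the public key. Applying it again does not undo the encryption."""
    n, e = public_key
    return pow(c, e, n)


if __name__ == "__main__":
    bob_public, bob_private = keygen(P, Q)
    m = encode("HOLIDAY")
    c = encrypt(bob_public, m)                  # Alice's step
    print(decode(decrypt(bob_private, c)))      # Bob's step: HOLIDAY
    print(eve_attempt(bob_public, c) == m)      # Eve cannot recover the plaintext
```

The message limit raised in `encrypt` is the practical reason for hybrid encryption: the public key carries a short symmetric key, and the symmetric key carries the data.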
Providing context | Should an organization discover it was attacked from an unknown location or by an unknown group, it can use intelligence sources to start understanding the attacker. Context can include helpful pieces of information to aid attribution and guidance on what to expect next.
Learning from peers | There are some things best learned from others. Organizations may share information about how attackers attacked them, how they defended themselves, and how effective their approaches were. These shared stories are an excellent method of strengthening the whole industry.
B.1.1.y. Sources of threat intelligence
Gathering and developing threat intelligence can be a complex undertaking.
Organizations may engage in primary research in which they investigate
themselves or collect secondary information from another source. Here are
some common threat intelligence sources that organizations utilize.
Threat exchange platforms | There are a number of online platforms that allow cybersecurity professionals to access databases of gathered information and analysis. These range from free platforms to others provided on a subscription model or to closed industry groups. One example is the IBM X-Force Exchange platform.
Conferences | Conferences are a good method for cybersecurity professionals to share the latest developments in the industry. Certain researchers hold off making discoveries public in order to get a larger burst of publicity at an event. There are also opportunities to gather information from informal conversations and networking at conferences. Examples of conferences include Black Hat, RSA Conference, and CYBERUK.
Articles and news | Certain media outlets devote a significant amount of effort to covering developments within the IT world. One example is Security Intelligence. As certain security issues have become more high profile, the amount of coverage has increased significantly. There is also a good collection of smaller sites, in addition to traditional media outlets, which cater to a more specialist audience. Examples of blogs include Krebs on Security and Graham Cluley.
Product vendors | Organizations such as Microsoft, Google, and Apple, which produce large amounts of software, frequently publish periodic security advisories relating to their products. These notices can include very important information and are essential reading for system administrators.
B.1.1.z. Job roles
Within the world of cyber threat intelligence, job roles can typically be divided
into two areas: production and interpretation.
On the production side, there is a range of job roles involved in the
collection and enrichment of information. Some of these roles are
technically-focused, such as those involved with developing scanners or
web crawlers, or conducting software analysis. Other roles might involve
more subterfuge and infiltrating criminal gangs and marketplaces.
Finally, there are roles involved in translation, linguistic analysis, and
psychometrics (the science of measuring mental capacities and
processes). All of these roles collect information and produce
intelligence from it.
On the interpretation side, unless intelligence development is done "in
house" or by commission, it is very rare that intelligence will tell analysts
everything they would like. Security analysts may receive several
warnings relating to a range of topics. They then need to review the
findings and decide the best course of action to recommend.
Interpretation must take unique, organizational attributes into account
such as proprietary or confidential information to be effective. There isn’t
a one-size-fits-all model!
B.1.1.aa. Key takeaway
In conclusion, threat intelligence allows organizations to act in a systematic
and planned way rather than using estimations or relying on standards. This
means defenses are designed to meet the attacks they will experience rather
than designing defenses to meet an industry or regulatory standard. This is
particularly important for organizations that operate in a complex or anomalous
way for which regulations are often insufficient guidance.
C. A CAREER IN CYBERSECURITY
C.1. JOB MARKET
C.1.1.a. Module overview
This module focuses on the current and growing need for cybersecurity
professionals around the world. You will learn about these topics:
The demand for cybersecurity professionals in the current job market
Core attributes and skills that cybersecurity professionals should
possess
Primary responsibilities of common cybersecurity job roles
Cybersecurity certifications that are available
Resources to learn more and potential options to consider to get started
in a cybersecurity career
C.1.1.b. Current job market
Cybersecurity is a fascinating and ever-growing field that lives at the
intersection of established technologies and emerging cybersecurity threats.
As a career path, it requires a variety of skills and personal characteristics,
some of which you may already have. Cybersecurity professionals do not
always have a traditional four-year university degree. They come from very
diverse backgrounds. You may be in a position where you are just starting out
in your career, transitioning jobs, or beginning a second career.
If you are considering a career in cybersecurity, it is important to know about
today's job market and projections, skills you need to start out and succeed in
a cybersecurity job, and some common job roles. Let's learn more about the
great demand for cybersecurity professionals around the world.
If there is one trend that everyone can agree on, it is that cybersecurity is a
fast-growing market with tremendous career opportunities. No matter how you
crunch the numbers, there’s a huge need for cybersecurity professionals over
the next decade. Here are some fast facts.
There will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one
million positions in 2014.
Out of the 3.5 million open cybersecurity positions expected by 2021, Cybersecurity
Ventures estimates more than 2 million openings will be in the Asia-Pacific region,
and nearly 400,000 will be in Europe.
The U.S. has a total employed cybersecurity workforce consisting of 715,000 people,
and there are currently 314,000 unfilled positions, according to CyberSeek, a project
supported by the National Initiative for Cybersecurity Education (NICE), a program of
the National Institute of Standards and Technology (NIST).
The cybersecurity unemployment rate is at zero percent in 2019, where it’s been since
2011.
Source: It’s not where you start – it’s how you finish: Addressing the
cybersecurity skills gap with a new collar approach, IBM Institute for Business
Value, 2017
C.2.1.a. Skill areas to build
Cybersecurity professionals have a diverse set of backgrounds, some of them
in the IT field and some from totally different fields. The key is to build up a
set of relevant technical skills and workplace-related abilities that can give you
the basics you need to launch into a cybersecurity role. Here are some skill
areas to consider. This is not an exhaustive list, but it covers the foundational
skills to think about.
Skill Area | Description
System administration | For Linux, UNIX, and/or Windows operating systems, you need to know the basics of installing, configuring, and maintaining client and server systems. You need to understand the underlying models for user management, permissions, file systems, and command scripts.
Customer service | You need the ability to interact with clients to help them through diagnosing and remediating security issues.
Communications | You need the ability to succinctly communicate, using verbal and written communications, technical information about security incidents and the remediation of those incidents.
Aptitude for investigation | You need the curiosity and mindset for detecting and probing into unusual behavior. This can be demonstrated through experience in troubleshooting IT issues or in a totally different field such as military intelligence. The key is to demonstrate the initiative to do the requisite detective work to get to the bottom of suspicious situations.
Someone who works in cybersecurity should be inventive and able to come up
with solutions quickly to stop breaches from becoming massive problems for
an organization. Remember, thinking creatively is probably how the cyber
attackers got in. A cybersecurity professional must be just as creative to
realize how they got inside the system.
Note: There are many more job roles in the field of cybersecurity. This is not a
complete list. Job roles vary by company and security area, as well as by
name. These are some common roles.
C.3.1.a. SOC analyst
In the company's security operations center (SOC), there is an entry level job
role called the SOC analyst.
It is also known as a cybersecurity analyst or triage analyst.
This role is "reactive" in that the SOC analyst responds to individual
alerts and investigates, as if being a detective, based on the evidence.
You may see references to a SOC analyst role being a "Level 1"
position. The increasing numbered levels are usually used to indicate
levels of responsibility and corresponding experience requirements. You
may also see reference to a "Junior" position.
What do they do on a typical day?
Monitor computer network traffic to detect suspicious activity that may indicate the
presence of hackers or malware such as trojans and ransomware.
Investigate alerts that are triggered by a security information and event management (SIEM)
tool (such as IBM Security QRadar) when it detects suspicious events, to determine whether the
alert is a false positive (a false alarm) or a true positive (a real security incident that
needs to be addressed). For a true positive, this involves identifying the context,
cause, and impacted user(s).
Evaluate the severity of security incident and assign the appropriate risk rating to these
incidents (e.g., low or high severity).
Escalate high severity incidents to the incident responder.
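An added example of the triage logic described above (not the course's code and not any SIEM vendor's): it parses a handful of constructed firewall log lines, flags a host that repeatedly and regularly tries to reach the same blocked external address, and raises the severity when the asset belongs to a sensitive role. The log format, the asset inventory, and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall log lines in a hypothetical format:
#   <epoch seconds> <ALLOW|DENY> <source ip> -> <destination ip>:<port>
# The 10.0.5.23 host tries the same external address every 60 seconds and is
# refused each time; 10.0.5.40 is ordinary browsing with one failed request.
LOG_LINES = [
    "1700000000 DENY 10.0.5.23 -> 203.0.113.10:443",
    "1700000010 ALLOW 10.0.5.40 -> 198.51.100.7:443",
    "1700000060 DENY 10.0.5.23 -> 203.0.113.10:443",
    "1700000090 DENY 10.0.5.40 -> 198.51.100.9:80",
    "1700000120 DENY 10.0.5.23 -> 203.0.113.10:443",
    "1700000180 DENY 10.0.5.23 -> 203.0.113.10:443",
    "1700000200 ALLOW 10.0.5.40 -> 198.51.100.7:443",
    "1700000240 DENY 10.0.5.23 -> 203.0.113.10:443",
    "1700000300 DENY 10.0.5.23 -> 203.0.113.10:443",
]

# Hypothetical asset inventory: who uses each workstation, consulted for severity.
ASSET_OWNERS = {"10.0.5.23": "capital markets trader", "10.0.5.40": "reception desk"}
SENSITIVE_ROLES = {"capital markets trader", "executive"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse(lines):
    """Turn raw lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            rec = match.groupdict()
            rec["ts"] = int(rec["ts"])
            rec["port"] = int(rec["port"])
            events.append(rec)
    return events


def find_beacons(events, min_attempts=5, max_jitter=5.0):
    """Flag (src, dst, port) flows with many DENIED attempts at regular intervals.
    Regularity (a low standard deviation of the gaps) is what separates a
    beaconing implant from a user who retried a broken site a few times."""
    by_flow = defaultdict(list)
    for ev in events:
        if ev["action"] == "DENY":
            by_flow[(ev["src"], ev["dst"], ev["port"])].append(ev["ts"])
    alerts = []
    for (src, dst, port), stamps in by_flow.items():
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if pstdev(gaps) > max_jitter:
            continue
        alerts.append({"src": src, "dst": dst, "port": port,
                       "count": len(stamps), "mean_interval": mean(gaps)})
    return alerts


def severity(alert):
    """Triage step: the same technical finding rates higher on a sensitive asset."""
    owner = ASSET_OWNERS.get(alert["src"], "unknown")
    return "high" if owner in SENSITIVE_ROLES else "medium"


if __name__ == "__main__":
    for alert in find_beacons(parse(LOG_LINES)):
        print(severity(alert), alert)
```

The firewall denying the connections keeps the damage contained, as in the scenario below, but the regular retry pattern is the evidence that the host is infected and is what the analyst escalates.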
Let's say an alert comes in on the SIEM tool. The SOC analyst determines that it is regarding a
malware infection on the computer of one of the executives in the organization. Upon
investigation, the SOC analyst concludes it is a true positive. Since it is an attack that impacts an
executive who has access to highly sensitive information, the SOC analyst assigns it a high
severity.
Let's say a high severity incident of malware is reported on an executive's computer. The incident
responder determines if other employees are impacted by the malware, how best to respond to it,
and collaborates with others to remediate.
Let's say a brand new ransomware threat has been publicized. A threat hunter will research this
threat and implement automation to help prevent the threat from penetrating the organization and
detect the threat if it manages to penetrate.
Security consultant
Security administrator
A mid-level position that also works in the SOC, but this role is quite
different from a SOC analyst.
Like a systems administrator, but this role works with security tools, such as
SIEM tools.
Keeps the security tools maintained by applying patches and tuning
them to perform properly.
Writes scripts to automate tasks in the security systems.
Does not investigate incidents.
Penetration tester
A more advanced position, also called a pen tester, who emulates
the "bad guys".
Responsible for testing a computer system, network, or application to
find security vulnerabilities that a hacker could potentially exploit.
Often hired from outside the company to "break into" its systems,
providing a level of quality control and an external assessment.
Mobile administrator
Compliance analyst
CompTIA Security+
Cybersecurity organizations
The National Institute of Standards and Technology (NIST) is a unit of
the U.S. Commerce Department that maintains measurement standards.
It has a program to implement practical cybersecurity and privacy
through outreach and effective application of standards and best
practices necessary for the US to adopt cybersecurity capabilities.
The National Cyber Security Centre (NCSC) is the UK's leading
authority on cybersecurity issues. The website contains a lot of advice
documents and guidance for specific industries.
The Open Web Application Security Project (OWASP) is a worldwide,
non-profit, charitable organization focused on improving the security of
software. It provides an unbiased source of information on best practices
as well as an active body advocating open standards.
The Information Systems Security Association (ISSA) is a non-profit
organization for the information security profession. It is committed to
promoting a secure digital world. Most resources from ISSA are for
members. You can review the benefits of becoming a member and if
there are any local chapters near you. Search if there is a local chapter
near you and take a look at the chapter's website.
Women in Cybersecurity (WiCyS) is a US-based non-profit membership
organization that is dedicated to bringing together women in
cybersecurity from academia, research and industry to share
knowledge, experience, networking, and mentoring.
The Forum of Incident Response and Security Teams (FIRST) is a
global forum and recognized global leader in incident response. FIRST
provides up-to-date best practice documents, publications, and so on.
Cybersecurity blogs
Krebs on Security is a collection of blogs about computer security and
cyber crime authored by Brian Krebs, an American journalist and
investigative reporter.
Graham Cluley is a collection of blogs about the latest computer security
news, opinion, and advice authored by Graham Cluley, a British speaker
and independent analyst.
The Recorded Future blog provides cyber threat intelligence analysis,
industry perspectives, Recorded Future company updates, and more.
C.5.1.b. Getting started in the industry
What's next? What can you do to perhaps get started in the cybersecurity
industry? Depending on your interest and experience, if you are considering a
career in cybersecurity, then you could explore these different options.
Expand your knowledge! The more you become familiar with
cybersecurity, the more avenues will open up for you to explore. Try
following up your interests and discover new roles and industries that
you may not have considered before.
Continue learning! This is the beginning of your learning experience.
You can continue learning by searching online for additional
cybersecurity topics and consider some of these educational resources.
o The Cyber Security Body Of Knowledge (Cybok) aims to be a
comprehensive body of knowledge to inform and underpin
education and professional training for the cyber security sector. It
acts as an excellent reference guide for security topics
o The SANS Institute is a cooperative research and education
institution. At the heart of SANS are the many security
practitioners in varied global organizations from corporations to
universities working together to help the entire information security
community. SANS is a trusted and large source for information
security training and security certification.
o The IBM Security Learning Academy provides free technical
training on IBM Security products. You can explore the course
catalog and build your own curriculum by enrolling in courses.
Please note that you would need to create an IBM ID
account.
o And, stay tuned for more education offerings in this program!
Explore opportunities! If you are seeking employment, you can start
exploring the job marketplace. Check out job postings to identify
common requests and qualifications. Get a sense for which jobs might
appeal to you in the future, and work to meet the qualifications.
D. Q & A
She-Ra Cat is a pseudonym for a hacker who was a member of a collective
European group in 2012. The group expressed solidarity with a foreign country
during economic unrest, stating that the government “refused to listen to its
people.” The group lodged cyber attacks against the government's websites to
spread the word about the government’s failure to comply with the people’s
wishes. Which type of cyber attacker group could this represent?
This scenario represents the hacktivist. Hacktivists are driven by causes and
ideologies. They seek a political or economic change and will use hacking to
achieve it.
Monica da Silva is an employee at an aeronautics company. She noticed her laptop has
started to become unresponsive ever since she went on a business trip to a foreign
country. She remembers being asked to hand the device over while at an airport and she
thinks that is when the problems started. Which type of cyber attacker group could this
represent?
This scenario represents a nation state: government entities using their services to aid
their objectives. Nation state hackers have an interest in gaining strategic advantages for
their respective country. A device that leaves your sight at a border or airport can no
longer be trusted, which is one reason many organizations advise employees to travel with
a clean or loaner device rather than their usual laptop.
Stephen Nguyen was laid off last month from his executive-level position at an industrial
chemical company. He worked in the research and development (R&D) department. He
downloaded his latest project's information onto a personal USB flash drive. He is bitter
about losing his job and considering selling the USB drive to another company's R&D
department. Which type of cyber attacker group could he represent?
This scenario represents the malicious insider. Malicious insiders are typically people
within organizations who are disgruntled and are motivated by money or doing damage.
This attack involves causing a system to partially crash and be unable to perform work at
normal levels. What type of cyber attack is this?
This description represents a denial of service (DoS) attack. A DoS attack is any attack
that makes a system or service partly or wholly unavailable to its legitimate users, typically
by flooding it with traffic or exhausting its resources. Such attacks are often in the news.
This attack involves sending an email to an individual that appears to be from a trusted
source, but instead has the intention of getting personal information, such as a password.
What type of cyber attack is this?
This description represents a phishing attack. A phishing attack is the practice of sending
messages that appear to be from trusted sources with the goal of gaining personal
information or influencing users to do something. This type of attack is very effective.
This attack involves software designed to perform in a detrimental manner to a target,
without the target's consent. It can block access to data and programs, steal information,
and make systems inoperable. What type of cyber attack is this?
This description represents a malware attack. Malware is a catch-all term for malicious
software that is designed to perform in a detrimental manner to a targeted user without the
user's informed consent. It can block access to data and programs, steal information, and
make systems inoperable. Some malware is related to a function, such as keyloggers
(which captures a victim's keystrokes) or ransomware (which holds a victim's files captive in
exchange for a ransom payment).
Organizations should keep the attack surface as small as possible as a basic security
measure. It is becoming more difficult to secure an organization's perimeter as remote
access, guest wifi, and bring your own device (BYOD) policies all extend it.
True or false? Over time, older software may have vulnerabilities discovered. And, new
versions of software can introduce new vulnerabilities. In general, updating software and
applications to be the latest version significantly reduces the risk of them being
successfully attacked.
True. Over time, older software may have vulnerabilities discovered. And, new versions
of software can introduce new vulnerabilities. In general, updating software and applications
to be the latest version significantly reduces the risk of them being successfully attacked.
Theresa follows various trusted sources for information about new and emerging
cybersecurity threats. She just came across news that a new variant of the EMOTET
malware has been detected on the IBM X-Force Exchange, one of her key trusted sources.
She learns that this banking trojan, first seen in 2014, has morphed into a distributor of
other malware, and the latest variant uses stolen emails as a delivery mechanism.
Since Theresa works for a financial services company, she decides she needs to protect it
from this new variant of EMOTET. So, she finds relevant information about how to detect
EMOTET and configures her team's SIEM tool to send alerts to her team when EMOTET
is detected. What cybersecurity job role is Theresa performing?
Theresa is a threat hunter. On the job, the threat hunter is responsible for proactively
researching the latest threats, evaluating which new and emerging threats are a high risk to
the organization, and responding to them appropriately.
Sam is a capital markets trader for a financial services company. He gets an urgent call
from Diego on the security team who informs Sam there is compelling evidence that
Sam's laptop has been infected with malware. Diego shares that, so far, it looks
like the malware has not inflicted any serious harm, but that Sam needs to shut down his
laptop immediately and disconnect it from the network. Diego opens an IT ticket to have
Sam's laptop re-imaged and restored, and provides Sam with a temporary laptop to
continue his work in the meantime. Diego will also follow-up with Sam at a later point to
help him understand how his laptop was infected and educate him about how to avoid
future such situations. What cybersecurity job role is Diego performing?
Diego is an incident responder. On the job, the incident responder is responsible for
scoping the extent of the cybersecurity incident, planning the best remediation methods, and
implementing the remediation in a timely manner.
Marta works on the security team for a financial services company. She finds a security
alert has been generated by the team's SIEM tool and assigned to her for investigation.
She determines that a laptop may be infected with malware known as EMOTET. Marta
investigates and finds that the laptop is infected because it is continually trying to
establish a connection with a malicious "command and control" server. Fortunately the
firewalls are declining these connection requests. However, Marta also finds out that the
laptop belongs to a capital markets trader, someone who has access to sensitive financial
data. So she concludes that this infection is a top priority and needs to be fixed right
away. What cybersecurity job role is Marta performing?
Marta is a SOC analyst. On the job, the SOC analyst is responsible for monitoring and
investigating incident alerts to conclude the level of severity.