DA'QUESHIA: What do
you picture when you think about the security field? This might make you think
of a dark room with people hunched over their computers. Maybe you picture a person
in a lab carefully analyzing evidence. Or maybe you imagine
a guard standing watch in front of a building. The truth is, no matter what
thoughts crossed your mind, all of these examples are part
of the wide world of security. Hi, my name is Da'Queshia. I have worked as a security
engineer for four years. I'm excited to be your
instructor for this course and share some of my
experience with you. At Google, I'm part of a diverse
team of security professionals who all have
different backgrounds and unique perspectives. For example, in my role,
I work to secure Gmail. Part of my daily
activities include developing new security features
and fixing vulnerabilities in the application to make
emails safer for our users. Some members of my team
begin working in security after graduating from college. Many others found their
way into the field after years of working
in another industry. Security teams come in all
different shapes and sizes. Each member of a team
has a role to play. While our specific functions
within the group differ, we all share the same
objective-- protecting valuable assets from harm. Accomplishing this mission
involves a combination of people, processes, and tools. In this course, you'll learn
about each of these in detail. First, you'll be introduced to
the world of asset security. You'll learn about
the variety of assets that organizations
protect and how these factor into a company's
overall approach to security. Then you'll begin exploring
the security systems and controls that teams
use to proactively protect people and their information. All systems have weaknesses
that can be improved upon. When those weaknesses
are neglected or ignored, they can lead to
serious problems. In this section
of the course, you focus on common
vulnerabilities and systems and the way security teams stay
ahead of potential problems. Finally, you'll learn about
the threats to asset security. You'll also be introduced to
the threat modeling process that security teams use
to stay one step ahead of potential attacks. In this field, we
try to do everything possible to avoid being put
in a compromised position. By the end of this
course, you'll have a clearer picture
of the ways people, processes, and
technology work together to protect all that's important. Throughout the
course, you'll also get an idea of the site
and career opportunities available to you. Security truly is an
interdisciplinary field. Your background and
perspective is an asset. Whether you're a recent
college graduate or starting a new career path,
the security field presents a wide range
of possibilities. So what do you say? Are you ready to go on
this journey with me? We all depend on technology
so much nowadays. Examples of this
are all around us. Personal devices
like smartphones help keep us in touch
with friends and families across the globe. Wearable technologies help
us achieve personal goals and be more productive. Businesses have also come
to embrace technology in everyday life. From streamlining operations
to automating processes, our world is more connected
because of technology. The more we rely on technology,
the more information we share. As a result, an enormous amount
of data is created every day. This huge surge in data creation
presents unique challenges. As businesses become more
reliant on technology, cybercriminals become
more sophisticated in how they affect organizations. Data breaches are
becoming increasingly serious due to all the sensitive
data businesses are storing. One positive aspect
of these challenges is a growing need for
individuals like you. Security is a team effort. Unique perspectives
like yours are an asset to any organization. A team filled with diverse
backgrounds, cultures, and experiences is more likely
to solve problems and be innovative. As breach after breach
hits the headlines, it's clear that organizations
need more professionals focused on security. Companies around the
globe are working hard to keep up with the
demands of a rapidly changing digital landscape. As the environment
continues to transform, the more your personal
experience is valuable. In this section, we'll
start by exploring how assets, threats, and
vulnerabilities factor into security plans. After that, we'll discuss
the use of asset inventories and protecting the wide range
of assets that companies have. Then we'll consider
the challenges in this rapidly
changing digital world. And finally, you'll gain an
understanding of the building blocks of a security plan,
its policies, standards, and procedures. We'll examine the NIST
cybersecurity framework that companies use to
create security plans that protects their customers
and their brands. I hope you're as excited
to go on this journey into this world of
security as I am. Now, let's get started. Painting a portrait, perfecting
a new basketball move, playing a solo on guitar. They all share
something in common. Can you guess what it is? If you thought practice,
you're absolutely correct. It takes time, dedication, and
focus to improve these skills. The security profession
is no different. Planning for the
future is a core skill that you'll need to practice
all the time in security. We all deal with uncertainty
by trying to solve problems before they arise. For example, if you're
going on a trip, you might think about
the length of the trip and how much to pack. Maybe you're traveling
somewhere cold. You might bring coats and
sweaters to help keep you warm. We all want to feel the
security of knowing that there's a plan if something goes wrong. Businesses are no different. Just like you, organizations
try their best to plan ahead by analyzing risks. Security teams help companies
by focusing on risks. In security, a risk
is anything that can impact the
confidentiality, integrity, or availability of an asset. Our primary focus as
security practitioners is to maintain confidentiality,
integrity, and availability, which are the three
components of the CIA triad. The process of
security risk planning is the first step towards
protecting these cornerstones. Each organization has their
own unique security plan based on the risks they face. Thankfully, you don't
need to be familiar with every possible
security plan to be a good security
practitioner. All you really need
to know are the basis of how these plans
are put together. Security plans are
based on the analysis of three elements-- assets,
threats, and vulnerabilities. Organizations
measure security risk by analyzing how each can have
an effect on confidentiality, integrity, and availability of
their information and systems. Basically, they each
represent the what, why, and how of security. Let's spend a little
time exploring each of these in more detail. As you might
imagine, an asset is an item perceived as having
value to an organization. This often includes a
wide range of things. Buildings, equipment,
data, and people are all examples of assets that
businesses want to protect. Let's examine this idea more by
analyzing the assets of a home. Inside a home, there's a wide
range of assets, like people and personal belongings. The outside structure of a
home is made of assets too, like the walls, roof,
windows, and doors. All of these assets have
value, but they differ in how they might be protected. Someone might place
a lower priority on protecting the outside
walls than on the front door, for example. This is because
a burglar is more likely to enter through
the front door than a wall. That's why we have locks. With so many types of
assets to think of, security plans need to
prioritize resources. After all, no matter how
large a security team is, it would be impossible to
monitor every single asset at all hours of the day. Security teams can prioritize
their efforts based on threats. In security, a thread is any
circumstance or event that can negatively impact assets. Much like assets, threats
include a wide range of things. Going back to the
example of a home, a threat can be a burglar
who's trying to gain access. Burglars aren't the
only type of threats that affect the security
of windows and doors. What if either
broke by accident? Strong winds can blow the
door open during a bad storm, or kids playing with a ball
nearby can accidentally damage a window. If any of these thoughts
crossed your mind, great job. You're already demonstrating
a security mindset. The final element of a security
plan that we're going to cover are vulnerabilities. In security, a vulnerability
is a weakness that can be exploited by a threat. A weak lock on a front
door, for example, is a vulnerability that can
be exploited by a burglar. And old, cracked wood is
a different vulnerability on that same front
door that can increase the chances of storm damage. In other words, think
of vulnerabilities as flaws within an asset. Assets can have
many different types of vulnerabilities that are
an easy target for attackers. We'll explore different types
of threats and vulnerabilities in greater detail later. For now, just understand
that security teams need to account for a wide
range of assets, threats, and vulnerabilities
to effectively plan for the future. It can be really stressful
when you have trouble finding something important. You're late to an appointment
and can't find your keys. We all find ourselves
in situations like these at one time or another. Believe it or not,
organizations deal with the same kind of trouble. Take a few seconds to think of
the number of important assets you have nearby. I'm thinking of my phone,
wallet, and keys, for example. Next, imagine that you're
just joining the security team for a small online retailer. The company has been growing
over the past few years, adding more and more customers. As a result, they're expanding
their security department to protect the increasing
numbers of assets they have. Let's say each of you are
responsible for 10 assets. That's a lot of assets. Even in the small
business setting, that's an incredible amount of
things that needs protecting. A fundamental truth
of security is you can only protect the
things you account for. Asset management is the
process of tracking assets and the risk that affects them. All security plans revolve
around asset management. Recall that assets include any
item perceived as having value to our organization. Equipment, data, and
intellectual property are just a few of the
wide range of assets businesses want to protect. A critical part of every
organization's security plan is keeping track of its assets. Asset management
starts with having an asset inventory,
a catalog of assets that need to be protected. This is an essential
part of protecting organizational assets. Without this record,
organizations run the risk of losing track of
all that's important to them. A good way to think of asset
inventories is as a shepherd protecting sheep. Having an accurate count
of the number of sheep helped in a lot of ways. For example, it would be easier
to allocate resources like food to take care of them. Another benefit
of asset inventory might be that you get an alert
if one of them goes missing. Once more, think of
the important assets you have nearby. Just like me, you're probably
able to rate them according to the level of importance. I would rank my wallet ahead
of my shoes, for example. In security, this practice is
known as asset classification. In general, asset
classification is the practice of labeling assets based on
the sensitivity and importance to an organization. Organizations label
assets differently. Many of them follow a basic
classification scheme-- public, internal-only,
confidential, and restricted. Public assets can be
shared with anyone. Internal-only can be shared
with anyone in the organization, but should not be
shared outside of it. And confidential
assets should only be accessed by those working
on a specific project. Assets classified as restricted
are typically highly sensitive and must be protected. Assets with this label are
considered need-to-know. Examples include intellectual
property and health or payment information. For example, a growing
online retailer might mark internal emails about
a new product as confidential because those working on the new
product should know about it. They might also label the
doors at their offices with a restricted
sign to keep everyone out who doesn't have a
specific reason to be in there. These are just a couple
of everyday examples that you may be familiar with
from your prior experience. For the most part,
classification determines whether an asset
can be disclosed, altered, or destroyed. Asset management is
a continuous process, one that helps uncover
unexpected gaps in security for potential risks. Keeping track of all that's
important to an organization is an essential part
of security planning. Welcome back. We've covered a lot
of information so far. I hope you're having as much fun
exploring the world of security as I am. We have explored what
organization assets are and why they need protection. You've also gotten a sense of
the tremendous amount of assets security teams protect. Previously, we begin examining
security asset management and the importance of keeping
track of everything that's important to an organization. Security teams classify
assets based on value. Next, let's suspend
our security mindset and think about this question. What exactly is
valuable about an asset? These days, the answer
is often information. Most information is
in a digital form. We call this data. Data is information that
is translated, processed, or stored by a computer. We live in a connected world. Billions of devices
around the world are linked to the internet
and are exchanging data with each other all the time. In fact, millions
of pieces of data are being passed to
your device right now. When compared to
physical assets, digital assets have
additional challenges. What you will need to understand
is that protecting data depends on where that data
is and what it's doing. Security teams protect data
in three different states-- in use, in transit, and at rest. Let's investigate this
idea in greater detail. Data in use is data being
accessed by one or more users. Imagine being at a
park with your laptop. It's a nice, sunny
day, and you stop at a bench to check your email. This is an example
of data in use. As soon as you
log in, your inbox is considered to be in use. Next is data in transit. Data in transit is data
traveling from one point to another. While you're signed
into your account, a message from one of
your friends appear. They sent you an interesting
article about the growing security industry. You decide to reply, thanking
them for sending this to you. When you click Send, this is now
an example of data in transit. Finally, there's data at rest. Data at rest is data not
currently being accessed. In this state, data is typically
stored on a physical device. An example of data
at rest would be when you finish checking your
email and close your laptop. You then decide
to pack up and go to a nearby cafe for breakfast. As you make your way from
the park towards the cafe, the data in your
laptop is at rest. So now that we understand
these states of data, let's connect this back
to asset management. Earlier, I mentioned
that information is one of the most valuable
assets that companies can have. Information
security, or InfoSec, is the practice of
keeping data in all states away from unauthorized users. Weak information security
is a serious problem. It can lead to things like
identity theft, financial loss, and reputational damage. These events have
potential to harm organizations, their
partners, and their customers. And there's more to
consider in your work as a security analyst. As our digital world
continually changes, we are adapting our
understanding of data at rest. Physical devices,
like our smartphones, more commonly stored
data in the cloud, meaning that our information
isn't necessarily at rest just because our phone
is resting on a table. We should always be mindful
of new vulnerabilities as our world becomes
increasingly connected. Remember, protecting data
depends on where the data is and what it's doing. Keeping track of information
is part of the puzzle that companies solve when
considering their security plan. Understanding the
three states of data enables security teams to
analyze risks and determine an asset management plan
for different situations. Security is all about people,
processes, and technology. It's a team effort. And I mean that literally. Protecting assets extends well
beyond one person or a group of people in an IT department. The truth of the matter is
that security is a culture. It's a shared set
of values that spans all levels of an organization. These values touch everyone,
from employees to vendors to customers. Protecting digital
and physical assets requires everyone
to participate, which can be a challenge. That's what security
plans are for. Plans come in many shapes
and sizes, but they all share a common goal-- to be prepared for
risks when they happen. Placing the focus
on people is what leads to the most
effective security plans. Considering the diverse
backgrounds and perspectives of everyone involved ensure
that no one is left out when something goes wrong. We talked earlier
about the risks as being anything that can
impact the confidentiality, integrity, or
availability of an asset. Most security
plans address risks by breaking them down according
to categories and factors. Some common risk
categories might include the damage, disclosure,
or loss of information. Any of these can
be due to factors like the physical damage or
malfunctions of a device. There are also factors like
attacks and human error. For example, a
new school teacher may be asked to sign a
contract before their first day of class. The agreement may warn against
some common risks associated with human error, like
using a personal email to send sensitive information. A security plan may require
that all new hires sign off on this agreement,
effectively spreading the values that ensure
everyone's in alignment. This is just one example of
the types and causes of risk that a plan might address. These things vary widely
depending on the company, but how these plans
are communicated is similar across industries. Security plans consist
of three basic elements-- policies, standards,
and procedures. These three elements are how
companies share their security plans. These words tend to be
used interchangeably outside of security,
but you'll soon discover that they each
have a very specific meaning and function in this context. A policy in security
is a set of rules that reduce risks and
protects information. Policies are the foundation
of every security plan. They give everyone in and out
of an organization guidance by addressing questions like,
what are we protecting and why? Policies focus on the
strategic side of things by identifying the scope,
objectives, and limitations of a security plan. For instance, newly hired
employees at many companies are required to sign off on an
acceptable use policy, or AUP. These provisions
outline secure ways that an employee may
access corporate systems. Standards are the next part. These have a tactical function,
as they concern how well we're protecting assets. In security, standards
are references that inform how to set policies. A good way to think of
standards is that they create a point of reference. For example, many companies
use the password management standard identified in this
special publication, 800-63B, to improve their security
policies by specifying that employees'
passwords must be at least eight characters long. The last part of a
plan is its procedures. Procedures are
step-by-step instructions to perform a specific
security task. Organizations usually keep
multiple procedure documents that are used
throughout the company, like how employees can
choose secure passwords, or how they can securely reset
a password if it's been locked. Sharing clear and actionable
procedures with everyone creates accountability,
consistency, and efficiency across an organization. Policies, standards,
and procedures vary widely from one
company to another because they are tailored to
each organization's goals. Simply understanding the
structure of security plans is a great start. For now, I hope you
have a clearer picture of what policies, standards,
and procedures are and how they are essential to
making security a team effort. Having a plan is just one
part of securing assets. Once the plan is in
action, the other part is making sure everyone's
following along. In security, we call
this compliance. Compliance is the process of
adhering to internal standards and external regulations. Small companies and large
organizations around the world place security
compliance at the top of their list of priorities. At a high level, maintaining
trust, reputation, safety, and the integrity of your
data are just a few reasons to be concerned
about compliance. Fines, penalties, and
lawsuits are other reasons. This is particularly true for
companies in highly regulated industries, like health
care, energy, and finance. Being out of compliance
with the regulation can cause long-lasting financial
and reputational effects that can seriously
impact a business. Regulations are rules set by a
government or other authority to control the way
something is done. Like policies, regulations
exist to protect people and their information,
but on a larger scale. Compliance can be
a complex process because of the many
regulations that exist all around the world. For our purpose,
we're going to focus on a framework of security
compliance, the US-based NIST Cybersecurity Framework. Earlier in the program, you
learned the National Institute of Standards and
Technology, or NIST. One of the primary
roles of NIST is to openly provide companies
with a set of frameworks and security
standards that reflect key security-related
regulations. The NIST cybersecurity framework
is a voluntary framework that consists of standards,
guidelines, and best practices to manage cybersecurity risks. Commonly known as the
CSF, this framework was developed to help businesses
secure one of their most important assets-- information. The CSF consists of three
main components, the core, its tiers, and its profiles. Let's explore each
of these together to build a better understanding
of how NIST CSF is used. The core is basically
a simplified version of the functions, or
duties, of a security plan. The CSF core identifies
five broad functions-- identify, protect, detect,
respond, and recover. Think of these categories of the
core as a security checklist. After the core, the next
NIST component we'll discuss is its tiers. These provide security
teams with a way to measure performance
across each of the five functions of the core. Tiers range from
level 1 to level 4. Level 1, or passive, indicates
a function is reaching bare minimum standards. Level 4, or adaptive,
is an indication that a function
is being performed at an exemplary standard. You may have noticed that
CSF tiers aren't a yes or no proposition. Instead, there's
a range of values. That's because
tiers are designed as a way of showing
an organization what is and isn't working with
their security plans. Lastly, profiles are the
final component of CSF. These provide insight
into the current state of a security plan. One way to think of
profiles is like photos capturing a moment in time. Comparing photos
of the same subject taken at different times
can provide useful insights. For example, without
these photos, you might not notice how
this tree has changed. It's the same with
NIST profiles. Good security practice is
about more than avoiding fines and attacks. It demonstrates that
you care about people and their information. Before we go, let's visit
the core's functions one more time to look at where we've
been and where we're going. The first function is identify. Our previous discussions
on asset management and risk assessment
relate to that function. Coming up, we're
going to focus on many of the categories of the second
function, the protect function. Meet you there. Well done. You made it to the
end of this section. Being a security practitioner
takes commitment and a desire to learn. A big part of the
job involves keeping current with best practices
and emerging trends. Thinking back on my own journey
into the world of security, I'm so proud of you for
your continued commitment. We've covered a lot
of material this week, and this is a good time
to reflect and look back on the key concepts
we explored together. We covered the building
blocks of organizational risk management, assets, threats,
and vulnerabilities. We also spent some time
demonstrating the importance of asset inventories. It's much easier to
protect companies' assets if you know where they are and
who's responsible for them. After that, we moved on
to explore the challenges in a rapidly changing
digital world. Part of protecting
data in this world is understanding if it's in
use, in transit, or at rest. Finally, in our
high-level exploration of policies, standards,
and procedures, we talked about how
each of them factor into achieving security goals. There is no one-size-fits-all
approach to achieving security. While exploring the NIST
Cybersecurity Framework, you gained an appreciation of
how it supports good security practices. Attackers are also constantly
building their skills and finding new ways to break
through the defenses we put up. Remember, the landscape
is always changing. There's always more to learn. If you want to be a good
security practitioner. Next up, we're going to
expand our security mindset by learning more about the
different systems security teams use to protect
organizational assets. I'm looking forward to it. I was fascinated by
a worldwide malware event that happened in 2017. I started watching videos and
preparing to take certification tests just like you. I felt overwhelmed at first,
but my curiosity and passion has driven me to continue
learning in this field. I always remind myself that no
one is born knowing everything, and everyone is on
a learning journey. Even now, I still
remember what it was like to start out
in this profession. So believe me when I
tell you that you're making great progress, and
I am proud of your effort. Now, before looking
ahead to where we're headed on our journey
into the world of security, let's take a moment to look
back on where we've been. Previously, we focused mostly on
the concept of assets and risk in security. We covered topics like the
importance of managing assets and keeping them safe. We discussed how the digital
world presents new challenges and opportunities in
the field of security. We also spent some time
exploring security plans. With this solid
foundation, we're ready to keep expanding
our security mindset. In this section, we'll
cover the security controls that are used to proactively
keep assets safe. I use the word "proactively"
there on purpose. As you will soon
discover, these controls are the protections that we
put in place to stop problems before they happen. We're going to begin by taking
an in-depth look at privacy. Here, you'll learn about
the effective data handling processes that keep
information safe. Next, you'll explore the role
of encryption and hashing in safeguarding information. Finally, you will learn about
the standard access controls that companies use to authorize
and authenticate users. Are you ready to
keep moving ahead? I know I am. These days, information is
in so many places at once. As a result, organizations
are under a lot of pressure to implement effective
security controls that protects everyone's information
from being stolen or exposed. Security controls are
safeguards designed to reduce specific
security risks. They include a
wide range of tools that protect assets before,
during, and after an event. Security controls can be
organized into three types-- technical, operational,
and managerial. Technical control types
include the many technologies used to protect assets. This includes encryption,
authentication systems, and others. Operational controls
relate to maintaining the day-to-day
security environment. Generally, people perform
these controls, like awareness training and incident response. Managerial controls
are centered around how the other two reduce risks. Examples of management controls
include policies, standards, and procedures. Typically, an organization's
security policy outlines of controls needed
to achieve their goals. Information privacy plays a
key role in these decisions. Information privacy
is the protection of unauthorized access
and distribution of data. Information privacy is
about the right to choose. People and organizations
alike deserve the right to decide when,
how, and to what extent private information
about them is shared. Security controls
are the technologies used to regulate
information privacy. For example, imagine using a
travel app to book a flight. You might browse through
a list of flights and find one at a good price. To reserve a seat, you enter
some personal information, like your name, email, and
credit card number for payment. The transaction goes
through successfully, and you've booked your flight. Now, your reasonably
expect the airline company to access this information
you enter when signing up to complete the reservation. However, should
everyone at the company have access to your information? A person working in the
marketing department shouldn't need access to
your credit card information. It makes sense to share that
information with a customer support agent, except
they should only need to access it while
helping with your reservation. To maintain privacy,
security controls are intended to
limit access based on the user and situation. This is known as the
principle of least privilege. Security controls should be
designed with the principle of least privilege in mind. When they are, they rely on
differentiating between data owners and data custodians. A data owner is a
person who decides who can access, edit, use,
or destroy their information. The idea is very
straightforward, except in cases where
there are multiple owners. For example, the intellectual
property of an organization can have multiple data owners. A data custodian is
anyone or anything that's responsible for the
safe handling, transport, and storage of information. Did you notice that
I mentioned anything? That's because,
aside from people, organizations in their
systems are also custodians of people's information. There are other considerations
besides these when implementing security controls. Remember that data is an asset. Like any other asset,
information privacy requires proper
classification and handling. As we progress in
this section, we'll continue exploring other
security controls that make this possible. The internet is an
open, public system with a lot of data
flowing through it. Even though we all send and
store information online, there's some information that
we choose to keep private. In security, this
type of data is known as personally
identifiable information. Personally identifiable
information, or PII, is any information that can be
used to infer an individual's identity. This can include things
like someone's name, medical and financial
information, photos, emails, or fingerprints. Maintaining the privacy of
PII online is difficult. It takes the right
security controls to do so. One of the main
security controls used to protect information
online is cryptography. Cryptography is the process
of transforming information into a form that unintended
readers can't understand. Data of any kind is kept secret
using a two-step process-- encryption to hide
the information and decryption to unhide it. Imagine sending an
email to a friend. The process starts
by taking data in its original and readable
form, known as plaintext. Encryption takes
that information and scrambles it into
an unreadable form known as ciphertext. We then use decryption to
unscramble the ciphertext back into plaintext form,
making it readable again. Hiding and unhiding
private information is a practice that's been
around for a long time, way before computers. One of the earliest
cryptographic methods is known as Caesar's cipher. This method is named after a
Roman general, Julius Caesar, who ruled the Roman Empire near
the end of the first century BCE. He used it to keep
messages between him and his military
generals private. Caesar's cipher is a
pretty simple algorithm that works by shifting
letters in the Roman alphabet forward by a fixed
number of spaces. An algorithm is a set of
rules that solve a problem. Specifically, in
cryptography, a cipher is an algorithm that
encrypts information. For example, a message
encoded with Caesar's cipher using a shift of three
would encode an A as a D, a a B as an E, a C
as an F, and so on. In this example, you could send
a friend a message that said "hello" using a shift of three
and it would read "K-H-O-O-R." Now, you might be
wondering, how would you know the shift a message
encrypted with Caesar's cipher is using? The answer to that
is, you need the key. A cryptographic
key is a mechanism that decrypts ciphertext. In our example, the
key would tell you that message is encrypted
by three shifts. With that information, you
can unlock the hidden message. Every form of encryption
relies on both a cipher and key to secure the exchange
of information. Caesar's cipher is not
widely used today because of a couple of major flaws. One concerns the cipher itself. The other relates to the key. This particular
cipher relies entirely on the characters of the Roman
alphabet to hide information. For example, consider
a message written using the English alphabet,
which is only 26 characters. Even without the key,
it's pretty simple to crack a message secured
with Caesar's cipher by shifting letters
26 different ways. In information
security, this tactic is known as brute force
attack, a trial and error process of discovering
private information. The other major flaw
of Caesar's cipher is that it relies
on a single key. If that key was lost
or stolen, there's nothing stopping someone from
accessing private information. Properly keeping track
of cryptographic keys is an important
part of security. To start, it's important to
ensure that these keys are not stored in public places,
and to share them separately from the information
they will decrypt. Caesar's cipher is just
one of many algorithms used to protect people's privacy. Due to its limitations, we
rely on more complex algorithms to secure information online. Our next focus is exploring
how modern algorithms work to keep information private. Computers use a lot of
encryption algorithms to send and store
information online. They're all helpful
when it comes to hiding private
information, but only as long as their keys are protected. Can you imagine having to keep
track of the encryption keys protecting all of your
personal information online? Neither can I. And we don't
have to, thanks to something known as public
key infrastructure. Public key
infrastructure, or PKI, is an encryption framework
that secures the exchange of information online. It's a broad system that makes
access and information fast, easy, and secure. So how does it all work? PKI is a two-step process. It all starts with the change
of encrypted information. This involves either
asymmetric encryption, symmetric encryption, or both. Asymmetric encryption
involves the use of a public and private key pair
for encryption and decryption of data. Let's imagine this as a box that
can be opened with two keys. One key, the public key, can
only be used to access the slot and add items to the box. Since the public key can't
be used to remove items, it can be copied and shared
with people all around the world to add items. On the other hand, the
second key, the private key, opens the box fully so that the
items inside can be removed. Only the owner of the box
has access to the private key that unlocks it. Using a public key allows
the people and servers you're communicating
with to see and send you encrypted information
that only you can decrypt with your private key. This two-key system makes
asymmetric encryption a secure way to exchange
information online. However, it also slows
down the process. Symmetric encryption,
on the other hand, is a faster and simpler
approach to key management. Symmetric encryption involves
the use of a single secret key to exchange information. Let's imagine the lockbox again. Instead of two keys, symmetric
encryption uses the same key. The owner can use
it to open the box, add items, and close it again. When they want to share access,
they can give the secret key to anyone else to do the same. Exchanging a single secret key
may make web communications faster, but it also
makes it less secure. PKI uses both asymmetric
and symmetric encryption, sometimes, in conjunction
with one another. It all depends on whether speed
or security is the priority. For example, mobile
chat applications use asymmetric
encryption to establish a connection between people at
the start of a conversation, when security is the priority. Afterwards, when the
speed of communications back and forth is the
priority, symmetric encryption takes over. While both have their own
strengths and weaknesses, they share a common
vulnerability-- establishing trust between
the sender and receiver. Both processes rely on sharing
keys that can be misused, lost, or stolen. This isn't a problem when we
exchange information in person, because we can use
our senses to tell the difference between those we
trust and those we don't trust. Computers, on the other hand,
aren't naturally equipped to make this distinction. That's where the second
step of PKI applies. PKI addresses the
vulnerability of key sharing by establishing trust using a
system of digital certificates between computers and networks. A digital certificate
is a file that verifies the identity
of a public key holder. Most online information
is exchanged using digital certificates. Users, companies, and networks
hold one and exchange them when communicating
information online as a way of signaling trust. Let's look at an example of
how digital certificates are created. Let's say an online business is
about to launch their website and they want to obtain
a digital certificate. When they register their
domain, the hosting company sends certain information
over to a trusted certificate authority, or CA. The information provided
is usually basic things, like the company name
and the country where its headquarters are located. A public key for the
site is also provided. The certificate
authority then uses this data to verify
the company's identity. When it's confirmed,
the CA encrypts the data with its own private key. Finally, they create
a digital certificate that contains the
encrypted company data. It also contains CA
digital signature to prove that it's authentic. Digital certificates are
a lot like a digital ID badge that's used online
to restrict or grant access to information. This is how PKI solves
the trust issue. Combined with asymmetric
and symmetric encryption, this two-step approach to
exchanging secure information between trusted sources
is what makes PKI such a useful security control. Security professionals
are always thinking about vulnerabilities. It's how we stay
ahead of threats. We spent some time
together exploring a couple forms of encryption. The two types we've
discussed produce keys that are shared when
communicating information. Encryption keys are vulnerable
to being lost or stolen, which can lead to sensitive
information at risk. Let's explore another security
control that helps companies address this weakness. A hash function is an
algorithm that produces a code that can't be decrypted. Unlike asymmetric and
symmetric algorithms, hash functions are one-way
processes that do not generate decryption keys. Instead, these algorithms
produce a unique identifier, known as a hash value or digest. Here's an example
to demonstrate this. Imagine a company has an
internal application that is used by employees and is
stored in a shared drive. After passing through
a hashing function, the program receives
is hash value. For example purposes, we created
this relatively short hash value with the MD5
hashing function. Generally, standard
hash functions that produce longer
hashes are preferred for being more secure. Next, let's imagine an
attacker replaces the program with a modified version that
performs malicious actions. The malicious program may
work like the original. However, if so much
as one line of code is different from
the original, it will produce a
different hash value. By comparing the
hash values, we can validate that the
programs are different. Attackers use tricks like this
often because they're easily overlooked. Fortunately, hash values help
us identify when something like this is happening. In security, hashes are
primarily used as a way to determine the integrity
of files and applications. Data integrity relates to
the accuracy and consistency of information. This is known as
non-repudiation, the concept that authenticity of
information can be denied. Hash functions are
important security controls that make proving data
integrity possible. Analysts use them frequently. One way to do this is by
finding the hash value of files or applications
and comparing them against known malicious files. For example, we can
use the Linux command line to generate the hash value
for any file on your computer. We just launch a shell
and type the name of the hashing algorithm
we want to use. In this case, we're using a
common one known as SHA-256. Next, we need to
enter the file name of any file we want to hash. Let's hash the contents
of newfile.txt. Now, we'll press Enter. The terminal generates this
unique hash value for the file. These tools can be compared
with the hash values of known online viruses. One such database is VirusTotal. This is a popular tool
among security practitioners that's useful for analyzing
suspicious files, domains, IPs, and URLs. As we've explored, even the
slightest change in input results in a totally
different hash value. Hash functions are
intentionally designed this way to assist with matters
of non-repudiation. They equip computers
with a quick and easy way to compare input
and output values and validate data integrity. Pretty cool, right? Protecting data is a fundamental
feature of security controls. When it comes to keeping
information safe and secure, hashing and encryption are
powerful yet limited tools. Managing who or what has
access to information is also key to
safeguarding information. The next series of controls
that we'll be exploring are access controls,
the security controls that manage
access, authorization, and accountability
of information. When done well, access controls
maintain data confidentiality, integrity, and availability. They also get users the
information they need quickly. These systems are
commonly broken down into three separate yet
related functions known as the authentication,
authorization, and accounting framework. Each control has its
own protocol and systems that make them work. In this video, let's get
comfortable with the basics of the first one on the
list, authentication. Authentication systems
are access controls that serve a very basic purpose. They ask anything attempting
to access information this simple question-- who are you? Organizations go about
collecting answers to these questions differently
depending on the objectives of their security policy. Some are more
thorough than others. But in general, responses
to this question can be based on three
factors of authentication. The first is knowledge. Authentication by
knowledge refers to something the user knows,
like a password or the answer to a security question
they provided previously. Another factor is ownership,
referring to something the user possesses. A commonly used type of
authentication by ownership is a one-time passcode, or OTP. You probably experienced
these at one time or another. They're a random number sequence
that an application or website will send you via text or
email and ask you to provide. Last is characteristic. Authentication by this factor
is something the user is. Biometrics, like fingerprint
scans on your smartphone, are an example of this
type of authentication. While not used everywhere,
this form of authentication is becoming more common, because
it's much tougher for criminals to impersonate
someone if they have to mimic a fingerprint or facial
scan as opposed to a password. The information provided
during authentication needs to match the
information on file for these access
controls to work. When the credentials
don't match, authentication fails
and access is denied. When they match,
access is granted. Incorrectly denying access
can be frustrating to anyone. To make access systems
more convenient, many organizations these
days rely on single sign-on. Single sign-on, or
SSO, is a technology that combines several
different logins into one. Can you imagine having to
reintroduce yourself every time you meet up with a friend? That's exactly the sort
of problem SSO solves. Instead of requiring users
to authenticate over and over again, SSO establishes
their identity once, allowing them to gain access
to company resources faster. While SSO systems
are helpful when it comes to speeding up
the authentication process, they present a significant
vulnerability when used alone. Denying access to authorized
users can be frustrating, but you know what's even worse? Incorrectly granting
access to the wrong user. SSO technology is
great, but not if it relies on just a single
factor of authentication. Adding more
authentication factors strengthen these systems. Multifactor
authentication, or MFA, is a security measure
which requires a user to verify their identity
in two or more ways to access a system or network. MFA combines two or more
independent credentials, like knowledge and ownership,
to prove that someone is who they claim to be. SSO and MFA are often used in
conjunction with one another to layer the defense
capabilities of authentication systems. When both are
used, organizations can ensure convenient
access that is also secure. Now that we covered
authentication, we're ready to explore the
second part of the framework. Next, we'll learn
about authorization. Access is as much
about authorization as it is about authentication. One of the most important
functions of access controls is how they assign
responsibility for certain systems
and processes. Next up in our exploration
of access control systems are the mechanisms
of authorization. These protocols actually
work closely together with authentication
technologies. While one validates
who the user is, the other determines what
they're allowed to do. Let's take a look at the
next part of authentication, authorization, and
accounting framework that protects
private information. Earlier, we learned about the
principle of least privilege. Authorization is linked to the
idea that access to information only lasts as long as needed. Authorization systems are
also heavily influenced by this idea, in addition to
another important security principle-- the
separation of duties. Separation of duties
is the principle that users should not be given
levels of authorization that will allow them to
misuse a system. Separating duties reduces
the risk of system failures and inappropriate
behavior from users. For example, a person
responsible for providing customer service shouldn't
also be authorized to rate their own performance. In this position, they could
easily neglect their duties while continuing
to give themselves high marks with no oversight. Similarly, if one person was
authorized to develop and test a security system,
they're much more likely to be unaware
of its weaknesses. Both the principle
of least privilege and the concept of
separating duties apply to more than just people. They apply to all systems,
including networks, databases, processes, and any other
aspect of an organization. Ultimately,
authorization depends on a system or user's role. When it comes to securing
data over a network, there are a couple of
frequently used access controls that you should
be familiar with, HTTP Basic Auth and OAuth. Have you ever wondered what
the HTTP in web addresses stood for? It stands for hypertext
transfer protocol, which is how communications
are established over a network. HTTP uses what is
known as basic auth, the technology used to
establish a user's request to access a server. Basic auth works by
sending an identifier every time a user
communicates with a web page. Some websites still
use basic auth to tell whether or not someone
is authorized to access information on that site. However, the protocol
is considered to be vulnerable to
attacks because it transmits usernames
and passwords openly over the network. Most websites today
use HTTPS instead, which stands for hypertext
transfer protocol secure. This protocol doesn't expose
sensitive information, like access credentials, when
communicating over the network. Another secure authentication
technology used today is OAuth. OAuth is an open-standard
authorization protocol that shares designated
access between applications. For example, you can
tell Google that it's OK for another website
to access your profile to create an account. Instead of requesting and
sending sensitive usernames and passwords over
the network, OAuth uses API tokens to verify
access between you and a service provider. An API token is a small
block of encrypted code that contains
information about a user. These tokens contain
things like your identity, site permissions, and more. OAuth sends and
receives access requests using API tokens by
passing them from a server to a user's device. Let's explore what's going
on behind the scenes. When you authorize a site
to create an account using your Google profile, all of
Google's usual login protocols are still active. If you have multifactor
authentication enabled on your account-- and you should-- you'll still
have the security benefits that it provides. API tokens minimize
risk in a major way. These APIs tokens serve as an
additional layer of encryption that helps to keep
your Google password safe in the event of a
breach on another platform. Basic auth and OAuth are
just a couple examples of authorization tools
that are designed with the principles
of least privilege and separation of duty in mind. There are many
other controls that help limit the risk
of unauthorized access to information. In addition to
controlling access, it's also important
to monitor it. In our next video, we'll focus
on the third and final part of the authentication,
authorization, and accounting framework. Have you ever wondered
if your employer is keeping a record when you
log into company systems? Well, they are if
they're implementing the third and final function
of the authentication, authorization, and
accounting framework. Accounting is the
practice of monitoring the access logs of a system. These logs contain information
like who accessed the system, and when they accessed it,
and what resources they used. Security analysts use
access logs a lot. The data they contain
is a helpful way to identify trends, like
failed login attempts. They're also used to uncover
hackers who have gained access to a system, and for
detecting an incident, like a data breach. In this field, access
logs are essential. Oftentimes, analyzing them
is the first procedure you'll follow when
investigating a security event. So how do access logs compile
all this useful information? Let's examine this more closely. Any time a user
accesses a system, they initiate what's
called a session. A session is a
sequence of network HTTP basic auth requests
and responses associated with the same user, like
when you visit a website. SS logs are essentially
records of sessions that captured the moment
a user enters a system and to the moment they leave it. Two actions are triggered
when the session begins. The first is the
creation of a session ID. A session ID is a
unique token that identifies a user
and their device while accessing the system. Session IDs are
attached to the user until they either close their
browser or the session times out. The second action that takes
place at the start of a session is an exchange of session
cookies between the server and a user's device. A session cookie is
a token that websites use to validate a
session and determine how long that session should last. When cookies are exchanged
between your computer and a server, your
session ID is read to determine what information
the website should show you. Cookies make web sessions
safer and more efficient. The exchange of tokens mean
that no sensitive information, like usernames and
passwords, are shared. Session cookies
prevent attackers from obtaining sensitive data. However, there's other
damage that they can do. With a stolen
cookie, an attacker can impersonate a user
using their session token. This kind of attack is
known as session hijacking. Session hijacking is an
event when attackers obtain a legitimate user's session ID. During these kinds of
attacks, cybercriminals impersonate the user,
causing all sorts of harm. Money or private
data can be stolen. If, for example,
hijackers obtain a single sign-on credential
from stolen cookies, they can even gain access
to additional systems that otherwise seem secure. This is one reason why
accounting and monitoring session logs is so important. Unusual activity on access
logs can be an indication that information has been
improperly accessed or stolen. At the end of the
day, accounting is how we gain valuable insight
that makes information safer. Our focus in this section was
on a major theme of security, protecting assets. A large part of this
relates to privacy. We should all enjoy
the right to decide who can access our information. As we learned, there are
several controls in place that help secure assets. We begin this section by
exploring effective data handling processes
that are founded on the principle
of least privilege. We then explored the role
of encryption and hashing in safeguarding information. We explored how asymmetric and
asymmetric encryption works and how hashes further
safeguard data from harm. We then turned our attention
to standard access controls. Properly authenticating
and authorizing users is what maintaining the
CIA triad of information is all about. We use the AAA
framework of security to take a detailed tour of
identity and access management systems and the access controls
that validate whether or not someone is who they claim to be. Well done making it through
the first half of the course. You're making great progress so
far, and I hope you keep it up. Remember, your background
and experiences are valuable in this field. This, combined with the
concepts we're covering, will make you a valuable
contributor to any security team. Up until this point,
we've been exploring the defensive side of security. But security isn't all about
planning ahead and waiting for something to happen. In the next part of
our journey, we're going to continue developing
a security mindset by taking a more proactive
look at security, from the perspective
of attackers. I'll meet you there. Wow. We've covered a lot together. It's hard to believe
we've reached the midpoint of this course. I hope you're getting
a clearer picture of this exciting field
and all the opportunities it has to offer. And most importantly, I hope
you're having fun doing it. We've come a long ways
from where we started. When we began our
journey together, we were introduced
to the three building blocks of every security
program, assets, threats, and vulnerabilities. We focused a lot
on assets early on, and the wide range of things
security professionals work to protect. We then turned our attention
to a core component of asset security, protecting assets. You learned about the
importance of guarding sensitive information. You also learned about
some security controls that protect information
from being lost or stolen. On the next part of
our journey, we're going to turn our focus
to vulnerabilities. Every asset we
protect has a series of vulnerabilities, or flaws,
that we need to be aware of. Staying informed of these
things is a critical part of protecting people and
organizations from harm. In this next part
of the course, you will gain an understanding of
the vulnerability management process. First, you will explore
a common approach to vulnerability management,
the defense in depth model. Then you'll learn about
how vulnerabilities are documented in online
libraries like the CVE list. We'll discuss the
attack surfaces security teams protect. And lastly, you will expand
your attacker mindset by exploring the common attack
vectors cybercriminals try to exploit. Security analysts
play an important role in identifying and correcting
vulnerabilities in systems. I know I'm excited
to keep exploring. Are you? Then let's go. For every asset that
needs protecting, there are dozens
of vulnerabilities. Finding those vulnerabilities
and fixing them before they become a problem is
the key to keeping assets safe. We've already covered
what a vulnerability is. Recall that a vulnerability
is a weakness that can be exploited by a threat. That word "can" is an important
part of this description. Why is that? Let's explore that
together to find out more. Imagine I handed you
an important document and asked you to keep it safe. How would you do that? Some of you might first
think about locking it up in a safe place. Behind this is the understanding
that because documents can be easily moved, they
are vulnerable to theft. When other vulnerabilities
come to mind, like how paper burns easily
or doesn't resist water, you might add other protections. Similar to this
example, security teams plan to protect assets according
to their vulnerabilities and how they can be exploited. In security, an exploit
is a way of taking advantage of a vulnerability. Besides finding vulnerabilities,
security planning relies a lot on
thinking of exploits. For example, there
are burglars out there who want to cause harm. Homes have vulnerable
systems that can be exploited by a burglar. An example are the windows. Glass is vulnerable
to being broken. A burglar can exploit
this vulnerability by using a rock to
break the window. Thinking of this vulnerability
and exploit ahead of time allows us to plan ahead. We can have an alarm
system in place to scare the burglar away
and alert the police. Security teams
spend a lot of time finding vulnerabilities
and thinking of how they can be exploited. They do this with
a process known as vulnerability management. Vulnerability management is the
process of finding and patching vulnerabilities. Vulnerability management
helps keep assets safe. It's a method of stopping
threats before they can become a problem. Vulnerability management
is a four-step process. The first step is to
identify vulnerabilities. The next step is to
consider potential exploits of those vulnerabilities. Third is to prepare
defenses against threats. And finally, the fourth step
is to evaluate those defenses. When the last step ends,
the process starts again. Vulnerability management
happens in a cycle. It's a regular part of
what security teams do, because there are always
new vulnerabilities to be concerned about. This is exactly why a diverse
set of perspectives is useful. Having a wide range of
backgrounds and experiences only strengthens security
teams and their ability to find exploits. However, even large and
diverse security teams can't keep track of everything. New vulnerabilities are
constantly being discovered. These are known as
zero-day exploits. A zero day is an exploit
that was previously unknown. The term "zero day"
refers to the fact that the exploit is happening
in real time with zero days to fix it. These kind of exploits
are dangerous. They represent threats that
haven't been planned for yet. For example, we can anticipate
the possibility of a burglar breaking into our home. We can plan for
this type of threat by having defenses
in place, like locks on the doors and windows. A zero-day exploit would be
something totally unexpected, like the lock on the door
falling off from intense heat. Zero-day exploits are
things that don't normally come to mind. For example, this might
be a new form of spyware infecting a popular website. When zero-day
exploits happen, they can leave assets even
more vulnerable to threats than they already are. Vulnerability management
is the process of finding vulnerabilities
and fixing their exploits. That's why the process
is performed regularly at most organizations. Perhaps the most important
step of the process is identifying vulnerabilities. We'll explore this step
in more details next time we get together. I'll meet you again then. A layered defense is
difficult to penetrate. When one barrier fails,
another takes its place to stop an attack. Defense in depth
is a security model that makes use of this concept. It's a layered approach to
vulnerability management that reduces risks. Defense in depth is commonly
referred to as the castle approach because it resembles
the layered defenses of a castle. In the Middle Ages,
these structures were very difficult
to penetrate. They featured
different defenses, each unique in its design,
that posed different challenges for attackers. For example, a
water-filled barrier called a moat usually formed
a circle around the castle, preventing threats like
large groups of attackers from reaching the castle walls. The few soldiers that made it
past the first layer of defense were then faced with a new
challenge, giant stone walls. A vulnerability of
these structures were that they could be climbed. If attackers tried exploiting
that weakness, guess what? They were met with another layer
of defense, watchtowers filled with defenders ready to
shoot arrows and keep them from climbing. Each level of defense of these
medieval structures minimized the risk of attacks by
identifying vulnerabilities and implementing a security
control should one system fail. Defense in depth works
in a similar way. The defense in depth concept can
be used to protect any asset. It's mainly used
in cybersecurity to protect information
using a five-layer design. Each layer features a
number of security controls that protect information
as it travels in and out of the model. The first layer of defense in
depth is the perimeter layer. This layer includes
some technologies that we've already explored,
like usernames and passwords. Mainly, this is a user
authentication layer that filters external access. Its function is to
only allow access to trusted partners to reach
the next layer of defense. Second, the network
layer is more closely aligned with authorization. The network layer is made
up of other technologies, like network
firewalls and others. Next is the endpoint layer. Endpoints refer to the devices
that have access on a network. They could be devices like a
laptop, desktop, or a server. Some examples of technologies
that protect these devices are antivirus software. After that, we get to
the application layer. This includes all
the interfaces that are used to interact
with technology. At this layer, security
measures are programmed as part of an application. One common example is
multi-factor authentication. You may be familiar with having
to enter both your password and a code sent by SMS. This is part of the
application layer of defense. And finally, the fifth layer
of defense is the data layer. At this layer, we've
arrived at the critical data that must be protected,
like personally identifiable information. One security control
that is important here in this final layer of defense
is assets classification. Like I mentioned earlier,
information passes in and out of each of these
five layers whenever it's exchanged over a network. There are many more security
controls, aside from the few that I mentioned, that are part
of the defense in depth model. A lot of businesses design
their security systems using the defense
in depth model. Understanding this framework
hopefully gives you a better sense of how an
organization's security controls work together to
protect important assets. We've discussed before that
security is a team effort. Did you know the
group extends well beyond a single security team? Protecting information
is a global effort. When it comes to
vulnerabilities, there are actually
online public libraries. Individuals and
organizations use them to share and document
common vulnerabilities and exposures. We've been focusing a
lot on vulnerabilities. Exposures are similar, but
they have a key difference. While a vulnerability is
a weakness of a system, an exposure is a mistake that
can be exploited by a threat. For example, imagine
you're asked to protect an important document. Documents are vulnerable
to being misplaced. If you laid the document
down near an open window, it could be exposed
to being blown away. One of the most popular
libraries of vulnerabilities and exposures is the CVE list. The Common Vulnerabilities and
Exposures list, or CVE list, is an openly
accessible dictionary of known vulnerabilities
and exposures. It is a popular resource. Many organizations
use the CVE list to find ways to
improve their defenses. The CVE list was
originally created by MITRE Corporation in 1999. MITRE is a collection
of nonprofit research and development centers. They're sponsored by
the US government. Their focus is on improving
security technologies around the world. The main purpose
of the CVE list is to offer a standard way of
identifying and categorizing known vulnerabilities
and exposures. Most CVEs in the
list are reported by independent researchers,
technology vendors, and ethical hackers. But anyone can report one. Before a CVE can make
it onto the CVE list, it first goes through
a strict review process by a CVE numbering
authority, or CNA. A CNA is an organization
that volunteers to analyze and distribute
information on eligible CVEs. All of these groups have
an established record of researching vulnerabilities
and demonstrating security advisory capabilities. When a vulnerability or
exposure is reported to them, a rigorous testing
process takes place. The CVE list tests four criteria
that a vulnerability must have before it's assigned an ID. First, it must be
independent of other issues. In other words,
the vulnerability should be able to be
fixed without having to fix something else. Second, it must be recognized
as a potential security risk by whoever reports it. Third, the vulnerability
must be submitted with supporting evidence. And finally, the
reported vulnerability can only affect one code
base, or in other words, only one program source code. For instance, the
desktop version of Chrome may be vulnerable, but the
Android application may not be. If the reported flaw
passes all of these tests, it is assigned a CVE ID. Vulnerabilities
added to the CVE list are often reviewed by other
online vulnerability databases. These organizations put them
through additional tests to reveal how
significant the flaws are and to determine what
kind of threat they pose. One of the most popular is the
NIST National Vulnerability Database. The NIST National
Vulnerability Database uses what's known as the Common
Vulnerability Scoring System, or CVSS, which is a
measurement system that scores the severity
of a vulnerability. Security teams use CVSS
as a way of calculating the impact a vulnerability
could have on a system. They also use them to determine
how quickly a vulnerability should be patched. The NIST National
Vulnerability Database provide a base score of
CVEs on a scale of 0 to 10. Base scores reflect the moment
a vulnerability is evaluated, so they don't change over time. In general, a CVSS
that scores below a 4.0 is considered to be
low-risk and doesn't require immediate attention. However, anything above
a 9.0 is considered to be a critical risk
to company assets that should be
addressed right away. Security teams commonly use
the CVE list and CVSS scores as part of their vulnerability
management strategy. These references
provide recommendations for prioritizing security
fixes, like installing software updates before patches. Libraries like the CVE list help
organizations answer questions. Is a vulnerability
dangerous to our business? If so, how soon
should we address it? These online libraries bring
together diverse perspectives from across the world. Contributing to this effort
is one of my favorite parts of working in this field. Keep gaining experience, and I
hope you will participate too. Our exploration of the
vulnerability management process so far has been
focused on a couple of topics. We've discussed how
vulnerabilities influence the design of defenses. We've also talked about how
common vulnerabilities are shared. A topic we've yet to cover
is how vulnerabilities are found in the first place. Weaknesses and
flaws are generally found during a
vulnerability assessment. A vulnerability assessment
is an internal review process of an organization's
security systems. These assessments work
similar to the process of identifying and
categorizing vulnerabilities on the CVE list. The main difference is an
organization's security team performs, evaluates, scores,
and fixes them on their own. Security analysts play a key
role throughout this process. Overall, the goal of a
vulnerability assessment is to identify weak points
and prevent attacks. They're are also how
security teams determine whether their security controls
meet regulatory standards. Organizations perform
vulnerability assessments a lot. Because companies have so
many assets to protect, security teams
sometimes need to select which areas to focus on through
vulnerability assessments. Once they decide
what to focus on, vulnerability
assessments typically follow a four-step process. The first step is
identification. Here, scanning tools
and manual testing are used to find
vulnerabilities. During the identification
step, the goal is to understand the current
state of a security system, like taking a picture of it. A large number of
findings usually appear after identification. The next step of the process
is vulnerability analysis. During this step, each of
the vulnerabilities that were identified are tested. Like being a digital
detective, the goal of vulnerability analysis is to
find the source of the problem. The third step of the
process is risk assessment. During this step of
the process, a score is assigned to
each vulnerability. This score is assigned
based on two factors-- how severe the impact would
be if the vulnerability were to be exploited and the
likelihood of this happening. Vulnerabilities uncovered
during the first two steps of this process
often outnumber the people available to fix them. Risk assessments are a way
of prioritizing resources to handle the vulnerabilities
that need to be addressed based on their score. The fourth and final step
of vulnerability assessment is remediation. It's during this step that the
vulnerabilities that can impact the organization are addressed. Remediation occurs depending
on the severity score assigned during the risk assessment step. This part of the process
is normally a joint effort between the security
staff and IT teams to come up with
the best approach to fixing the vulnerabilities
that were uncovered earlier. Examples of remediation
steps might include things like enforcing new
security procedures, updating operating systems, or
implementing system patches. Vulnerability assessments
are great for identifying the flaws of a system. Most organizations use
them to search for problems before they happen. But how do we know
where to search? When we get together
again, we'll explore how companies
figure this out. There's a wide range of
vulnerabilities and systems that need to be found. Assessing those weaknesses
is a time-consuming process. To position themselves
ahead of threats and make the most of
their limited resources, companies start by understanding
the environment surrounding their operations. An important part of this is
getting a sense of their attack surface. An attack surface is all the
potential vulnerabilities that a threat actor
could exploit. Analyzing the attack surface
is usually the first thing security teams do. For example, imagine
being part of a security team of an old castle. Your team would need to decide
how to allocate resources to defenses. Giant walls, stone
towers, and wooden gates are a few common security
controls of these structures. While these are all designed
to protect the assets inside from attacks, they
don't exactly account for all the possibilities. What if the castle
were near the ocean? If it were, these
defenses would be vulnerable to long-range
attacks by ships. A proper understanding
of the attack surface would mean your security
team equipped the castle with catapults that could deal
with these kinds of threats. Modern organizations need
to concern themselves with both a physical and
digital attack surface. The physical attack
surface is made up of people and their devices. This surface can be
attacked from both inside and outside the organization,
which makes it unique. For example, let's consider
an unattended laptop in a public space,
like a coffee shop. The person responsible
for it walked away while sensitive
company information was visible on the screen. This information is vulnerable
to external threats, like a business competitor
who can easily record the information and exploit it. An internal threat of
this attack surface, on the other hand, is
often angry employees. These employees might
share an organization's private information on purpose. In general, the
physical attack surface should be filled
with obstacles that deter attacks from happening. We call this process
security hardening. Security hardening
is the process of strengthening a system to
reduce its vulnerabilities and attack surface. In other words,
hardening is the act of minimizing the attack
surface by limiting its points of entry. We do this a lot in security,
because the smaller the attack surface, the easier
it is to protect. In fact, some security controls
that we've explored previously, like organization policies
and access controls, are common ways that
organizations harden their physical attack surface. The digital attack surface
is a bit tougher to harden. The digital attack
surface includes everything that's beyond
our organization's firewall. In other words, it
includes anything that connects to an
organization online. In the past, organizations
stored their data in a single location. This mainly consists of servers
that were managed on-site. Accessing the information
stored on those servers require connecting to the
network the workplace managed. These days, information
is accessed outside of an organization's
network because it's stored in the cloud. Information can be accessed
from anywhere in the world. A person can be in
one part of the world, fly to another
place, and continue working, all while outside of
their organization's network. Cloud computing has essentially
expanded the digital attack surface. Quicker access to information is
something we all benefit from, but it comes with a cost. Organizations of all sizes
are under more pressure to defend against threats coming
from different entry points. When we get together
next time, we'll explore why this is
such a challenge. To defend against
attacks, organizations need to have more than
just the understanding of the growing digital
landscape around them. Positioning themselves
ahead of a cyber threat also takes understanding
the type of attacks that can be used against them. Last time, we
began exploring how the cloud has expanded
the digital attack surface that organizations protect. As a result, cloud
computing has led to an increase in the number
of attack vectors available. Attack vectors refer to
the pathways attackers use to penetrate security defenses. Like the doors and
windows of a home, these pathways are the
exploitable features of an attack surface. One example of an attack
vector would be social media. Another would be removable
media, like a USB drive. Most people outside
of security assume that cybercriminals are the
only ones out there exploiting attack vectors. While attack vectors are
used by malicious hackers to steal information,
other groups use them too. For example,
employees occasionally exploit attack vectors
unintentionally. This happens a lot with
social media platforms. Sometimes, employees post
sensitive company news that shouldn't have been shared. At times, this same kind of
thing happens on purpose. Social media platforms
are also vectors that disgruntled employees
use to intentionally share confidential information
that can harm the company. We all treat attack
vectors as critical risks to asset security. Attackers typically put
forward a lot of effort planning their attacks
before carrying them out. It's up to us as
security professionals to put an even greater amount
of effort into stopping them. Security teams do this by
thinking of each vector with an attacker mindset. This starts with
a simple question. How would we
exploit this vector? We then go through a
step-by-step process to answer our question. First, when practicing
the attacker mindset, we identify a target. This could be specific
information, a system, a person, a group, or
the organization itself. Next, we determine how the
target can be accessed. What information is available
that an attacker might take advantage of
to reach the target? Based on that information,
the third step is to evaluate the
attack vectors that can be exploited to gain entry. And finally, we find the
tools and methods of attack. What will the attackers
use to carry this out? Along the way, practicing
an attacker mindset provides valuable insight
into the best security controls to implement
and the vulnerabilities that need to be monitored. Every organization has a
long list of attack vectors to defend. And while there are a lot
of ways to protect them, there are a few common
rules for doing this. One key to defending
attack vectors is educating users about
security vulnerabilities. These efforts are usually
tied to an event-- for example, advising
them about a new phishing exploit that is targeting
users and the organization. Another rule is applying the
principle of least privilege. We've explored at
least privilege earlier in this section. It's the idea that access rights
should be limited to what's required to perform a task. Like we previously
explored, this practice closes multiple security holes
inside our organization's attack surface. Next, using the right
security controls and tools can go a long way towards
defending attack vectors. Even the most
knowledgeable employees make security mistakes,
like accidentally clicking on a malicious
link in an email. Having the right
security tools in place, like antivirus software,
helps to defend attack vectors more efficiently and reduce
the risk of human error. Last but not least is building
a diverse security team. This is one of the
best ways to reduce the risk of attack vectors
and prevent future attacks. Your own unique
perspective can greatly improve a security
team's ability to apply an attacker's mindset
and stay one step ahead of potential threats. Keeping yourself informed is
always important in this field. You're already off
to a great start, so keep up the good work. Here we are, at the
end of this section. Can you believe it? I had so much fun exploring
the world of vulnerabilities. I hope you felt the same. And more importantly,
I hope you got a better sense of how complex a
landscape the digital world is. This environment
is filled with gaps that attackers can use to gain
unauthorized access to assets, making it a challenge to defend. We've explored a
lot of information this time around,
so let's quickly recap what we've covered. You've learned about the
vulnerability management process, starting with the
defense in depth model. You learned about the layers
of this security framework and how each of
them work together to build a stronger defense. You then learned
about the CVE list that's used to find
cataloged vulnerabilities. This is a great addition to
your growing security toolbox. After that, you learned
of the attack surfaces that businesses protect. We discussed physical
and digital surfaces and the challenges of
defending the cloud. We finished up by exploring
common attack vectors, where you learned how
security teams use an attacker mindset to identify the security
gaps that cybercriminals try to exploit. Every one of the vulnerabilities
that we've discussed so far is faced with a
number of threats. When we get back
together, we're going to expand our attacker
mindset even further by exploring specific
types of attacks that cyber criminals
commonly use. We'll look at
things like malware and the techniques attackers use
to compromise defense systems. By exploring how these
tools and tactics work, you'll gain a
clearer understanding of the threats they pose. Well then wrap up
by investigating how security teams stop
these threats from damaging our organization's operations,
their reputation, and most importantly, their
customers and employees. You've done a fantastic
job getting to this point. When you're ready, let's
finish the journey together. I'm looking forward to
being back with you again. Here we are, the final
section of the course. What an amazing job
you've done so far. Putting in the time,
dedication, and hard work to get to this
point is definitely something to celebrate. But we're not through yet. As we near the end
of this course, now's the time to focus
and finish strong. Let's turn our
attention to threats. We've already explored
assets, vulnerabilities, and the controls
used to protect both. A common theme between
those two topics has been the wide range of
assets and vulnerabilities out there. The world of threats
is no different. If you recall, threats are
any circumstance or event that can negatively impact assets. In this part of
the course, you're going to expand your
security mindset by getting a high-level view
of the most dangerous threats facing organizations today. First, we're going to begin by
exploring social engineering tactics, psychological tricks
that attackers use to gain unauthorized access to assets. Next, we'll explore a
common type of threat that's been around since the
start of personal computers-- malware. We're going to spend
some time investigating the major types of malware. After that, we'll
turn our attention to web-based exploits. Most organizations these days
operate in a digital space, and many of them are new to it. In this section of
the course, you're going to learn about some
of the most common threats that organizations face online. Finally, after
exploring common threats that organizations
deal with, we're going to wrap up by exploring
the threat modeling process. Understanding threats is
essential for security analysts, and there's a lot to
cover, so let's get started. When you hear the word "cyber
criminal," what comes to mind? You may imagine a hacker hunched
over a computer in a dark room. If this is what came to
mind, you're not alone. In fact, this is what most
people outside of security think of. But online criminals
aren't always that different from those
operating in the real world. Malicious hackers are just
one type of online criminal. They are a specific
kind that relies on sophisticated computer
programming skills to pull off their attacks. There are other ways to
commit crimes that don't require programming skills. Sometimes, criminals rely on
a more traditional approach-- manipulation. Social engineering is a
manipulation technique that exploits human error
to gain private information, access, or valuables. These tactics trick people
into breaking normal security procedures on the
attacker's behalf. This can lead to data exposures,
widespread malware infections, or unauthorized access
to restricted systems. Social engineering attacks
can happen anywhere. They happen online, in person,
and through other interactions. Threat actors use
many different tactics to carry out their attacks. Some attacks can take a
matter of seconds to perform. For example, someone
impersonating tech support asks an employee for their
password to fix their computer. Other attacks can
take months or longer, such as threat actors monitoring
an employee's social media. The employee might
post a comment saying they've gotten
a temporary position in a new role at the company. An attacker might use
an opportunity like this to target the
temporary worker, who is likely to be less
knowledgeable about security procedures. Regardless of the time frame,
knowing what to look for can help you quickly
identify and stop an attack in its tracks. There are multiple stages of
social engineering attacks. The first is usually to prepare. At this stage, attackers gather
information about their target. Using the intel, they'll
determine the best way to exploit them. In the next, stage
attackers establish trust. This is often referred
to as pretexting. Here, attackers
use the information they gather earlier to open
a line of communication. They'll typically
disguise themselves to trick their target into
a false sense of trust. After that, attackers
used persuasion tactics. This stage is where the earlier
preparation really matters. This is when the attacker
manipulates their target into volunteering information. Sometimes, they do this by
using specific vocabulary that makes them sound like a
member of the organization. The final stage
of the process is to disconnect from the target. After they collect the
information they want, attackers break communication
with their target. They disappear to
cover their tracks. Criminals who use social
engineering are stealthy. The digital world has
expanded their capabilities. It's also created more ways
for them to go unnoticed. Still, there are ways that
we can prevent their attacks. Implementing
managerial controls, like policies, standards,
and procedures, are one of the first
lines of defense. For example, businesses often
follow the patch management standard defined in this
special publication 800-40. These standards are used
to create procedures for updating operating systems,
applications, and firmware that can be exploited. Staying informed of trends
is also a major priority for any security professional. An even better defense against
social engineering attacks is sharing what you
know with others. Attackers play on our
natural curiosity and desire to help one another. Their hope is that
targets won't think too hard about what's going on. Teaching the signs
of attack to others goes a long way towards
preventing threats. Social engineering is
a threat to the assets and privacy of both
individuals and organizations. Malicious attackers use
a variety of tactics to confuse and
manipulate their targets. When we get back
together next time, we're going to explore
one of the most commonly used techniques that's a major
problem for organizations of all sizes. Cyber criminals
prefer attacks that do the most amount of
damage with the least amount of effort. One of the most popular forms
of social engineering that meets this description is phishing. Phishing is the use of
digital communications to trick people into
revealing sensitive data or deploying malicious software. Phishing leverages many
communication technologies, but the term is mainly
used to describe attacks that arrive by email. Phishing attacks don't
just affect individuals. They are also harmful
to organizations. A single employee that falls
for one of these tricks can give malicious
attackers access to systems. Once inside, attackers can
exploit sensitive data, like customer names
and product secrets. Attackers who carry
out these attacks commonly use phishing kits. A phishing kit is a collection
of software tools needed to launch a phishing campaign. People with little
technical background can use one of these kits. Each of the tools inside are
designed to avoid detection. As a security
professional, you should be aware of the three main
tools inside a phishing kit so that you can quickly
identify when they're being used and put a stop to it. The first is
malicious attachments. These are files that are
infected and can cause harm to the organization's systems. Phishing kits also include
fake data collection forms. These forms look like
legitimate forms, like a survey. Unlike a real survey, they
ask for sensitive information that isn't normally
asked for in an email. The third resource they include
are fraudulent web links. These open to
malicious web pages that are designed to
look like trusted brands. Unlike actual websites,
these fraudulent sites are built to steal information,
like login credentials. Cybercriminals can use these
tools to launch a phishing attack in many forms. The most common is
through malicious emails. However, they can use them in
other forms of communication too. Most recently,
cybercriminals are using smishing and vishing to
trick people into revealing private information. Smishing is the use
of text messages to obtain sensitive information
or to impersonate a known source. You probably received these
type of messages before. Not only are smishing
messages annoying to receive, they're also
difficult to prevent. That's why some
attackers send them. Some smishing messages
are easy to detect. They might show signs
of being malicious, like promising a cash reward for
clicking a attached link that shouldn't be clicked. Other times, smishing
is hard to spot. Attackers sometimes
use local area codes to appear legitimate. Some hackers can even
send messages disguised as friends and families
of their target to fool them into disclosing
sensitive information. Vishing is the exploitation of
electronic voice communication to obtain sensitive information
or impersonate a known source. During vishing
attacks, criminals pretend to be
someone they're not. For example, attackers
might call pretending to be a company representative. They might claim that there's
a problem with your account, and they can offer to fix
it if you provide them with sensitive information. Most organizations use a
few basic security measures to prevent these and any other
types of phishing attacks from becoming a problem. For example,
anti-phishing policies spread awareness
and encourage users to follow data security
procedures correctly. Employee training
resources also help inform employees about
things to look for when an email looks suspicious. Another line of defense
against phishing is securing email inboxes. Email filters are commonly
used to keep harmful messages from reaching users. For example, specific
email addresses can be blocked
using a block list. Organizations often use other
filters, like allow lists, to specify IP addresses that
are approved to send mail within the company. Organizations also use
intrusion prevention systems to look for unusual
patterns in email traffic. Security analysts use
monitoring tools like this to spot suspicious
emails, quarantine them, and produce a log of events. Phishing campaigns are
popular and dangerous forms of social engineering that
organizations of all sizes need to deal with. Just a single
compromised password that an attacker can
get their hands on can lead to a
costly data breach. Now that you're familiar with
the tools these attackers use, you're better equipped to
spot phishing and prevent it. People and computers are very
different from one another. There is one way
that we're alike. You know how? We're both vulnerable
to getting an infection. While humans can be
infected by a virus that causes a cold or flu, computers
can be infected by malware. Malware is software designed
to harm devices or networks. Malware, which is short
for malicious software, can be spread in many ways. For example, it could be spread
through an infected USB drive, or also commonly spread
between computers online. Devices and systems that are
connected to the internet are especially
vulnerable to infection. When a device becomes
infected, malware interferes with its
normal operations. Attackers use malware to take
control of the infected system without the user's
knowledge or permission. Malware has been a threat
to people and organizations for a long time. Attackers have created many
different strains of malware. They all vary in
how they're spread. Five of the most
common types of malware are a virus, worm, Trojan,
ransomware, and spyware. Let's take a look at
how each of them work. A virus is malicious
code written to interfere with
computer operations and cause damage to
data and software. Viruses typically hide inside
of trusted applications. When the infected
program is launched, the virus clones
itself and spreads to other files on the device. An important
characteristic of viruses is that they have to be
activated by the user to start the infection. The next kind of malware
doesn't have this limitation. A worm is malware that can
duplicate and spread itself across systems on its own. While viruses require
users to perform an action, like opening a
file to duplicate, worms using infected
device as a host. They scan the connected
network for other devices. Worms then infect
everything on the network without requiring an action
to trigger the spread. Viruses and worms are delivered
through phishing emails and other methods before
they infect a device. Making sure you click links
only from trusted sources is one way to avoid
these types of infection. However, attackers have designed
another form of malware that can get past this precaution. A Trojan, or Trojan
horse, is malware that looks like a
legitimate file or program. The name is a reference
to an ancient Greek legend that's set in the city of Troy. In Troy, a group of soldiers
hid inside a giant wooden horse that was presented as a
gift to their enemies. It was accepted and brought
inside the city walls. Later that evening, the
soldiers inside of the horse climbed out and
attacked the city. Like this ancient
tale, attackers design Trojans to appear harmless. This type of malware
is typically disguised as files or useful applications
to trick their target into installing them. Attackers often use Trojans
to gain access and install another kind of malware
called ransomware. Ransomware is a type
of malicious attack where attackers encrypt an
organization's data and demand payment to restore access. These kind of attacks have
become very common these days. A unique feature of
ransomware attacks is that they make themselves
known to their targets. Without doing
this, they couldn't collect the money they demand. Normally, they decrypt
the hidden data as soon as the sum
of money is paid. Unfortunately,
there's no guarantee they won't return
to demand more. The last type of malware I
want to mention is spyware. Spyware is malware that's used
to gather and sell information without consent. "Consent" is a key
word in this case. Organizations also
collect information about their customers,
like their browsing habits and purchase history. However, they always
give their customers the ability to opt out. Cybercriminals,
on the other hand, use spyware to
steal information. They use spyware
attacks to collect data like login credentials,
account PINs, and other types of
sensitive information for their own personal gain. There are many other types
of malware besides these, and new forms are
always evolving. They all pose a serious risk to
individuals and organizations. Next time, we'll explore
how security teams detect and remove these
kinds of threats. Malware has been around
nearly as long as computers. In its earliest forms, it
was used by troublemakers as a form of digital vandalism. In today's digital
world, malware has become a profitable
crime that attackers use for their own financial gain. As a security professional,
it's important that you remain aware of
the latest evolutions. Let's take a closer look at
one way malware has evolved. We'll then use this
example to consider how malware can be spotted
and how you can proactively protect against malware,. Ransomware is one of the
types of malware attackers use to steal money. Another and more recent type
of malware is cryptojacking. Cryptojacking is
a form of malware that installs software
to illegally mine cryptocurrencies. You may be familiar with
cryptocurrency from the news. If you're new to the
topic, cryptocurrencies are a form of digital money
that have real-world value. Like physical forms of currency,
there are many different types. For the most part, they're
referred to as coins or tokens. In simple terms, crypto
mining is a process used to obtain new coins. Crypto mining is similar
to the process for mining for other resources, like gold. Mining for something
like gold involves machinery, such as
trucks and bulldozers that can dig through the Earth. Crypto coins, on the other
hand, use computers instead. Rather than digging
through the Earth, the computers run software
that dig through billions of lines of encrypted code. When enough code is processed,
a crypto coin can be found. Generally, more computers
mining for coins meaning more cryptocurrency
can be discovered. Criminals unfortunately
figured this out. Beginning in 2017,
cryptojacking malware started being used to
gain unauthorized control of personal computers
to mine cryptocurrency. Since that time,
cryptojacking techniques have become more sophisticated. Criminals now regularly
target vulnerable servers to spread their mining software. Devices that communicate with
the infected server become infected themselves. The malicious code then runs
in the background, mining for coins unknown to anyone. Cryptojacking software
is hard to detect. Luckily, security professionals
have sophisticated tools that can help. An intrusion detection
system, or IDS, is an application that
monitors system activity and alerts some
possible intrusions. When abnormal
activity is detected, like malware mining
for coins, the IDS alerts security personnel. Despite their usefulness,
detection systems have a major drawback. New forms of malware
can remain undetected. Fortunately, there
are subtle signs that indicate a
device is infected with cryptojacking software
or other forms of malware. By far the most telling sign
of a cryptojacking infection is slowdown. Other signs include increased
CPU usage, sudden system crashes, and
fast-draining batteries. Another side is unusually
high electricity costs related to the
resource-intensive process of crypto mining. It's also good to know that
there are certain measures you can take to reduce the
likelihood of experiencing a malware attack
like cryptojacking. These defenses include things
like using browser extensions designed to block malware,
using ad blockers, disabling JavaScript, and staying
alert on the latest trends. Security analysts
can also educate others in their organizations
on malware attacks. While cryptojacking is
still relatively new, attacks are becoming
more common. The type of malicious
code cybercriminals spread is continually evolving. It takes many
years of experience to analyze new forms of malware. Nevertheless, you're
well on your way towards helping defend
against these threats. Previously, we explored
a few types of malware. Whether it's installed
on an individual computer or a network server,
all malicious software needs to be delivered to the
target before it can work. Phishing and other social
engineering techniques are common ways for
malware to be delivered. Another way it's spread is
using a broad class of threats known as web-based exploits. Web-based exploits are
malicious code or behavior that's used to take advantage
of coding flaws in a web application. Cybercriminals target
web-based exploits to obtain sensitive
personal information. Attacks occur because
web applications interact with multiple users
across multiple networks. Malicious hackers
commonly exploit this high level of interaction
using injection attacks. An injection attack is
malicious code inserted into a vulnerable application. The infected application often
appears to work normally. That's because the injected
code runs in the background, unknown to the user. Applications are vulnerable
to injection attacks because they are programmed
to receive data inputs. This could be something the user
types, clicks, or something one program is sharing with another. When coded correctly,
applications should be able to interpret
and handle user inputs. For example, let's
say an application is expecting the user
to enter a phone number. This application should
validate the input from the user to make sure the
data is all numbers and not more than 10 digits. If the input from
the user doesn't meet these requirements,
the application should know how to handle it. In programming, this is
known as input sanitization. Input sanitization
is programming that validates inputs from
users in other programs. Injection attacks mainly
affect applications that fail to sanitize inputs. Because of this,
web applications are one of the most vulnerable
targets for injection attacks. Web apps interact with multiple
users across many platforms. They also have a lot
of interactive objects, like images and buttons. This makes it challenging
for developers to think of all the ways they
should sanitize their input. A common and dangerous
type of injection attack that's a threat to web apps
is cross-site scripting. Cross-site scripting, or
XSS, is an injection attack that inserts code into a
vulnerable website or web application. These attacks are
often delivered by exploiting the two languages
used by most websites, HTML and JavaScript. Both can give cybercriminals
access to everything that loads on the
infected web page. This can include session
cookies, geolocation, and even webcams and microphones. There are three main types of
cross-site scripting attacks, reflected, stored,
and DOM-based. A reflected XSS
attack is an instance where a malicious script
is sent to the server and activated during
the server's response. A common example of this is
the search bar of a website. In a reflected XSS attack,
criminals send their target a web link that appears
to go to a trusted site. When they click the link,
it sends the HTTP request to the vulnerable site server. The attacker's script is then
returned, or reflected, back to the innocent user's browser. Here, the browser loads
the malicious script because it trusts the
server's response. With the script
loaded, information like session cookies are
sent back to the attacker. In a stored XSS attack,
the malicious script isn't hidden in a link that
needs to be sent to the server. Instead, a stored XSS
attack is an instance where malicious script
is injected directly on the server. Here, attackers target
elements of a site that are served to the user. This could be things
like images and buttons that load when the
site is visited. Infected elements activate
the malicious code when a user simply
visits the site. Stored XSS attacks
can be damaging because the user has no way of
knowing the site is infected beforehand. Finally, there's DOM-based XSS. D-O-M stands for document
object model, which is basically the source code of a website. A DOM-based XSS
attack is an instance where malicious script exists
in the web page a browser loads. Unlike reflected
XSS, these attacks don't need to be sent to
the server to activate. In a DOM-based attack,
a malicious script can be seen in the URL. In this example, the website's
URL contains parameter values. The parameter values
reflect input from the user. Here, the site allows users
to select color themes. When the user makes a selection,
it appears as part of the URL. In a DOM-based attack,
criminals change the parameter that's expecting an input. For example, they could
hide malicious JavaScript in the HTML tags. The browser would
process the HTML and execute the JavaScript. Hackers use these methods
of cross-site scripting to steal sensitive information. Security analysts should
be familiar with this group of injection attacks. However, they're
not the only ones, as we'll discover next time. Let's keep exploring
injection attacks by investigating another common
type of web-based exploit. The next one we're going
to discuss exploits the way websites access
information from databases. Earlier in the program, you
may have learned about SQL. You may recall, SQL is
a programming language used to create, interact
with, and request information from a database. SQL is used by most
web applications. For example, shopping
websites use it a lot. Imagine the databases of
an online clothing store. It likely contains
a full inventory of all the items
the company sells. Websites don't normally make
users enter the SQL queries manually. Instead, they use things like
menus, images, and buttons to show users information
in a meaningful way. For example, when
an online shopper clicks a button to add
a sweater to their cart, it triggers a SQL query. The query runs in
the background, where no one can see it. You would never know from
using the menus and buttons of a website, but sometimes,
those backend queries are vulnerable to
injection attacks. A SQL injection
is an attack that executes unexpected
queries on a database. Like cross-site
scripting, SQL injection occurs due to the lack
of sanitized input. The injections take
place in an area of the website that are
designed to accept user input. A common example is the
login form to access a site. One of these forms might
trigger a backend SQL statement like this when a user
enters their credentials. Web forms like this
one are designed to copy user input
into the statement exactly as they're written. The statement then
sends a request to the server, which
runs the query. Websites that are
vulnerable to SQL injection inserts the user input
exactly as it's entered before running the code. Unfortunately, this is
a serious design flaw. It commonly happens because
web developers expect people to use their inputs correctly. They don't anticipate
attackers exploiting them. For example, an attacker might
insert additional SQL code. This could cause the server
to run a harmful query of code that it wasn't expecting. Malicious hackers can
target these attack vectors to obtain sensitive information,
modify tables, and even gain administrative writes
to the database. The best way to defend
against SQL injections is code that will
sanitize the input. Developers can
write code to search for specific SQL characters. This gives the server a clearer
idea of what inputs to expect. One way this is done is
with prepared statements. A prepared statement
is a coding technique that executes SQL statements
before passing them into the database. When the user input is
unknown, the best practice is to use these
prepared statements. With just a few
extra lines of code, a prepared statement
executes the code before passing it
on to the server. This means the code
can be validated before performing the query. Having well-written
code is one of the keys to preventing SQL injection. Security teams work
with program developers to test applications for
these sort of vulnerabilities. Like a lot of security
tasks, it's a team effort. Injection attacks are
just one of many types of web-based exploits that
security teams deal with. We're going to explore
how security teams prepare for injection attacks and
other kinds of threats. Preparing for attacks
is an important job that the entire security
team is responsible for. Threat actors have many
tools they can use, depending on their target. For example, attacking
a small business can be different from
attacking a public utility. Each have different assets
and specific defenses to keep them safe. In all cases,
anticipating attacks is the key to
preparing for them. In security, we do that by
performing an activity known as threat modeling. Threat modeling is a
process of identifying assets, their
vulnerabilities, and how each is exposed to threats. We apply threat modeling
to everything we protect. Entire systems,
applications, or business processes all get examined
from this security-related perspective. Creating threat models is a
lengthy and detailed activity. They're normally performed by
a collection of individuals with years of
experience in the field. Because of that,
it's considered to be an advanced skill in security. However, that doesn't mean
you won't be involved. There are several threat
modeling frameworks used in the field. Some are better suited
for network security. Others are better for things
like information security or application development. In general, there are six
steps of a threat model. The first is to define
the scope of the model. At this stage, the
team determines what they're building by
creating an inventory of assets and classifying them. The second step is
to identify threats. Here, the team defines all
potential threat actors. A threat actor is
any person or group who presents a security risk. Threat actors are characterized
as being internal or external. For example, an
internal threat actor could be an employee who
intentionally exposed an asset to harm. An example of an
external threat actor could be a malicious hacker
or a competing business. After threat actors
have been identified, the team puts together what's
known as an attack tree. An attack tree is a diagram
that maps threats to assets. The team tries to be
as detailed as possible when constructing this
diagram before moving on. Step three of the
threat modeling process is to characterize
the environment. Here, the team applies
an attacker mindset to the business. They consider how the
customers and employees interact with the environment. Other factors they consider
are external partners and third-party vendors. At step four, their objective
is to analyze threats. Here, the team works together
to examine existing protections and identify gaps. They then rank threats
according to their risk score that they assign. During step five, the team
decides how to mitigate risk. At this point, the
group creates their plan for defending against threats. The choices here are to avoid
risk, transfer it, reduce it, or accept it. The sixth and final step
is to evaluate findings. At this stage, everything that
was done during the exercise is documented,
fixes are applied, and the team makes note
of any successes they had. They also record
any lessons learned so they can inform how they
approach future threat models. That's an overview of the
general threat modeling process. What we explored was just one
of many methods that exist. Let's finish exploring
threat modeling by taking a look at
real-world scenarios. This time, we'll use a
standard threat modeling process called PASTA. Imagine that a
fitness company is getting ready to launch
their first mobile app. Before we can go
live, the company asks their security team
to ensure the app will protect customer data. The team decides to
perform a threat model using the PASTA framework. PASTA is a popular threat
modeling framework that's used across many industries. PASTA is short for process for
attack simulation and threat analysis. There are seven stages
of the PASTA framework. Let's go through each of
them to help this fitness company get their app ready. Stage one of the PASTA
threat model framework is to define business
and security objectives. Before starting
the threat model, the team needs to decide
what their goals are. The main objective
in our example with the fitness company app
is protecting customer data. The team starts by asking a
lot of questions at this stage. They'll need to
understand things like how personally identifiable
information is handled. Answering these
questions is a key to evaluating the
impact of threats that they'll find along the way. Stage two of the
pasta framework is to define the technical scope. Here, the team's focus is
to identify the application components that
must be evaluated. This is what we discussed
earlier as the attack surface. For a mobile app,
this will include technology that's involved while
data is at rest and in use. This includes network
protocols, security controls, and other data interactions. At stage three of
PASTA, the team's job is to decompose the application. In other words, we
need to identify the existing controls that will
protect user data from threats. This normally means working
with the application developers to produce a data flow diagram. A diagram like
this would show how data gets from a user's device
to the company's database. It would also identify
the controls in place to protect this
data along the way. Stage four of PASTA is next. The focus here is to
perform a threat analysis. This is where the team gets
into their attacker mindset. Here, research is
done to collect the most up-to-date information
on the type of attacks being used. Like other technologies, mobile
apps have many attack vectors. These changed
regularly, so the team would reference resources
to stay up to date. Stage five of pasta is
performing a vulnerability analysis. In this stage, the
team more deeply investigates potential
vulnerabilities by considering the
root of the problem. Next is stage six of PASTA,
where the team conducts attack modeling. This is where the team tests
the vulnerabilities that were analyzed in stage
five by simulating attacks. The team does this by
creating an attack tree, which looks like a flow chart. For example, an attack
tree for our mobile app might look like this. Customer information, like
usernames and passwords, is a target. This data is normally
stored in a database. We've learned that databases
are vulnerable to attacks like SQL injection. So we will add this attack
vector to our attack tree. A threat actor might
exploit vulnerabilities caused by unsanitized inputs
to attack this vector. The security team uses
attack trees like this to identify attack
vectors that need to be tested to validate threats. This is just one branch
of this attack tree. An application
like a fitness app typically has lots of branches
with a number of other attack vectors. Stage seven of pasta is to
analyze risk and impact. Here, the team assembles
all the information they've collected in
stages one through six. By this stage, the
team is in position to make informed risk
management recommendations to business stakeholders
that align with their goals. And with that, we
made it all the way through a threat
modeling exercise based on the PASTA framework. Managing threats is
a major part of what security professionals do. In this part of
the course, we've explored some common
types of cyber threats that you will likely
encounter in the field. Let's review. We started off discussing
social engineering. You learned that
attackers have a variety of ways to trick their
targets into sharing private information. Social engineering
techniques rely on exploiting people's trust
and willingness to help. Phishing attacks are one
of the most common ways that attackers go about
manipulating their targets. Next, we explored malware. Here, we discussed the
major classes of malware, like viruses,
Trojans, and worms. You learned how to spot
signs of infection. You also learned how malware
has evolved and become more sophisticated over the years. After that, we
turned our attention to web-based exploits,
specifically, injection attacks. You learned about cross-site
scripting and SQL injection, two of the most common
types of attacks facing organizations online. We discussed how each of
these attacks are carried out. You also learned about how
web applications can be protected from malicious code. Finally, we explored the
threat modeling process. You learned the process
that security teams use to perform these exercises. Unfortunately, cyber attacks
and security breaches are a reality that
we're challenged with on a regular basis. However, being aware of the
type of threats that exist and the threat modeling
process provides an important foundation for
your work as a security analyst. Congratulations on making it
through the end of this course. I can hardly believe our
time together is over. Before moving on in the
certificate program, I'd like to reflect on all the
amazing progress you've made. When we started, were introduced
to a wide range of assets organizations protect. Our primary focus was
information security, specifically,
digital information. Here, you learned how
asset classification helps security teams
focus their efforts and prioritize resources. We explored digital assets
and the three states of data. We also learned how policies,
standards, and procedures can mitigate organizational risks. Our focus on the NIST
cybersecurity framework introduced you to a
commonly used framework for managing risks. Afterwards, you learned about
fundamental security systems and controls. You got to explore
technology like encryption that's used to protect
data in all its states. You also learned
how technologies, like public key infrastructure
and digital certificates, are used to maintain the
confidentiality, integrity, and availability of
information online. And you also explored
access controls that make up the
authentication, authorization, and accounting framework. Next, we explored common
vulnerabilities in systems. During this part of the
course, you got an inside look into how security teams position
themselves ahead of attacks. We explored the defense
in depth strategy that's applied to protect
information as it's exchanged between parties online. You also learned about
the Common Vulnerability and Exposures list, the
vulnerability assessment process, and attack
surfaces and attack vectors. We then explored the major
threats to asset security, like social
engineering, malware, and web-based exploits. Together, we discussed how
these attacks are carried out and the way security teams
prevent them from doing damage. We then finished up by exploring
the process of threat modeling. We covered so much. I really appreciate your
efforts through it all. When I first started
my career in security, my goal was to learn, network,
and embrace any opportunity. I was able to attend security
conferences, received job tips, earned references, and
volunteered to gain experience. At that time, I would
have never imagined that I'd be here teaching
what I've learned to others. That just goes to show
you, your security journey is only just beginning. While our time
together is over, we covered a lot of complex
topics, many of which are areas of
specialization in security. With the foundation
you built here, you have a wide range of
possibilities to continue growing in the field. I'm so glad to
have played a part in this step along your journey
into the world of security, and I wish you all the best
as you continue forward along your path. [MUSIC PLAYING]
