Entry Level Cybersecurity Training

Uploaded by

Bipin

Entry level cybersecurity Training

Computer Networking and Security

• Confidentiality - Confidentiality means preserving authorized restrictions on information
access and disclosure, including means for protecting personal privacy and proprietary
information.
• Integrity - Integrity means guarding against improper information modification or
destruction and includes ensuring information non-repudiation and authenticity.
• Availability - Availability means ensuring timely and reliable access to and use of information.

Networking and Networking Models

Parts of a Network

Before we jump into the video below, I want to describe some of the components you'll find in a basic
network, so you have a picture in your mind going forward. As we noted in the last lesson, a network is
basically two or more computers that are linked together and share a common set of resources, files, and
services. You likely have a home network, where you possibly have one or more desktops or laptops or phones
or tablets connected to it. In fact, these days, you may even have a smart TV, doorbell, thermostat, or personal
assistant device connected to that network as well. To connect your home network to the internet, you have
a router, which is a device that connects networks and routes traffic between them.
Another device that you'll see in networks is called a switch or Ethernet switch. This is a device that connects
nodes (computers) on the same network. So, unlike a router, a switch is only concerned about sending traffic
between computers on the same network, rather than routing data between networks. You might encounter a
switch at your office, where multiple computers on your LAN (Local Area Network) are connected via cables
into a switch. You may not see the switch near your desk, as it may be in a special room within your building,
where network administrators can access it. A similar device is a hub. A hub also sends data between nodes on
the same network, but the difference is that it broadcasts data to all nodes and is not smart enough to send
only certain data to a certain node. Because switches can be used to send data to specific nodes, you may find
that your office network only uses switches and does not have a hub.

A few other items on a network that you need to know about are servers, firewalls, and endpoints. We'll start
with endpoints, as we already mentioned them above. Endpoints are typically those things that end-users
interact with, such as desktops, laptops, mobile phones, and so forth. That's sort of where the data ends as it
goes out of a network, to a human, and back again. Then you have servers, these are simply computers that
provide a particular service. Examples are web servers, email servers, print servers, and so forth. You can think
of them as providing services that everyone needs (i.e., everyone needs to send email; everyone needs to print
files, and so forth). And, then finally, firewalls are important devices in a network that filter traffic going
between networks for the purposes of protecting the network. Typically, we think of the firewall as being
something that protects us from bad things coming in from the internet, such as spam, viruses, and so forth.
Network Device Terms:

To recap, here are the network terms covered above:

• Hub - Remember that unlike a switch, a hub broadcasts to all nodes and cannot direct traffic to
specific nodes. (According to TechTarget, a network hub is "a node that broadcasts data to every
computer or Ethernet-based device connected to it." )
• Switch - A device that connects multiple nodes on the same network. Remember that it is more
sophisticated than a hub because it can direct traffic to only certain nodes instead of broadcasting to
all nodes.
• Router - A device that connects and routes traffic between networks.
• Endpoint - Typically, an end-user device like a desktop, laptop, printer, mobile phone, etc.
• Server - A computer that provides a particular service, like a mail server or print server.
• Firewall - A device that filters traffic going between networks for the purposes of protecting the
network.
Why Should We Care about Network Models?

If you are a network administrator, you are not necessarily going to be thinking about the OSI Model in your
day-to-day work. It is an abstract idea that you might have used to understand networking at a high level.
However, after that, you may not think about it much anymore.

A Common Language

On the other hand, it can provide a common language and knowledgebase whenever you need to converse
with other technical people in your organization. For example, you may need to discuss your network with
application programmers and network architects, and having a network model that everyone can relate to can
be helpful. If you all know the importance of the Transport Layer and what it represents, for example, you can
more easily speak a common language about it. An architect may need to ask a network engineer about what
is already existing in the network to design a new part of the network. Or an application programmer may
need to know how network communications are set up to make sure she designs her application in a secure
way.

TCP/IP Model

The TCP/IP Model is another reference model that helps explain how network communications work. The
Department of Defence developed it in the 1960s and it is still referenced today. It uses 4 layers to represent
some of the same ideas that the OSI Model represents with 7 layers. Some people consider the TCP/IP Model
to be more practical, whereas the OSI Model is more abstract. Take note that I refer to the 4 layers of the
TCP/IP Model as the Link Layer, Internet Layer, Transport Layer, and Application Layer, while some people
refer to that first layer as the Network Access Layer, rather than the Link Layer. In either case, the idea is the
same. That first layer is the one that provides access (or a link) to the network.

Inventory and Security

Another reason why the OSI Model and the TCP/IP Model can be beneficial is because they can help you take
an inventory of what you have in your network. You can break your network down and think about it in terms
of each layer. What is going on in each layer and have we secured each layer? I mentioned Defence-in-Depth
earlier in the course, and this is one way you can apply it. You can look at your network in an abstract layer-by-
layer way and determine whether everything is secure at every level. One example I've seen to describe how
this can be helpful is if you have an organization where users need to download a lot of sensitive data onto
their endpoints, like laptops and smart phones. If they do, then your endpoint security (and security at the
Application Layer, for example) might be more important for you than an organization that keeps all its
sensitive data in the cloud and does not have users who need to download it. This is just a high-level example
of how network models can help you converse with others about protecting your network.
Common Ports and Protocols
A Little More about FTPS and SFTP

First, be aware that some protocols deal with communication, some deal with management, and some deal
with security. As such, they are often used in concert with each other. For example, a protocol that handles
communication may be used along with a protocol that handles security. That is the case with the two secure
versions of File Transfer Protocol (FTP): FTPS and SFTP. FTPS is where file transfer is being done with SSL
(Secure Sockets Layer) encryption added to it. SFTP is where file transfer is being done with SSH (Secure Shell),
which sort of provides a secure channel for the file transfer to take place. SSH itself is worth knowing more
about, and I go into SSH a bit more below.

What is a Shell?

Since we talked about SSH, let's go into it a bit more and talk about a couple of other concepts that are sort of
related and important for you to know in the context of cybersecurity.

• Shell - If SSH is a Secure Shell, what is a shell? A shell is a computer program that allows you to control
a computer from a command-line interface (CLI). This is where you don't have a graphical user
interface (with images and buttons and so forth), but just a command prompt, where you type in
commands to control what's happening on the computer. I think of a shell as a sort of portal -- either
to the control center of the computer I'm on or to a remote computer if I'm using SSH to connect
remotely. As you move further in your cybersecurity journey, you will likely type commands from a CLI
at some point, if you haven't already.
• SSH - As we've mentioned, SSH stands for Secure Shell. Per Wikipedia, SSH is "a cryptographic
network protocol for operating network services securely over an unsecured network. Its most
notable applications are remote login and command-line execution." It is also worth noting that SSH
uses public key cryptography, and we will be talking about public keys in our lesson on encryption. In
any case, I can't stress enough how important it is for you to know this protocol and the concept it
represents. When a hacker wants to get access to a server on a network and control it, a major
accomplishment would be for the hacker to obtain SSH credentials for that server. So, it's extremely
important to protect those credentials, which should only be accessible to authorized administrators.
• Web Shell - A web shell, on the other hand, is a nefarious script that a hacker will use to access and
control a web server remotely.

Network Threats and Attacks

Attack Flow Frameworks

Before we look at some examples of network threats and attacks, let's talk about some frameworks we can
use to understand how cyber criminals operate. We will look at both Lockheed Martin's Cyber Kill Chain and
the MITRE Corporation's ATT&CK Framework. The idea behind these frameworks is to allow us to think like an
adversary. What are adversaries trying to do at each stage of an attack? How might they do one thing to
enable another?

Lockheed Martin's Cyber Kill Chain

Lockheed Martin has developed a framework to describe the basic steps an adversary might take when
carrying out a cyber-attack. The framework is based on intelligence about what attackers have commonly
done, and it enables security teams to plan their countermoves at each stage so they can effectively detect
and prevent attacks.

The framework is called the Cyber Kill Chain. The 7 steps in this framework are as follows, but keep in mind
that an adversary may repeat steps and may not always follow this process in a linear fashion:
1. Reconnaissance - obtain information about the target.
2. Weaponization - create the malware to use against the victim.
3. Delivery - infiltrate the victim's network to deliver the malware.
4. Exploitation - once in the victim network, take steps to achieve goals.
5. Installation - install malware, backdoors, and other cyber weapons.
6. Command and Control (C2) - communicate with the malware once installed.
7. Actions on Objectives - carry out the final objective, such as stealing information or disrupting
services.

MITRE ATT&CK Framework

Another model we can use to understand how a cyber threat actor operates is the MITRE ATT&CK Framework.
ATT&CK stands for Adversarial Tactics, Techniques, & Common Knowledge. You will see some overlap between
how Lockheed Martin and MITRE have described the steps in an attack. MITRE has 14 tactics in its enterprise
framework that describe what an adversary is trying to accomplish at various stages of an attack. A given
attack may only include some of these tactics, and they may be repeated. Each tactic is associated with various
techniques and procedures. The tactics describe what the attacker is trying to do, and the techniques describe
how they might go about doing it. Procedures provide real-life examples of how attackers have used the
techniques in the past. The tactics in this framework are:

1. Reconnaissance - gather info about the victim from the outside.
2. Resource Development - establish resources to use.
3. Initial Access - gain access to the victim network
4. Execution - run malicious code.
5. Persistence - maintain one's foothold.
6. Privilege Escalation - gain higher-level privileges.
7. Defense Evasion - avoid being detected.
8. Credential Access - steal account credentials.
9. Discovery - learn more about the victim's network environment.
10. Lateral Movement - move around in the network.
11. Collection - gather data of interest for achieving one's goal.
12. Command and Control (C2) - communicate from within compromised systems and control them.
13. Exfiltration - steal data
14. Impact - manipulate, interrupt, or destroy systems and data.
Because the MITRE ATT&CK Framework describes these tactics, techniques, and procedures that adversaries
are known to use, the term TTP (Tactics, Techniques, and Procedures) has become a common way to refer to
the way an adversary might behave. The MITRE ATT&CK Framework is normally shown in a matrix like the one
pictured below. Threat actors are constantly devising new methods of attack, however, so MITRE continues to
update its matrix to reflect the documented TTPs that have been seen in the wild. MITRE also maintains
multiple matrices to reflect the TTPs in enterprise networks, mobile networks, and ICS (Industrial Control
System) networks.
Real Attacks in the News

Now that we have gone over some common types of threats and attacks, let's look at some real examples in
the news. Keep in mind that these attacks can be used in combination with each other to make up an overall
attack flow. Here are just a few examples:

Spoofing & Phishing: Threat Actors Use Google Cloud to Spoof Best Buy

• In this attack, the threat actors used spoofing and phishing. They sent a phishing email and used the
Google Cloud Storage facility in the links of the email to bypass security systems. As such, there was a
greater likelihood their phishing emails would make it into recipients' inboxes. If recipients of the
email missed the clues that the email was fake and clicked the links, they would be taken to a
malicious site.

Phishing and Man-in-the-Middle: Cloudflare and Twilio Attacks

• In this set of attacks, threat actors used phishing text messages to employees of Cloudflare and Twilio
that were made to look like they were from the IT department. The messages instructed recipients to
change their passwords and were sophisticated enough to look legitimate. If the victims fell for it and
changed their passwords, attackers would be able to intercept their new credentials and log into the
same systems as the victims. This article explains other ways attackers could use a man-in-the-middle
attack.

DDOS Attack - Taiwanese Websites Hit with DDOS Attacks

• In this set of attacks, hackers temporarily shut down various Taiwanese government websites using
Distributed Denial of Service attacks by overwhelming the sites with more traffic than they could
handle.

Remote Code Execution and Privilege Escalation - Zoom Privilege Escalation and Zoom Remote Code Execution Vulnerabilities

• In these two cases, Zoom was vulnerable to attack in certain situations. In the first case, an attacker
could take advantage of Zoom's automatic update process by compromising an unprivileged user's
account. When the update occurs, the attacker could escalate the user's privileges to a privileged
user's (root) level. In the second case, an attacker on an already compromised system could use
Zoom's chat feature to execute malware remotely (remote code execution) by sending the user a
message over the XMPP protocol, which is used for instant messaging. In both cases, the
vulnerabilities were patched; however, it is useful to understand how attackers might have taken
advantage of these weaknesses.

Network Security Infrastructure

Tools Used to Protect Networks

You will likely hear these terms used a lot in the cybersecurity world, and it's important to know what they
mean.

• IDS (Intrusion Detection System) - A device or software solution that monitors a network for activity
that is known or suspected to be malicious and alerts network defenders about the activity. It does
not take any action to respond or prevent the activity. Variations are NIDS (Network IDS) and HIDS
(Host IDS).
• IPS (Intrusion Protection System) - A device or software solution that monitors a network for
suspected or known malicious activity and takes action to prevent it or stop it. This feature of taking
action to prevent the activity is what differentiates an IPS from an IDS. Variations are NIPS (Network
IPS) and HIPS (Host IPS).
• SIEM (Security Information and Event Management) - A tool used to combine security information
and event management in a way that allows analysts and network managers to monitor it and make
sense of it more easily. A SIEM typically centralizes logs or pulls in already centralized logs from many
sources so that they are consolidated and searchable for network defenders to visualize and analyze.
• EDR (Endpoint Detection & Response) - A solution that monitors end-user devices for malware and
responds to prevent or stop it. We've talked a few times about endpoint devices and how they can be
especially vulnerable. This solution is meant to help mitigate endpoint security issues.
• SOAR (Security Orchestration Automation & Response) - A solution that is typically made up of a
collection of tools that automatically handle security operation tasks, like scanning for vulnerabilities
and responding to incidents. This type of tool automates tasks that network defenders might normally
do in response to a threat or incident. With automation of this sort, network defenders can be freed
up to do other work and more quickly respond to incidents that get past normal defenses.
• Honeypot - A system (e.g., a web server) or system resource (e.g., a file on a server) that is designed
to be attractive to potential hackers and intruders, like honey is attractive to bears. The idea is to put a
honeypot out to attract an adversary and confirm whether that adversary is trying to target you. It can
also provide valuable intelligence about how that adversary behaves in relation to the target.
Security Controls and Control Frameworks

What is a Security Control?

Security Awareness Training as a Control

I briefly mentioned in the video that security training itself can be a type of administrative control. It is a good
idea to involve all types of staff in your security training, to include contractors, custodial staff, personnel who
provide physical security, and after-hours support personnel. It is also worth noting that training can extend to
visual aids and posters placed throughout the office that keep security top of mind for employees.
Organizations should strive to provide security training to employees at least annually, if not quarterly.
Furthermore, organizations should document when training has occurred.

One acronym you might see associated with this is Security Education, Training, and Awareness (SETA). A good
SETA program will reinforce the following ideas:

• Everyone is responsible for security.
• A clean desk policy is not just a call to be neat; it is a good security control since office visitors cannot
readily see potentially sensitive information.
• Employees should observe the proper procedures for disposing of confidential paper waste (such as
by shredding it).
• Employees should observe strong password policies related to length and complexity and change their
passwords regularly. (Logical/technical controls can be put in place to enforce these password
standards, but the role of the employee is still important.)
• Employees should know the proper rules around sending email attachments, including when and how
to encrypt them if they contain sensitive information.
• Employees should be aware of the threat posed by phishing and know to be cautious when opening
email attachments or clicking links in emails or texts they receive. They also should know the proper
procedure for reporting suspicious messages to the IT department.

More Security Control Terminology

• The Principle of Least Privilege - The principle that a security architecture should be designed so that
each person or entity is granted the minimum system resources and authorizations that the entity
needs to perform its function.
• The Need to Know - A determination that a prospective recipient requires access to specific
information to perform official functions. Remember that this concept is related to access to
information.
• Segregation of Duties - An administrative control that requires that more than one person is needed
to complete a task, such as requiring more than one person to sign off on an expense. This principle is
meant to reduce fraud and waste by reducing the possibility that a single person can make decisions
that can put an organization at risk. (Also known as Separation of Duties)
• Dual Controls - This is a concept very similar to Segregation of Duties, where two people are required
to perform an action to ensure that the responsibility for a high-risk action is shared.
• Man Trap - A type of physical control that is placed at the entrance to a building. It requires people to
pass through two doors, with only one being open at a time.
Access Management

User Provisioning

The act of granting a user access to a system can seem mundane, but it's important to realize how vital it is to
safeguard that process. A hacker who gains access to a system by targeting a regular user in a phishing
campaign could instantly have access to a lot of the organization's intellectual property. Normally, hackers will
then try to escalate their privileges by seeking out admin-level rights on the system. However, the critical point
where they got in, by targeting a regular user, is already a serious inflection point in an attack flow.

Administrators normally need to do some identity proofing before they grant users access. Then, as they
decide what privileges to give to users, they will likely need to think through certain questions. What do they
really need access to? Should they be able to download software onto their machines? Do they need to access
highly classified or sensitive information? If they need to access special information, do they need that access
all the time or just in certain circumstances? By thinking through these types of questions, an administrator
can reduce the risks associated with user provisioning.

When it comes to provisioning another privileged (admin) user, the administrator needs to think about the
types of special access needed, such as for root, enterprise admin, or domain admin. In a small organization,
there may be only one administrator, but in a large organization, there will likely be a team of administrators. In
this situation, the team needs to sort out how to properly share admin-level account access and keep related
credentials secure.
Here are a few other concepts you should know in connection with Access Management.

User Life Cycle Management - This concept is associated with all the practices related to creating, maintaining,
disabling, and deleting a user account. When a new employee joins an organization, administrators will create
the account and onboard the new user. They may use a "baseline account" to set the user up and then apply
any changes to that user's access that are commensurate with the user's role. If the user changes to a new
position, the administrator may need to modify the account and its access. If the user takes a temporary leave
of absence, the admin will need to temporarily disable the account. And, finally, when the user has a separation
of employment, the admin will need to delete and "offboard" the account. Administrators have a lot of
responsibility when it comes to ensuring that this life cycle is handled in the most secure and meticulous way.

User Life Cycle Risks - Risks associated with not managing the user life cycle properly include inadvertently
allowing for privilege creep, such as if a user required greater privileges for one role, but then transfers to
another role, and the admin fails to remove those privileges. Another risk could be that the administrator fails
to deprovision a user when that user goes on a temporary leave or separates from the organization.
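As an added example (not part of the course text), the user life cycle described above modelled in Python: accounts are created from a role baseline, transferred either cleanly or sloppily, disabled for leave or offboarded, and then audited for the risks just named (privilege creep, accounts left enabled, and unused accounts that should be deprovisioned). The roles, entitlement names, users and dates are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Constructed role baselines (the "baseline account" the text mentions):
# the entitlements each role should hold, and nothing more.
ROLE_BASELINES: Dict[str, Set[str]] = {
    "accounts_payable": {"mail", "erp.invoices.read", "erp.invoices.approve"},
    "helpdesk":         {"mail", "ticketing.agent", "ad.password_reset"},
    "warehouse":        {"mail", "wms.inventory.read"},
}

AUDIT_DATE = date(2022, 9, 1)  # constructed "today" for the demo


@dataclass
class UserAccount:
    username: str
    role: str
    entitlements: Set[str] = field(default_factory=set)
    enabled: bool = True
    on_leave: bool = False
    separated: bool = False
    last_login: Optional[date] = None


def onboard(username: str, role: str, today: date) -> UserAccount:
    """Create the account from the role baseline only."""
    return UserAccount(username, role, set(ROLE_BASELINES[role]), last_login=today)

def transfer_sloppy(user: UserAccount, new_role: str) -> None:
    """Role change done the risky way: new rights are added, old rights are
    never removed. This is exactly how privilege creep happens."""
    user.role = new_role
    user.entitlements |= ROLE_BASELINES[new_role]

def transfer_clean(user: UserAccount, new_role: str) -> None:
    """Role change done properly: re-provision from the new role's baseline."""
    user.role = new_role
    user.entitlements = set(ROLE_BASELINES[new_role])

def start_leave(user: UserAccount) -> None:
    """Temporary leave: disable the account but keep it for the user's return."""
    user.on_leave, user.enabled = True, False

def offboard(user: UserAccount) -> None:
    """Separation: disable and strip every entitlement before deletion."""
    user.separated, user.enabled = True, False
    user.entitlements.clear()

def privilege_creep(user: UserAccount) -> Set[str]:
    """Entitlements held beyond the baseline of the user's current role."""
    return user.entitlements - ROLE_BASELINES[user.role]

def audit(users: List[UserAccount], today: date,
          stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Flag the life-cycle risks the text names: privilege creep, accounts left
    enabled during leave or after separation, and enabled accounts nobody uses."""
    findings: Dict[str, List[str]] = {}
    for u in users:
        issues = []
        creep = privilege_creep(u)
        if creep:
            issues.append(f"privilege creep: {sorted(creep)}")
        if (u.on_leave or u.separated) and u.enabled:
            issues.append("still enabled while on leave or separated")
        if u.separated and u.entitlements:
            issues.append("separated but still holds entitlements")
        if u.enabled and u.last_login and today - u.last_login > stale_after:
            issues.append(f"enabled but no login for >{stale_after.days} days")
        if issues:
            findings[u.username] = issues
    return findings

def run_demo() -> Dict[str, List[str]]:
    """Walk five constructed accounts through the life cycle and audit them."""
    alice = onboard("alice", "accounts_payable", AUDIT_DATE - timedelta(days=400))
    transfer_sloppy(alice, "warehouse")       # keeps her invoice-approval rights
    alice.last_login = AUDIT_DATE
    bob = onboard("bob", "helpdesk", AUDIT_DATE - timedelta(days=200))
    transfer_clean(bob, "warehouse")          # re-provisioned from the baseline
    bob.last_login = AUDIT_DATE
    carol = onboard("carol", "helpdesk", AUDIT_DATE - timedelta(days=300))
    carol.separated = True                    # HR says she left; admin never offboarded
    carol.last_login = AUDIT_DATE - timedelta(days=10)
    dave = onboard("dave", "warehouse", AUDIT_DATE - timedelta(days=100))
    start_leave(dave)                         # handled correctly: nothing to flag
    erin = onboard("erin", "accounts_payable", AUDIT_DATE - timedelta(days=120))
    # erin never logged in again: a deprovisioning candidate
    return audit([alice, bob, carol, dave, erin], AUDIT_DATE)


if __name__ == "__main__":
    for user, issues in run_demo().items():
        print(user, "->", "; ".join(issues))
```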

Privileged Access Management (PAM) - Properly managing privileged access is another major responsibility for
administrators. Privileged users require admin-level accounts that need to be highly protected; however, with
PAM, the need to use those privileges can be limited so that administrators only use them when needed. This
process reduces risk and reduces the chances that a threat actor will be able to obtain privileged access. This is
also known as "reducing the attack surface" by limiting the opportunities a threat actor has to exploit the system
and gain greater access.

Insider Threat - The threat that an insider will use her/his authorized access, wittingly or unwittingly, to do
harm to the security of organizational operations and assets, individuals, other organizations, and the Nation.
This is an important threat to keep in mind when performing access management and one that is often
overlooked.

Control Frameworks

Control frameworks are frameworks that help us ensure we are following the best practices in cybersecurity. When we want to make
sure we are doing all that we can to protect our networks, clients, and data, these frameworks can help us
check all the proper boxes.
Security Operations

Data Handling Practices

Making Sense of All the Data

This lesson covers how we treat data, including how we classify it, categorize it, protect it, log it, and make
sense of it. We live in a "big data" world, and it can be difficult to know how to process everything. If you are a
network defender, and every connection point on your network could be a potential access point for an
adversary, how can you possibly keep track of what is happening everywhere all the time? A big part of a
Security Analyst's job, for example, is knowing what is normal and what an anomaly looks like. There are
key Indicators of Compromise (IOCs) to look out for. For example, a flurry of failed login attempts could
indicate that a threat actor is trying to get access. You would need to know both what normal login attempts
look like, as well as what the IOC is for a failed login.

As mentioned below, there are a number of tools that analysts use to monitor the network and look for IOCs
so they can make decisions about whether they need to take action. I mention the SIEM tool again, which is a
Security Information and Event Management tool that pulls together various logs from sensors throughout the
network and puts them through analytics that allow the analyst to visualize the data and be informed when
anomalies occur. Some SIEM tool offerings also couple the log data with cyber threat intelligence so the
analyst can see the activity in the context of known adversarial behaviour. Below, I'm listing a few SIEM tool
products that you can be aware of. There are many on the market, and they are being updated all the time.
Here are just a few:

Splunk - This is probably one of the most popular SIEM tools available. It can also be expensive, but as of early
2022, they offer a free trial version for a limited time if you want to check it out.

Elastic (ELK Stack) - Elastic offers a free version of its SIEM tool, which is also commonly referred to as the ELK
Stack, as it is made up of three components: Elastic, Logstash, and Kibana. (Cybrary features this SIEM tool in
the labs for its Threat Actor Campaign series of courses).

Sumo Logic - This SIEM tool was ranked as a "visionary" in Gartner Research's 2021 "Magic Quadrant for
Security Information Event Management (SIEM)" report. It also has a free version that you can try out.
LogRhythm - This SIEM tool has been ranked as a "leader" in the aforementioned Gartner Research report. As
of mid-2022, it did not appear to have a free trial version available.

To make it easier for organizations to integrate the various tools and services they need to detect and protect
against cyber threats, a group of cyber and tech companies have come together to create something called the
Open Cybersecurity Schema Framework, or OCSF. Both Splunk and Sumo Logic were among the organizations
involved. The Wall Street Journal reported in August 2022 that this standard would be applied to the various
alerts that come from different logging and monitoring tools, so that the alerts are formatted in a single way.
This helps overcome the challenges created by having so many proprietary data formats. With this standard in
place, security analysts will be able to combine different sources of data more easily into one solution; and
rather than having to monitor several dashboards to spot anomalies, analysts could potentially integrate the
data into a so-called "single pane of glass."
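Here is what a SIEM does in miniature, as an added example that is not part of the course text: two constructed log sources in different formats (an sshd syslog feed and a fictional VPN gateway that emits JSON) are normalized into one common record shape, in the spirit of the single format OCSF aims for, and then a detection looks for the IOC described earlier in this lesson: a flurry of failed logins from one source that stands out against normal activity. The sample lines, the VPN format and the common field names are all constructed for illustration; they are not the published OCSF schema.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample logs from two sources a SIEM might centralize. The IP
# addresses are from the documentation ranges (192.0.2.0/24, 198.51.100.0/24,
# 203.0.113.0/24), so they point at nothing real.
SAMPLE_LOGS = [
    "2022-08-15T09:00:02 web01 sshd[1201]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2",
    "2022-08-15T09:03:41 web01 sshd[1207]: Failed password for bob from 192.0.2.22 port 51100 ssh2",
    "2022-08-15T09:03:55 web01 sshd[1207]: Accepted password for bob from 192.0.2.22 port 51100 ssh2",
    '{"evt": "login", "when": "2022-08-15T09:10:00", "account": "carol", "clientAddr": "198.51.100.4", "gw": "vpn01", "ok": true}',
    "2022-08-15T09:12:01 web01 sshd[1300]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "2022-08-15T09:12:09 web01 sshd[1301]: Failed password for invalid user admin from 203.0.113.7 port 40002 ssh2",
    "2022-08-15T09:12:20 web01 sshd[1302]: Failed password for alice from 203.0.113.7 port 40003 ssh2",
    '{"evt": "login", "when": "2022-08-15T09:12:31", "account": "alice", "clientAddr": "203.0.113.7", "gw": "vpn01", "ok": false}',
    "2022-08-15T09:13:02 web01 sshd[1303]: Failed password for bob from 203.0.113.7 port 40004 ssh2",
    '{"evt": "login", "when": "2022-08-15T09:13:40", "account": "bob", "clientAddr": "203.0.113.7", "gw": "vpn01", "ok": false}',
    '{"evt": "disconnect", "when": "2022-08-15T09:20:00", "account": "carol", "clientAddr": "198.51.100.4", "gw": "vpn01"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) \S+ "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def normalize_syslog(line: str) -> Optional[dict]:
    """sshd syslog line -> common authentication record (None if not a login)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return {"class": "authentication", "time": datetime.fromisoformat(m["ts"]),
            "user": m["user"], "src_ip": m["src"], "host": m["host"],
            "status": "failure" if m["outcome"] == "Failed" else "success",
            "source": "sshd"}

def normalize_vendor_json(line: str) -> Optional[dict]:
    """Fictional VPN JSON, with its own proprietary names -> the same record shape."""
    d = json.loads(line)
    if d.get("evt") != "login":
        return None
    return {"class": "authentication", "time": datetime.fromisoformat(d["when"]),
            "user": d["account"], "src_ip": d["clientAddr"], "host": d["gw"],
            "status": "success" if d["ok"] else "failure", "source": "vpn"}

def ingest(lines: List[str]) -> List[dict]:
    """Centralize: route each raw line to its parser and keep one ordered stream."""
    events = []
    for line in lines:
        ev = normalize_vendor_json(line) if line.startswith("{") else normalize_syslog(line)
        if ev:
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])

Alert = Tuple[str, datetime, int, List[str]]  # (src_ip, window start, failures, users tried)

def failed_login_bursts(events: List[dict], window: timedelta = timedelta(minutes=5),
                        threshold: int = 5) -> List[Alert]:
    """The IOC from the text: a flurry of failed logins. For each source IP, slide
    a time window over its failures and alert on the densest window if it reaches
    the threshold. The threshold encodes what "normal" looks like here: a user
    mistyping a password once or twice is routine, five failures in five minutes
    from one address is not."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        if e["class"] == "authentication" and e["status"] == "failure":
            by_src[e["src_ip"]].append(e)
    alerts: List[Alert] = []
    for src, evs in by_src.items():
        best, start = (0, 0, 0), 0            # (count, first index, last index)
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, lo, hi = best
        if count >= threshold:
            users = sorted({ev["user"] for ev in evs[lo:hi + 1]})
            alerts.append((src, evs[lo]["time"], count, users))
    return alerts

def detect_from_samples() -> List[Alert]:
    return failed_login_bursts(ingest(SAMPLE_LOGS))


if __name__ == "__main__":
    for src, start, count, users in detect_from_samples():
        print(f"{src}: {count} failed logins from {start.time()} across users {users}")
```

Note how the burst is only visible once both sources share a schema: three of the six failures came through the VPN feed, and the per-source count would have stayed under the threshold if sshd and VPN logs had been watched on separate dashboards.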
Encryption and Cryptography

Here are some basic terms associated with cryptography and encryption.

• Cryptography - The discipline that embodies the principles, means, and methods for the
transformation of data to hide their semantic content, prevent their unauthorized use, or prevent
their undetected modification.
• Plaintext - Intelligible data that has meaning and can be understood without the application of
decryption. In other words, this is typically the original message without any encryption applied to it.
• Ciphertext - Encrypted (enciphered) data. In other words, this is the message after encryption has
been applied to it.
• Encryption - Any procedure used in cryptography to convert plaintext into ciphertext to prevent
anyone but the intended recipient from reading that data.
More Details about PKI

How does the sender know the recipient is really the owner of those keys and that their keys are valid?

To provide for this validation, there is a whole system involved with the issuance of a person's (or entity's)
public key. Something called a Certificate Authority (CA) is trusted to issue public keys to people or entities
that are referred to in this case as "subscribers." The keys are issued as part of what is called a Digital
Certificate. The Digital Certificate contains the identity of the issuing authority (the CA), the identity of the
subscriber, the period during which the certificate is valid, and the subscriber's public key. As I suggested,
these certificates are not only issued to people, but also to entities like applications and devices. Networks can
use the digital certificates issued to applications or devices to ensure that only trusted entities connect to the
network. Certain web sites also require digital certificates in order for you to interact with them.

You might have digital certificates in your browser right now that you can go and look at. Sometimes, if you
need to access a secured web site, you would need your certificate saved in your browser in order to access it.
If you are using Chrome, for example, you can go into your Chrome Settings > Privacy and Security > Security
and look for the option to Manage Certificates. You may not have any there, but it might be interesting to see
where they would go.

Ok, here are some definitions of these terms from the NIST Computer Security Resource Center:

• Digital Certificate - A digitally signed representation of information that 1) identifies the authority
issuing it, 2) identifies the subscriber, 3) identifies its valid operational period (date issued / expiration
date). In the information assurance (IA) community, certificate usually implies public key certificate. A
second NIST definition: a digital representation of information which at least (1) identifies the
certification authority (CA) issuing it, (2) names or identifies its subscriber, (3) contains the
subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the
certification authority issuing it.
• Certificate Authority - A trusted entity that issues and revokes public key certificates.
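
To make the trust question above concrete, here is an added example (not code from the course) that models a certificate with the fields just listed and the checks a sender runs before trusting the public key inside it. The CA name, subscriber name and RSA numbers (p=61, q=53) are constructed, textbook-sized values chosen so every step is visible; they give no real security.

```python
"""Toy model of a public key certificate and the checks made before trusting it.

Added example for this lesson, not course code. The certificate carries the
fields the text lists (issuing CA, subscriber, validity period, subscriber's
public key) and is signed by the CA. All key material is constructed and toy
sized: it illustrates the mechanics only.
"""
import hashlib
import json

# Constructed toy CA key pair: n = 61*53 = 3233, e = 17, d = 2753.
CA_NAME = "Example Training CA"
CA_PUBLIC = {"n": 3233, "e": 17}
CA_PRIVATE = {"n": 3233, "d": 2753}

# The relying party's trust store: CAs whose public keys it already trusts.
# A certificate from any other issuer is rejected before anything else.
TRUSTED_CAS = {CA_NAME: CA_PUBLIC}


def digest(body, n):
    """SHA-256 'fingerprint' of the canonical (sorted JSON) certificate body,
    reduced modulo n so the toy RSA exponentiation can operate on it."""
    raw = json.dumps(body, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n


def issue_certificate(ca_name, ca_private, subscriber, subscriber_public,
                      not_before, not_after):
    """The CA assembles the certificate body and signs its digest with d.
    Dates are ISO strings (YYYY-MM-DD), which compare correctly as text."""
    body = {
        "issuer": ca_name,
        "subscriber": subscriber,
        "not_before": not_before,
        "not_after": not_after,
        "public_key": subscriber_public,
    }
    signature = pow(digest(body, ca_private["n"]), ca_private["d"], ca_private["n"])
    return {"body": body, "signature": signature}


def verify_certificate(cert, expected_subscriber, today):
    """The checks a sender makes before trusting the public key inside.
    Returns (ok, reason) so each failure mode is visible."""
    body = cert["body"]
    ca_key = TRUSTED_CAS.get(body["issuer"])
    if ca_key is None:
        return False, "issuer is not a trusted CA"
    # Verification needs only the CA's public key (e, n): undoing the
    # signature must reproduce the digest of the body as received.
    if pow(cert["signature"], ca_key["e"], ca_key["n"]) != digest(body, ca_key["n"]):
        return False, "CA signature does not match certificate contents"
    if body["subscriber"] != expected_subscriber:
        return False, "certificate names a different subscriber"
    if not (body["not_before"] <= today <= body["not_after"]):
        return False, "certificate is outside its validity period"
    return True, "valid"


if __name__ == "__main__":
    # Constructed subscriber key: only its public half goes in the certificate.
    cert = issue_certificate(CA_NAME, CA_PRIVATE, "mike@example.test",
                             {"n": 3233, "e": 7}, "2024-01-01", "2025-12-31")
    print(verify_certificate(cert, "mike@example.test", "2025-06-01"))
    print(verify_certificate(cert, "mike@example.test", "2026-02-01"))
    # Swapping in a different public key without the CA re-signing should fail
    # the signature check; with a real-size modulus a chance match is not
    # possible in practice, which is what stops key substitution.
    forged = {"body": dict(cert["body"], public_key={"n": 3233, "e": 11}),
              "signature": cert["signature"]}
    print(verify_certificate(forged, "mike@example.test", "2025-06-01"))
```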

Key Take-Aways:

Encryption and cryptography are complex topics, and we've covered them at a high level. At the risk of giving
away the answer key to the questions below, here are some key take-aways to remember:

• See what I did there? The key to this lesson is keys!


• Seriously, though, remember that symmetric encryption is fast and strong and uses the same key for
encryption and decryption.
• Asymmetric encryption is strong, scalable, and provides a solution to the problem of key distribution.
It involves public keys and private keys. The sender of a message uses the recipient's public key to
encrypt a message. The recipient keeps their private key private and uses that private key to decrypt the
message.
• Public Key Infrastructure (PKI) is a system that provides a secure way to share public keys.
• Hashing is a one-way, non-reversible process of producing a digest of a file, sort of like a fingerprint.
The input is the file itself, and the output is a unique, fixed-length representation of the file that
consists of a seemingly random string of letters and numbers.

Incident Response (IR), Business Continuity (BC) and Disaster Recovery (DR)

Incident Response
This is the beginning of the module covering Incident Response (IR), Business Continuity (BC), and Disaster
Recovery (DR). It is all about how to deal with situations when things go wrong. We start with Incident
Response, as that is the initial point at which an organization is reacting to a situation.
Business Continuity

An organization may need to conduct multiple analyses to consider various scenarios. Once the Business
Impact Analysis (BIA) phase is complete, the organization should determine its recovery strategies. If a given
situation occurs, how will it recover? Based on the BIA and the recovery strategies, the organization can then
develop the BC plan. And, finally, as with the Incident Response plan we discussed previously, the organization
should test the BC plan and conduct exercises that allow each person involved to understand their role and
consider the way they need to respond in the event of a real disruption. Lessons learned during an exercise can
be funneled into the BC plan to improve it.

Business Impact Analysis

Ready.gov also provides a useful outline of how an organization should conduct a Business Impact Analysis. A
BIA incorporates many ideas that we'll also talk about in our section on risk management. In both cases, it is
important to identify your assets and assess their value to properly consider the impact of their loss or
degradation. In addition to that, the key things the organization should consider are:

• Types of Events - What types of events would most disrupt the business? Consider damage to
facilities, supply chain disruptions, system outages, loss of personnel, etc.
• Types of Impact - Given the various event scenarios, what would be the impact? How would the
organization be affected financially? What would be the effect on the organization's reputation? What
are the regulatory implications?
• Timing and Duration - What would be the worst time and/or length of time for an event to occur and
how would that impact the business? For example, a retail store would be severely affected if an event
were to coincide with a major holiday shopping period. Or, for an airline, the temporary grounding of
an aircraft type will have a greater impact the longer the aircraft are not able to fly. Organizations
should consider the worst-case scenario and determine how they would react. Would they be ready to
react?

The organization can use a questionnaire to gather this type of information and have different business units
perform the analysis at a granular level. The next step is to create a BIA report. The report should list the
potential impacts and rank them according to their severity for the business. It should also compare the costs
of the impacts to the costs for possible recovery strategies. Finally, it should provide a prioritized list of
recovery strategies, putting those related to the highest operational and financial impacts first.
Backups and Failovers: The infrastructure and processes to back up critical data and fail over to another
system if one system goes down should be in place before an incident occurs. Then, the act of restoring from a
backup or failing over to a reserve system happens as part of Disaster Recovery. In cybersecurity, the need to
regularly back up your data has become increasingly important as companies have fallen victim to ransomware
attacks where threat actors steal critical data and prevent organizations from being able to operate.

Disaster Recovery

There are a lot of similarities between Incident Response, Business Continuity, and Disaster Recovery. In this
lesson, we'll try to call out a few things that make planning for Disaster Recovery different.

A key element is the degree to which you need to use your imagination. You really need to consider the worst-
case scenarios and how you would deal with them. It can be hard to imagine that you could lose facilities,
power, communications, data, supplies, and worst of all, people. Rather than having to merely keep operations
running, you are going to possibly need to rebuild your operations. You will need to account for things like
alternate sites, alternate means of communication, and backup systems that you can fail over to. You may need
to re-route shipping and/or establish new supply chains. You also may need to be concerned about rescuing
personnel, giving them housing, and providing them with a means of transportation.

A couple of key items that should be defined in a DR plan are the RTO and RPO (described below). Because they
are set in advance, these parameters let you judge how much damage a given disaster has caused or is causing
against what you planned for.
• Recovery Time Objective (RTO) - This is the maximum amount of time that the organization has
assessed that it can afford to wait for IT systems to come back online after a disaster strikes. Another
way of looking at this is that it is the amount of time in which you need to restore systems after a
disaster to avoid an unacceptable situation for the business.
• Recovery Point Objective (RPO) - This is the maximum amount of data that the organization can
afford to lose in a disaster before it becomes severely damaging to the business. Another way of
looking at this is that it relates to how often you should create backups of your data because if a
disaster should hit between backups, this would be the amount of data you would lose. Perhaps your
backups are created every five hours. If you were to lose five hours of data, would that be acceptable
for your business or would that be too great of a loss? When you are planning for a disaster, you need
to assess this and make changes to your backup processes accordingly.
Governance, Risk, & Compliance

Governance

Governance has to do with how an organization behaves. Does it follow the laws, rules, standards, and
regulations that it should? How does it govern itself and keep itself in check? In the context of cybersecurity,
governance means how the organization manages, protects, and makes decisions about information security.

Governance can fall into two broad categories: legal or legislation (where we must abide by the law)
and corporate governance (where we must abide by our industry's standards and policies). Earlier in the
course, we talked about security controls, and those largely fall into this second bucket of corporate
governance. Some standards and policies are not mandated by law, but to operate in each industry, you need
to follow them.
Risk Management
An organization faces many risks, such as disruptions to productivity, loss of revenue, data breach, or damage
to one's reputation. With so much of our business happening in a digital context today, cybersecurity risks have
become a major focus in risk management. Risk is inherent in almost everything we do.

The first step in risk management is to consider your assets. Your assets are those things of value that you
would be upset to lose or have damaged. In information security, the assets we are mainly talking about are
information and data and, by extension, the systems and databases where we use and store our data. We need to
assess the value of these assets and prioritize them according to their value.

Next, we want to consider the threats and vulnerabilities associated with our assets. We considered various
threats when we talked about incident management, business continuity, and disaster recovery. We also talked
about doing a Business Impact Analysis, where we need to consider the impact we could face when we
encounter a threat.

After considering threats and impact, we want to evaluate the likelihood that something bad could happen to
our assets. If we have a data center in a flood zone, for example, we need to consider the likelihood that
flooding could affect that data center. In response to that risk, what should we do? Should we set up a back-up
data center on higher ground? Should we move to the cloud and let a cloud provider worry about the data
center? You may do this assessment in a qualitative way, using knowledge and experience to determine
probability. Or you may do a quantitative risk assessment, which involves using objective, measurable data to
assess the risk.

All these elements (assets, threats/vulnerabilities, impact, likelihood, and assessment) make up the core of
risk management.

A key idea here is that we cannot eliminate risk. And we cannot ignore risk. We need a strategy to manage it.
Once you decide on the response you want to take, you need to document your decision-making process.
Compliance
Compliance is a fairly involved concept in my mind. On the surface, it is just about an organization's adherence
to the various laws, standards, regulations, and policies it is required to follow. On the other hand, it also
invokes the ideas of being transparent about whether you follow these things, as well as proving that you
follow these things. In the field of GRC, compliance is sort of where the rubber meets the road because
organizations can claim they behave appropriately, and they can claim they manage risk, but compliance is
where they prove that they do these things.

Be Familiar with These

As a cybersecurity professional, you may not need to know every detail about these laws and regulations;
however, it is important to be aware of them. Most of them have to do with privacy and security of
information, essentially how we handle data. So, you may recall back in our module on Security Operations, we
talked a lot about how we handle data and keep it secure. We also said that we want clients and partners to
know that we take care to keep data secure in the way that we store it, transmit it, and even how we destroy it.
We also talked about how we may have to follow certain rules around how long we keep data. These laws,
regulations, and standards dictate a lot of the rules we must abide by, and cybersecurity is a big part of making
that happen. We've mentioned some of these before, so this is also a bit of a review.
• Family Educational Rights and Privacy Act (FERPA) - This act regulates the handling and privacy of
student education records.
• General Data Protection Regulation (GDPR) - This regulation governs data protection and privacy for
people in the European Union (EU). Importantly, it applies to any company that handles the protected
data of people who are in the EU, even if the company itself is not located in the EU.
• Gramm-Leach-Bliley Act (GLBA) - This act applies to financial institutions and regulates the privacy of
customer financial information.
• Health Insurance Portability and Accountability Act (HIPAA) - This act regulates the handling and
privacy of protected health information.
• ISO/IEC 27001 - This standard specifies how organizations should manage information security.
• Payment Card Industry Data Security Standard (PCI DSS) - This standard applies to any organization
that handles branded credit cards. If you use credit cards, you benefit from the protection this
standard provides to ensure your cardholder data is securely processed, stored, and transmitted by
retailers and other merchants.
• Sarbanes-Oxley Act (SOX) - This act applies to any publicly traded company and regulates the financial
reporting activities of such companies.
Knowledge Check
1. You are a network administrator for your company, and your security team just alerted you to the
fact that a cyber-attack has caused all services to go down and customers cannot access your
company's platform. What key aspect of information assurance has been jeopardized in this
situation? ----Availability

2. This concept describes the strategy of protecting a network at multiple levels and layers instead of
just at the perimeter. ----Defense In Depth

3. Protecting this aspect of your data is important to ensure only those who are authorized can
access it. ----Confidentiality

4. During a cyber-attack, threat actors have gained access to your system and updated access control
files to gain persistence so they can log back in whenever they want. By altering these access files in
this way, they have violated what aspect of your network? ----Integrity

5. This layer of the OSI model is the closest one to where humans interact with the network. ----
Application

6. The OSI Model can be applied to any network, regardless of the technology stack being used. ----
YES

7. This network device connects two or more networks, and you likely have one as part of your home
network. ----router

8. You are working as a network administrator and your company recently moved into a new
building. Today, your task is to connect multiple nodes to the same local area network in your
building and to make sure certain network traffic is sent to certain nodes. What is the main device
you will use to do this? ----switch?

9. This layer of the OSI Model is concerned with the formatting and translation of data, and it's also
where most of the encryption occurs. ----presentation layer

10. Which port is used for both SSH and SFTP? ----22

11. We talked a lot about some secure protocols for transferring files, but what is the insecure
protocol used to transfer files? ----FTP

12. Which protocol provides directory assistance when you need to look up a user's details or find
the local printer on your network? ----LDAP

13. When you navigate to your favourite web site for buying garden gnomes, which protocol is being
used to translate www.bestgnomes.com into the actual network address of that store's server? ----
DNS

14. After you've found the garden gnome you want to buy, you'll probably want to check whether
the web site is using the HTTPS protocol to ensure your transaction will be secure. Assuming it is
HTTPS, what port will it be using? ----443
15. This type of tool detects and responds to malware that affects endpoint devices. ----EDR

16. What is the term for partitioning the network in such a way that it is easier to protect the
sensitive data in each part? ---- Segmentation

17. You are working as a network administrator, and your boss has asked you to set up a buffer
between the main network and the internet that has a firewall on either side. What is the term for
this part of a network architecture? ----DMZ

18. When considering the type of cloud deployment model you need, which one would you choose
if you needed the provider to handle most of the services? ----SaaS

19. The three types of controls we identified in this lesson include logical/technical, administrative,
and what other type of control? ----Physical

20. The principle of __________ is meant to ensure that people are only granted the minimum
amount of access they need to perform their job. ---- Least privilege

21. A drawback of logical/technical controls is ----They can slow down performance.

22. This type of "creep" is one of the risks associated with User Life Cycle Management. ---- privilege

23. ___________ Access Control is the access control model where a centralized group controls
access to an asset. ----Mandatory

24. This is the process of validating that an identity being claimed by a user is known to the system
and verifying what access that person should have. ---- Authorization

25. An indicator of __________ helps a security analyst take note of an anomaly in the data that
might indicate a network intrusion. ----Compromise

26. Jane is working with her IT department to answer questionnaires from clients about how her
company, Fair Winds Consulting, handles client data. The top concerns of clients likely include which
of the following? ---- How client data is stored, how long client data is retained, how client data is
destroyed

27. Green Leaf Travel Agency has an extensive client base in the European Union. Which of the
following standards or regulations are they likely to be most concerned about? ----GDPR

28. Symmetric encryption is fast and strong, and asymmetric encryption is overcoming problems with
______ distribution. ----Key

29. If you are using asymmetric encryption to send a message to Mike, you will need one of Mike's
keys to encrypt it. Which type of key do you need? ----Public

30. If you use a hashing algorithm to obtain the hash for a file, you can use the same hashing
algorithm to decrypt it. ---- False/No

31. Which pillar of the CIA Triad does hashing support the most? ----Integrity
32. This is an occurrence in which the confidentiality, integrity, or availability of a network or system
is jeopardized. ---- Incident

33. This term refers to a vulnerability that has not been previously registered or recognized; as such,
most teams are likely not prepared for it. ---- Zero-day

34. During which stage of the Incident Response Life Cycle should you document lessons learned and
feed those back into your plan? ---- Post-incident Activity

35. You are Incident Manager for your organization, and you are 6 hours into responding to a
possible breach. You provided an update to your leadership an hour ago, and your boss is expecting
another update in five minutes. However, nothing has changed, and you aren't sure whether you
should bother your boss during this hectic time. What should you do? ----Have the call anyway, as it
is important to provide frequent updates even if nothing has changed.

36. In addition to assessing the types of events that could occur and the timing and duration that
could most affect your operations, you should identify the types of _________. ---- Impact

37. You have been given the task to lead business continuity planning for your organization. What is
the first step you should take? ----Conduct a Business Impact Analysis

38. Which of the following actions might be taken as part of a disaster recovery plan? ----Restoring
from backups

39. As part of your organization's Disaster Recovery Plan, you want to use an automated call tree
service to reach out to key personnel in the event of a disaster. In addition to availability, which
aspect of the CIA Triad will you be most concerned about, given that it will incorporate sensitive
contact information? ---- confidentiality.

40. A tornado has destroyed your company's headquarters building, and employees are not set up to
work from home. Which of the following items in your DR plan do you need to communicate out to
them? ---- The alternate site location

41. The IT team at Humphrey, Madison, and Couch, an HR consulting firm, has determined that it
needs to configure data backups to occur more frequently based on this parameter that is defined in
the company's DR plan. ----RPO (Recovery Point Objective)

42. Your company is having an "all hands" meeting next week to discuss some new information
security policies that the IT team will be implementing. These policies describe what the company
needs to do and why. Who would normally dictate these policies? ---- Corporate leadership

43. After the "all hands" meeting, business units will meet to discuss new __________ that define
how to implement the new policies. ---- procedures

44. Jack has put together a risk assessment that he will deliver to company leadership. In the report,
he plans to identify the remaining level of risk that the organization will face after it implements key
security controls. This is called _________ risk. ---- residual
45. Amir is conducting a risk assessment based on his organization's cybersecurity posture and has
decided to recommend the purchase of ransomware insurance. Which type of risk response is he
advocating for? ---- Share/Transfer

46. Sally is extremely meticulous and finds cybersecurity policies fascinating. She thinks she might
like a job where she would evaluate whether companies are compliant with cybersecurity and
information systems standards. What job role should she consider pursuing? ----auditor

47. Strong Life Health Insurance provides an online portal where clients can access their medical and
health insurance information. It must be sure to stay compliant with which of the following laws
related to protecting health information? ---- HIPAA
