Cyber Security 6

Monday, September 16, 2024 12:02 PM

Overview of tcpdump
As a security analyst, you’ll use network protocol analyzers to help defend against any network
intrusions. Previously, you learned the following terms related to network monitoring and analysis:
• A network protocol analyzer (packet sniffer) is a tool designed to capture and analyze data traffic
within a network.
• Packet sniffing is the practice of capturing and inspecting data packets across a network.
In this reading, you'll learn more about tcpdump, a network protocol analyzer that can be used to
capture and view network communications.
What is tcpdump?
Tcpdump is a command-line network protocol analyzer. Recall that a command-line interface
(CLI) is a text-based user interface that uses commands to interact with the computer.
Tcpdump is used to capture network traffic. This traffic can be saved to a packet capture (p-cap),
which is a file containing data packets intercepted from an interface or network. The p-cap file can
be accessed, analyzed, or shared at a later time. Analysts use tcpdump for a variety of reasons,
from troubleshooting network issues to identifying malicious activity. Tcpdump comes pre-installed in
many Linux distributions and can also be installed on other Unix-based operating systems such as
macOS®.
Note: It's common for network traffic to be encrypted, which means data is encoded and unreadable.
Inspecting the network packets might require decrypting the data using the appropriate private keys.
Capturing packets with tcpdump
Previously in this program, you learned that a Linux root user (or superuser) has elevated
privileges to modify the system. You also learned that the sudo command temporarily grants
elevated permissions to specific users in Linux. Like many other packet sniffing tools, you’ll need to
have administrator-level privileges to capture network traffic using tcpdump. This means you will
need to either be logged in as the root user or have the ability to use the sudo command. Here is a
breakdown of the tcpdump syntax for capturing packets:
sudo tcpdump [-i int erface] [opti on( s)] [expr essi on( s)]
• The sudo tcpdump command begins running tcpdump using elevated permissions as sudo.
• The -i parameter specifies the network interface to capture network traffic. You must specify a
network interface to capture from to begin capturing packets. For example, if you specify -i any you’ll
sniff traffic from all network interfaces on the system.
• The opti on( s) are optional and provide you with the ability to alter the execution of the command.
The expr essi on( s) are a way to further filter network traffic packets so that you can isolate network
traffic. You’ll learn more about opti on( s) and expr essi on( s) in the next section.
Note: Before you can begin capturing network traffic, you must identify which network interface you'll
want to use to capture packets from. You can use the - D flag to list the network interfaces available
on a system.
Options
With tcpdump, you can apply options, also known as flags, to the end of commands to filter network
traffic. Short options are abbreviated and represented by a hyphen and a single character like -i .
Long options are spelled out using a double hyphen like --int erface. Tcpdump has over fifty options
that you can explore using the manual page. Here, you’ll examine a couple of essential tcpdump
options including how to write and read packet capture files.
Note: Options are case sensitive. For example, a lowercase - w is a separate option with a different
use than the option with an uppercase - W.
Note: tcpdump options that are written using short options can be written with or without a space
between the option and its value. For example, sudo tcpdump -i any -c 3 and sudo tcpdump -iany -
c3 are equivalent commands.
-w
Using the - w flag, you can write or save the sniffed network packets to a packet capture file instead
of just printing it out in the terminal. This is very useful because you can refer to this saved file for
later analysis. In this command, tcpdump is capturing network traffic from all network interfaces and

Quick Notes Page 1

later analysis. In this command, tcpdump is capturing network traffic from all network interfaces and
saving it to a packet capture file named packet capt ur e. pcap:
sudo tcpdump -i any -w packet capt ur e. pcap
-r
Using the - r flag, you can read a packet capture file by specifying the file name as a parameter. Here
is an example of a tcpdump command that reads a file called packet capt ur e. pcap :
sudo tcpdump -r packet capt ur e. pcap
-v
As you’ve learned, packets contain a lot of information. By default, tcpdump will not print out all of a
packet's information. This option, which stands for verbose, lets you control how much packet
information you want tcpdump to print out.
There are three levels of verbosity you can use depending on how much packet information you
want tcpdump to print out. The levels are - v, - vv, and - vvv. The level of verbosity increases with
each added v. The verbose option can be helpful if you’re looking for packet information like the
details of a packet’s IP header fields. Here’s an example of a tcpdump command that reads the
packet capt ur e. pcap file with verbosity:
sudo tcpdump -r packet capt ur e. pcap -v
-c
The - c option stands for count. This option lets you control how many packets tcpdump will capture.
For example, specifying - c 1 will only print out one single packet, whereas - c 10 prints out 10
packets. This example is telling tcpdump to only capture the first three packets it sniffs from any
network interface:
sudo tcpdump -i any -c 3
-n
By default, tcpdump will perform name resolution. This means that tcpdump automatically converts
IP addresses to names. It will also resolve ports to commonly associated services that use these
ports. This can be problematic because tcpdump isn’t always accurate in name resolution. For
example, tcpdump can capture traffic from port 80 and automatically translates port 80 to HTTP in
the output. However, this is misleading because port 80 isn’t always going to be using HTTP; it could
be using a different protocol.
Additionally, name resolution uses what’s known as a reverse DNS lookup. A reverse DNS lookup is
a query that looks for the domain name associated with an IP address. If you perform a reverse DNS
lookup on an attacker’s system, they might be alerted that you are investigating them through their
DNS records.
Using the - n flag disables this automatic mapping of numbers to names and is considered to be best
practice when sniffing or analyzing traffic. Using - n will not resolve hostnames, whereas - nn will not
resolve both hostnames or ports. Here’s an example of a tcpdump command that reads the
packet capt ur e. pcap file with verbosity and disables name resolution:
sudo tcpdump -r packet capt ur e. pcap -v -n
Pro tip: You can combine options together. For example, - v and - n can be combined as - vn. But, if
an option accepts a parameter right after it like - c 1 or - r capt ur e. pcap then you can’t combine other
options to it.
Expressions
Using filter expressions in tcpdump commands is also optional, but knowing how and when to use
filter expressions can be helpful during packet analysis. There are many ways to use filter
expressions.
If you want to specifically search for network traffic by protocol, you can use filter expressions to
isolate network packets. For example, you can filter to find only IPv6 traffic using the filter expression
ip6 .
You can also use boolean operators like and, or , or not to further filter network traffic for specific IP
addresses, ports, and more. The example below reads the packet capt ur e. pcap file and combines
two expressions i p and port 80 using the and boolean operator:
sudo tcpdump -r packet capt ur e. pcap -n 'ip and port 80'
Pro tip: You can use single or double quotes to ensure that tcpdump executes all of the
expressions. You can also use parentheses to group and prioritize different expressions. Grouping
expressions is helpful for complex or lengthy commands. For example, the command i p and (port 80
or port 443) tells tcpdump to prioritize executing the filters enclosed in the parentheses before
filtering for IPv4.
Interpreting output
Quick Notes Page 2
 Interpreting output
Once you run a command to capture packets, tcpdump will print the output of the command as the
sniffed packets. In the output, tcpdump prints one line of text for each packet with each line
beginning with a timestamp. Here’s an example of a command and output for a single TCP packet:
sudo tcpdump -i any -v -c 1
This command tells tcpdump to capture packets on -i any network interface. The option - v prints out
the packet with detailed information and the option - c 1 prints out only one packet. Here is the output
of this command:

1. Timestamp: The output begins with the timestamp, which starts with hours, minutes, seconds, and
fractions of a second.
2. Source IP: The packet’s origin is provided by its source IP address.
3. Source port: This port number is where the packet originated.
4. Destination IP: The destination IP address is where the packet is being transmitted to.
5. Destination port: This port number is where the packet is being transmitted to.
The remaining output contains details of the TCP connection including flags and sequence number.
The opti ons information is additional packet information that the - v option has provided.
Key takeaways
In security, you’ll likely encounter using network protocol analyzer tools like tcpdump. It’s important
to be equipped with the knowledge of capturing, filtering, and interpreting network packets on the
command line.
Resources for more information
• Learn more with tcpdump's tutorials and guides, which includes additional educational
resources.
• Learn more about using expressions to filter traffic with this tcpdump tutorial by Daniel
Miessler.

From <https://www.coursera.org/learn/detection-and-response/supplement/sfQGY/overview-of-tcpdump>

Glossary terms from module 2

Terms and definitions from Course 6, Module 2
Command and control (C2): The techniques used by malicious actors to maintain communications
with compromised systems
Command-line interface (CLI): A text-based user interface that uses commands to interact with the
computer
Data exfiltration: Unauthorized transmission of data from a system
Data packet: A basic unit of information that travels from one device to another within a network
Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security
incident
Internet Protocol (IP): A set of standards used for routing and addressing data packets as they
travel between devices on a network
Intrusion detection systems (IDS): An application that monitors system activity and alerts on
possible intrusions
Media Access Control (MAC) Address: A unique alphanumeric identifier that is assigned to each
physical device on a network
National Institute of Standards and Technology (NIST) Incident Response Lifecycle: A
framework for incident response consisting of four phases: Preparation; Detection and Analysis;
Containment, Eradication and Recovery; and Post-incident activity
Network data: The data that’s transmitted between devices on a network
Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic
within a network

Quick Notes Page 3

 within a network
Network traffic: The amount of data that moves across a network
Network Interface Card (NIC): Hardware that connects computers to a network
Packet capture (p-cap): A file containing data packets intercepted from an interface or network
Packet sniffing: The practice of capturing and inspecting data packets across a network
Playbook: A manual that provides details about any operational action
Root user (or superuser): A user with elevated privileges to modify the system
Sudo: A command that temporarily grants elevated permissions to specific users
Cybersecurity incident detection methods
Security analysts use detection tools to help them discover threats, but there are additional methods
of detection that can be used as well.
Previously, you learned about how detection tools can identify attacks like data exfiltration. In this
reading, you’ll be introduced to different detection methods that organizations can employ to
discover threats.
Methods of detection
During the Detection and Analysis Phase of the incident response lifecycle, security teams are
notified of a possible incident and work to investigate and verify the incident by collecting and
analyzing data. As a reminder, detection refers to the prompt discovery of security events and
analysis involves the investigation and validation of alerts.
As you’ve learned, an intrusion detection system (IDS) can detect possible intrusions and send out
alerts to security analysts to investigate the suspicious activity. Security analysts can also use
security information and event management (SIEM) tools to detect, collect, and analyze security
data.
You’ve also learned that there are challenges with detection. Even the best security teams can fail to
detect real threats for a variety of reasons. For example, detection tools can only detect what
security teams configure them to monitor. If they aren’t properly configured, they can fail to detect
suspicious activity, leaving systems vulnerable to attack. It’s important for security teams to use
additional methods of detection to increase their coverage and accuracy.
Threat hunting
Threats evolve and attackers advance their tactics and techniques. Automated, technology-driven
detection can be limited in keeping up to date with the evolving threat landscape. Human-driven
detection like threat hunting combines the power of technology with a human element to discover
hidden threats left undetected by detection tools.
Threat hunting is the proactive search for threats on a network. Security professionals use threat
hunting to uncover malicious activity that was not identified by detection tools and as a way to do
further analysis on detections. Threat hunting is also used to detect threats before they cause
damage. For example, fileless malware is difficult for detection tools to identify. It’s a form of
malware that uses sophisticated evasion techniques such as hiding in memory instead of using files
or applications, allowing it to bypass traditional methods of detection like signature analysis. With
threat hunting, the combination of active human analysis and technology is used to identify threats
like fileless malware.
Note: Threat hunting specialists are known as threat hunters. Threat hunters perform research on
emerging threats and attacks and then determine the probability of an organization being vulnerable
to a particular attack. Threat hunters use a combination of threat intelligence, indicators of
compromise, indicators of attack, and machine learning to search for threats in an organization.
Threat intelligence
Organizations can improve their detection capabilities by staying updated on the evolving threat
landscape and understanding the relationship between their environment and malicious actors. One
way to understand threats is by using threat intelligence, which is evidence-based threat
information that provides context about existing or emerging threats.
Threat intelligence can come from private or public sources like:
• Industry reports: These often include details about attacker's tactics, techniques, and procedures
(TTP).
• Government advisories: Similar to industry reports, government advisories include details about
attackers' TTP.
• Threat data feeds: Threat data feeds provide a stream of threat-related data that can be used to
help protect against sophisticated attackers like advanced persistent threats (APTs). APTs are
instances when a threat actor maintains unauthorized access to a system for an extended period of
time. The data is usually a list of indicators like IP addresses, domains, and file hashes.

Quick Notes Page 4

time. The data is usually a list of indicators like IP addresses, domains, and file hashes.
It can be difficult for organizations to efficiently manage large volumes of threat intelligence.
Organizations can leverage a threat intelligence platform (TIP) which is an application that collects,
centralizes, and analyzes threat intelligence from different sources. TIPs provide a centralized
platform for organizations to identify and prioritize relevant threats and improve their security
posture.
Note: Threat intelligence data feeds are best used to add context to detections. They should not
drive detections completely and should be assessed before applied to an organization.
Cyber deception
Cyber deception involves techniques that deliberately deceive malicious actors with the goal of
increasing detection and improving defensive strategies.
Honeypots are an example of an active cyber defense mechanism that uses deception technology.
Honeypots are systems or resources that are created as decoys vulnerable to attacks with the
purpose of attracting potential intruders. For example, having a fake file labeled Client Credit Card
Information - 2022 can be used to capture the activity of malicious actors by tricking them into
accessing the file because it appears to be legitimate. Once a malicious actor tries to access this file,
security teams are alerted.
Key takeaways
Various detection methods can be implemented to identify and locate security events in an
environment. It’s essential for organizations to use a variety of detection methods, tools, and
technologies to adapt to the ever evolving threat landscape and better protect assets.
Resources for more information
If you would like to explore more on threat hunting and threat intelligence, here are some resources:
• An informational repository about threat hunting from The ThreatHunting Project
• Research on state-sponsored hackers from Threat Analysis Group (TAG)

From <https://www.coursera.org/learn/detection-and-response/supplement/ackUr/cybersecurity-incident-detection-
methods>

tcpdump: A command-line network protocol analyzer

Wireshark: An open-source network protocol analyzer

From <https://www.coursera.org/learn/detection-and-response/supplement/KZ5eB/glossary-terms-from-module-2>

Indicators of compromise
In this reading, you’ll be introduced to the concept of the Pyramid of Pain and you'll explore
examples of the different types of indicators of compromise. Understanding and applying this
concept helps organizations improve their defense and reduces the damage an incident can cause.
Indicators of compromise
Indicators of compromise (IoCs) are observable evidence that suggests signs of a potential
security incident. IoCs chart specific pieces of evidence that are associated with an attack, like a file
name associated with a type of malware. You can think of an IoC as evidence that points to
something that's already happened, like noticing that a valuable has been stolen from inside of a
car.
Indicators of attack (IoA) are the series of observed events that indicate a real-time incident. IoAs
focus on identifying the behavioral evidence of an attacker, including their methods and intentions.
Essentially, IoCs help to identify the who and what of an attack after it's taken place, while IoAs
focus on finding the why and how of an ongoing or unknown attack. For example, observing a
process that makes a network connection is an example of an IoA. The filename of the process and
the IP address that the process contacted are examples of the related IoCs.
Note: Indicators of compromise are not always a confirmation that a security incident has happened.
IoCs may be the result of human error, system malfunctions, and other reasons not related to
security.
Pyramid of Pain
Not all indicators of compromise are equal in the value they provide to security teams. It’s important
for security professionals to understand the different types of indicators of compromise so that they
can quickly and effectively detect and respond to them. This is why security researcher David J.

Quick Notes Page 5

 can quickly and effectively detect and respond to them. This is why security researcher David J.
Bianco created the concept of the Pyramid of Pain, with the goal of improving how indicators of
compromise are used in incident detection.

The Pyramid of Pain captures the relationship between indicators of compromise and the level of
difficulty that malicious actors experience when indicators of compromise are blocked by security
teams. It lists the different types of indicators of compromise that security professionals use to
identify malicious activity.
Each type of indicator of compromise is separated into levels of difficulty. These levels represent the
“pain” levels that an attacker faces when security teams block the activity associated with the
indicator of compromise. For example, blocking an IP address associated with a malicious actor is
labeled as easy because malicious actors can easily use different IP addresses to work around this
and continue with their malicious efforts. If security teams are able to block the IoCs located at the
top of the pyramid, the more difficult it becomes for attackers to continue their attacks. Here’s a
breakdown of the different types of indicators of compromise found in the Pyramid of Pain.
6. Hash values: Hashes that correspond to known malicious files. These are often used to provide
unique references to specific samples of malware or to files involved in an intrusion.
7. IP addresses: An internet protocol address like 192.168.1.1
8. Domain names: A web address such as www.google.com
9. Network artifacts: Observable evidence created by malicious actors on a network. For example,
information found in network protocols such as User-Agent strings.
10. Host artifacts: Observable evidence created by malicious actors on a host. A host is any device
that’s connected on a network. For example, the name of a file created by malware.
11. Tools: Software that’s used by a malicious actor to achieve their goal. For example, attackers can
use password cracking tools like John the Ripper to perform password attacks to gain access into an
account.
12. Tactics, techniques, and procedures (TTPs): This is the behavior of a malicious actor. Tactics
refer to the high-level overview of the behavior. Techniques provide detailed descriptions of the
behavior relating to the tactic. Procedures are highly detailed descriptions of the technique. TTPs are
the hardest to detect.
Key takeaways
Indicators of compromise and indicators of attack are valuable sources of information for security
professionals when it comes to detecting incidents. The Pyramid of Pain is a concept that can be
used to understand the different types of indicators of compromise and the value they have in
detecting and stopping malicious activity.

From <https://www.coursera.org/learn/detection-and-response/supplement/xQCqL/indicators-of-compromise>

Analyze indicators of compromise with

investigative tools
So far, you've learned about the different types of detection methods that can be used to detect
security incidents. This reading explores how investigative tools can be used during investigations to

Quick Notes Page 6

security incidents. This reading explores how investigative tools can be used during investigations to
analyze suspicious indicators of compromise (IoCs) and build context around alerts. Remember,
an IoC is observable evidence that suggests signs of a potential security incident.
Adding context to investigations
You've learned about the Pyramid of Pain which describes the relationship between indicators of
compromise and the level of difficulty that malicious actors experience when indicators of
compromise are blocked by security teams. You also learned about different types of IoCs, but as
you know, not all IoCs are equal. Malicious actors can manage to evade detection and continue
compromising systems despite having their IoC-related activity blocked or limited.
For example, identifying and blocking a single IP address associated with malicious activity does not
provide a broader insight on an attack, nor does it stop a malicious actor from continuing their
activity. Focusing on a single piece of evidence is like fixating on a single section of a painting: You
miss out on the bigger picture.

Security analysts need a way to expand the use of IoCs so that they can add context to alerts.
Threat intelligence is evidence-based threat information that provides context about existing or
emerging threats. By accessing additional information related to IoCs, security analysts can expand
their viewpoint to observe the bigger picture and construct a narrative that helps inform their
response actions.

By adding context to an IoC—for instance, identifying other artifacts related to the suspicious IP address,
such as suspicious network communications or unusual processes—security teams can start to develop a
detailed picture of a security incident. This context can help security teams detect security incidents faster
and take a more informed approach in their response.
The power of crowdsourcing
Quick Notes Page 7
The power of crowdsourcing
Crowdsourcing is the practice of gathering information using public input and collaboration. Threat
intelligence platforms use crowdsourcing to collect information from the global cybersecurity
community. Traditionally, an organization's response to incidents was performed in isolation. A
security team would receive and analyze an alert, and then work to remediate it without additional
insights on how to approach it. Without crowdsourcing, attackers can perform the same attacks
against multiple organizations.

With crowdsourcing, organizations harness the knowledge of millions of other cybersecurity

professionals, including cybersecurity product vendors, government agencies, cloud providers, and
more. Crowdsourcing allows people and organizations from the global cybersecurity community to
openly share and access a collection of threat intelligence data, which helps to continuously improve
detection technologies and methodologies.
Examples of information-sharing organizations include Information Sharing and Analysis Centers
(ISACs), which focus on collecting and sharing sector-specific threat intelligence to companies within
specific industries like energy, healthcare, and others. Open-source intelligence (OSINT) is the
collection and analysis of information from publicly available sources to generate usable intelligence.
OSINT can also be used as a method to gather information related to threat actors, threats,
vulnerabilities, and more.
This threat intelligence data is used to improve the detection methods and techniques of security
products, like detection tools or anti-virus software. For example, attackers often perform the same
attacks on multiple targets with the hope that one of them will be successful. Once an organization
detects an attack, they can immediately publish the attack details, such as malicious files, IP
addresses, or URLs, to tools like VirusTotal. This threat intelligence can then help other
organizations defend against the same attack.

Quick Notes Page 8

VirusTotal
VirusTotal is a service that allows anyone to analyze suspicious files, domains, URLs, and IP
addresses for malicious content. VirusTotal also offers additional services and tools for enterprise
use. This reading focuses on the VirusTotal website, which is available for free and non-commercial
use.
It can be used to analyze suspicious files, IP addresses, domains, and URLs to detect cybersecurity
threats such as malware. Users can submit and check artifacts, like file hashes or IP addresses, to
get VirusTotal reports, which provide additional information on whether an IoC is considered
malicious or not, how that IoC is connected or related to other IoCs in the dataset, and more.

Here is a breakdown of the reports summary:

Quick Notes Page 9

13. Detection: The Detection tab provides a list of third-party security vendors and their detection
verdicts on an IoC. For example, vendors can list their detection verdict as malicious, suspicious,
unsafe, and more.
14. Details: The Details tab provides additional information extracted from a static analysis of the IoC.
Information such as different hashes, file types, file sizes, headers, creation time, and first and last
submission information can all be found in this tab.
15. Relations: The Relations tab provides related IoCs that are somehow connected to an artifact, such
as contacted URLs, domains, IP addresses, and dropped files if the artifact is an executable.
16. Behavior: The Behavior tab contains information related to the observed activity and behaviors of
an artifact after executing it in a controlled or sandboxed environment. This information includes
tactics and techniques detected, network communications, registry and file systems actions,
processes, and more.
17. Community: The Community tab is where members of the VirusTotal community, such as security
professionals or researchers, can leave comments and insights about the IoC.
18. Vendors’ ratio and community score: The score displayed at the top of the report is the vendors’
ratio. The vendors’ ratio shows how many security vendors have flagged the IoC as malicious
overall. Below this score, there is also the community score, based on the inputs of the VirusTotal
community. The more detections a file has and the higher its community score is, the more likely that
the file is malicious.
Note: Data uploaded to VirusTotal will be publicly shared with the entire VirusTotal community. Be
careful of what you submit, and make sure you do not upload personal information.
Other tools
There are other investigative tools that can be used to analyze IoCs. These tools can also share the
data that's uploaded to them to the security community.
Jotti malware scan
Jotti's malware scan is a free service that lets you scan suspicious files with several antivirus
programs. There are some limitations to the number of files that you can submit.
Urlscan.io
Urlscan.io is a free service that scans and analyzes URLs and provides a detailed report
summarizing the URL information.
MalwareBazaar
MalwareBazaar is a free repository for malware samples. Malware samples are a great source of
threat intelligence that can be used for research purposes.
Key takeaways
As a security analyst, you'll analyze IoCs. It's important to understand how adding context to
investigations can help improve detection capabilities and make informed and effective decisions.

From <https://www.coursera.org/learn/detection-and-response/supplement/ZkXDx/analyze-indicators-of-compromise-with-
investigative-tools>

Quick Notes Page 10

 investigative-tools>

Best practices for effective documentation

Documentation is any form of recorded content that is used for a specific purpose, and it is
essential in the field of security. Security teams use documentation to support investigations,
complete tasks, and communicate findings. This reading explores the benefits of documentation and
provides you with a list of common practices to help you create effective documentation in your
security career.
Documentation benefits
You’ve already learned about many types of security documentation, including playbooks, final
reports, and more. As you’ve also learned, effective documentation has three benefits:
19. Transparency
20. Standardization
21. Clarity
Transparency
In security, transparency is critical for demonstrating compliance with regulations and internal
processes, meeting insurance requirements, and for legal proceedings. Chain of custody is the
process of documenting evidence possession and control during an incident lifecycle. Chain of
custody is an example of how documentation produces transparency and an audit trail.
Standardization
Standardization through repeatable processes and procedures supports continuous improvement
efforts, helps with knowledge transfer, and facilitates the onboarding of new team members.
Standards are references that inform how to set policies.
You have learned how NIST provides various security frameworks that are used to improve security
measures. Likewise, organizations set up their own standards to meet their business needs. An
example of documentation that establishes standardization is an incident response plan, which is
a document that outlines the procedures to take in each step of incident response. Incident response
plans standardize an organization’s response process by outlining procedures in advance of an
incident. By documenting an organization’s incident response plan, you create a standard that
people follow, maintaining consistency with repeatable processes and procedures.
Clarity
Ideally, all documentation provides clarity to its audience. Clear documentation helps people quickly
access the information they need so they can take necessary action. Security analysts are required
to document the reasoning behind any action they take so that it’s clear to their team why an alert
was escalated or closed.
Best practices
As a security professional, you’ll need to apply documentation best practices in your career. Here
are some general guidelines to remember:
Know your audience
Before you start creating documentation, consider your audience and their needs. For instance, an
incident summary written for a security operations center (SOC) manager will be written differently
than one that's drafted for a chief executive officer (CEO). The SOC manager can understand
technical security language but a CEO might not. Tailor your document to meet your audience’s
needs.
Be concise
You might be tasked with creating long documentation, such as a report. But when documentation is
too long, people can be discouraged from using it. To ensure that your documentation is useful,
establish the purpose immediately. This helps people quickly identify the objective of the document.
For example, executive summaries outline the major facts of an incident at the beginning of a final
report. This summary should be brief so that it can be easily skimmed to identify the key findings.
Update regularly
In security, new vulnerabilities are discovered and exploited constantly. Documentation must be
regularly reviewed and updated to keep up with the evolving threat landscape. For example, after an
incident has been resolved, a comprehensive review of the incident can identify gaps in processes
and procedures that require changes and updates. By regularly updating documentation, security
teams stay well informed and incident response plans stay updated.

Quick Notes Page 11

 teams stay well informed and incident response plans stay updated.
Key takeaways
Effective documentation produces benefits for everyone in an organization. Knowing how to create
documentation is an essential skill to have as a security analyst. As you continue in your journey to
become a security professional, be sure to consider these practices for creating effective
documentation.

From <https://www.coursera.org/learn/detection-and-response/supplement/0OpZQ/best-practices-for-effective-
documentation>

The triage process

Previously, you learned that triaging is used to assess alerts and assign priority to incidents. In this
reading, you'll explore the triage process and its benefits. As a security analyst, you'll be responsible
for analyzing security alerts. Having the skills to effectively triage is important because it allows you
to address and resolve security alerts efficiently.
Triage process
Incidents can have the potential to cause significant damage to an organization. Security teams
must respond quickly and efficiently to prevent or limit the impact of an incident before it becomes
too late. Triage is the prioritizing of incidents according to their level of importance or urgency. The
triage process helps security teams evaluate and prioritize security alerts and allocate resources
effectively so that the most critical issues are addressed first.
The triage process consists of three steps:
22. Receive and assess
23. Assign priority
24. Collect and analyze
Receive and assess
During this first step of the triage process, a security analyst receives an alert from an alerting
system like an intrusion detection system (IDS). You might recall that an IDS is an application that
monitors system activity and alerts on possible intrusions. The analyst then reviews the alert to verify
its validity and ensure they have a complete understanding of the alert.
This involves gathering as much information as possible about the alert, including details about the
activity that triggered the alert, the systems and assets involved, and more. Here are some
questions to consider when verifying the validity of an alert:
• Is the alert a false positive? Security analysts must determine whether the alert is a genuine
security concern or a false positive, or an alert that incorrectly detects the presence of a threat.
• Was this alert triggered in the past? If so, how was it resolved? The history of an alert can help
determine whether the alert is a new or recurring issue.
• Is the alert triggered by a known vulnerability? If an alert is triggered by a known vulnerability,
security analysts can leverage existing knowledge to determine an appropriate response and
minimize the impact of the vulnerability.
• What is the severity of the alert? The severity of an alert can help determine the priority of the
response so that critical issues are quickly escalated.
Assign priority
Once the alert has been properly assessed and verified as a genuine security issue, it needs to be
prioritized accordingly. Incidents differ in their impact, size, and scope, which affects the response
efforts. To manage time and resources, security teams must prioritize how they respond to various
incidents because not all incidents are equal. Here are some factors to consider when determining
the priority of an incident:
• Functional impact: Security incidents that target information technology systems impact the service
that these systems provide to its users. For example, a ransomware incident can severely impact the
confidentiality, availability, and integrity of systems. Data can be encrypted or deleted, making it
completely inaccessible to users. Consider how an incident impacts the existing business
functionality of the affected system.
• Information impact: Incidents can affect the confidentiality, integrity, and availability of an
organization’s data and information. In a data exfiltration attack, malicious actors can steal sensitive
data. This data can belong to third party users or organizations. Consider the effects that information
compromise can have beyond the organization.
• Recoverability: How an organization recovers from an incident depends on the size and scope of

Quick Notes Page 12

• Recoverability: How an organization recovers from an incident depends on the size and scope of
the incident and the amount of resources available. In some cases, recovery might not be possible,
like when a malicious actor successfully steals proprietary data and shares it publicly. Spending
time, effort, and resources on an incident with no recoverability can be wasteful. It’s important to
consider whether recovery is possible and consider whether it’s worth the time and cost.
Note: Security alerts often come with an assigned priority or severity level that classifies the urgency
of the alert based on a level of prioritization.
Collect and analyze
The final step of the triage process involves the security analyst performing a comprehensive
analysis of the incident. Analysis involves gathering evidence from different sources, conducting
external research, and documenting the investigative process. The goal of this step is to gather
enough information to make an informed decision to address it. Depending on the severity of the
incident, escalation to a level two analyst or a manager might be required. Level two analysts and
managers might have more knowledge on using advanced techniques to address the incident.
Benefits of triage
By prioritizing incidents based on their potential impact, you can reduce the scope of impact to the
organization by ensuring a timely response. Here are some benefits that triage has for security
teams:
• Resource management: Triaging alerts allows security teams to focus their resources on threats
that require urgent attention. This helps team members avoid dedicating time and resources to lower
priority tasks and might also reduce response time.
• Standardized approach: Triage provides a standardized approach to incident handling. Process
documentation, like playbooks, help to move alerts through an iterative process to ensure that alerts
are properly assessed and validated. This ensures that only valid alerts are moved up to investigate.
Key takeaways
Triage allows security teams to prioritize incidents according to their level of importance or urgency.
The triage process is important in ensuring that an organization meets their incident response goals.
As a security professional, you will likely utilize triage to effectively respond to and resolve security
incidents.

From <https://www.coursera.org/learn/detection-and-response/supplement/VuDTP/the-triage-process>

Business continuity considerations

Previously, you learned about how security teams develop incident response plans to help ensure
that there is a prepared and consistent process to quickly respond to security incidents. In this
reading, you'll explore the importance that business continuity planning has in recovering from
incidents.
Business continuity planning
Security teams must be prepared to minimize the impact that security incidents can have on their
normal business operations. When an incident occurs, organizations might experience significant
disruptions to the functionality of their systems and services. Prolonged disruption to systems and
services can have serious effects, causing legal, financial, and reputational damages. Organizations
can use business continuity planning so that they can remain operational during any major
disruptions.
Similar to an incident response plan, a business continuity plan (BCP) is a document that outlines
the procedures to sustain business operations during and after a significant disruption. A BCP helps
organizations ensure that critical business functions can resume or can be quickly restored when an
incident occurs.
Entry level security analysts aren't typically responsible for the development and testing of a BCP.
However, it's important that you understand how BCPs provide organizations with a structured way
to respond and recover from security incidents.
Note: Business continuity plans are not the same as disaster recovery plans. Disaster recovery
plans are used to recover information systems in response to a major disaster. These disasters can
range from hardware failure to the destruction of facilities from a natural disaster, like a flood.
Consider the impacts of ransomware to business continuity
Impacts of a security incident such as ransomware can be devastating for business operations.
Ransomware attacks targeting critical infrastructure such as healthcare can have the potential to

Quick Notes Page 13

 Ransomware attacks targeting critical infrastructure such as healthcare can have the potential to
cause significant disruption. Depending on the severity of a ransomware attack, the accessibility,
availability, and delivery of essential healthcare services can be impacted. For example,
ransomware can encrypt data, resulting in disabled access to medical records, which prevents
healthcare providers from accessing patient records. At a larger scale, security incidents that target
the assets, systems, and networks of critical infrastructure can also undermine national security,
economic security, and the health and safety of the public. For this reason, BCPs help to minimize
interruptions to operations so that essential services can be accessed.
Recovery strategies
When an outage occurs due to a security incident, organizations must have some sort of a functional
recovery plan set to resolve the issue and get systems fully operational. BCPs can include strategies
for recovery that focus on returning to normal operations. Site resilience is one example of a
recovery strategy.
Site resilience
Resilience is the ability to prepare for, respond to, and recover from disruptions. Organizations can
design their systems to be resilient so that they can continue delivering services despite facing
disruptions. An example is site resilience, which is used to ensure the availability of networks, data
centers, or other infrastructure when a disruption happens. There are three types of recovery sites
used for site resilience:
• Hot sites: A fully operational facility that is a duplicate of an organization's primary environment. Hot
sites can be activated immediately when an organization's primary site experiences failure or
disruption.
• Warm sites: A facility that contains a fully updated and configured version of the hot site. Unlike hot
sites, warm sites are not fully operational and available for immediate use but can quickly be made
operational when a failure or disruption occurs.
• Cold sites: A backup facility equipped with some of the necessary infrastructure required to operate
an organization's site. When a disruption or failure occurs, cold sites might not be ready for
immediate use and might need additional work to be operational.
Key takeaways
Security incidents have the potential to seriously disrupt business operations. Having the right plans
in place is essential so that organizations can continue to function. Business continuity plans help
organizations understand the impact that serious security incidents can have on their operations and
work to mitigate these impacts so that regular operations can resume.

From <https://www.coursera.org/learn/detection-and-response/supplement/Ctpgx/business-continuity-considerations>

Post-incident review
Previously, you explored the Containment, Eradication and Recovery phase of the NIST Incident
Response Lifecycle. This reading explores the activities involved in the final phase of the lifecycle:
Post-incident activity. As a security analyst, it's important to familiarize yourself with the activities
involved in this phase because each security incident will provide you with an opportunity to learn
and improve your responses to future incidents.
Post-incident activity
The Post-incident activity phase of the NIST Incident Response Lifecycle is the process of reviewing
an incident to identify areas for improvement during incident handling.

Quick Notes Page 14

 Lessons learned
After an organization has successfully contained, eradicated, and recovered from an incident, the
incident comes to a close. However, this doesn’t mean that the work of security professionals is
complete. Incidents provide organizations and their security teams with an opportunity to learn from
what happened and prioritize ways to improve the incident handling process.
This is typically done through a lessons learned meeting, also known as a post-mortem. A lessons
learned meeting includes all involved parties after a major incident. Depending on the scope of an
incident, multiple meetings can be scheduled to gather sufficient data. The purpose of this meeting is
to evaluate the incident in its entirety, assess the response actions, and identify any areas of
improvement. It provides an opportunity for an organization and its people to learn and improve, not
to assign blame. This meeting should be scheduled no later than two weeks after an incident has
been successfully remediated.
Not all incidents require their own lessons learned meeting; the size and severity of an incident will
dictate whether the meeting is necessary. However, major incidents, such as ransomware attacks,
should be reviewed in a dedicated lessons learned meeting. This meeting consists of all parties who
participated in any aspect of the incident response process. Here are some examples of questions
that are addressed in this meeting:
• What happened?
• What time did it happen?
• Who discovered it?
• How did it get contained?
• What were the actions taken for recovery?
• What could have been done differently?
Besides having the opportunity to learn from the incident, there are additional benefits to conducting
a lessons learned meeting. For large organizations, lessons learned meetings offer a platform for
team members across departments to share information and recommendations for future
prevention.
Pro tip: Before a team hosts a lessons learned meeting, organizers should make sure all attendees
come prepared. The meeting hosts typically develop and distribute a meeting agenda beforehand,
which contains the topics of discussion and ensures that attendees are informed and prepared.
Additionally, meeting roles should be assigned in advance, including a moderator to lead and
facilitate discussion and a scribe to take meeting notes.
Recommendations
Lessons learned meetings provide opportunities for growth and improvement. For example, security
teams can identify errors in response actions, gaps in processes and procedures, or ineffective
security controls. A lessons learned meeting should result in a list of prioritized actions or actionable
recommendations meant to improve an organization’s incident handling processes and overall
security posture. This ensures that organizations are implementing the lessons they’ve learned after
an incident so that they are not vulnerable to experiencing the same incident in the future. Examples
of changes that can be implemented include updating and improving playbook instructions or
implementing new security tools and technologies.
Final report
Throughout this course, you explored the importance that documentation has in recording details
during the incident response lifecycle. At a minimum, incident response documentation should
describe the incident by covering the 5 W's of incident investigation: who, what, where, why, and
when. The details that are captured during incident response are important for developing additional

Quick Notes Page 15

 when. The details that are captured during incident response are important for developing additional
documents during the end of the lifecycle.
One of the most essential forms of documentation that gets created during the end of an incident is
the final report. The final report provides a comprehensive review of an incident. Final reports are
not standardized, and their formats can vary across organizations. Additionally, multiple final reports
can be created depending on the audience it’s written for. Here are some examples of common
elements found in a final report:
• Executive summary: A high-level summary of the report including the key findings and essential
facts related to the incident
• Timeline: A detailed chronological timeline of the incident that includes timestamps dating the
sequence of events that led to the incident
• Investigation: A compilation of the actions taken during the detection and analysis of the incident.
For example, analysis of a network artifact such as a packet capture reveals information about what
activities happen on a network.
• Recommendations: A list of suggested actions for future prevention
Pro tip: When writing the final report, consider the audience that you’re writing the report for.
Oftentimes, business executives and other non-security professionals who don’t have the expertise
to understand technical details will read post-incident final reports. Considering the audience when
writing a final report will help you effectively communicate the most important details.
Key takeaways
Post-incident actions represent the end of the incident response lifecycle. This phase provides the
opportunity for security teams to meet, evaluate the response actions, make recommendations for
improvement, and develop the final report.

From <https://www.coursera.org/learn/detection-and-response/supplement/dFK8L/post-incident-review>

Glossary terms from module 3

Terms and definitions from Course 6, Module 3
Analysis: The investigation and validation of alerts
Broken chain of custody: Inconsistencies in the collection and logging of evidence in the chain of
custody
Business continuity plan (BCP): A document that outlines the procedures to sustain business
operations during and after a significant disruption
Chain of custody: The process of documenting evidence possession and control during an incident
lifecycle
Containment: The act of limiting and preventing additional damage caused by an incident
Crowdsourcing: The practice of gathering information using public input and collaboration
Detection: The prompt discovery of security events
Documentation: Any form of recorded content that is used for a specific purpose
Eradication: The complete removal of the incident elements from all affected systems
Final report: Documentation that provides a comprehensive review of an incident
Honeypot: A system or resource created as a decoy vulnerable to attacks with the purpose of
attracting potential intruders
Incident response plan: A document that outlines the procedures to take in each step of incident
response
Indicators of attack (IoA): The series of observed events that indicate a real-time incident
Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security
incident
Intrusion detection system (IDS): An application that monitors system activity and alerts on
possible intrusions
Lessons learned meeting: A meeting that includes all involved parties after a major incident
Open-source intelligence (OSINT): The collection and analysis of information from publicly
available sources to generate usable intelligence
Playbook: A manual that provides details about any operational action
Post-incident activity: The process of reviewing an incident to identify areas for improvement
during incident handling
Recovery: The process of returning affected systems back to normal operations
Resilience: The ability to prepare for, respond to, and recover from disruptions

Quick Notes Page 16

 Resilience: The ability to prepare for, respond to, and recover from disruptions
Standards: References that inform how to set policies
Threat hunting: The proactive search for threats on a network
Threat intelligence: Evidence-based threat information that provides context about existing or
emerging threats
Triage: The prioritizing of incidents according to their level of importance or urgency
VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs, and IP
addresses for malicious content

From <https://www.coursera.org/learn/detection-and-response/supplement/rmSkU/glossary-terms-from-module-3>

Best practices for log collection and

management
In this reading, you’ll examine some best practices related to log management, storage, and
protection. Understanding the best practices related to log collection and management will help
improve log searches and better support your efforts in identifying and resolving security incidents.
Logs
Data sources such as devices generate data in the form of events. A log is a record of events that
occur within an organization's systems. Logs contain log entries and each entry details information
corresponding to a single event that happened on a device or system. Originally, logs served the
sole purpose of troubleshooting common technology issues. For example, error logs provide
information about why an unexpected error occurred and help to identify the root cause of the error
so that it can be fixed. Today, virtually all computing devices produce some form of logs that provide
valuable insights beyond troubleshooting.
Security teams access logs from logging receivers like SIEM tools which consolidate logs to provide
a central repository for log data. Security professionals use logs to perform log analysis, which is
the process of examining logs to identify events of interest. Logs help uncover the details
surrounding the 5 W's of incident investigation: who triggered the incident, what happened, when the
incident took place, where the incident took place, and why the incident occurred.
Types of logs
Depending on the data source, different log types can be produced. Here’s a list of some common
log types that organizations should record:
• Network: Network logs are generated by network devices like firewalls, routers, or switches.
• System: System logs are generated by operating systems like Chrome OS™, Windows, Linux, or
macOS®.
• Application: Application logs are generated by software applications and contain information
relating to the events occurring within the application such as a smartphone app.
• Security: Security logs are generated by various devices or systems such as antivirus software and
intrusion detection systems. Security logs contain security-related information such as file deletion.
• Authentication: Authentication logs are generated whenever authentication occurs such as a
successful login attempt into a computer.
Log details
Generally, logs contain a date, time, location, action, and author of the action. Here is an example of
an authentication log:
Logi n Event [05: 45: 15] User 1 Aut henti cat ed successf ully
Logs contain information and can be adjusted to contain even more information. Verbose logging
records additional, detailed information beyond the default log recording. Here is an example of the
same log above but logged as verbose.
Logi n Event [2022/ 11/ 16 05: 45: 15. 892673] aut h_perfor mer. cc: 470 User 1 Aut henti cat ed
successf ully from devi ce1 (192. 168. 1. 2)

Log management
Because all devices produce logs, it can quickly become overwhelming for organizations to keep
track of all the logs that are generated. To get the most value from your logs, you need to choose
exactly what to log, how to access it easily, and keep it secure using log management. Log
management is the process of collecting, storing, analyzing, and disposing of log data.
What to log
The most important aspect of log management is choosing what to log. Organizations are different,

Quick Notes Page 17

 The most important aspect of log management is choosing what to log. Organizations are different,
and their logging requirements can differ too. It's important to consider which log sources are most
likely to contain the most useful information depending on your event of interest. This might be
configuring log sources to reduce the amount of data they record, such as excluding excessive
verbosity. Some information, including but not limited to phone numbers, email addresses, and
names, form personally identifiable information (PII), which requires special handling and in some
jurisdictions might not be possible to be logged.
The issue with overlogging
From a security perspective, it can be tempting to log everything. This is the most common mistake
organizations make. Just because it can be logged, doesn't mean it needs to be logged. Storing
excessive amounts of logs can have many disadvantages with some SIEM tools. For example,
overlogging can increase storage and maintenance costs. Additionally, overlogging can increase the
load on systems, which can cause performance issues and affect usability, making it difficult to
search for and identify important events.
Log retention
Organizations might operate in industries with regulatory requirements. For example, some
regulations require organizations to retain logs for set periods of time and organizations can
implement log retention practices in their log management policy.
Organizations that operate in the following industries might need to modify their log management
policy to meet regulatory requirements:
• Public sector industries, like the Federal Information Security Modernization Act (FISMA)
• Healthcare industries, like the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Financial services industries, such as the Payment Card Industry Data Security Standard (PCI DSS),
the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act of 2002 (SOX)
Log protection
Along with management and retention, the protection of logs is vital in maintaining log integrity. It’s
not unusual for malicious actors to modify logs in attempts to mislead security teams and to even
hide their activity.
Storing logs in a centralized log server is a way to maintain log integrity. When logs are generated,
they get sent to a dedicated server instead of getting stored on a local machine. This makes it more
difficult for attackers to access logs because there is a barrier between the attacker and the log
location.
Key takeaways
It's important to understand how to properly collect, store, and protect logs because they are integral
to incident investigations. Having a detailed plan for log management helps improve the usefulness
of logs and resource efficiency.

From <https://www.coursera.org/learn/detection-and-response/supplement/lMVO5/best-practices-for-log-collection-and-
management>

Overview of log file formats

You’ve learned about how logs record events that happen on a network, or system. In security, logs
provide key details about activities that occurred across an organization, like who signed into an
application at a specific point in time. As a security analyst, you’ll use log analysis, which is the
process of examining logs to identify events of interest. It’s important to know how to read and
interpret different log formats so that you can uncover the key details surrounding an event and
identify unusual or malicious activity. In this reading, you’ll review the following log formats:
• JSON
• Syslog
• XML
• CSV
• CEF
JavaScript Object Notation (JSON)
JavaScript Object Notation (JSON) is a file format that is used to store and transmit data. JSON is
known for being lightweight and easy to read and write. It is used for transmitting data in web
technologies and is also commonly used in cloud environments. JSON syntax is derived from
JavaScript syntax. If you are familiar with JavaScript, you might recognize that JSON contains

Quick Notes Page 18

 JavaScript syntax. If you are familiar with JavaScript, you might recognize that JSON contains
components from JavaScript including:
• Key-value pairs
• Commas
• Double quotes
• Curly brackets
• Square brackets
Key-value pairs
A key-value pair is a set of data that represents two linked items: a key and its corresponding value.
A key-value pair consists of a key followed by a colon, and then followed by a value. An example of
a key-value pair is " Al ert": "Mal war e" .
Note: For readability, it is recommended that key-value pairs contain a space before or after the
colon that separates the key and value.
Commas
Commas are used to separate data. For example: "Al ert": "Mal war e", "Al ert code": 1090,
"severity": 10 .
Double quotes
Double quotes are used to enclose text data, which is also known as a string, for example: " Al ert":
"Mal war e" . Data that contains numbers is not enclosed in quotes, like this: " Al ert code": 1090 .
Curly brackets
Curly brackets enclose an object, which is a data type that stores data in a comma-separated list of
key-value pairs. Objects are often used to describe multiple properties for a given key. JSON log
entries start and end with a curly bracket. In this example, User is the object that contains multiple
properties:
"User ": { "i d": "1234", "name": "user", "rol e": "engi neer" }
Square brackets
Square brackets are used to enclose an array, which is a data type that stores data in a comma-
separated ordered list. Arrays are useful when you want to store data as an ordered collection, for
example: [ "Admi ni st rat or s", "User s", "Engi neeri ng"] .
Syslog
Syslog is a standard for logging and transmitting data. It can be used to refer to any of its three
different capabilities:
25. Protocol: The syslog protocol is used to transport logs to a centralized log server for log
management. It uses port 514 for plaintext logs and port 6514 for encrypted logs.
26. Service: The syslog service acts as a log forwarding service that consolidates logs from multiple
sources into a single location. The service works by receiving and then forwarding any syslog log
entries to a remote server.
27. Log format: The syslog log format is one of the most commonly used log formats that you will be
focusing on. It is the native logging format used in Unix® systems. It consists of three components:
a header, structured-data, and a message.
Syslog log example
Here is an example of a syslog entry that contains all three components: a header, followed by
structured-data, and a message:
<236>1 2022- 03- 21T01: 11: 11. 003Z vi rtual.machi ne. com evnt sl og - ID01 [user @32473 iut ="1"
event Sour ce="Appl i cation" eventI D=" 9999"] Thi s is a log ent ry!
Header
The header contains details like the timestamp; the hostname, which is the name of the machine
that sends the log; the application name; and the message ID.
• Timestamp: The timestamp in this example is 2022- 03- 21T01: 11: 11. 003Z, where 2022- 03- 21 is the
date in YYYY-MM-DD format. T is used to separate the date and the time. 01: 11: 11. 003 is the 24-
hour format of the time and includes the number of milliseconds 003 . Z indicates the timezone, which
is Coordinated Universal Time (UTC).
• Hostname: vi rtual.machi ne. com
• Application: evnt sl og
• Message ID: I D01
Structured-data
Quick Notes Page 19
 Structured-data
The structured-data portion of the log entry contains additional logging information. This information
is enclosed in square brackets and structured in key-value pairs. Here, there are three keys with
corresponding values: [ user @32473 iut ="1" event Sour ce="Appl i cation" eventI D=" 9999"] .
Message
The message contains a detailed log message about the event. Here, the message is Thi s is a log
ent ry! .
Priority (PRI)
The priority (PRI) field indicates the urgency of the logged event and is contained with angle
brackets. In this example, the priority value is <236> . Generally, the lower the priority level, the more
urgent the event is.
Note: Syslog headers can be combined with JSON, and XML formats. Custom log formats also
exist.
XML (eXtensible Markup Language)
XML (eXtensible Markup Language) is a language and a format used for storing and transmitting
data. XML is a native file format used in Windows systems. XML syntax uses the following:
• Tags
• Elements
• Attributes
Tags
XML uses tags to store and identify data. Tags are pairs that must contain a start tag and an end
tag. The start tag encloses data with angle brackets, for example <t ag> , whereas the end of a tag
encloses data with angle brackets and a forward slash like this: </ tag> .
Elements
XML elements include both the data contained inside of a tag and the tags itself. All XML entries
must contain at least one root element. Root elements contain other elements that sit underneath
them, known as child elements.
Here is an example:
<Event > <EventI D>4688</ EventI D> <Ver si on>5</ Ver si on> </ Event >
In this example, <Event > is the root element and contains two child elements <EventI D> and
<Ver si on> . There is data contained in each respective child element.
Attributes
XML elements can also contain attributes. Attributes are used to provide additional information about
elements. Attributes are included as the second part of the tag itself and must always be quoted
using either single or double quotes.
For example:
<Event Dat a> <Dat a Name=' Subj ect User Si d' >S- 2- 3- 11- 160321</ Dat a> <Dat a
Name=' Subj ect User Name' >JSMI TH</ Dat a> <Dat a Name=' Subj ect Domai nName' >ADCOMP</ Dat a>
<Dat a Name=' Subj ect LogonI d' >0x1cf 1c12</ Dat a> <Dat a Name=' NewPr ocessI d' >0x1404</ Dat a>
</ Event Dat a>
In the first line for this example, the tag is <Dat a> and it uses the attribute Name=' Subj ect User Si d'
to describe the data enclosed in the tag S- 2- 3- 11- 160321 .
CSV (Comma Separated Value)
CSV (Comma Separated Value) uses commas to separate data values. In CSV logs, the position of
the data corresponds to its field name, but the field names themselves might not be included in the
log. It’s critical to understand what fields the source device (like an IPS, firewall, scanner, etc.) is
including in the log.
Here is an example:
2009- 11- 24T21: 27: 09. 534255, ALERT, 192. 168. 2. 7,
1041, x. x. 250. 50, 80, TCP, ALLOWED, 1: 2001999: 9, "ET MALWARE BTGr ab. com Spywar e
Downl oadi ng Ads", 1

CEF (Common Event Format)

Common Event Format (CEF) is a log format that uses key-value pairs to structure data and
identify fields and their corresponding values. The CEF syntax is defined as containing the following
fields:
CEF: Ver si on| Devi ce Vendor| Devi ce Pr oduct| Devi ce Ver si on| Si gnat ur e
ID| Name| Severity| Ext ensi on

Quick Notes Page 20

 ID| Name| Severity| Ext ensi on
Fields are all separated with a pipe character | . However, anything in the Ext ensi on part of the CEF
log entry must be written in a key-value format. Syslog is a common method used to transport logs
like CEF. When Syslog is used a timestamp and hostname will be prepended to the CEF message.
Here is an example of a CEF log entry that details malicious activity relating to a worm infection:
Sep 29 08: 26: 10 host CEF: 1| Security| thr eat manager| 1. 0| 100| wor m successf ully st opped| 10| src=
10. 0. 0. 2 dst =2. 1. 2. 2 spt =1232
Here is a breakdown of the fields:
• Syslog Timestamp: Sep 29 08: 26: 10
• Syslog Hostname: host
• Version: CEF: 1
• Device Vendor: Security
• Device Product: t hr eat manager
• Device Version: 1. 0
• Signature ID: 100
• Name: wor m successf ully st opped
• Severity: 10
• Extension: This field contains data written as key-value pairs. There are two IP addresses, sr c=
10. 0. 0. 2 and dst =2. 1. 2. 2 , and a source port number spt =1232. Extensions are not required and are
optional to add.
This log entry contains details about a Security application called t hr eat manager that successf ully
st opped a wor m from spreading from the internal network at 10. 0. 0. 2 to the external network 2. 1. 2. 2
through the port 1232. A high severity level of 10 is reported.
Note: Extensions and syslog prefix are optional to add to a CEF log.
Key takeaways
There is no standard format used in logging, and many different log formats exist. As a security
analyst, you will analyze logs that originate from different sources. Knowing how to interpret different
log formats will help you determine key information that you can use to support your investigations.
Resources for more information
• To learn more about the syslog protocol including priority levels, check out The Syslog Protocol.
• If you would like to explore generating log formats, check out this open-source test data generator
tool.
• To learn more about timestamp formats, check out Date and Time on the Internet: Timestamps.

From <https://www.coursera.org/learn/detection-and-response/supplement/PBuUC/overview-of-log-file-formats>

Detection tools and techniques

In this reading, you’ll examine the different types of intrusion detection system (IDS) technologies
and the alerts they produce. You’ll also explore the two common detection techniques used by
detection systems. Understanding the capabilities and limitations of IDS technologies and their
detection techniques will help you interpret security information to identify, analyze, and respond to
security events.
As you’ve learned, an intrusion detection system (IDS) is an application that monitors system
activity and alerts on possible intrusions. IDS technologies help organizations monitor the activity
that happens on their systems and networks to identify indications of malicious activity. Depending
on the location you choose to set up an IDS, it can be either host-based or network-based.
Host-based intrusion detection system
A host-based intrusion detection system (HIDS) is an application that monitors the activity of the
host on which it's installed. A HIDS is installed as an agent on a host. A host is also known as an
endpoint, which is any device connected to a network like a computer or a server.
Typically, HIDS agents are installed on all endpoints and used to monitor and detect security threats.
A HIDS monitors internal activity happening on the host to identify any unauthorized or abnormal
behavior. If anything unusual is detected, such as the installation of an unauthorized application, the
HIDS logs it and sends out an alert.
In addition to monitoring inbound and outbound traffic flows, HIDS can have additional capabilities,
such as monitoring file systems, system resource usage, user activity, and more.
This diagram shows a HIDS tool installed on a computer. The dotted circle around the host indicates

Quick Notes Page 21

This diagram shows a HIDS tool installed on a computer. The dotted circle around the host indicates
that it is only monitoring the local activity on the single computer on which it’s installed.

Network-based intrusion detection system

A network-based intrusion detection system (NIDS) is an application that collects and monitors
network traffic and network data. NIDS software is installed on devices located at specific parts of
the network that you want to monitor. The NIDS application inspects network traffic from different
devices on the network. If any malicious network traffic is detected, the NIDS logs it and generates
an alert.
This diagram shows a NIDS that is installed on a network. The highlighted circle around the server
and computers indicates that the NIDS is installed on the server and is monitoring the activity of the
computers.

Using a combination of HIDS and NIDS to monitor an environment can provide a multi-layered
approach to intrusion detection and response. HIDS and NIDS tools provide a different perspective
on the activity occurring on a network and the individual hosts that are connected to it. This helps
provide a comprehensive view of the activity happening in an environment.
Detection techniques
Detection systems can use different techniques to detect threats and attacks. The two types of
detection techniques that are commonly used by IDS technologies are signature-based analysis and
anomaly-based analysis.
Signature-based analysis
Quick Notes Page 22
 Signature-based analysis
Signature analysis, or signature-based analysis, is a detection method that is used to find events of
interest. A signature is a pattern that is associated with malicious activity. Signatures can contain
specific patterns like a sequence of binary numbers, bytes, or even specific data like an IP address.
Previously, you explored the Pyramid of Pain, which is a concept that prioritizes the different types of
indicators of compromise (IoCs) associated with an attack or threat, such as IP addresses, tools,
tactics, techniques, and more. IoCs and other indicators of attack can be useful for creating targeted
signatures to detect and block attacks.
Different types of signatures can be used depending on which type of threat or attack you want to
detect. For example, an anti-malware signature contains patterns associated with malware. This can
include malicious scripts that are used by the malware. IDS tools will monitor an environment for
events that match the patterns defined in this malware signature. If an event matches the signature,
the event gets logged and an alert is generated.
Advantages
• Low rate of false positives: Signature-based analysis is very efficient at detecting known threats
because it is simply comparing activity to signatures. This leads to fewer false positives. Remember
that a false positive is an alert that incorrectly detects the presence of a threat.
Disadvantages
• Signatures can be evaded: Signatures are unique, and attackers can modify their attack behaviors
to bypass the signatures. For example, attackers can make slight modifications to malware code to
alter its signature and avoid detection.
• Signatures require updates: Signature-based analysis relies on a database of signatures to detect
threats. Each time a new exploit or attack is discovered, new signatures must be created and added
to the signature database.
• Inability to detect unknown threats: Signature-based analysis relies on detecting known threats
through signatures. Unknown threats can't be detected, such as new malware families or zero-day
attacks, which are exploits that were previously unknown.
Anomaly-based analysis
Anomaly-based analysis is a detection method that identifies abnormal behavior. There are two
phases to anomaly-based analysis: a training phase and a detection phase. In the training phase, a
baseline of normal or expected behavior must be established. Baselines are developed by collecting
data that corresponds to normal system behavior. In the detection phase, the current system activity
is compared against this baseline. Activity that happens outside of the baseline gets logged, and an
alert is generated.
Advantages
• Ability to detect new and evolving threats: Unlike signature-based analysis, which uses known
patterns to detect threats, anomaly-based analysis can detect unknown threats.
Disadvantages
• High rate of false positives: Any behavior that deviates from the baseline can be flagged as
abnormal, including non-malicious behaviors. This leads to a high rate of false positives.
• Pre-existing compromise: The existence of an attacker during the training phase will include
malicious behavior in the baseline. This can lead to missing a pre-existing attacker.
Key takeaways
IDS technologies are an essential security tool that you will encounter in your security journey. To
recap, a NIDS monitors an entire network, whereas a HIDS monitors individual endpoints. IDS
technologies generate different types of alerts. Lastly, IDS technologies use different detection
techniques like signature-based or anomaly-based analysis to identify malicious activity.

From <https://www.coursera.org/learn/detection-and-response/supplement/YL8NC/detection-tools-and-techniques>

Overview of Suricata
So far, you've learned about detection signatures and you were introduced to Suricata, an intrusion
detection system (IDS).
In this reading, you’ll explore more about Suricata. You'll also learn about the value of writing
customized signatures and configuration. This is an important skill to build in your cybersecurity
career because you might be tasked with deploying and maintaining IDS tools.

Quick Notes Page 23

 career because you might be tasked with deploying and maintaining IDS tools.
Introduction to Suricata
Suricata is an open-source intrusion detection system, intrusion prevention system, and network
analysis tool.
Suricata features
There are three main ways Suricata can be used:
• Intrusion detection system (IDS): As a network-based IDS, Suricata can monitor network traffic
and alert on suspicious activities and intrusions. Suricata can also be set up as a host-based IDS to
monitor the system and network activities of a single host like a computer.
• Intrusion prevention system (IPS): Suricata can also function as an intrusion prevention system
(IPS) to detect and block malicious activity and traffic. Running Suricata in IPS mode requires
additional configuration such as enabling IPS mode.
• Network security monitoring (NSM): In this mode, Suricata helps keep networks safe by producing
and saving relevant network logs. Suricata can analyze live network traffic, existing packet capture
files, and create and save full or conditional packet captures. This can be useful for forensics,
incident response, and for testing signatures. For example, you can trigger an alert and capture the
live network traffic to generate traffic logs, which you can then analyze to refine detection signatures.
Rules
Rules or signatures are used to identify specific patterns, behavior, and conditions of network traffic
that might indicate malicious activity. The terms rule and signature are often used interchangeably in
Suricata. Security analysts use signatures, or patterns associated with malicious activity, to detect
and alert on specific malicious activity. Rules can also be used to provide additional context and
visibility into systems and networks, helping to identify potential security threats or vulnerabilities.
Suricata uses signatures analysis, which is a detection method used to find events of interest.
Signatures consist of three components:
• Action: The first component of a signature. It describes the action to take if network or system
activity matches the signature. Examples include: alert, pass, drop, or reject.
• Header: The header includes network traffic information like source and destination IP addresses,
source and destination ports, protocol, and traffic direction.
• Rule options: The rule options provide you with different options to customize signatures.
Here's an example of a Suricata signature:

Rule options have a specific ordering and changing their order would change the meaning of the
rule.
Note: The terms rule and signature are synonymous.
Note: Rule order refers to the order in which rules are evaluated by Suricata. Rules are processed in
the order in which they are defined in the configuration file. However, Suricata processes rules in a
different default order: pass, drop, reject, and alert. Rule order affects the final verdict of a packet
especially when conflicting actions such as a drop rule and an alert rule both match on the same
packet.
Custom rules
Although Suricata comes with pre-written rules, it is highly recommended that you modify or
customize the existing rules to meet your specific security requirements.
There is no one-size-fits-all approach to creating and modifying rules. This is because each
organization's IT infrastructure differs. Security teams must extensively test and modify detection
signatures according to their needs.
Creating custom rules helps to tailor detection and monitoring. Custom rules help to minimize the
amount of false positive alerts that security teams receive. It's important to develop the ability to write
effective and customized signatures so that you can fully leverage the power of detection
technologies.
Configuration file
Before detection tools are deployed and can begin monitoring systems and networks, you must
properly configure their settings so that they know what to do. A configuration file is a file used to
configure the settings of an application. Configuration files let you customize exactly how you want

Quick Notes Page 24

 configure the settings of an application. Configuration files let you customize exactly how you want
your IDS to interact with the rest of your environment.
Suricata's configuration file is suri cat a. yaml , which uses the YAML file format for syntax and
structure.
Log files
There are two log files that Suricata generates when alerts are triggered:
• eve.json: The eve.json file is the standard Suricata log file. This file contains detailed information
and metadata about the events and alerts generated by Suricata stored in JSON format. For
example, events in this file contain a unique identifier called flow_id which is used to correlate
related logs or alerts to a single network flow, making it easier to analyze network traffic. The
eve.json file is used for more detailed analysis and is considered to be a better file format for log
parsing and SIEM log ingestion.
• fast.log: The fast.log file is used to record minimal alert information including basic IP address and
port details about the network traffic. The fast.log file is used for basic logging and alerting and is
considered a legacy file format and is not suitable for incident response or threat hunting tasks.
The main difference between the eve.json file and the fast.log file is the level of detail that is
recorded in each. The fast.log file records basic information, whereas the eve.json file contains
additional verbose information.
Key takeaways
In this reading, you explored some of Suricata's features, rules syntax, and the importance of
configuration. Understanding how to configure detection technologies and write effective rules will
provide you with clear insight into the activity happening in an environment so that you can improve
detection capability and network visibility. Go ahead and start practicing using Suricata in the
upcoming activity!
Resources for more information
If you would like to learn more about Suricata including rule management and performance, check
out the following resources:
• Suricata user guide
• Suricata features
• Rule management
• Rule performance analysis
• Suricata threat hunting webinar
• Introduction to writing Suricata rules
• Eve.json jq examples

From <https://www.coursera.org/learn/detection-and-response/supplement/Oq4IK/overview-of-suricata>

Apply the STAR method during interviews

You’ve been learning about different techniques and strategies to use during future interviews for
jobs in the cybersecurity field. In this reading, you’ll learn more details about the STAR method for
answering interview questions. Implementing this strategy will help you answer interview questions
with confidence and clarity.
The STAR method

When interviewing for a job, it can be challenging to convey the right details about your professional

Quick Notes Page 25

When interviewing for a job, it can be challenging to convey the right details about your professional
history and skills to your interviewers. Using the STAR method can help you share your success
stories effectively and strategically. STAR stands for Situation, Task, Action, and Result. Using this
method enables you to describe potential challenges you faced in previous roles and gives you the
opportunity to show how you thoughtfully approached solving those problems from start to finish.
Situation
The situation is the project you worked on or a challenge that you had to overcome. For example,
perhaps you had to manage a disgruntled customer’s negative feedback about your company, a
system error on your work device that slowed down a customer transaction, or being left alone in the
office for an extended period of time. Fully describing the situation allows the interviewer to gain a
clear understanding of the challenge you had to overcome.
Task
The task outlines the key responsibilities or role you played in solving the challenge described in the
situation phase of the STAR method. Specifying what the task is provides clarity about what your
objectives were in this scenario.
Action
The action describes the exact steps you took to resolve the challenging situation you described in
the beginning of the STAR method. The action is crucial to the STAR method because it allows the
employer to understand what choices you made to achieve your desired outcome during a real
conflict or challenge. Employers want employees who can think fast and make decisions that help
solve problems.
Result
Finally, sharing the result of your challenge or example shows the employers how the situation was
resolved as a direct result of the actions you took. When participating in an interview, you want to
make sure that any example you give with the STAR method ends in a positive result. Positive
results show an employer that you are someone who has demonstrated an ability to successfully
resolve issues and may lead an employer to offer you a job. Of course, not all situations have
completely positive outcomes; if an employer asks you about a situation that didn’t have a positive
outcome, try to focus on what you learned from the situation and how that experience helped you
become a better employee.
Key takeaways
The STAR method stands for Situation, Task, Action, and Result. Following this method helps you
communicate to an employer an example of a challenge you faced in the workplace. Remember to
use one of your success stories when using the STAR method on an interview. Challenges arise all
the time in the security world, so being able to demonstrate an ability to overcome any type of
challenge is a great trait to show off during an interview. Plus, since cybersecurity is such a team-
driven industry, being able to communicate effectively to an interviewer will help you be a
competitive applicant.

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/UCzaX/apply-the-star-method-during-
interviews>

STAR Responses
Experiences that demonstrate my skills:
1. Helped Nice Touch Healthcare group strengthen their security posture
through adherence to industry standard policies and procedures.
2. Maintained effective communications with various teams across the
organization to ensure overall alignment on security best practices.
3. Completed the Google Cybersecurity Certificate, demonstrating my
eagerness to learn and grow my knowledge and skill set.
Question 1: Tell me about a time you had to work across various internal
teams on security tasks. How did you plan and arrange appropriate times to
meet and mutually acceptable timelines across these teams? What was the
outcome?
Situation When I was a Cybersecurity Junior Analyst at Nice Touch
Healthcare Group, the organization was experiencing a
tremendous increase in employees clicking on phishing email

Quick Notes Page 26

tremendous increase in employees clicking on phishing email
links. The security team determined that various department
leaders were not educating their employees on the importance
of not clicking every link and attachment found in an email.

Task I was part of a team tasked with identifying which departments

were clicking on the most phishing links and communicating
those findings to the leaders of those departments.

Action I went into our organization’s work calendar to find available

times to meet with more senior-level analysts to discuss the
phishing data they gathered. We discussed the impact of the
data and the need for me to put that data into a visual
presentation. After I created bar charts for the phishing data, I
reached out to the assistants of the various department leaders
via email to establish the best date and time for my team and
those leaders to join a video call to discuss the data. We came
up with a plan to minimize the amount of phishing emails being
clicked on by launching an employee awareness campaign and
set a timeline to complete the plan by end of year.

Result The organization saw a 20% decrease in the amount of phishing

links clicked on by employees one month after my team and I

met with all of the department leaders.

Question 2: Describe an experience in which you had to create, develop,

and/or maintain documentation related to security processes and procedures.
How did you plan, execute and maintain these documents?
Situation When I first started working at Nice Touch Healthcare Group,
the organization was working on establishing its third-party
assessment program. The purpose of the program was to
properly assess the security of all third-party companies we did
business with to ensure those companies did not have major
security vulnerabilities that could negatively impact our
organization.

Task After working at Nice Touch for a year, I was put in charge of
managing any updates or changes to the third-party
assessment program procedures and policies..

Action I was granted access to a shared drive that contained the

third-party assessment policies and procedures. From there, I
did an audit of the individuals who currently had access to that
shared folder. I found that a few employees who were either no
longer working for the company or no longer working with the
third-party assessment team still had access to the shared
folder. I mentioned this to my direct supervisor and was given
permission to remove those individuals’ access to the shared
folder. From there, I set up weekly meetings with other
members of the third-party assessment team to discuss any
new changes or adjustments that needed to be made to the
policies and procedures. I also periodically added or removed
individuals’ access to the shared folder as needed.

Quick Notes Page 27

individuals’ access to the shared folder as needed.

Result Executives mentioned the third-party assessment program in

the end-of-year functional review meeting. The executives
remarked that they appreciated how much more streamlined
and collaborative the third-party program had become after I
began maintaining the documentation.

Common Behavioral Interview Questions for Cybersecurity Analysts

1. Describe an experience advising and working with internal business units on
security related issues. In what way did you meet with teams, address
questions, encourage compliance and help ensure optimal productivity?
2. Describe an experience in which you implemented a security solution. What was
your solution, how did you help with implementation, and what were the results?
3. Describe an experience in which you used your cybersecurity skills effectively.
How did you analyze variables and identify anomalies to improve security and
productivity for your company?
4. Tell me about a time when an update in the field of information security,
cybersecurity, or regulatory compliance took you by surprise. What was this
update and how did you learn of it? What do you do today to stay up-to-date on
relevant information?
5. Describe an experience in which you used technical security tools as part of
issue resolution. How did you assess the issues and reach the conclusion that
these tools represented the optimal solution? What was the outcome?
6. Describe an experience in which you had to plan, develop, execute, and/or
maintain documentation related to security processes and procedures. How did
you plan, execute and maintain these documents?
7. Tell me about a time you had to work across various internal teams on security
tasks. How did you plan and arrange appropriate times to meet and mutually
acceptable timelines across these teams? What was the outcome?
8. Describe an experience in which a security leak or other issue called for
immediate response, analysis, and action. How did you organize and execute
this while prioritizing and dealing with other duties disrupted by this event?
What was the outcome?
9. Tell me about a time you had to speak to higher management in your role as a
cybersecurity analyst about complex technical issues and solutions. How did

you express highly technical information in a way that could be understood and
responded to effectively?
10. Tell me about a time, if any, you experienced reluctance on the part of some
members of higher management with regard to a security or regulatory issue.
How did you go about gaining support for your opinions, who did you speak
with, and what was the outcome?

Prepare for interviews

Great news! You’ve submitted your application and received a follow-up email requesting an
interview. The work isn’t over yet, though—you still have a lot of preparation to do. That’s what you’re
going to learn about in this reading!
Prepare for the introductory call
It’s important to showcase your best self in the introductory phone call. In this conversation, you’ll
talk with the recruiter or hiring manager about yourself, the kind of work or training you have, and
why you want the job. You might also be asked specifically about your salary requirements. For this
question, it’s a good idea to prepare in advance and conduct an internet search for “average salary
for entry-level security analysts.”

Quick Notes Page 28

 for entry-level security analysts.”
Do your research
Make sure you’ve done your research on the company. When the interviewer asks why you’d be a
good fit for the job, they want to learn why you’re interested in cybersecurity and why you want to
work at that company specifically.
Prepare for the second round
Your second-round interview will focus more on what you can offer as an entry-level security analyst.
You’ll likely discuss yourself here, too, but you’ll also be going into detail about your knowledge of
the profession. You’ll want to cover the same material you prepared for your introductory call, but
you’ll also need to fully review your accomplishments in the security industry. Don’t worry if you have
no prior professional cybersecurity experience. You can discuss the information you’ve learned in
this certificate program.
Depending on where you and your interviewer are located, the second-round interview might be over
the phone, via video conference, or in person. In-person interviews often last an hour or so, but if
you traveled for your interview or the company likes to bring candidates in for all of the remaining
interview stages at once, you might complete your panel interview with a group that day as well.
Panel interview
During the panel interview, you’ll meet with two or more people and discuss yourself and your ability
to contribute to the organization. If you’re nervous about this, remind yourself that the team brought
you in for the interview for a reason. When you feel confident in your abilities, you’re better able to
showcase your knowledge about the security industry and demonstrate your ability to work well with
a team.
Be sure to engage with each panelist by giving them your full attention during the interview.
Maintaining eye contact can help you express confidence, but for those who cannot do so, actively
engaging with each panelist in your own way is just as important.
It’s likely that each panelist will ask you at least one question during the interview. It’s okay to
address the whole panel when answering a question, rather than only directing your response to the
person who asked the question.
More resources to help you prepare
There’s an endless supply of job-preparation resources available to you. Here are some great ones
to get you started:
• Interview tips from Google. This resource from the Google Careers team provides best practices and
advice on how to prepare and ace your interviews at Google, but of course these tips will work at
any company!
• Interviewing techniques for persons with disabilities. This resource from the Job Accommodation
Network (JAN) offers helpful advice on navigating the interview process for individuals with
disabilities.
Key takeaways
Preparation for your first interview is very important, so be sure to do your research and practice for
the introductory call. Don’t worry if you don’t have prior security experience. Instead, you can rely on
the information and skill sets you’ve gained from completing this certificate program.

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/mlNbf/prepare-for-interviews>

Prepare for interviews with Interview Warmup

Now that you have developed new skills and knowledge in cybersecurity, it’s time to start preparing
for interviews. Interview Warmup is a tool that helps you practice answering questions to become
more confident and comfortable throughout the interview process.

Quick Notes Page 29

 Get started
Follow these steps to start a five-question practice interview related to cybersecurity:
28. Go to grow.google/certificates/interview-warmup/.
29. Click Start practicing.
30. Select Cybersecurity to open an additional menu.
31. Click Start.
The interview lasts about 10 minutes, and the questions will vary with each attempt. During each
interview session, you will be asked two background questions, one behavioral question, and two
technical questions. You are encouraged to try as many practice interviews as you want.
You can also review complete lists of cybersecurity interview questions or general interview
questions if you'd like to focus on a particular topic.
How it works
Interview Warmup asks you interview questions to practice answering verbally. Your answers will be
transcribed in real time, allowing you to review how you responded. In addition, Interview Warmup's
machine learning algorithm can detect insights that can help you learn more about your answers and
improve the way you communicate.
Here are a few examples of questions Interview Warmup might ask:
• What are your career goals for the next five years?
• What processes can you use to ensure user data is protected?
• Name two types of common cybersecurity attacks?
• What are two internal factors that can increase the chances of security risks?
• What do security information and event management tools enable security analysts to do?
• In Python, what’s the difference between break and continue?
Here are some of the insights that Interview Warmup provides:
• Talking points: The tool lets you know which topics you covered in your answer, such as your
experience, skills, and goals. You’ll also be able to view other topics that you might want to consider
covering.
• Most-used words: The tool highlights the words you used most often and suggests synonyms to
broaden your word choices.
• Job-related terms: The tool highlights the words you used that are related to the role or industry in
which you are preparing to work. You’ll also be able to view an entire list of job-related terms that
you might want to consider including in your answer.
Interview Warmup gives you the space to practice and prepare for interviews on your own. Your
responses will be visible only to you, and they won’t be graded or judged.
Key takeaways
Practicing for interviews is an important skill for your career in cybersecurity. Using Interview
Warmup can help you practice interview questions and receive feedback in real time. As you
practice, you will gain confidence and be able to prepare more polished responses for common
interview questions.

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/Fn8MB/prepare-for-interviews-with-
interview-warmup>

Quick Notes Page 30

 interview-warmup>

Prepare for interviews with Interview Warmup

Now that you have developed new skills and knowledge in cybersecurity, it’s time to start preparing
for interviews. Interview Warmup is a tool that helps you practice answering questions to become
more confident and comfortable throughout the interview process.

Get started
Follow these steps to start a five-question practice interview related to cybersecurity:
32. Go to grow.google/certificates/interview-warmup/.
33. Click Start practicing.
34. Select Cybersecurity to open an additional menu.
35. Click Start.
The interview lasts about 10 minutes, and the questions will vary with each attempt. During each
interview session, you will be asked two background questions, one behavioral question, and two
technical questions. You are encouraged to try as many practice interviews as you want.
You can also review complete lists of cybersecurity interview questions or general interview
questions if you'd like to focus on a particular topic.
How it works
Interview Warmup asks you interview questions to practice answering verbally. Your answers will be
transcribed in real time, allowing you to review how you responded. In addition, Interview Warmup's
machine learning algorithm can detect insights that can help you learn more about your answers and
improve the way you communicate.
Here are a few examples of questions Interview Warmup might ask:
• What are your career goals for the next five years?
• What processes can you use to ensure user data is protected?
• Name two types of common cybersecurity attacks?
• What are two internal factors that can increase the chances of security risks?
• What do security information and event management tools enable security analysts to do?
• In Python, what’s the difference between break and continue?
Here are some of the insights that Interview Warmup provides:
• Talking points: The tool lets you know which topics you covered in your answer, such as your
experience, skills, and goals. You’ll also be able to view other topics that you might want to consider
covering.
• Most-used words: The tool highlights the words you used most often and suggests synonyms to
broaden your word choices.
• Job-related terms: The tool highlights the words you used that are related to the role or industry in
which you are preparing to work. You’ll also be able to view an entire list of job-related terms that
you might want to consider including in your answer.
Interview Warmup gives you the space to practice and prepare for interviews on your own. Your
responses will be visible only to you, and they won’t be graded or judged.
Key takeaways
Quick Notes Page 31
Key takeaways
Practicing for interviews is an important skill for your career in cybersecurity. Using Interview
Warmup can help you practice interview questions and receive feedback in real time. As you
practice, you will gain confidence and be able to prepare more polished responses for common
interview questions.

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/Fn8MB/prepare-for-interviews-with-
interview-warmup>

Learn more about developing an elevator pitch

When interviewing with potential employers, it’s important to communicate who you are, your value
as a security professional, and what qualities you’re searching for in a potential job. A simple way to
deliver this information succinctly is with an elevator pitch. An elevator pitch is a brief summary of
your experience, skills, and background that should be communicated in 60 seconds or fewer.
Although an elevator pitch is often specific to an idea or a product, you can also use it to sell yourself
as a professional to potential employers. In an interview, a strong elevator pitch can be used to
stand out to your interviewer. It can be used to help explain why you’re a good fit for the role or to
answer the popular interview question “tell me about yourself.” This reading helps you prepare your
elevator pitch to express the value you can provide as an entry-level security analyst or a more
experienced cybersecurity professional.
Provide an introduction
Start by providing an introduction. Introduce yourself and give a brief overview of your professional
background. Explain some job roles you’ve had, your years of work experience, and the types of
industries you’ve worked in. If this is your first job in security, mention some of your past roles and
skills used for those roles that can translate to success in the security field. Some of these skills can
include attention to detail, goal-orientedness, and good collaboration skills.
Describe your career interests and transferable skills
Even if you’re interviewing for your first internship or job in security, it’s important to clarify that this is
your desired career. For example, you could say, “I want to apply my excellent skills for collaborating
with others, and my attention to detail, to help the security team protect company data and assets.”
To determine which transferable skills to highlight in your elevator pitch, consider ones that you have
already developed and how they might apply to your goals as a security professional, such as
problem-solving, communication, and time management.
Express your excitement
This is where you share your passion for the field and why you want to work in the industry. If you’re
motivated to help an organization defend itself against hackers, mention that. This is also a good
time to talk about your goals.
For example, you could say, “I love security because it gives me the opportunity to safeguard
valuable information from malicious actors attempting to cause unnecessary harm to people and
organizations. Long term, I’d love to develop a security and hacker mindset to play my part in
defending against the constantly evolving threat actor tactics and techniques.”
Communicate your interest in the company
Communicating why you are interested in the company—and not just the role—is a great way to help
the interviewer recognize that you are knowledgeable about the company. This helps you to establish a
rapport with the interviewer and shows that you’ve done your due diligence before coming to the interview.
For example, if you were interviewing for a position for Google’s security team, you could say, “Being
a member of Google’s security team helps protect millions of people’s private and sensitive
information. As a long-time Google products user, I’m looking forward to the opportunity to be able to
help safeguard those products and ensure customers have the best experience possible.”
Key takeaways
Creating an elevator pitch that's 60 seconds or fewer is a great tool to use to quickly share who you
are. Use an elevator pitch to introduce yourself to career and business connections in the future.
You can even use your elevator pitch in other types of situations, like meeting new friends or
colleagues.

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/wGuWw/learn-more-about-developing-an-

Quick Notes Page 32

 From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/wGuWw/learn-more-about-developing-an-
elevator-pitch>

Job Search Criteria:

● Role type: cybersecurity
● Tasks: regulatory reporting, training and awareness, security process integration and
risk management.
● Skills: strong communication and organizational skills, latest industry awareness,
current knowledge of information security principles, Linux familiarity
● Experience level: entry-level
● Location: Boston
● Salary Range: $65–70K
Role: Information Security Analyst, Bob’s Marvelty Tech Inc
Relevant Experience and Skills:
Experience:
● Created cybersecurity communications plans for the global security team
● Organized awareness campaigns around phishing prevention
● Created monthly regulatory reports
● Researched latest information security principles
● Completed Google Career Certificate in cybersecurity
Skills:
● Excellent communication skills
● Strong organizational skills and close attention to detail
● Proficient in using Linux software
● Expert problem solver able to quickly identify challenges and produce effective
solutions
Company Description:
MarvelTech Inc provides medical supplies and technology to healthcare facilities around the
world.

Elevator Pitch

Hi, there. I’m Ibn. I’m currently a Cybersecurity Communications Specialist at Danni D’s
Global Inc, and I’ve been working in the communications industry for four years. Previously, I
worked as a proposal writer and copy editor. I'm interested in the Information Security Analyst
role because I want to apply my attention to detail, communication and Linux skills to an
organization that provides and protects medical equipment used by patients around the world.

In my current role, I create cybersecurity communications plans for the global security team
that focus on awareness and training of cybersecurity best practices. I am an excellent
communicator and pay close attention to details.
I am inspired by MarvelTechs’ mission to provide innovative medical supplies and
technologies that promote patient comfort and relaxation, and I would love to be a part of the
team that helps protect those supplies and technologies!

Assessment of Exemplar
Compare the exemplar to your completed elevator pitch. Review your work using each of the
criteria in the exemplar. What did you do well? Where can you improve? Use your answers to
these questions to guide you as you continue to progress through the course.
• The job description section includes:
• Criteria to filter for in a job search

Quick Notes Page 33

 •
• The title and company name of the target role that was identified
• Examples of relevant experience and skills that are similar to those listed in the job
description
• A description of the company and its mission

• Criteria to filter for in a job search

○ An introduction that includes the applicant's name and provides a brief overview of
your professional background (one to two sentences)
○ An explanation of why the role is interesting to the applicant and a short description
of the aspects of the job that interest them
○ A description of the applicant's experience and skills that communicates the value
they would bring to the position (two to four sentences)
○ An indication that the company’s mission was understood and an explanation of why
the applicant wants to work for them (one to two sentences)

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/JelZI/activity-exemplar-draft-an-elevator-
pitch>

Tips for interviewing remotely

A remote interview is an interview conducted virtually using video platform software. This type of
interview provides an opportunity to connect with hiring managers and recruiters, even if you are not
able to meet with them in person. Remote interviews also present challenges that in-person
interviews do not, such as issues related to technology, lighting, and sound.
In this reading, you will learn tips to successfully prepare for a remote interview.
Test your technology
The first tip is to test the technology you’ll be using for the video. Different companies use different
video platform software to host their remote interviews. Typically, the recruiter or hiring manager will
reach out to you over the phone or email to share information about which software will be used for
the interview.
Once you find out which software the company you’re interviewing with uses, you should download
that software, if you don't have it already. Next, it's important to test your computer’s camera and
microphone to ensure they work well with the video platform software a day or two before the
interview. This allows you to resolve any technical issues you might have. Be mindful of how to
mute and unmute your microphone, just in case there is noise in your environment that you do not
want the interviewer to hear. It’s also important to talk with the recruiter or hiring manager about a
backup plan if the technology does not cooperate when it's time for the interview.
You’ll also want to test any technologies you need to use to ensure you are ready to interview, such
as the closed caption feature on the app. Employers are typically happy to accommodate your needs
if you're using assistive technology or need specific accommodations. If your internet service is not
fast enough to allow for a video interview, you can request a phone interview instead.
Practice communicating through video
Communicating through video can be a challenge because there is a slight sound delay. The sound
delay can make it difficult to know how long to wait for someone to stop speaking and for you to
start. If you don’t have experience communicating through video, consider practicing with friends and
family before the remote interview. This will help you learn how pauses affect video communication.
Create a professional background
Review your video background before the interview. Typically, you should avoid having an
unorganized background or any objects that might distract the interviewer. When interviewing
remotely, ensure that your area is well lit. You might want to rearrange your desk or furniture to
ensure good lighting.
Always try to have light behind your camera so that it will shine on your face. If you can’t position
your desk next to a window or don’t have enough light coming from the window, consider using
artificial light.
Additionally, you should do your best to limit background noise and use a headset, if possible.
Dress appropriately
It’s a good idea to research the company you’re interviewing with to determine which type of
interview outfit is suitable. You might need to wear formal business attire during your remote

Quick Notes Page 34

interview outfit is suitable. You might need to wear formal business attire during your remote
interview for a particular role and company, whereas for another position, more casual clothing might
be appropriate. Typically, it is better to overdress than to underdress, especially for more traditional
businesses.
Look at the interviewer when speaking
When communicating through video, try to look at the interviewer when speaking instead of at the
camera. Looking at the interviewer can give them the feeling that you’re engaged in the conversation
and focused on what they’re saying.
Sign in early
Before the interview, test your technology. This will help you feel confident that everything will work.
However, technology and software can be unpredictable. If possible, sign in to your remote interview
early to ensure everything is working properly.
Signing in early also indicates to your interviewer that you respect their time and are a punctual
person.
Key takeaways
Follow the tips in this reading to become more confident with the remote interviewing process.
Always test your technology before the interview to ensure it works well with the video platform
software being used for the interview.

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/Hks36/tips-for-interviewing-remotely>

Glossary terms from module 5

Terms and definitions from Course 8, Module 5
Rapport: A friendly relationship in which the people involved understand each other’s ideas and
communicate well with each other
STAR method: An interview technique used to answer behavioral and situational questions
Elevator pitch: A brief summary of your experience, skills, and background
Mark as completed
Like
Dislike
Report an issue

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/NPSwP/glossary-terms-from-module-5>

Glossary
Cybersecurity

Terms and definitions from Course 8

B
Business continuity plan: A document that outlines the procedures to sustain
business operations during and after a significant disruption
C
Confidential data: Data that often has limits on the number of people who have
access to it
D
Data controller: A person that determines the procedure and purpose for processing
data
Data processor: A person that is responsible for processing data on behalf of the data
controller
Data protection officer (DPO): An individual that is responsible for monitoring the
compliance of an organization's data protection procedures
E
Elevator pitch: A brief summary of your experience, skills, and background
Escalation policy: A set of actions that outlines who should be notified when an

Quick Notes Page 35

 Escalation policy: A set of actions that outlines who should be notified when an
incident alert occurs and how that incident should be handled

I
Improper usage: An incident type that occurs when an employee of an organization
violates the organization’s acceptable use policies
Incident escalation: The process of identifying a potential security incident, triaging it,
and handing it off to a more experienced team member
M
Malware infection: An incident type that occurs when malicious software designed to
disrupt a system infiltrates an organization’s computers or network
O
OWASP Top 10: A globally recognized standard awareness document that lists the top
10 most critical security risks to web applications
P
Private data: Information that should be kept from the public
Public data: Data that is already accessible to the public and poses a minimal risk to
the organization if viewed or shared by others
R
Rapport: A friendly relationship in which the people involved understand each other’s
ideas and communicate well with each other
S
Security mindset: The ability to evaluate risk and constantly seek out and identify the
potential or actual breach of a system, an application, or data

Sensitive data: A type of data that includes personally identifiable information (PII),
sensitive personally identifiable information (SPII), or protected health information
(PHI)
Stakeholder: An individual or a group that has an interest in any decision or activity of
an organization
STAR method: An interview technique used to answer behavioral and situational
questions
U
Unauthorized access: An incident type that occurs when an individual gains digital or
physical access to a system or an application without permission

V
Visual dashboard: A way of displaying various types of data quickly in one place

Introduction to AI in Cybersecurity
In the fast-paced world of cybersecurity, staying ahead of threats requires leveraging the latest
technology. AI tools are transforming the way cybersecurity professionals work, offering powerful
capabilities to analyze data, streamline communications, and make informed decisions.
Artificial intelligence (AI) refers to computer programs that can complete cognitive tasks typically
associated with human intelligence. You can use AI tools to augment and automate general work
tasks, such as drafting emails and documents, summarizing information, and helping to analyze
data.
In this lesson, you'll discover how you can integrate AI into your daily cybersecurity tasks. We'll
explore how AI is already being used by cybersecurity professionals to help automate routine tasks,
enhance productivity, and strengthen defenses against cyber attacks.
Throughout this lesson, you will:
• Learn foundational concepts of AI.
• Discover AI tools used in the cybersecurity field.
• Review examples of how AI is used in the day-to-day work of a Google cybersecurity professional.
• Gain hands-on practice in using AI to streamline your tasks.

Quick Notes Page 36

• Gain hands-on practice in using AI to streamline your tasks.
As you begin your career as a cybersecurity professional, this lesson will give you the basic
information you need to experiment with AI tools, identify opportunities for leveraging AI in your
cybersecurity role, and keep up to date with industry changes.
The double-edged sword of AI
While AI is a powerful ally in cybersecurity, it's also crucial to recognize its potential vulnerabilities.
As AI systems become more prevalent, they become attractive targets for malicious actors.
Cybercriminals can leverage AI to launch more sophisticated attacks, evade detection, and exploit
system weaknesses.
As a cybersecurity professional, understanding AI's potential for both good and harm is paramount.
You'll need to master the tools and techniques to secure AI systems and stay one step ahead of
those who seek to misuse them.
By the end of this lesson, you'll be equipped to leverage AI's power to help protect your organization
and contribute to a safer digital world. Let’s get started!

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/XlVQH/introduction-to-ai-in-
cybersecurity>

Use generative AI to work smarter and faster

In the introductory reading you learned that AI refers to computer programs that can complete
cognitive tasks typically associated with human intelligence. One specific type of AI is generative AI
(gen AI), which is AI that can generate new content, like text, images, or other media. Gemini,
ChatGPT by OpenAI, and Microsoft Copilot are examples of generative AI tools. You can interact
with a generative AI tool by entering a prompt, which is input that provides instructions to an AI tool
about how to generate output. The tool then creates new content based on that prompt.
In your work as a cybersecurity professional, you can leverage generative AI tools to help you
complete both practical and creative tasks. Consider these applications of generative AI tools that
can help you work more efficiently and effectively:
• Create content. You can use generative AI tools to generate text, images, and other media. For
example, you might create a large set of fake data to test the cybersecurity tools your organization
uses.
• Analyze information quickly. Generative AI tools can analyze large amounts of content quickly.
For example, you might use generative AI to summarize reports or meeting transcripts that contain
important information related to the security of your organization, helping you identify key details
quicker.
• Answer questions in detailed and nuanced ways. Generative AI is effective at summarizing
information, which makes it useful for research. For example, you can prompt a generative AI tool to
provide you with information about common types of cybersecurity threats, such as malware and
ransomware.
• Simplify day-to-day work. You can also use generative AI to augment routine tasks. For example,
AI tools can quickly provide an initial analysis of whether an email is likely to be malicious.
In the upcoming series of videos you will be introduced to Luis, a cybersecurity professional working
at Google. Luis will introduce you to the ways that he incorporates AI into his daily workflows to do
things like check code, understand system vulnerabilities, and more.
The ways you might use generative AI in your work will likely go beyond these examples as the
capabilities of AI tools expand, and as you continue your own development as a cybersecurity
professional.

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/zScF0/use-generative-ai-to-work-smarter-
and-faster>

Key takeaways from AI in Cybersecurity

In this lesson, you learned about AI and how it can help you as a cybersecurity professional. Then,
you practiced prompting a generative AI (gen AI) tool to produce useful outputs. It’s helpful to use
the TCREI (task, context, references, evaluate, and iterate) framework to guide your prompts. When
you Thoughtfully Create Really Excellent Inputs, you’re more likely to get results that work for you!
Keep experimenting with generative AI tools to spark ideas, enhance your productivity, minimize
errors, and support your decision-making. Practice with Gemini or other tools to explore these topics
further and apply your Google Cybersecurity Certificate knowledge to your work—or use them outside

Quick Notes Page 37

 further and apply your Google Cybersecurity Certificate knowledge to your work—or use them outside
of work to continue your AI learning journey.
Key takeaways
The growing role of AI in cybersecurity
AI is rapidly changing the cybersecurity domain. As a cybersecurity professional, you can help boost
your career by understanding this powerful technology and how to use it effectively in your daily
work. While you continue to develop expertise in this profession, remember that:
• Understanding and using AI is important for your future success as a cybersecurity professional, as
AI tools become more commonly used in the field.
• AI tools can help you perform tasks such as identifying risks, automating responses, and prioritizing
threats.
• You may be involved in securing AI systems in your organization.
How cybersecurity professionals can use generative AI to
work smarter and faster
Generative AI is a type of AI that’s capable of creating new content. You can use gen AI tools to
complete both practical and creative tasks. As a cybersecurity professional, you might use gen AI
tools to:
• Create content, like lists of cybersecurity best practices that members of your organization can
reference.
• Analyze and summarize large amounts of information, like security reports.
• Answer questions you have about common cybersecurity threats.
• Simplify daily tasks, like determining whether an email shows signs of phishing.
Basic guidelines for responsible use of generative AI
AI tools have their share of limitations. To use generative AI responsibly, make sure to:
• Review generative AI outputs carefully for accuracy and usefulness.
• Disclose your use of generative AI.
• Consider the privacy and security implications of using generative AI, and avoid entering sensitive
information.
• Apply a human-in-the-loop approach, as AI should always serve as a complement to our human
skills and abilities.
Note: This list is not exhaustive. Be sure to check your company’s policies on the use of generative
AI.
AI in action: real-world applications in cybersecurity
In the videos, you learned how a real cybersecurity professional harnesses AI technology in their
role at Google. Luis shared how gen AI tools like Gemini can:
• Help cybersecurity professionals understand, navigate, and adopt complex security frameworks.
• Scan code for common errors, vulnerabilities, and potential performance bottlenecks.
• Make suggestions to update and improve code written in Python or other programming languages.
• Describe common security vulnerabilities, their potential impact, and how to mitigate them.
• Assist security professionals with key detection and response tasks, such as investigating alerts.
Try these examples out yourself using Gemini or another generative AI tool, and keep experimenting
to uncover new ways to apply AI to your role and responsibilities. With help from AI, you can spend
less time on repetitive, routine tasks and devote more of your energy and attention to keeping
people, organizations, and data safe—the work you’re uniquely qualified to do as a cybersecurity
professional.
Resources for more information
If you’re interested in learning more, please visit the following resources:
• All Things Generative AI: Delve into a more comprehensive introduction to generative AI, along with
links to a few other popular generative AI tools.
• Global Trends 2040: A More Contested World: Investigate how technological trends, including AI,
are expected to transform the world over the next 20 years in this publication from the U.S. Office of
the Director of National Intelligence.
• Introducing Google’s Secure AI Framework: Explore key elements of Google’s Secure AI Framework
(SAIF) and how Google uses and supports SAIF.
• Science & Tech Spotlight: Generative AI: Discover why generative AI systems matter in today’s

Quick Notes Page 38

• Science & Tech Spotlight: Generative AI: Discover why generative AI systems matter in today’s
world in this article by the U.S. Government Accountability Office (GAO).
• There’s More to AI Bias Than Biased Data, NIST Report Highlights: Examine the risks involved
when bias is present in AI data and recommendations for mitigating these risks, based on research
performed by the National Institute of Standards and Technology (NIST), U.S. Department of
Commerce.

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/eYhM9/key-takeaways-from-ai-in-
cybersecurity>

Take the next step with Google AI Essentials

Congratulations on completing the AI for Cybersecurity lesson! You've explored foundational AI
concepts, AI tools, and practical applications of generative AI—and this is just the beginning!
If you’re ready to hone your skills and take your AI expertise to the next level—the Google AI
Essentials course is the perfect next step!
Google AI Essentials is a self-paced course designed to help people across roles and industries
get essential AI skills to boost their productivity, zero experience required. The course is taught
by AI experts at Google who are working to make the technology helpful for everyone. In under
10 hours, they’ll do more than teach you about AI—they’ll show you how to actually use it in your
day-to-day work.
• Stuck at the beginning of a project? You’ll learn how to use AI tools to generate ideas and
content.
• Planning an event? You’ll use AI tools to help research, organize, and make more informed
decisions.
• Drowning in a flooded inbox? You’ll use AI tools to help speed up those daily work tasks like
drafting email responses.
You’ll also learn how to write effective prompts and use AI responsibly by identifying AI’s
potential biases and avoiding harm. After you complete the course, you’ll earn a certificate from
Google to share with your network and employer. By using AI as a helpful collaboration tool, you
can set yourself up for success in today’s dynamic workplace—and you don’t even need
programming skills to use it.

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/wVjrF/take-the-next-step-with-google-ai-
essentials>

Showcase your work

Congratulations on earning your Google Cybersecurity Certificate! Now it’s time to let the world know
about the skills you’ve gained to help advance your career. We recommend adding the completion of
this certificate program to your resume and LinkedIn® profile. Read on and follow these tips to get
started.
Add the Google Cybersecurity Certificate to your
resume and LinkedIn® profile
You may have already started on a cybersecurity resume earlier in the program. If not, there are a
variety of digital templates for creating your resume available at Enhancv, Big Interview, Google
Docs, or Microsoft Word. You can find additional resume creation guidance in this lesson from
Google Applied Digital Skills: Start a Resume.
Update your Education or Licenses and Certifications
section
• To add the completion of this certificate to your resume, update your Education or Licenses &
Certifications section.
• To add the completion of this certificate to the Licenses & Certifications section of your LinkedIn
profile, follow the steps listed in this LinkedIn® Help article.

Quick Notes Page 39

 Update your Skills section
• If applicable, update the Skills section of your resume. Following is a comprehensive list of skills
that this certificate was designed to help you develop that you could potentially add.
• To update the Skills & Endorsements section of your LinkedIn® profile, follow the steps listed in
this LinkedIn® Help article.

Update your Summary or About section

• If your resume has a Summary section, you can include this certification as a qualification.
• To include a summary that mentions this certification in your LinkedIn® profile, update your About
section by following the steps listed in this LinkedIn® Help article.
Here is an example of a professional summary:

Add your badge

Check out the next course item to learn how to claim your Google Cybersecurity Certificate
completion badge and add it to your LinkedIn® profile!

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/4QvT9/showcase-your-work>

Showcase your work

Congratulations on earning your Google Cybersecurity Certificate! Now it’s time to let the world know
about the skills you’ve gained to help advance your career. We recommend adding the completion of
this certificate program to your resume and LinkedIn® profile. Read on and follow these tips to get
started.
Add the Google Cybersecurity Certificate to your
resume and LinkedIn® profile
You may have already started on a cybersecurity resume earlier in the program. If not, there are a
variety of digital templates for creating your resume available at Enhancv, Big Interview, Google
Docs, or Microsoft Word. You can find additional resume creation guidance in this lesson from
Google Applied Digital Skills: Start a Resume.
Update your Education or Licenses and Certifications
section
Quick Notes Page 40
 section
• To add the completion of this certificate to your resume, update your Education or Licenses &
Certifications section.
• To add the completion of this certificate to the Licenses & Certifications section of your LinkedIn
profile, follow the steps listed in this LinkedIn® Help article.

Update your Skills section

• If applicable, update the Skills section of your resume. Following is a comprehensive list of skills
that this certificate was designed to help you develop that you could potentially add.
• To update the Skills & Endorsements section of your LinkedIn® profile, follow the steps listed in
this LinkedIn® Help article.

Update your Summary or About section

• If your resume has a Summary section, you can include this certification as a qualification.
• To include a summary that mentions this certification in your LinkedIn® profile, update your About
section by following the steps listed in this LinkedIn® Help article.
Here is an example of a professional summary:

Add your badge

Check out the next course item to learn how to claim your Google Cybersecurity Certificate
completion badge and add it to your LinkedIn® profile!

From <https://www.coursera.org/learn/prepare-for-cybersecurity-jobs/supplement/4QvT9/showcase-your-work>

Glossary
Cybersecurity

Terms and definitions from the certificate

A
Absolute file path: The full file path, which starts from the root
Access controls: Security controls that manage access, authorization, and
accountability of information

Quick Notes Page 41

accountability of information
Active packet sniffing: A type of attack where data packets are manipulated in transit
Address Resolution Protocol (ARP): A network protocol used to determine the MAC
address of the next router or device on the path
Advanced persistent threat (APT): An instance when a threat actor maintains
unauthorized access to a system for an extended period of time
Adversarial artificial intelligence (AI): A technique that manipulates artificial
intelligence (AI) and machine learning (ML) technology to conduct attacks more
efficiently
Adware: A type of legitimate software that is sometimes used to display digital
advertisements in applications
Algorithm: A set of rules used to solve a problem
Analysis: The investigation and validation of alerts
Angler phishing: A technique where attackers impersonate customer service
representatives on social media
Anomaly-based analysis: A detection method that identifies abnormal behavior

Antivirus software: A software program used to prevent, detect, and eliminate

malware and viruses
Application: A program that performs a specific task
Application programming interface (API) token: A small block of encrypted code
that contains information about a user
Argument (Linux): Specific information needed by a command
Argument (Python): The data brought into a function when it is called
Array: A data type that stores data in a comma-separated ordered list
Assess: The fifth step of the NIST RMF that means to determine if established controls
are implemented correctly
Asset: An item perceived as having value to an organization
Asset classification: The practice of labeling assets based on sensitivity and
importance to an organization
Asset inventory: A catalog of assets that need to be protected
Asset management: The process of tracking assets and the risks that affect them
Asymmetric encryption: The use of a public and private key pair for encryption and
decryption of data
Attack surface: All the potential vulnerabilities that a threat actor could exploit
Attack tree: A diagram that maps threats to assets
Attack vectors: The pathways attackers use to penetrate security defenses
Authentication: The process of verifying who someone is
Authorization: The concept of granting access to specific resources in a system
Authorize: The sixth step of the NIST RMF that refers to being accountable for the
security and privacy risks that might exist in an organization
Automation: The use of technology to reduce human and manual effort to perform
common and repetitive tasks
Availability: The idea that data is accessible to those who are authorized to access it

B
Baiting: A social engineering tactic that tempts people into compromising their
security
Bandwidth: The maximum data transmission capacity over a network, measured by
bits per second
Baseline configuration (baseline image): A documented set of specifications within
a system that is used as a basis for future builds, releases, and updates
Bash: The default shell in most Linux distributions
Basic auth: The technology used to establish a user’s request to access a server

Quick Notes Page 42

Basic auth: The technology used to establish a user’s request to access a server
Basic Input/Output System (BIOS): A microchip that contains loading instructions for
the computer and is prevalent in older systems
Biometrics: The unique physical characteristics that can be used to verify a person’s
identity
Bit: The smallest unit of data measurement on a computer
Boolean data: Data that can only be one of two values: either True or False
Bootloader: A software program that boots the operating system
Botnet: A collection of computers infected by malware that are under the control of a
single threat actor, known as the “bot-herder"
Bracket notation: The indices placed in square brackets
Broken chain of custody: Inconsistencies in the collection and logging of evidence in
the chain of custody
Brute force attack: The trial and error process of discovering private information
Bug bounty: Programs that encourage freelance hackers to find and report
vulnerabilities
Built-in function: A function that exists within Python and can be called directly

Business continuity: An organization's ability to maintain their everyday productivity

by establishing risk disaster recovery plans
Business continuity plan (BCP): A document that outlines the procedures to sustain
business operations during and after a significant disruption
Business Email Compromise (BEC): A type of phishing attack where a threat actor
impersonates a known source to obtain financial advantage
C
Categorize: The second step of the NIST RMF that is used to develop risk
management processes and tasks
CentOS: An open-source distribution that is closely related to Red Hat
Central Processing Unit (CPU): A computer’s main processor, which is used to
perform general computing tasks on a computer
Chain of custody: The process of documenting evidence possession and control
during an incident lifecycle
Chronicle: A cloud-native tool designed to retain, analyze, and search data
Cipher: An algorithm that encrypts information
Cloud-based firewalls: Software firewalls that are hosted by the cloud service
provider
Cloud computing: The practice of using remote servers, applications, and network
services that are hosted on the internet instead of on local physical devices
Cloud network: A collection of servers or computers that stores resources and data in
remote data centers that can be accessed via the internet
Cloud security: The process of ensuring that assets stored in the cloud are properly
configured and access to those assets is limited to authorized users
Command: An instruction telling the computer to do something
Command and control (C2): The techniques used by malicious actors to maintain
communications with compromised systems

Command-line interface (CLI): A text-based user interface that uses commands to

interact with the computer
Comment: A note programmers make about the intention behind their code
Common Event Format (CEF): A log format that uses key-value pairs to structure
data and identify fields and their corresponding values
Common Vulnerabilities and Exposures (CVE®) list: An openly accessible dictionary
of known vulnerabilities and exposures
Common Vulnerability Scoring System (CVSS): A measurement system that scores

Quick Notes Page 43

Common Vulnerability Scoring System (CVSS): A measurement system that scores
the severity of a vulnerability
Compliance: The process of adhering to internal standards and external regulations
Computer security incident response teams (CSIRT): A specialized group of
security professionals that are trained in incident management and response
Computer virus: Malicious code written to interfere with computer operations and
cause damage to data and software
Conditional statement: A statement that evaluates code to determine if it meets a
specified set of conditions
Confidentiality: The idea that only authorized users can access specific assets or data
Confidential data: Data that often has limits on the number of people who have
access to it
Confidentiality, integrity, availability (CIA) triad: A model that helps inform how
organizations consider risk when setting up systems and security policies
Configuration file: A file used to configure the settings of an application
Containment: The act of limiting and preventing additional damage caused by an
incident
Controlled zone: A subnet that protects the internal network from the uncontrolled
zone
Cross-site scripting (XSS): An injection attack that inserts code into a vulnerable
website or web application

Crowdsourcing: The practice of gathering information using public input and

collaboration
Cryptographic attack: An attack that affects secure forms of communication
between a sender and intended recipient
Cryptographic key: A mechanism that decrypts ciphertext
Cryptography: The process of transforming information into a form that unintended
readers can’t understand
Cryptojacking: A form of malware that installs software to illegally mine
cryptocurrencies
CVE Numbering Authority (CNA): An organization that volunteers to analyze and
distribute information on eligible CVEs
Cybersecurity (or security): The practice of ensuring confidentiality, integrity, and
availability of information by protecting networks, devices, people, and data from
unauthorized access or criminal exploitation
D
Data: Information that is translated, processed, or stored by a computer
Data at rest: Data not currently being accessed
Database: An organized collection of information or data
Data controller: A person that determines the procedure and purpose for processing
data
Data custodian: Anyone or anything that’s responsible for the safe handling,
transport, and storage of information
Data exfiltration: Unauthorized transmission of data from a system
Data in transit: Data traveling from one point to another
Data in use: Data being accessed by one or more users
Data owner: The person who decides who can access, edit, use, or destroy their
information

Data packet: A basic unit of information that travels from one device to another within
a network
Data point: A specific piece of information
Data processor: A person that is responsible for processing data on behalf of the data

Quick Notes Page 44

Data processor: A person that is responsible for processing data on behalf of the data
controller
Data protection officer (DPO): An individual that is responsible for monitoring the
compliance of an organization's data protection procedures
Data type: A category for a particular type of data item
Date and time data: Data representing a date and/or time
Debugger: A software tool that helps to locate the source of an error and assess its
causes
Debugging: The practice of identifying and fixing errors in code
Defense in depth: A layered approach to vulnerability management that reduces risk
Denial of service (DoS) attack: An attack that targets a network or server and floods
it with network traffic
Detect: A NIST core function related to identifying potential security incidents and
improving monitoring capabilities to increase the speed and efficiency of detections
Detection: The prompt discovery of security events
Dictionary data: Data that consists of one or more key-value pairs
Digital certificate: A file that verifies the identity of a public key holder
Digital forensics: The practice of collecting and analyzing data to determine what has
happened after an attack
Directory: A file that organizes where other files are stored
Disaster recovery plan: A plan that allows an organization’s security team to outline
the steps needed to minimize the impact of a security incident

Distributed denial of service (DDoS) attack: A type of denial of service attack that
uses multiple devices or servers located in different locations to flood the target
network with unwanted traffic
Distributions: The different versions of Linux
Documentation: Any form of recorded content that is used for a specific purpose
DOM-based XSS attack: An instance when malicious script exists in the webpage a
browser loads
Domain Name System (DNS): A networking protocol that translates internet domain
names into IP addresses
Dropper: A type of malware that comes packed with malicious code which is delivered
and installed onto a target system
E
Elevator pitch: A brief summary of your experience, skills, and background
Encapsulation: A process performed by a VPN service that protects your data by
wrapping sensitive data in other data packets
Encryption: The process of converting data from a readable format to an encoded
format
Endpoint: Any device connected on a network
Endpoint detection and response (EDR): An application that monitors an endpoint
for malicious activity
Eradication: The complete removal of the incident elements from all affected systems
Escalation policy: A set of actions that outline who should be notified when an
incident alert occurs and how that incident should be handled
Event: An observable occurrence on a network, system, or device
Exception: An error that involves code that cannot be executed even though it is
syntactically correct
Exclusive operator: An operator that does not include the value of comparison

Exploit: A way of taking advantage of a vulnerability

Exposure: A mistake that can be exploited by a threat
External threat: Anything outside the organization that has the potential to harm

Quick Notes Page 45

External threat: Anything outside the organization that has the potential to harm
organizational assets
F
False negative: A state where the presence of a threat is not detected
False positive: An alert that incorrectly detects the presence of a threat
Fileless malware: Malware that does not need to be installed by the user because it
uses legitimate programs that are already installed to infect a computer
File path: The location of a file or directory
Filesystem Hierarchy Standard (FHS): The component of the Linux OS that organizes
data
Filtering: Selecting data that match a certain condition
Final report: Documentation that provides a comprehensive review of an incident
Firewall: A network security device that monitors traffic to or from a network
Float data: Data consisting of a number with a decimal point
Foreign key: A column in a table that is a primary key in another table
Forward proxy server: A server that regulates and restricts a person’s access to the
internet
Function: A section of code that can be reused in a program
G
Global variable: A variable that is available through the entire program
Graphical user interface (GUI): A user interface that uses icons on the screen to
manage different tasks on the computer

H
Hacker: Any person who uses computers to gain access to computer systems,
networks, or data
Hacktivist: A person who uses hacking to achieve a political goal
Hard drive: A hardware component used for long-term memory
Hardware: The physical components of a computer
Hash collision: An instance when different inputs produce the same hash value
Hash function: An algorithm that produces a code that can’t be decrypted
Hash table: A data structure that's used to store and reference hash values
Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law
established to protect patients’ health information
Honeypot: A system or resource created as a decoy vulnerable to attacks with the
purpose of attracting potential intruders
Host-based intrusion detection system (HIDS): An application that monitors the
activity of the host on which it’s installed
Hub: A network device that broadcasts information to every device on the network
Hypertext Transfer Protocol (HTTP): An application layer protocol that provides a
method of communication between clients and website servers
Hypertext Transfer Protocol Secure (HTTPS): A network protocol that provides a
secure method of communication between clients and website servers
I
Identify: A NIST core function related to management of cybersecurity risk and its
effect on an organization’s people and assets
Identity and access management (IAM): A collection of processes and technologies
that helps organizations manage digital identities in their environment
IEEE 802.11 (Wi-Fi): A set of standards that define communication for wireless LANs

Immutable: An object that cannot be changed after it is created and assigned a value
Implement: The fourth step of the NIST RMF that means to implement security and
privacy plans for an organization
Improper usage: An incident type that occurs when an employee of an organization

Quick Notes Page 46

Improper usage: An incident type that occurs when an employee of an organization
violates the organization’s acceptable use policies
Incident: An occurrence that actually or imminently jeopardizes, without lawful
authority, the confidentiality, integrity, or availability of information or an information
system; or constitutes a violation or imminent threat of violation of law, security
policies, security procedures, or acceptable use policies
Incident escalation: The process of identifying a potential security incident, triaging it,
and handing it off to a more experienced team member
Incident handler’s journal: A form of documentation used in incident response
Incident response: An organization’s quick attempt to identify an attack, contain the
damage, and correct the effects of a security breach
Incident response plan: A document that outlines the procedures to take in each step
of incident response
Inclusive operator: An operator that includes the value of comparison
Indentation: Space added at the beginning of a line of code
Index: A number assigned to every element in a sequence that indicates its position
Indicators of attack (IoA): The series of observed events that indicate a real-time
incident
Indicators of compromise (IoC): Observable evidence that suggests signs of a
potential security incident
Information privacy: The protection of unauthorized access and distribution of data
Information security (InfoSec): The practice of keeping data in all states away from
unauthorized users
Injection attack: Malicious code inserted into a vulnerable application
Input validation: Programming that validates inputs from users and other programs

Integer data: Data consisting of a number that does not include a decimal point
Integrated development environment (IDE): A software application for writing code
that provides editing assistance and error correction tools
Integrity: The idea that the data is correct, authentic, and reliable
Internal hardware: The components required to run the computer
Internal threat: A current or former employee, external vendor, or trusted partner who
poses a security risk
Internet Control Message Protocol (ICMP): An internet protocol used by devices to
tell each other about data transmission errors across the network
Internet Control Message Protocol flood (ICMP flood): A type of DoS attack
performed by an attacker repeatedly sending ICMP request packets to a network
server
Internet Protocol (IP): A set of standards used for routing and addressing data
packets as they travel between devices on a network
Internet Protocol (IP) address: A unique string of characters that identifies the
location of a device on the internet
Interpreter: A computer program that translates Python code into runnable
instructions line by line
Intrusion detection system (IDS): An application that monitors system activity and
alerts on possible intrusions
Intrusion prevention system (IPS): An application that monitors system activity for
intrusive activity and takes action to stop the activity
IP spoofing: A network attack performed when an attacker changes the source IP of a
data packet to impersonate an authorized system and gain access to a network
Iterative statement: Code that repeatedly executes a set of instructions
K

KALI LINUX TM: An open-source distribution of Linux that is widely used in the security

Quick Notes Page 47

KALI LINUX TM: An open-source distribution of Linux that is widely used in the security
industry
Kernel: The component of the Linux OS that manages processes and memory
Key-value pair: A set of data that represents two linked items: a key, and its
corresponding value
L
Legacy operating system: An operating system that is outdated but still being used
Lessons learned meeting: A meeting that includes all involved parties after a major
incident
Library: A collection of modules that provide code users can access in their programs
Linux: An open-source operating system
List concatenation: The concept of combining two lists into one by placing the
elements of the second list directly after the elements of the first list
List data: Data structure that consists of a collection of data in sequential form
Loader: A type of malware that downloads strains of malicious code from an external
source and installs them onto a target system
Local Area Network (LAN): A network that spans small areas like an office building, a
school, or a home
Local variable: A variable assigned within a function
Log: A record of events that occur within an organization’s systems
Log analysis: The process of examining logs to identify events of interest
Logging: The recording of events occurring on computer systems and networks
Logic error: An error that results when the logic used in code produces unintended
results
Log management: The process of collecting, storing, analyzing, and disposing of log
data

Loop condition: The part of a loop that determines when the loop terminates
Loop variable: A variable that is used to control the iterations of a loop
M
Malware: Software designed to harm devices or networks
Malware infection: An incident type that occurs when malicious software designed to
disrupt a system infiltrates an organization’s computers or network
Media Access Control (MAC) address: A unique alphanumeric identifier that is
assigned to each physical device on a network
Method: A function that belongs to a specific data type
Metrics: Key technical attributes such as response time, availability, and failure rate,
which are used to assess the performance of a software application
MITRE: A collection of non-profit research and development centers
Modem: A device that connects your router to the internet and brings internet access
to the LAN
Module: A Python file that contains additional functions, variables, classes, and any
kind of runnable code
Monitor: The seventh step of the NIST RMF that means be aware of how systems are
operating
Multi-factor authentication (MFA): A security measure that requires a user to verify
their identity in two or more ways to access a system or network
N
nano: A command-line file editor that is available by default in many Linux distributions
National Institute of Standards and Technology (NIST) Cybersecurity Framework
(CSF): A voluntary framework that consists of standards, guidelines, and best
practices to manage cybersecurity risk
National Institute of Standards and Technology (NIST) Incident Response
Lifecycle: A framework for incident response consisting of four phases: Preparation;

Quick Notes Page 48

Lifecycle: A framework for incident response consisting of four phases: Preparation;

Detection and Analysis; Containment, Eradication and Recovery, and Post-incident

activity
National Institute of Standards and Technology (NIST) Special Publication (S.P.)
800-53: A unified framework for protecting the security of information systems within
the U.S. federal government
Network: A group of connected devices
Network-based intrusion detection system (NIDS): An application that collects and
monitors network traffic and network data
Network data: The data that’s transmitted between devices on a network
Network Interface Card (NIC): Hardware that connects computers to a network
Network log analysis: The process of examining network logs to identify events of
interest
Network protocol analyzer (packet sniffer): A tool designed to capture and analyze
data traffic within a network
Network protocols: A set of rules used by two or more devices on a network to
describe the order of delivery and the structure of data
Network security: The practice of keeping an organization's network infrastructure
secure from unauthorized access
Network segmentation: A security technique that divides the network into segments
Network traffic: The amount of data that moves across a network
Non-repudiation: The concept that the authenticity of information can’t be denied
Notebook: An online interface for writing, storing, and running code
Numeric data: Data consisting of numbers
O
OAuth: An open-standard authorization protocol that shares designated access
between applications

Object: A data type that stores data in a comma-separated list of key-value pairs
On-path attack: An attack where a malicious actor places themselves in the middle of
an authorized connection and intercepts or alters the data in transit
Open-source intelligence (OSINT): The collection and analysis of information from
publicly available sources to generate usable intelligence
Open systems interconnection (OSI) model: A standardized concept that describes
the seven layers computers use to communicate and send data over the network
Open Web Application Security Project/Open Worldwide Application Security
Project (OWASP): A non-profit organization focused on improving software security
Operating system (OS): The interface between computer hardware and the user
Operator: A symbol or keyword that represents an operation
Options: Input that modifies the behavior of a command
Order of volatility: A sequence outlining the order of data that must be preserved
from first to last
OWASP Top 10: A globally recognized standard awareness document that lists the top
10 most critical security risks to web applications
P
Package: A piece of software that can be combined with other packages to form an
application
Package manager: A tool that helps users install, manage, and remove packages or
applications
Packet capture (P-cap): A file containing data packets intercepted from an interface
or network
Packet sniffing: The practice of capturing and inspecting data packets across a
network

Quick Notes Page 49

network
Parameter (Python): An object that is included in a function definition for use in that
function

Parrot: An open-source distribution that is commonly used for security

Parsing: The process of converting data into a more readable format
Passive packet sniffing: A type of attack where a malicious actor connects to a
network hub and looks at all traffic on the network
Password attack: An attempt to access password secured devices, systems,
networks, or data
Patch update: A software and operating system update that addresses security
vulnerabilities within a program or product
Payment Card Industry Data Security Standards (PCI DSS): A set of security
standards formed by major organizations in the financial industry
Penetration test (pen test): A simulated attack that helps identify vulnerabilities in
systems, networks, websites, applications, and processes
PEP 8 style guide: A resource that provides stylistic guidelines for programmers
working in Python
Peripheral devices: Hardware components that are attached and controlled by the
computer system
Permissions: The type of access granted for a file or directory
Personally identifiable information (PII): Any information used to infer an individual's
identity
Phishing: The use of digital communications to trick people into revealing sensitive
data or deploying malicious software
Phishing kit: A collection of software tools needed to launch a phishing campaign
Physical attack: A security incident that affects not only digital but also physical
environments where the incident is deployed
Physical social engineering: An attack in which a threat actor impersonates an
employee, customer, or vendor to obtain unauthorized access to a physical location
Ping of death: A type of DoS attack caused when a hacker pings a system by sending
it an oversized ICMP packet that is bigger than 64KB
Playbook: A manual that provides details about any operational action

Policy: A set of rules that reduce risk and protect information

Port: A software-based location that organizes the sending and receiving of data
between devices on a network
Port filtering: A firewall function that blocks or allows certain port numbers to limit
unwanted communication
Post-incident activity: The process of reviewing an incident to identify areas for
improvement during incident handling
Potentially unwanted application (PUA): A type of unwanted software that is
bundled in with legitimate programs which might display ads, cause device slowdown,
or install other software
Private data: Information that should be kept from the public
Prepare: The first step of the NIST RMF related to activities that are necessary to
manage security and privacy risks before a breach occurs
Prepared statement: A coding technique that executes SQL statements before
passing them on to a database
Primary key: A column where every row has a unique entry
Principle of least privilege: The concept of granting only the minimal access and
authorization required to complete a task or function
Privacy protection: The act of safeguarding personal information from unauthorized
use

Quick Notes Page 50

use
Procedures: Step-by-step instructions to perform a specific security task
Process of Attack Simulation and Threat Analysis (PASTA): A popular threat
modeling framework that’s used across many industries
Programming: A process that can be used to create a specific set of instructions for a
computer to execute tasks
Protect: A NIST core function used to protect an organization through the
implementation of policies, procedures, training, and tools that help mitigate
cybersecurity threats

Protected health information (PHI): Information that relates to the past, present, or
future physical or mental health or condition of an individual
Protecting and preserving evidence: The process of properly working with fragile
and volatile digital evidence
Proxy server: A server that fulfills the requests of its clients by forwarding them to
other servers
Public data: Data that is already accessible to the public and poses a minimal risk to
the organization if viewed or shared by others
Public key infrastructure (PKI): An encryption framework that secures the exchange
of online information
Python Standard Library: An extensive collection of Python code that often comes
packaged with Python
Q
Query: A request for data from a database table or a combination of tables
Quid pro quo: A type of baiting used to trick someone into believing that they’ll be
rewarded in return for sharing access, information, or money
R
Rainbow table: A file of pre-generated hash values and their associated plaintext
Random Access Memory (RAM): A hardware component used for short-term
memory
Ransomware: A malicious attack where threat actors encrypt an organization’s data
and demand payment to restore access
Rapport: A friendly relationship in which the people involved understand each other’s
ideas and communicate well with each other
Recover: A NIST core function related to returning affected systems back to normal
operation

Recovery: The process of returning affected systems back to normal operations

Red Hat® Enterprise Linux® (also referred to simply as Red Hat in this course): A
subscription-based distribution of Linux built for enterprise use
Reflected XSS attack: An instance when malicious script is sent to a server and
activated during the server’s response
Regular expression (regex): A sequence of characters that forms a pattern
Regulations: Rules set by a government or other authority to control the way
something is done
Relational database: A structured database containing tables that are related to each
other
Relative file path: A file path that starts from the user's current directory
Replay attack: A network attack performed when a malicious actor intercepts a data
packet in transit and delays it or repeats it at another time
Resiliency: The ability to prepare for, respond to, and recover from disruptions
Respond: A NIST core function related to making sure that the proper procedures are
used to contain, neutralize, and analyze security incidents, and implement
improvements to the security process

Quick Notes Page 51

improvements to the security process
Return statement: A Python statement that executes inside a function and sends
information back to the function call
Reverse proxy server: A server that regulates and restricts the internet's access to an
internal server
Risk: Anything that can impact the confidentiality, integrity, or availability of an asset
Risk mitigation: The process of having the right procedures and rules in place to
quickly reduce the impact of a risk like a breach
Root directory: The highest-level directory in Linux
Rootkit: Malware that provides remote, administrative access to a computer
Root user (or superuser): A user with elevated privileges to modify the system
Router: A network device that connects multiple networks together

S
Salting: An additional safeguard that’s used to strengthen hash functions
Scareware: Malware that employs tactics to frighten users into infecting their device
Search Processing Language (SPL): Splunk’s query language
Secure File Transfer Protocol (SFTP): A secure protocol used to transfer files from
one device to another over a network
Secure shell (SSH): A security protocol used to create a shell with a remote system
Security architecture: A type of security design composed of multiple components,
such as tools and processes, that are used to protect an organization from risks and
external threats
Security audit: A review of an organization's security controls, policies, and
procedures against a set of expectations
Security controls: Safeguards designed to reduce specific security risks
Security ethics: Guidelines for making appropriate decisions as a security
professional
Security frameworks: Guidelines used for building plans to help mitigate risk and
threats to data and privacy
Security governance: Practices that help support, define, and direct security efforts
of an organization
Security hardening: The process of strengthening a system to reduce its
vulnerabilities and attack surface
Security information and event management (SIEM): An application that collects
and analyzes log data to monitor critical activities in an organization
Security mindset: The ability to evaluate risk and constantly seek out and identify the
potential or actual breach of a system, application, or data
Security operations center (SOC): An organizational unit dedicated to monitoring
networks, systems, and devices for security threats or attacks

Security orchestration, automation, and response (SOAR): A collection of

applications, tools, and workflows that use automation to respond to security events
Security posture: An organization’s ability to manage its defense of critical assets and
data and react to change
Security zone: A segment of a company’s network that protects the internal network
from the internet
Select: The third step of the NIST RMF that means to choose, customize, and capture
documentation of the controls that protect an organization
Sensitive data: A type of data that includes personally identifiable information (PII),
sensitive personally identifiable information (SPII), or protected health information
(PHI)
Sensitive personally identifiable information (SPII): A specific type of PII that falls
under stricter handling guidelines

Quick Notes Page 52

under stricter handling guidelines
Separation of duties: The principle that users should not be given levels of
authorization that would allow them to misuse a system
Session: a sequence of network HTTP requests and responses associated with the
same user
Session cookie: A token that websites use to validate a session and determine how
long that session should last
Session hijacking: An event when attackers obtain a legitimate user’s session ID
Session ID: A unique token that identifies a user and their device while accessing a
system
Set data: Data that consists of an unordered collection of unique values
Shared responsibility: The idea that all individuals within an organization take an
active role in lowering risk and maintaining both physical and virtual security
Shell: The command-line interpreter
Signature: A pattern that is associated with malicious activity
Signature analysis: A detection method used to find events of interest

Simple Network Management Protocol (SNMP): A network protocol used for

monitoring and managing devices on a network
Single sign-on (SSO): A technology that combines several different logins into one
Smishing: The use of text messages to trick users to obtain sensitive information or to
impersonate a known source
Smurf attack: A network attack performed when an attacker sniffs an authorized
user’s IP address and floods it with ICMP packets
Social engineering: A manipulation technique that exploits human error to gain
private information, access, or valuables
Social media phishing: A type of attack where a threat actor collects detailed
information about their target on social media sites before initiating the attack
Spear phishing: A malicious email attack targeting a specific user or group of users,
appearing to originate from a trusted source
Speed: The rate at which a device sends and receives data, measured by bits per
second
Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data
Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an
organization's log data to provide security information and alerts in real-time
Spyware: Malware that’s used to gather and sell information without consent
SQL (Structured Query Language): A programming language used to create, interact
with, and request information from a database
SQL injection: An attack that executes unexpected queries on a database
Stakeholder: An individual or group that has an interest in any decision or activity of
an organization
Standard error: An error message returned by the OS through the shell
Standard input: Information received by the OS via the command line
Standard output: Information returned by the OS through the shell
Standards: References that inform how to set policies

STAR method: An interview technique used to answer behavioral and situational

questions
Stateful: A class of firewall that keeps track of information passing through it and
proactively filters out threats
Stateless: A class of firewall that operates based on predefined rules and that does
not keep track of information from data packets
Stored XSS attack: An instance when malicious script is injected directly on the server
String concatenation: The process of joining two strings together

Quick Notes Page 53

String concatenation: The process of joining two strings together
String data: Data consisting of an ordered sequence of characters
Style guide: A manual that informs the writing, formatting, and design of documents
Subnetting: The subdivision of a network into logical groups called subnets
Substring: A continuous sequence of characters within a string
Sudo: A command that temporarily grants elevated permissions to specific users
Supply-chain attack: An attack that targets systems, applications, hardware, and/or
software to locate a vulnerability where malware can be deployed
Suricata: An open-source intrusion detection system, intrusion prevention system, and
network analysis tool
Switch: A device that makes connections between specific devices on a network by
sending and receiving data between them
Symmetric encryption: The use of a single secret key to exchange information
Synchronize (SYN) flood attack: A type of DoS attack that simulates a TCP/IP
connection and floods a server with SYN packets
Syntax: The rules that determine what is correctly structured in a computing language
Syntax error: An error that involves invalid usage of a programming language
T
Tailgating: A social engineering tactic in which unauthorized people follow an
authorized person into a restricted area

TCP/IP model: A framework used to visualize how data is organized and transmitted
across a network
tcpdump: A command-line network protocol analyzer
Technical skills: Skills that require knowledge of specific tools, procedures, and
policies
Telemetry: The collection and transmission of data for analysis
Threat: Any circumstance or event that can negatively impact assets
Threat actor: Any person or group who presents a security risk
Threat hunting: The proactive search for threats on a network
Threat intelligence: Evidence-based threat information that provides context about
existing or emerging threats
Threat modeling: The process of identifying assets, their vulnerabilities, and how each
is exposed to threats
Transferable skills: Skills from other areas that can apply to different careers
Transmission Control Protocol (TCP): An internet communication protocol that
allows two devices to form a connection and stream data
Triage: The prioritizing of incidents according to their level of importance or urgency
Trojan horse: Malware that looks like a legitimate file or program
True negative: A state where there is no detection of malicious activity
True positive An alert that correctly detects the presence of an attack
Tuple data: Data structure that consists of a collection of data that cannot be changed
Type error: An error that results from using the wrong data type
U
Ubuntu: An open-source, user-friendly distribution that is widely used in security and
other industries

Unauthorized access: An incident type that occurs when an individual gains digital or
physical access to a system or application without permission
Uncontrolled zone: Any network outside your organization's control
Unified Extensible Firmware Interface (UEFI): A microchip that contains loading
instructions for the computer and replaces BIOS on more modern systems
USB baiting: An attack in which a threat actor strategically leaves a malware USB stick
for an employee to find and install to unknowingly infect a network

Quick Notes Page 54

for an employee to find and install to unknowingly infect a network
User: The person interacting with a computer
User Datagram Protocol (UDP): A connectionless protocol that does not establish a
connection between devices before transmissions
User-defined function: A function that programmers design for their specific needs
User interface: A program that allows the user to control the functions of the
operating system
User provisioning: The process of creating and maintaining a user's digital identity
V
Variable: A container that stores data
Virtual machine (VM): A virtual version of a physical computer
Virtual Private Network (VPN): A network security service that changes your public
IP address and hides your virtual location so that you can keep your data private when
you are using a public network like the internet
Virus: Malicious code written to interfere with computer operations and cause
damage to data and software
VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs,
and IP addresses for malicious content
Vishing: The exploitation of electronic voice communication to obtain sensitive
information or to impersonate a known source
Visual dashboard: A way of displaying various types of data quickly in one place

Vulnerability: A weakness that can be exploited by a threat

Vulnerability assessment: The internal review process of an organization's security
systems
Vulnerability management: The process of finding and patching vulnerabilities
Vulnerability scanner: Software that automatically compares existing common
vulnerabilities and exposures against the technologies on the network
W
Watering hole attack: A type of attack when a threat actor compromises a website
frequently visited by a specific group of users
Web-based exploits: Malicious code or behavior that’s used to take advantage of
coding flaws in a web application
Whaling: A category of spear phishing attempts that are aimed at high-ranking
executives in an organization
Wide Area Network (WAN): A network that spans a large geographic area like a city,
state, or country
Wi-Fi Protected Access (WPA): A wireless security protocol for devices to connect to
the internet
Wildcard: A special character that can be substituted with any other character
Wireshark: An open-source network protocol analyzer
World-writable file: A file that can be altered by anyone in the world
Worm: Malware that can duplicate and spread itself across systems on its own
Y
YARA-L: A computer language used to create rules for searching through ingested log
data
Z

Zero-day: An exploit that was previously unknown

Quick Notes Page 55