More About Security Audits


Previously, you were introduced to how to plan and complete an internal security audit. In this
reading, you will learn more about security audits, including the goals and objectives of audits.

Security audits
A security audit is a review of an organization's security controls, policies, and procedures
against a set of expectations. Audits are independent reviews that evaluate whether an
organization is meeting internal and external criteria. Internal criteria include outlined policies,
procedures, and best practices. External criteria include regulatory compliance, laws, and federal
regulations.

Additionally, a security audit can be used to assess an organization's established security
controls. As a reminder, security controls are safeguards designed to reduce specific security
risks.

Audits help ensure that routine security checks are actually performed (e.g., daily monitoring of
security information and event management dashboards) so that threats, risks, and vulnerabilities
are identified. This helps maintain an organization's security posture. When an audit finds
security issues, a remediation process must be in place to correct them.

Goals and objectives of an audit

The goal of an audit is to ensure an organization's information technology (IT) practices are
meeting industry and organizational standards. The objective is to identify and address areas of
remediation and growth. Audits provide direction and clarity by identifying what the current
failures are and developing a plan to correct them.

Security audits must be performed to safeguard data and avoid penalties and fines from
governmental agencies. The frequency of audits is dependent on local laws and federal
compliance regulations.

Factors that affect audits

Factors that determine the types of audits an organization implements include:

• Industry type
• Organization size
• Ties to the applicable government regulations
• A business's geographical location
• A business decision to adhere to a specific regulatory compliance standard

To review common compliance regulations that different organizations need to adhere to, refer to
the reading about controls, frameworks, and compliance.

The role of frameworks and controls in audits

Along with compliance, it's important to mention the role of frameworks and controls in security
audits. Frameworks such as the National Institute of Standards and Technology Cybersecurity
Framework (NIST CSF) and the ISO/IEC 27000 series of international information security standards
are designed to help organizations prepare for regulatory compliance security audits. By
adhering to these and other relevant frameworks, organizations can save time when conducting
external and internal audits. Additionally, frameworks, when used alongside controls, can support
organizations' ability to align with regulatory compliance requirements and standards.

There are three main categories of controls to review during an audit: administrative (or
managerial), technical, and physical controls.

Audit checklist
It’s necessary to create an audit checklist before conducting an audit. A checklist is generally
made up of the following areas of focus:

Identify the scope of the audit

The audit should:

• List the assets that will be assessed (e.g., whether firewalls are configured correctly, PII is
secured, physical assets are locked)
• Note how the audit will help the organization achieve its desired goals
• Indicate how often an audit should be performed
• Include an evaluation of organizational policies, protocols, and procedures to make sure they are
working as intended and being implemented by employees

Complete a risk assessment

A risk assessment is used to evaluate identified organizational risks related to budget, controls,
internal processes, and external standards (e.g., regulations).

Conduct the audit

When conducting an internal audit, you will assess the security of the identified assets listed in
the audit scope.

Create a mitigation plan

A mitigation plan is a strategy established to lower the level of risk and the potential costs,
penalties, or other issues that can negatively affect the organization's security posture.

Communicate results to stakeholders

The end result of this process is a detailed report of findings, the improvements suggested to
lower the organization's level of risk, and the compliance regulations and standards the
organization needs to adhere to.

Key takeaways
In this reading you learned more about security audits, including what they are; why they’re
conducted; and the role of frameworks, controls, and compliance in audits.

Although there is much more to learn about security audits, this introduction is meant to support
your ability to complete an audit of your own for a self-reflection portfolio activity later in this
course.

Previously, you learned that playbooks are tools used by cybersecurity professionals to
identify and respond to security issues. In this reading, you'll learn more about playbooks and
their purpose in the field of cybersecurity.

Playbook overview
A playbook is a manual that provides details about any operational action. Essentially, a
playbook provides a predefined and up-to-date list of steps to perform when responding to an
incident.

Playbooks are accompanied by a strategy. The strategy outlines expectations of team
members who are assigned a task, and some playbooks also list the individuals responsible.
The outlined expectations are accompanied by a plan. The plan dictates how the specific task
outlined in the playbook must be completed.

Playbooks should be treated as living documents, which means that they are frequently
updated by security team members to address industry changes and new threats. Playbooks
are generally managed as a collaborative effort, since security team members have different
levels of expertise.

Updates are often made if:

• A failure is identified, such as an oversight in the outlined policies and procedures, or in the
playbook itself.
• There is a change in industry standards, such as changes in laws or regulatory compliance.
• The cybersecurity landscape changes due to evolving threat actor tactics and techniques.

Types of playbooks
Playbooks sometimes cover specific incidents and vulnerabilities. These might include
ransomware, vishing, business email compromise (BEC), and other attacks previously
discussed. Incident and vulnerability response playbooks are very common, but they are not
the only types of playbooks organizations develop.

Each organization has a different set of playbook tools, methodologies, protocols, and
procedures that they adhere to, and different individuals are involved at each step of the
response process, depending on the country they are in. For example, incident notification
requirements from government-imposed laws and regulations, along with compliance
standards, affect the content in the playbooks. These requirements are subject to change
based on where the incident originated and the type of data affected.

Incident and vulnerability response playbooks

Incident and vulnerability response playbooks are commonly used by entry-level
cybersecurity professionals. They are developed based on the goals outlined in an
organization’s business continuity plan. A business continuity plan is an established path
forward allowing a business to recover and continue to operate as normal, despite a
disruption like a security breach.

These two types of playbooks are similar in that they both contain predefined and up-to-date
lists of steps to perform when responding to an incident. Following these steps is necessary to
ensure that you, as a security professional, are adhering to legal and organizational standards
and protocols. These playbooks also help minimize errors and ensure that important actions
are performed within a specific timeframe.

When an incident, threat, or vulnerability occurs or is identified, the level of risk to the
organization depends on the potential damage to its assets. A basic way to express the level of
risk is that risk equals the likelihood of a threat multiplied by its impact: an event that is both
likely and damaging ranks highest. For this reason, a sense of urgency is essential. Following the
steps outlined in playbooks is also important if any forensic task is being carried out.
Mishandling data can easily compromise forensic evidence, rendering it unusable.

Common steps included in incident and vulnerability playbooks include:

• Preparation
• Detection
• Analysis
• Containment
• Eradication
• Recovery from an incident

Additional steps include performing post-incident activities and coordinating efforts
throughout the investigation and the incident and vulnerability response stages.

Zero-day attacks
Zero-day attacks are an important security consideration for organizations using cloud or
traditional on-premises network solutions. A zero-day attack exploits a vulnerability that was
previously unknown to the vendor and defenders, so no patch exists when the attack begins. CSPs are
more likely to learn about a zero-day attack occurring before a traditional IT organization does,
and they have ways of patching hypervisors and migrating workloads to other hosts, which limits the
impact on customers. Customers remain responsible for patching their own guest operating systems
and applications, and several tools are available for patching at the operating system level.

The rise of SSO and MFA

Most companies help keep their data safely locked up behind authentication systems. Usernames
and passwords are the keys that unlock information for most organizations. But are those
credentials enough? Information security often focuses on managing a user's access of, and
authorization to, information.

Previously, you learned about the three factors of authentication: knowledge, ownership, and
characteristic. Single sign-on (SSO) and multi-factor authentication (MFA) are two technologies that
have become popular for implementing these authentication factors. In this reading, you’ll learn
how these technologies work and why companies are adopting them.

A better approach to authentication

Single sign-on (SSO) is a technology that combines several different logins into one. More companies
are turning to SSO as a solution to their authentication needs for three reasons:

• SSO improves the user experience by reducing the number of usernames and passwords people
have to remember.
• Companies can lower costs by streamlining how they manage connected services.
• SSO improves overall security by reducing the number of access points attackers can target. The
trade-off is that the identity provider becomes a single high-value target, so it must be hardened
and protected with MFA.

This technology became available in the mid-1990s as a way to combat password fatigue, which
refers to people's tendency to reuse passwords across services. Remembering many different
passwords can be a challenge, but using the same password repeatedly is a major security risk. SSO
solves this dilemma by shifting the burden of authentication away from the user.

How SSO works

SSO works by automating how trust is established between a user and a service provider. Rather
than placing the responsibility on an employee or customer, SSO solutions use a trusted third party,
the identity provider, to prove that a user is who they claim to be. This is done through the
exchange of digitally signed (and optionally encrypted) assertions or access tokens between the
identity provider and the service provider; the service provider must verify the signature, the
intended audience, and the expiry of each token before trusting it.

Similar to other kinds of digital information, these tokens are exchanged using specific
protocols. SSO implementations commonly rely on two different protocols: LDAP and SAML. LDAP,
which stands for Lightweight Directory Access Protocol, is mostly used on-premises to look up and
authenticate users against a directory; SAML, which stands for Security Assertion Markup Language,
is mostly used to federate authentication off-premises, like in the cloud. (OpenID Connect is the
other widely used federation protocol.)

Note: LDAP and SAML are often used together, with the identity provider authenticating users
against an LDAP directory and then issuing SAML assertions to cloud applications.
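The token exchange described above, worked through as an added example that is not part of the original reading. A hypothetical identity provider (idp.example) signs short-lived claims for each service, and each service provider re-checks signature, audience and expiry before trusting the identity inside; the shared HMAC secret, user and service names are assumptions for the demo, where real SAML or OIDC deployments sign with the IdP's private key and verify with its public key.

```python
"""Added example (not from the original reading): a toy SSO exchange.
The identity provider (IdP) authenticates a user once and mints a signed,
short-lived token per service; every service provider (SP) verifies the
signature, audience and expiry before trusting the user identity inside.
The key, names and token layout below are hypothetical."""
import base64
import hashlib
import hmac
import json

# Assumed shared HMAC secret between the IdP and its SPs. Real SAML/OIDC
# deployments sign with the IdP's private key and SPs verify with its public key.
IDP_SECRET = b"constructed-demo-secret"
ISSUER = "idp.example"  # hypothetical IdP name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(user: str, audience: str, now: int, ttl: int = 300) -> str:
    """IdP side: bind the assertion to one audience and a short lifetime,
    then sign the body so the SP can detect any modification."""
    claims = {"iss": ISSUER, "sub": user, "aud": audience, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def sp_verify_token(token: str, expected_audience: str, now: int) -> dict:
    """SP side: the checks every relying party must perform before trusting
    the claims. Raises ValueError with a reason instead of returning partial data."""
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information.
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    if claims.get("aud") != expected_audience:
        raise ValueError("token issued for a different service")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def sso_login(user: str, services, now: int) -> dict:
    """One IdP authentication fans out to every service the user opens;
    each service accepts only the token minted for it."""
    identities = {}
    for service in services:
        token = idp_issue_token(user, service, now)
        identities[service] = sp_verify_token(token, service, now)["sub"]
    return identities


def forge_subject(token: str, new_user: str) -> str:
    """Attacker attempt: rewrite the subject but keep the original signature.
    Used to show that verification fails on a tampered body."""
    body, sig = token.split(".")
    claims = json.loads(_unb64(body))
    claims["sub"] = new_user
    return _b64(json.dumps(claims, sort_keys=True).encode()) + "." + sig


if __name__ == "__main__":
    print(sso_login("tshah", ["mail", "wiki", "tickets"], 1_700_000_000))
```

The three SP-side checks are what make SSO safer rather than merely more convenient: skipping the audience check lets a token minted for the mail service be replayed against the wiki, and skipping expiry turns a leaked token into a permanent credential.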

[Figure omitted from this extract: an example of how SSO connects a user to multiple applications with one access token.]

NIST CSF (Cybersecurity Framework) core functions:

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

NIST incident response lifecycle:

1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Post-incident activity

The five W's of an incident:

1. Who triggered the incident
2. What happened
3. When the incident took place
4. Where the incident took place
5. Why the incident occurred

CSIRT (Computer Security Incident Response Team)

Tier 1 SOC analyst
The first tier is composed of the least experienced SOC analysts who are known as level 1s
(L1s). They are responsible for:

• Monitoring, reviewing, and prioritizing alerts based on criticality or severity
• Creating and closing alerts using ticketing systems
• Escalating alert tickets to Tier 2 or Tier 3

Tier 2 SOC analyst
The second tier comprises the more experienced SOC analysts, or level 2s (L2s). They are
responsible for:

• Receiving escalated tickets from L1 and conducting deeper investigations
• Configuring and refining security tools
• Reporting to the SOC lead

Tier 3 SOC lead
The third tier of a SOC is composed of the SOC leads, or level 3s (L3s). These highly
experienced professionals are responsible for:

• Managing the operations of their team
• Exploring methods of detection by performing advanced detection techniques, such as
malware and forensics analysis
• Reporting to the SOC manager

SOC manager
The SOC manager is at the top of the pyramid and is responsible for:

• Hiring, training, and evaluating the SOC team members
• Creating performance metrics and managing the performance of the SOC team
• Developing reports related to incidents, compliance, and auditing
• Communicating findings to stakeholders such as executive management

Other roles
SOCs can also contain other specialized roles such as:

• Forensic investigators: Forensic investigators are commonly L2s and L3s who collect,
preserve, and analyze digital evidence related to security incidents to determine what
happened.
• Threat hunters: Threat hunters are typically L3s who work to detect, analyze, and defend
against new and advanced cybersecurity threats using threat intelligence.

________________________________________________________

Elements of a security plan:

1. Policies
2. Standards
3. Procedures

TOOL TYPES:
1. Detection and management tools
2. Documentation tools
3. Investigative tools

Types of documentation:
1. Playbooks
2. Incident handler's journal
3. Policies
4. Plans
5. Final report

IDS AND IPS TOOLS:

1. Snort
2. Zeek
3. Kismet
4. Sagan
5. Suricata

SIEM PROCESS :
1. Collect and aggregate data
2. Normalize data
3. Analyze data

SOAR (Security Orchestration, Automation, and Response):
A collection of applications, tools, and workflows that use automation to respond to security
events.

DEFENSIVE MEASURES:
1. Prevent attacker access
2. Monitor network activity
3. Protect assets
4. Detect and stop the exfiltration
COMPONENTS OF A PACKET:
1. Header
2. Payload
3. Footer

sudo tcpdump -i any -v -c 1

-i: the interface to capture traffic on ("any" captures on all interfaces).
-v: verbose; displays detailed packet information such as TTL, IP ID, and checksum results.
-c: count; stop after capturing this many packets (here, 1).
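As an added example (not from the original notes), the same header/payload split that the tcpdump command prints, done in Python on a packet the block constructs itself. Addresses, ports and payload are made up, and the length and checksum checks show how a truncated or tampered header is rejected rather than misread.

```python
"""Added example (not part of the original notes): build one IPv4/TCP packet
from constructed values, then split it back into header fields and payload,
the same fields `tcpdump -v` prints. No footer is included: the Ethernet
frame check sequence is normally stripped before software sees the packet."""
import socket
import struct

IPV4_HEADER = "!BBHHHBBH4s4s"  # ver/IHL, TOS, total len, id, flags/frag, TTL, proto, csum, src, dst
TCP_HEADER = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, flags, window, csum, urgent
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; 0 when a header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes,
                 flags: int = 0x18, ttl: int = 64) -> bytes:
    """Construct header + payload (20-byte IPv4 header, 20-byte TCP header)."""
    tcp = struct.pack(TCP_HEADER, sport, dport, 1000, 0, 5 << 4, flags, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack(IPV4_HEADER, 0x45, 0, total_len, 0x1234, 0x4000, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum field
    return ip + tcp + payload


def parse_packet(raw: bytes) -> dict:
    """Decode the IPv4 and TCP headers and return the payload separately.
    Every length is checked before use so a truncated or crafted packet
    raises ValueError instead of yielding garbage fields."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_HEADER, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < ihl or total_len > len(raw):
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(raw[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != 6:
        raise ValueError("only TCP is decoded here (protocol %d)" % proto)
    if len(raw) < ihl + 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_res, flag_bits, window, _tcsum,
     _urg) = struct.unpack(TCP_HEADER, raw[ihl:ihl + 20])
    data_off = (off_res >> 4) * 4
    if data_off < 20 or len(raw) < ihl + data_off:
        raise ValueError("bad TCP data offset")
    flags = [n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)]
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "proto": "tcp", "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": flags, "window": window, "payload": raw[ihl + data_off:total_len],
    }


if __name__ == "__main__":
    pkt = build_packet("10.0.0.5", "203.0.113.9", 51515, 80, b"GET / HTTP/1.1\r\n")
    print(parse_packet(pkt))
```

The payload slice ends at the header's total length rather than at the end of the buffer, because captured frames can carry padding after the IP datagram; treating that padding as payload is a classic parser bug.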

Detection:
The prompt discovery of security events.

CHALLENGES IN THE DETECTION AND ANALYSIS PHASE:

1. Impossible to detect everything
2. High volume of alerts

There are other investigative tools that can be used to analyze IoCs. Note that these tools can
also share the data that's uploaded to them with the security community, so do not upload files
that contain sensitive or proprietary data.

• VirusTotal
• Jotti Malware Scan
• urlscan.io
• CAPE Sandbox
• MalwareBazaar

Step 1: The exemplar provides a clear and brief summary of the file hash by using the
information found under the Detection tab. The Community Score and the security
vendors' analysis listed in the VirusTotal report provide insight into the file. Over fifty
security vendors have flagged this file as malicious. Additionally, multiple vendors have
categorized the file as Flagpro malware, a well-known malware family used by advanced threat
actors.

Step 2: The exemplar also identifies different types of IoCs using the VirusTotal report.
While the exemplar provides an example for each field in the pyramid, your activity only has
to include three IoC examples. Using the information found in the Details, Relations, and
Behavior tabs, you'll be able to find additional IoCs that are related to the file, such as
domain names, IP addresses, hash values, network or host artifacts, tools, and tactics,
techniques, and procedures (TTPs).

• Domain names: org.misecure.com is reported as a malicious contacted domain under the
Relations tab in the VirusTotal report.
• IP address: 207.148.109.242 is listed as one of many IP addresses under the Relations tab in
the VirusTotal report. This IP address is also associated with the org.misecure.com domain as
listed in the DNS Resolutions section under the Behavior tab from the Zenbox sandbox
report.
• Hash value: 287d612e29b71c90aa54947313810a25 is an MD5 hash listed under the Details
tab in the VirusTotal report.
• Network/host artifacts: Network-related artifacts that have been observed in this malware
are HTTP requests made to the org.misecure.com domain. This is listed in the Network
Communications section under the Behavior tab from the Venus Eye Sandbox and Rising
MOVES sandbox reports.
• Tools: Input capture is listed in the Collection section under the Behavior tab from the
Zenbox sandbox report. Malicious actors use input capture to steal user input such as
passwords, credit card numbers, and other sensitive information.
• TTPs: Command and control is listed as a tactic under the Behavior tab from the Zenbox
sandbox report. Malicious actors use command and control to establish communication
channels between an infected system and their own system.

BENEFITS OF DOCUMENTATION:
Transparency
Standardization
Clarity

CHAIN OF CUSTODY:
The process of documenting evidence possession and control during an incident lifecycle.

Broken chain of custody:
Inconsistencies in the collection and logging of evidence in the chain of custody.

Chain of custody establishes:
1. Integrity
2. Reliability
3. Accuracy

TYPES OF PLAYBOOK:
1. Non-automated
2. Automated
3. Semi-automated

TRIAGE:
The prioritizing of incidents according to their level of importance or urgency.

TRIAGE PROCESS:
1. Receive and assess
2. Assign priority
3. Collect and analyze

CONTAINMENT:
The act of preventing and limiting additional damage caused by an incident.

LOG:
A record of events that occur within an organization's systems.

LOG TYPES:
• Network
• System
• Application
• Security
• Authentication

LOGS contain:
• Timestamps
• System characteristics
• Actions

COMMONLY USED LOG SOURCES AND FORMATS:
• Syslog: the name of a protocol, a service, and a log format
• JSON (JavaScript Object Notation)
• Extensible Markup Language (XML)
• Comma-separated values (CSV)

TELEMETRY:
The collection and transmission of data for analysis.

ENDPOINT:
Any device connected to a network.

SIGNATURE ANALYSIS:
A detection method that compares observed activity against known patterns (signatures) of
malicious activity.

COMPONENTS OF A NIDS RULE:
1. Action
2. Header
3. Rule options

HEADER:
1. Source and destination IP addresses
2. Source and destination ports
3. Protocol
4. Traffic direction

SURICATA FORMAT TYPE:
EVE JSON (Extensible Event Format, JavaScript Object Notation)

SURICATA LOG TYPES:
Alert logs
Network telemetry logs
Suricata features
There are three main ways Suricata can be used:

• Intrusion detection system (IDS): As a network-based IDS, Suricata can monitor
network traffic and alert on suspicious activities and intrusions. Suricata can
also be set up as a host-based IDS to monitor the system and network activities
of a single host like a computer.
• Intrusion prevention system (IPS): Suricata can also function as an intrusion
prevention system (IPS) to detect and block malicious activity and traffic.
Running Suricata in IPS mode requires additional configuration, such as running it
inline (for example, via NFQUEUE or AF_PACKET IPS mode on Linux) so that it can
drop packets rather than only alert on them.
• Network security monitoring (NSM): In this mode, Suricata helps keep networks
safe by producing and saving relevant network logs. Suricata can analyze live
network traffic, existing packet capture files, and create and save full or
conditional packet captures. This can be useful for forensics, incident response,
and for testing signatures. For example, you can trigger an alert and capture
the live network traffic to generate traffic logs, which you can then analyze to
refine detection signatures.

Signature components:

• Action: The first component of a signature. It describes the action to take if network or
system activity matches the signature. Examples include: alert, pass, drop, or reject.
• Header: The header includes network traffic information like source and destination IP
addresses, source and destination ports, protocol, and traffic direction.
• Rule options: The rule options provide you with different options to customize signatures,
such as the alert message (msg), the content to look for, and the signature ID (sid).

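Added example, not Suricata's own code: a small parser for the action, header and rule-option components listed above, with a matcher that applies the header (addresses, ports, direction) and a content: option to constructed flow records. The variable values, the two local rules and the flows are assumptions for the demo; real Suricata matching (app-layer keywords, PCRE, thresholds, EVE output) is far richer.

```python
"""Added example (not Suricata's own code): parse the three parts of a
Suricata/Snort signature (action, header, rule options) and evaluate the
header and a content: option against constructed flow records."""
import ipaddress
import re

# Assumed variable definitions; in Suricata they come from suricata.yaml.
VARS = {"HOME_NET": ["10.0.0.0/8", "192.168.0.0/16"],
        "EXTERNAL_NET": ["!$HOME_NET"],
        "HTTP_PORTS": ["80", "8080"]}
HEADER_RE = re.compile(
    r"^(?P<action>alert|pass|drop|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# Options are 'key:value;' or bare 'key;'; quoted values may contain ';'.
OPTION_RE = re.compile(r'([\w.]+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(line: str) -> dict:
    """Split one signature into action, header fields and an options dict."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a valid signature: %r" % line)
    rule = m.groupdict()
    rule["options"] = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(rule.pop("opts"))}
    return rule


def addr_match(spec: str, ip: str) -> bool:
    """Resolve '!', '$VAR' and '[a,b]' forms recursively down to CIDR tests."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = any(addr_match(s, ip) for s in VARS[spec[1:]])
    elif spec.startswith("["):
        hit = any(addr_match(s, ip) for s in spec.strip("[]").split(","))
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_match(spec: str, port: int) -> bool:
    """Same grammar for ports, plus 'lo:hi' ranges with an open end."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif spec.startswith("$"):
        hit = any(port_match(s, port) for s in VARS[spec[1:]])
    elif spec.startswith("["):
        hit = any(port_match(s, port) for s in spec.strip("[]").split(","))
    elif ":" in spec:
        lo, hi = spec.split(":")
        hit = int(lo or 0) <= port <= int(hi or 65535)
    else:
        hit = port == int(spec)
    return hit != negate


def rule_matches(rule: dict, flow: dict) -> bool:
    """Protocol, header (either way for '<>') and content: checks, in that order."""
    if rule["proto"] not in ("ip", flow["proto"], flow.get("app")):
        return False

    def one_way(s_ip, s_port, d_ip, d_port):
        return (addr_match(rule["src"], s_ip) and port_match(rule["sport"], s_port)
                and addr_match(rule["dst"], d_ip) and port_match(rule["dport"], d_port))

    ok = one_way(flow["src"], flow["sport"], flow["dst"], flow["dport"])
    if rule["dir"] == "<>" and not ok:
        ok = one_way(flow["dst"], flow["dport"], flow["src"], flow["sport"])
    content = rule["options"].get("content")
    if ok and content is not None:
        payload, needle = flow.get("payload", b""), content.encode()
        if "nocase" in rule["options"]:
            payload, needle = payload.lower(), needle.lower()
        ok = needle in payload
    return ok


def run_rules(rule_lines, flows) -> list:
    """Return (sid, action, msg, flow index) for every signature that fires."""
    rules = [parse_rule(l) for l in rule_lines if l.strip() and not l.startswith("#")]
    return [(r["options"].get("sid"), r["action"], r["options"].get("msg"), i)
            for i, flow in enumerate(flows) for r in rules if rule_matches(r, flow)]


# Constructed local rules (sid 1000000+ is the range reserved for local rules).
RULES = [
    'alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL demo beacon to gate.php"; '
    'content:"/gate.php"; nocase; sid:1000001; rev:1;)',
    'drop tcp any any -> $HOME_NET 22 (msg:"LOCAL inbound SSH from outside"; sid:1000002; rev:1;)',
]
# Constructed flows using documentation address ranges (payloads are bytes).
FLOWS = [
    {"proto": "tcp", "app": "http", "src": "10.0.0.5", "sport": 51515, "dst": "203.0.113.9",
     "dport": 80, "payload": b"GET /GATE.php HTTP/1.1\r\n"},
    {"proto": "tcp", "app": "http", "src": "10.0.0.5", "sport": 51516, "dst": "203.0.113.9",
     "dport": 80, "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "10.0.0.5", "dport": 22},
]
```

run_rules(RULES, FLOWS) fires the alert for the first flow only (second flow has no matching content) and the drop for the inbound SSH flow; the $EXTERNAL_NET negation is what keeps an internal host replying on port 80 from tripping the beacon rule.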
SIEM process overview

Previously, you covered the SIEM process. As a refresher, the process consists of three steps:

1. Collect and aggregate data: SIEM tools collect event data from various data sources.

2. Normalize data: Event data that's been collected becomes normalized. Normalization
converts data into a standard format so that data is structured in a consistent way and
becomes easier to read and search. While data normalization is a common feature in many
SIEM tools, it's important to note that SIEM tools vary in their data normalization
capabilities.

3. Analyze data: After the data is collected and normalized, SIEM tools analyze and correlate
the data to identify common patterns that indicate unusual activity.
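The three SIEM steps above, applied to the log formats listed earlier (syslog, JSON, CSV), as an added example that is not from the original reading: constructed lines from three sources are collected, normalized into one schema, then correlated so that a source IP failing once on each system shows up as one pattern. The hostnames, users, IPs, the event-name mapping and the syslog year are assumptions for the demo.

```python
"""Added example (not from the original reading): the three SIEM steps
applied to constructed log lines in three formats (syslog, JSON, CSV).
Hosts, users, IPs and the event-name mapping are made up for the demo."""
import csv
import io
import json
import re
from datetime import datetime

# Step 1 (collect): constructed events from three sources in three formats.
RAW_EVENTS = [
    "Mar 11 10:02:17 web01 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51233 ssh2",
    '{"time": "2024-03-11T10:02:19Z", "host": "vpn01", "event": "auth_failure", "user": "admin", "src": "198.51.100.7"}',
    "2024-03-11T10:02:21Z,fw01,LOGIN_FAIL,admin,198.51.100.7",
    "Mar 11 10:02:25 web01 sshd[2204]: Accepted password for tshah from 10.0.0.8 port 50012 ssh2",
    "this line is in no format the parser knows",
]
# Assumed mapping from each source's own event names to one shared vocabulary.
EVENT_NAMES = {"Failed password": "auth_failure", "Accepted password": "auth_success",
               "auth_failure": "auth_failure", "LOGIN_FAIL": "auth_failure", "LOGIN_OK": "auth_success"}
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>\S+?)(\[\d+\])?: (?P<msg>.*)$")
SSHD_RE = re.compile(r"^(?P<event>Failed password|Accepted password) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SYSLOG_YEAR = 2024  # assumption: BSD-style syslog timestamps carry no year


def normalize(line: str) -> dict:
    """Step 2: map one raw line, whatever its format, onto the common schema.
    Unknown formats are kept (action 'unparsed') rather than silently dropped."""
    rec = {"timestamp": None, "host": None, "action": "unparsed", "user": None, "src_ip": None, "raw": line}
    m = SYSLOG_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
        rec.update(timestamp=ts.strftime("%Y-%m-%dT%H:%M:%SZ"), host=m["host"])
        e = SSHD_RE.match(m["msg"])
        if e:
            rec.update(action=EVENT_NAMES[e["event"]], user=e["user"], src_ip=e["src"])
        return rec
    if line.startswith("{"):
        try:
            j = json.loads(line)
        except json.JSONDecodeError:
            return rec
        rec.update(timestamp=j.get("time"), host=j.get("host"), user=j.get("user"), src_ip=j.get("src"),
                   action=EVENT_NAMES.get(j.get("event"), "unparsed"))
        return rec
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) == 5 and fields[2] in EVENT_NAMES:
        ts, host, event, user, src = fields
        rec.update(timestamp=ts, host=host, action=EVENT_NAMES[event], user=user, src_ip=src)
    return rec


def failed_logins_by_source(records, threshold: int = 3) -> dict:
    """Step 3: correlate across sources. Each host's own log shows a single
    failure; the normalized view shows the same IP failing on three systems."""
    counts = {}
    for r in records:
        if r["action"] == "auth_failure" and r["src_ip"]:
            counts[r["src_ip"]] = counts.get(r["src_ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def siem_pipeline(lines, threshold: int = 3) -> dict:
    """Collect, normalize, analyze; returns source IPs at or above the threshold."""
    records = [normalize(l) for l in lines]
    return failed_logins_by_source(records, threshold)


if __name__ == "__main__":
    print(siem_pipeline(RAW_EVENTS))
```

Keeping unparsed lines in the result set is deliberate: a normalization gap should show up as a count of unparsed events you can measure, not as a blind spot.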

SPL (Search Processing Language):
Splunk's query language.

YARA-L:
A computer language used to create rules for searching through ingested log data (used in
Google Chronicle).

TYPES OF SEARCH:
UDM (Unified Data Model) search
Raw log search

Strings and the security analyst

The ability to work with strings is important in the cybersecurity profession. Previously, you were
introduced to several ways to work with strings, including functions and methods. You also
learned how to extract elements in strings using bracket notation and indices. This reading
reviews these concepts and explains more about using the .index() method. It also highlights
examples of string data you might encounter in a security setting.

String data in a security setting

As an analyst, string data is one of the most common data types you will encounter in Python.
String data is data consisting of an ordered sequence of characters. It's used to store any type of
information you don't need to manipulate mathematically (such as through division or
subtraction). In a cybersecurity context, this includes IP addresses, usernames, URLs, and
employee IDs.

You'll need to work with these strings in a variety of ways. For example, you might extract certain
parts of an IP address, or you might verify whether usernames meet required criteria.

Working with indices in strings

Indices
An index is a number assigned to every element in a sequence that indicates its position. With
strings, this means each character in the string has its own index.

Indices start at 0. For example, you might be working with this string containing a device ID:
"h32rb17". The following table indicates the index for each character in this string:

character   index
h           0
3           1
2           2
r           3
b           4
1           5
7           6

You can also use negative numbers as indices. This is based on their position relative to the last
character in the string:

character   index
h           -7
3           -6
2           -5
r           -4
b           -3
1           -2
7           -1

Bracket notation
Bracket notation refers to the indices placed in square brackets. You can use bracket notation to
extract a part of a string. For example, the first character of the device ID might represent a
certain characteristic of the device. If you want to extract it, you can use bracket notation for this:

"h32rb17"[0]

This device ID might also be stored within a variable called device_id. You can apply the same
bracket notation to the variable:

device_id = "h32rb17"

device_id[0]

In both cases, bracket notation outputs the character h when this bracket notation is placed
inside a print() function. You can observe this by running the following code:

device_id = "h32rb17"
print("h32rb17"[0])
print(device_id[0])

You can also take a slice from a string. When you take a slice from a string, you extract more
than one character from it. It's often done in cybersecurity contexts when you’re only interested in
a specific part of a string. For example, this might be certain numbers in an IP address or certain
parts of a URL.
In the device ID example, you might need the first three characters to determine a particular
quality of the device. To do this, you can take a slice of the string using bracket notation. You can
run this line of code to observe that it outputs "h32":

print("h32rb17"[0:3])

Note: The slice starts at index 0, but the second index specified after the colon is excluded.
This means the slice ends one position before index 3, which is at index 2.

String functions and methods

The str() and len() functions are useful for working with strings. You can also apply methods to
strings, including the .upper(), .lower(), and .index() methods. A method is a function that belongs
to a specific data type.

str() and len()

The str() function converts its input object into a string. As an analyst, you might use this in
security logs when working with numerical IDs that aren't going to be used with mathematical
processes. Converting an integer to a string gives you the ability to search through it and extract
slices from it.

Consider the example of an employee ID 19329302 that you need to convert into a string. You can
use the following line of code to convert it into a string and store it in a variable:

string_id = str(19329302)

The second function you learned for strings is the len() function, which returns the number of
elements in an object.

As an example, if you want to verify that a certain device ID conforms to a standard of containing
seven characters, you can use the len() function and a conditional. When you run the following
code, it will print a message if "h32rb17" has seven characters:

device_id_length = len("h32rb17")
if device_id_length == 7:
    print("The device ID has 7 characters.")


.upper() and .lower()

The .upper() method returns a copy of the string with all of its characters in uppercase. For
example, you can change this department name to all uppercase by running the code
"Information Technology".upper(). It would return the string "INFORMATION TECHNOLOGY".

Meanwhile, the .lower() method returns a copy of the string in all lowercase characters.
"Information Technology".lower() would return the string "information technology".

.index()
The .index() method finds the first occurrence of the input in a string and returns its location. For
example, this code uses the .index() method to find the first occurrence of the character "r" in the
device ID "h32rb17":

print("h32rb17".index("r"))

The .index() method returns 3 because the first occurrence of the character "r" is at index 3.

In other cases, the input may not be found. When this happens, Python raises a ValueError. For
instance, the code print("h32rb17".index("a")) raises an error because "a" is not in the string
"h32rb17". If the input might be absent, check for it first with the in operator, or use the
.find() method, which returns -1 instead of raising an error.

Also note that if a string contains more than one instance of a character, only the first one will be
returned. For instance, the device ID "r45rt46" contains two instances of "r". You can run the
following code to explore its output:

print("r45rt46".index("r"))

The output is 0 because .index() returns only the first instance of "r", which is at index 0. The
instance of "r" at index 3 is not returned.

Finding substrings with .index()

A substring is a continuous sequence of characters within a string. For example, "llo" is a
substring of "hello".

The .index() method can also be used to find the index of the first occurrence of a substring. It
returns the index of the first character in that substring. Consider this example that finds the first
instance of the user "tshah" in a string:

tshah_index = "tsnow, tshah, bmoreno - updated".index("tshah")
print(tshah_index)

The .index() method returns the index 7, which is where the substring "tshah" starts.

Note: When using the .index() method to search for substrings, you need to be careful. In the
previous example, you want to locate the instance of "tshah". If you search for just "ts", Python
will return 0 instead of 7 because "ts" is also a substring of "tsnow".

Key takeaways
As a security analyst, you will work with strings in a variety of ways. First, you might need to use
bracket notation to work with string indices. Two functions you will likely use are str(), which
converts an input into a string, and len(), which finds the length of a string. You can also use
string methods, functions that only work on strings. These include .upper(), which converts all
letters in a string into uppercase letters, .lower(), which converts all letters in a string into
lowercase letters, and .index(), which returns the index of the first occurrence of its input within a
string.
WITH:
A statement that manages an external resource, such as an open file, and releases it
automatically, even if an error occurs.

open():
Opens a file in Python.

PARSING:
The process of converting data into a more readable format.

.split():
Splits a string into a list of substrings, by default at whitespace.
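The .index() pitfalls discussed above and the with, open() and .split() tools listed just before this, as one added example that is not from the original reading: a constructed login log is written to a temporary file, read back with a with block, and parsed field by field using split() tokens and guarded .index() calls instead of bare substring searches. The file layout, usernames and IPs are made up for the demo.

```python
"""Added example (not from the original reading): the string tools above
(slicing, .index(), .split()) and with/open() applied to a constructed
login log. The log lines, path and field layout are made up for this demo."""
import os
import tempfile

# Constructed sample log; each line is "<date> <time> <event> user=<name> src=<ip>".
SAMPLE_LOG = """\
2024-03-11 10:02:17 LOGIN_OK user=tsnow src=10.0.0.8
2024-03-11 10:02:19 LOGIN_FAIL user=tshah src=198.51.100.7
2024-03-11 10:02:21 LOGIN_FAIL user=tshah src=198.51.100.7
2024-03-11 10:02:22 LOGIN_OK user=bmoreno src=10.0.0.9
malformed line with no fields
"""


def write_sample_log() -> str:
    """Write the constructed log to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as f:  # 'with' closes the file even if writing fails
        f.write(SAMPLE_LOG)
    return path


def field(line: str, name: str):
    """Return the value of 'name=<value>' in a whitespace-separated line, or
    None. Matching whole split() tokens avoids the substring pitfall where
    searching for "ts" would also hit inside "tsnow"."""
    prefix = name + "="
    for token in line.split():
        if token.startswith(prefix):
            return token[len(prefix):]  # slice off the 'name=' part
    return None


def parse_line(line: str):
    """Turn one log line into a dict, or None when it is malformed."""
    parts = line.split()
    if len(parts) < 5 or not parts[2].startswith("LOGIN_"):
        return None
    event = parts[2]
    # .index() raises ValueError when the input is absent, so check with 'in' first.
    status = event[event.index("_") + 1:] if "_" in event else event
    return {"date": parts[0], "time": parts[1], "status": status,
            "user": field(line, "user"), "src": field(line, "src")}


def read_log(path: str) -> list:
    """Open the file with 'with' and parse every well-formed line."""
    records = []
    with open(path) as f:
        for line in f:
            rec = parse_line(line)
            if rec is not None:
                records.append(rec)
    return records


def failed_logins_by_user(path: str) -> dict:
    """Count LOGIN_FAIL records per user."""
    counts = {}
    for rec in read_log(path):
        if rec["status"] == "FAIL":
            counts[rec["user"]] = counts.get(rec["user"], 0) + 1
    return counts


def first_octet(ip: str) -> str:
    """Slice an IP address up to its first dot; .index() is wrapped so a
    value without a dot is returned whole instead of crashing the parser."""
    try:
        return ip[:ip.index(".")]
    except ValueError:
        return ip


if __name__ == "__main__":
    log_path = write_sample_log()
    print(failed_logins_by_user(log_path))
```

Parsing on split() tokens rather than raw .index() positions is the habit worth taking from this: log fields shift when a username is longer or a field is missing, and a hard-coded slice silently returns the wrong value instead of failing.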
