Google Cybersecurity Coursera Study Materials Notes

Determine the type of attack
Previously, you learned about the eight Certified Information Systems Security Professional (CISSP)
security domains. The domains can help you better understand how a security analyst's job duties
can be organized into categories. Additionally, the domains can help establish an understanding of
how to manage risk. In this reading, you will learn about additional methods of attack. You’ll also be
able to recognize the types of risk these attacks present.
Attack types
Password attack
A password attack is an attempt to access password-secured devices, systems, networks, or data.
Some forms of password attacks that you’ll learn about later in the certificate program are:
 Brute force
 Rainbow table
Password attacks fall under the communication and network security domain.
Social engineering attack

Social engineering is a manipulation technique that exploits human error to gain private information,
access, or valuables. Some forms of social engineering attacks that you will continue to learn about
throughout the program are:
 Phishing
 Smishing
 Vishing
 Spear phishing
 Whaling
 Social media phishing
 Business Email Compromise (BEC)
 Watering hole attack
 USB (Universal Serial Bus) baiting
 Physical social engineering
Social engineering attacks are related to the security and risk management domain.
Physical attack
A physical attack is a security incident that affects not only digital but also physical environments
where the incident is deployed. Some forms of physical attacks are:
 Malicious USB cable

 Malicious flash drive
 Card cloning and skimming
Physical attacks fall under the asset security domain.
Adversarial artificial intelligence

Adversarial artificial intelligence is a technique that manipulates artificial intelligence and machine
learning technology to conduct attacks more efficiently. Adversarial artificial intelligence falls under
both the communication and network security and the identity and access management domains.
Supply-chain attack
A supply-chain attack targets systems, applications, hardware, and/or software to locate a
vulnerability where malware can be deployed. Because every item sold undergoes a process that
involves third parties, this means that the security breach can occur at any point in the supply chain.
These attacks are costly because they can affect multiple organizations and the individuals who
work for them. Supply-chain attacks can fall under several domains, including but not limited to the
security and risk management, security architecture and engineering, and security operations
domains.
Cryptographic attack
A cryptographic attack affects secure forms of communication between a sender and intended
recipient. Some forms of cryptographic attacks are:
 Birthday
 Collision
 Downgrade
Cryptographic attacks fall under the communication and network security domain.
Key takeaways
The eight CISSP security domains can help an organization and its security team fortify against and
prepare for a data breach. Data breaches range from simple to complex and fall under one or more
domains. Note that the methods of attack discussed are only a few of many. These and other types
of attacks will be discussed throughout the certificate program.
Understand attackers
Previously, you were introduced to the concept of threat actors. As a reminder, a threat actor is any
person or group who presents a security risk. In this reading, you’ll learn about different types of
threat actors. You will also learn about their motivations, intentions, and how they’ve influenced the
security industry.
Threat actor types

Advanced persistent threats
Advanced persistent threats (APTs) have significant expertise accessing an organization's network
without authorization. APTs tend to research their targets (e.g., large corporations or government
entities) in advance and can remain undetected for an extended period of time. Their intentions and
motivations can include:
 Damaging critical infrastructure, such as the power grid and natural resources
 Gaining access to intellectual property, such as trade secrets or patents
Insider threats
Insider threats abuse their authorized access to obtain data that may harm an organization. Their
intentions and motivations can include:
 Sabotage
 Corruption
 Espionage
 Unauthorized data access or leaks
Hacktivists
Hacktivists are threat actors that are driven by a political agenda. They abuse digital technology to
accomplish their goals, which may include:
 Demonstrations
 Propaganda
 Social change campaigns
 Fame
Hacker types
A hacker is any person who uses computers to gain access to computer systems, networks, or data.
They can be beginner or advanced technology professionals who use their skills for a variety of
reasons. There are three main categories of hackers:
 Authorized hackers are also called ethical hackers. They follow a code of ethics and adhere
to the law to conduct organizational risk evaluations. They are motivated to safeguard people
and organizations from malicious threat actors.
 Semi-authorized hackers are considered researchers. They search for vulnerabilities but
don’t take advantage of the vulnerabilities they find.
 Unauthorized hackers are also called unethical hackers. They are malicious threat actors
who do not follow or respect the law. Their goal is to collect and sell confidential data for
financial gain.
Note: There are multiple hacker types that fall into one or more of these three categories.
New and unskilled threat actors have various goals, including:
 To learn and enhance their hacking skills

 To seek revenge
 To exploit security weaknesses by using existing malware, programming scripts, and other
tactics
Other types of hackers are not motivated by any particular agenda other than completing the job
they were contracted to do. These types of hackers can be considered unethical or ethical hackers.
They have been known to work on both illegal and legal tasks for pay.
There are also hackers who consider themselves vigilantes. Their main goal is to protect the world
from unethical hackers.
Key takeaways
Threat actors are defined by their malicious intent and hackers are defined by their technical
skills and motivations. Understanding their motivations and intentions will help you be better
prepared to protect your organization and the people it serves from malicious attacks carried out
by some of these individuals and groups.
Glossary terms from module 2

Terms and definitions from Course 1, Module 2
Adversarial artificial intelligence (AI): A technique that manipulates artificial intelligence (AI)
and machine learning (ML) technology to conduct attacks more efficiently
Business Email Compromise (BEC): A type of phishing attack where a threat actor
impersonates a known source to obtain financial advantage
CISSP: Certified Information Systems Security Professional is a globally recognized and highly
sought-after information security certification, awarded by the International Information Systems
Security Certification Consortium
Computer virus: Malicious code written to interfere with computer operations and cause
damage to data and software
Cryptographic attack: An attack that affects secure forms of communication between a sender
and intended recipient
Hacker: Any person who uses computers to gain access to computer systems, networks, or data
Malware: Software designed to harm devices or networks
Password attack: An attempt to access password secured devices, systems, networks, or data
Phishing: The use of digital communications to trick people into revealing sensitive data or
deploying malicious software
Physical attack: A security incident that affects not only digital but also physical environments
where the incident is deployed
Physical social engineering: An attack in which a threat actor impersonates an employee,

customer, or vendor to obtain unauthorized access to a physical location
Social engineering: A manipulation technique that exploits human error to gain private
information, access, or valuables
Social media phishing: A type of attack where a threat actor collects detailed information about
their target on social media sites before initiating the attack
Spear phishing: A malicious email attack targeting a specific user or group of users, appearing
to originate from a trusted source
Supply-chain attack: An attack that targets systems, applications, hardware, and/or software to
locate a vulnerability where malware can be deployed
USB baiting: An attack in which a threat actor strategically leaves a malware USB stick for an
employee to find and install to unknowingly infect a network
Virus: refer to “computer virus”
Vishing: The exploitation of electronic voice communication to obtain sensitive information or

to impersonate a known source
Watering hole attack: A type of attack when a threat actor compromises a website frequently
visited by a specific group of users
Mark as completed
Like
Dislike
Report an issue
Controls, frameworks, and compliance
Previously, you were introduced to security frameworks and how they provide a structured approach
to implementing a security lifecycle. As a reminder, a security lifecycle is a constantly evolving set of
policies and standards. In this reading, you will learn more about how security frameworks, controls,
and compliance regulations—or laws—are used together to manage security and make sure
everyone does their part to minimize risk.
How controls, frameworks, and compliance are related

The confidentiality, integrity, and availability (CIA) triad is a model that helps inform how
organizations consider risk when setting up systems and security policies.
CIA are the three foundational principles used by cybersecurity professionals to establish
appropriate controls that mitigate threats, risks, and vulnerabilities.
As you may recall, security controls are safeguards designed to reduce specific security risks. So
they are used alongside frameworks to ensure that security goals and processes are implemented
correctly and that organizations meet regulatory compliance requirements.
Security frameworks are guidelines used for building plans to help mitigate risks and threats to data
and privacy. They have four core components:
1. Identifying and documenting security goals

2. Setting guidelines to achieve security goals
3. Implementing strong security processes
4. Monitoring and communicating results
Compliance is the process of adhering to internal standards and external regulations.
Specific controls, frameworks, and compliance

The National Institute of Standards and Technology (NIST) is a U.S.-based agency that develops
multiple voluntary compliance frameworks that organizations worldwide can use to help manage risk.
The more aligned an organization is with compliance, the lower the risk.
Examples of frameworks include the NIST Cybersecurity Framework (CSF) and the NIST Risk
Management Framework (RMF).
Note: Specifications and guidelines can change depending on the type of organization you work for.
In addition to the NIST CSF and NIST RMF, there are several other controls, frameworks, and
compliance standards that are important for security professionals to be familiar with to help keep
organizations and the people they serve safe.
The Federal Energy Regulatory Commission - North American Electric

Reliability Corporation (FERC-NERC)
FERC-NERC is a regulation that applies to organizations that work with electricity or that are
involved with the U.S. and North American power grid. These types of organizations have an
obligation to prepare for, mitigate, and report any potential security incident that can negatively affect
the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP)
Reliability Standards defined by the FERC.
The Federal Risk and Authorization Management Program (FedRAMP®)

FedRAMP is a U.S. federal government program that standardizes security assessment,
authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to
provide consistency across the government sector and third-party cloud providers.
Center for Internet Security (CIS®)

CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to
safeguard systems and networks against attacks. Its purpose is to help organizations establish a
better plan of defense. CIS also provides actionable controls that security professionals may follow if
a security incident occurs.
General Data Protection Regulation (GDPR)

GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U.
residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is
not being transparent about the data they are holding about an E.U. citizen and why they are holding
that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach
occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization
has 72 hours to notify the E.U. citizen about the breach.
Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS is an international security standard meant to ensure that organizations storing, accepting,
processing, and transmitting credit card information do so in a secure environment. The objective of
this compliance standard is to reduce credit card fraud.
The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S. federal law established in 1996 to protect patients' health information. This law
prohibits patient information from being shared without their consent. It is governed by three rules:
1. Privacy
2. Security
3. Breach notification
Organizations that store patient data have a legal obligation to inform patients of a breach because if
patients' Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance
fraud. PHI relates to the past, present, or future physical or mental health or condition of an
individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a
law, security professionals also need to be familiar with the Health Information Trust Alliance
(HITRUST®), which is a security framework and assurance program that helps institutions meet
HIPAA compliance.
International Organization for Standardization (ISO)

ISO was created to establish international standards related to technology, manufacturing, and
management across borders. It helps organizations improve their processes and procedures for staff
retention, planning, waste, and services.
System and Organizations Controls (SOC type 1, SOC type 2)

The American Institute of Certified Public Accountants® (AICPA) auditing standards board
developed this standard. The SOC1 and SOC2 are a series of reports that focus on an
organization's user access policies at different organizational levels such as:
 Associate
 Supervisor
 Manager
 Executive
 Vendor
 Others
They are used to assess an organization’s financial compliance and levels of risk. They also cover
confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in
these areas can lead to fraud.
Pro tip: There are a number of regulations that are frequently revised. You are encouraged to keep
up-to-date with changes and explore more frameworks, controls, and compliance. Two suggestions
to research: the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.
United States Presidential Executive Order 14028
On May 12, 2021, President Joe Biden released an executive order related to improving the nation’s
cybersecurity to remediate the increase in threat actor activity. Remediation efforts are directed
toward federal agencies and third parties with ties to U.S. critical infrastructure. For additional
information, review the Executive Order on Improving the Nation’s Cybersecurity.
Key takeaways
In this reading you learned more about controls, frameworks, and compliance. You also learned how
they work together to help organizations maintain a low level of risk.
As a security analyst, it’s important to stay up-to-date on common frameworks, controls, and
compliance regulations and be aware of changes to the cybersecurity landscape to help ensure the
safety of both organizations and people.
Ethical concepts that guide

cybersecurity decisions
Previously, you were introduced to the concept of security ethics. Security ethics are guidelines for
making appropriate decisions as a security professional. Being ethical requires that security
professionals remain unbiased and maintain the security and confidentiality of private data. Having a
strong sense of ethics can help you navigate your decisions as a cybersecurity professional so
you’re able to mitigate threats posed by threat actors’ constantly evolving tactics and techniques. In
this reading, you’ll learn about more ethical concepts that are essential to know so you can make
appropriate decisions about how to legally and ethically respond to attacks in a way that protects
organizations and people alike.
Ethical concerns and laws related to counterattacks

United States standpoint on counterattacks
In the U.S., deploying a counterattack on a threat actor is illegal because of laws like the Computer
Fraud and Abuse Act of 1986 and the Cybersecurity Information Sharing Act of 2015, among others.
You can only defend. The act of counterattacking in the U.S. is perceived as an act of vigilantism. A
vigilante is a person who is not a member of law enforcement who decides to stop a crime on their
own. And because threat actors are criminals, counterattacks can lead to further escalation of the
attack, which can cause even more damage and harm. Lastly, if the threat actor in question is a
state-sponsored hacktivist, a counterattack can lead to serious international implications. A hacktivist
is a person who uses hacking to achieve a political goal. The political goal may be to promote social
change or civil disobedience.
For these reasons, the only individuals in the U.S. who are allowed to counterattack are approved
employees of the federal government or military personnel.
International standpoint on counterattacks

The International Court of Justice (ICJ), which updates its guidance regularly, states that a person or
group can counterattack if:
 The counterattack will only affect the party that attacked first.
 The counterattack is a direct communication asking the initial attacker to stop.
 The counterattack does not escalate the situation.
 The counterattack effects can be reversed.
Organizations typically do not counterattack because the above scenarios and parameters are hard
to measure. There is a lot of uncertainty dictating what is and is not lawful, and at times negative
outcomes are very difficult to control. Counterattack actions generally lead to a worse outcome,
especially when you are not an experienced professional in the field.
To learn more about specific scenarios and ethical concerns from an international perspective,
review updates provided in the Tallinn Manual online.
Ethical principles and methodologies

Because counterattacks are generally disapproved of or illegal, the security realm has created
frameworks and controls—such as the confidentiality, integrity, and availability (CIA) triad and others
discussed earlier in the program—to address issues of confidentiality, privacy protections, and
laws. To better understand the relationship between these issues and the ethical obligations of
cybersecurity professionals, review the following key concepts as they relate to using ethics to
protect organizations and the people they serve.
Confidentiality means that only authorized users can access specific assets or data. Confidentiality
as it relates to professional ethics means that there needs to be a high level of respect for privacy to
safeguard private assets and data.
Privacy protection means safeguarding personal information from unauthorized use. Personally
identifiable information (PII) and sensitive personally identifiable information (SPII) are types of
personal data that can cause people harm if they are stolen. PII data is any information used to infer
an individual's identity, like their name and phone number. SPII data is a specific type of PII that falls
under stricter handling guidelines, including social security numbers and credit card numbers. To
effectively safeguard PII and SPII data, security professionals hold an ethical obligation to secure
private information, identify security vulnerabilities, manage organizational risks, and align security
with business goals.
Laws are rules that are recognized by a community and enforced by a governing entity. As a security
professional, you will have an ethical obligation to protect your organization, its internal
infrastructure, and the people involved with the organization. To do this:
 You must remain unbiased and conduct your work honestly, responsibly, and with the
highest respect for the law.
 Be transparent and just, and rely on evidence.
 Ensure that you are consistently invested in the work you are doing, so you can
appropriately and ethically address issues that arise.
 Stay informed and strive to advance your skills, so you can contribute to the betterment of
the cyber landscape.
As an example, consider the Health Insurance Portability and Accountability Act (HIPAA), which is
a U.S. federal law established to protect patients' health information, also known as PHI, or
protected health information. This law prohibits patient information from being shared without their
consent. So, as a security professional, you might help ensure that the organization you work for
adheres to both its legal and ethical obligation to inform patients of a breach if their health care data
is exposed.
Key takeaways
As a future security professional, ethics will play a large role in your daily work. Understanding ethics
and laws will help you make the correct choices if and when you encounter a security threat or an
incident that results in a breach.
-------------------------------------------------------------------------------------------------------------------------------------

Asset: An item perceived as having value to an organization
Availability: The idea that data is accessible to those who are authorized to access it
Compliance: The process of adhering to internal standards and external regulations
Confidentiality: The idea that only authorized users can access specific assets or data
Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations
consider risk when setting up systems and security policies
Hacktivist: A person who uses hacking to achieve a political goal
Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law established to
protect patients' health information
Integrity: The idea that the data is correct, authentic, and reliable
National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF): A voluntary
framework that consists of standards, guidelines, and best practices to manage cybersecurity risk
Privacy protection: The act of safeguarding personal information from unauthorized use
Protected health information (PHI): Information that relates to the past, present, or future physical or
mental health or condition of an individual
Security architecture: A type of security design composed of multiple components, such as tools and
processes, that are used to protect an organization from risks and external threats
Security controls: Safeguards designed to reduce specific security risks
Security ethics: Guidelines for making appropriate decisions as a security professional
Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and
privacy
Security governance: Practices that help support, define, and direct security efforts of an organization
Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter
handling guidelines
---------------------------------------------------------------------------------------
Use tools to protect business operations

Previously, you were introduced to programming, operating systems, and tools commonly used by
cybersecurity professionals. In this reading, you’ll learn more about programming and operating
systems, as well as other tools that entry-level analysts use to help protect organizations and the
people they serve.
Tools and their purposes

Programming
Programming is a process that can be used to create a specific set of instructions for a computer to
execute tasks. Security analysts use programming languages, such as Python, to execute
automation. Automation is the use of technology to reduce human and manual effort in performing
common and repetitive tasks. Automation also helps reduce the risk of human error.
Another programming language used by analysts is called Structured Query Language (SQL). SQL
is used to create, interact with, and request information from a database. A database is an organized
collection of information or data. There can be millions of data points in a database. A data point is a
specific piece of information.
Operating systems
An operating system is the interface between computer hardware and the user. Linux®, macOS®,
and Windows are operating systems. They each offer different functionality and user experiences.
Previously, you were introduced to Linux as an open-source operating system. Open source means
that the code is available to the public and allows people to make contributions to improve the
software. Linux is not a programming language; however, it does involve the use of a command line
within the operating system. A command is an instruction telling the computer to do something. A
command-line interface is a text-based user interface that uses commands to interact with the
computer. You will learn more about Linux, including the Linux kernel and GNU, in a later course.
Web vulnerability
A web vulnerability is a unique flaw in a web application that a threat actor could exploit by using
malicious code or behavior, to allow unauthorized access, data theft, and malware deployment.
To stay up-to-date on the most critical risks to web applications, review the Open Web Application
Security Project (OWASP) Top 10.
Antivirus software
Antivirus software is a software program used to prevent, detect, and eliminate malware and viruses.
It is also called anti-malware. Depending on the type of antivirus software, it can scan the memory of
a device to find patterns that indicate the presence of malware.
Intrusion detection system

An intrusion detection system (IDS) is an application that monitors system activity and alerts on
possible intrusions. The system scans and analyzes network packets, which carry small amounts of
data through a network. The small amount of data makes the detection process easier for an IDS to
identify potential threats to sensitive data. Other occurrences an IDS might detect can include theft
and unauthorized access.
Encryption
Encryption makes data unreadable and difficult to decode for an unauthorized user; its main goal is
to ensure confidentiality of private data. Encryption is the process of converting data from a readable
format to a cryptographically encoded format. Cryptographic encoding means converting plaintext
into secure ciphertext. Plaintext is unencrypted information and secure ciphertext is the result of
encryption.
Note: Encoding and encryption serve different purposes. Encoding uses a public conversion
algorithm to enable systems that use different data representations to share information.
Penetration testing
Penetration testing, also called pen testing, is the act of participating in a simulated attack that helps
identify vulnerabilities in systems, networks, websites, applications, and processes. It is a thorough
risk assessment that can evaluate and identify external and internal threats as well as weaknesses.
Key takeaways
In this reading, you learned more about programming and operating systems. You were also
introduced to several new tools and processes. Every organization selects their own set of tools.
Therefore, the more tools you know, the more valuable you are to an organization. Tools help
security analysts complete their tasks more efficiently and effectively.

Antivirus software: A software program used to prevent, detect, and eliminate malware and viruses
Database: An organized collection of information or data
Data point: A specific piece of information

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible
intrusions
Linux: An open-source operating system
Log: A record of events that occur within an organization’s systems
Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic within
a network
Order of volatility: A sequence outlining the order of data that must be preserved from first to last
Programming: A process that can be used to create a specific set of instructions for a computer to
execute tasks
Protecting and preserving evidence: The process of properly working with fragile and volatile digital
evidence
Security information and event management (SIEM): An application that collects and analyzes log
data to monitor critical activities in an organization
SQL (Structured Query Language): A query language used to create, interact with, and request
information from a database
Manage common threats, risks, and

vulnerabilities
Previously, you learned that security involves protecting organizations and people from threats,
risks, and vulnerabilities. Understanding the current threat landscapes gives organizations the ability
to create policies and processes designed to help prevent and mitigate these types of security
issues. In this reading, you will further explore how to manage risk and some common threat actor
tactics and techniques, so you are better prepared to protect organizations and the people they
serve when you enter the cybersecurity field.
Risk management
A primary goal of organizations is to protect assets. An asset is an item perceived as having value to
an organization. Assets can be digital or physical. Examples of digital assets include the personal
information of employees, clients, or vendors, such as:
 Social Security Numbers (SSNs), or unique national identification numbers assigned to

individuals
 Dates of birth
 Bank account numbers
 Mailing addresses
Examples of physical assets include:
 Payment kiosks
 Servers
 Desktop computers
 Office spaces
Some common strategies used to manage risks include:
 Acceptance: Accepting a risk to avoid disrupting business continuity

 Avoidance: Creating a plan to avoid the risk altogether
 Transference: Transferring risk to a third party to manage
 Mitigation: Lessening the impact of a known risk
Additionally, organizations implement risk management processes based on widely accepted

frameworks to help protect digital and physical assets from various threats, risks, and vulnerabilities.
Examples of frameworks commonly used in the cybersecurity industry include the National Institute
of Standards and Technology Risk Management Framework (NIST RMF) and Health Information
Trust Alliance (HITRUST).
Following are some common types of threats, risks, and vulnerabilities you’ll help organizations
manage as a security professional.
Today’s most common threats, risks, and

vulnerabilities
Threats
A threat is any circumstance or event that can negatively impact assets. As an entry-level security
analyst, your job is to help defend the organization’s assets from inside and outside threats.
Therefore, understanding common types of threats is important to an analyst’s daily work. As a
reminder, common threats include:
 Insider threats: Staff members or vendors abuse their authorized access to obtain data that
may harm an organization.
 Advanced persistent threats (APTs): A threat actor maintains unauthorized access to a
system for an extended period of time.
Risks
A risk is anything that can impact the confidentiality, integrity, or availability of an asset. A basic
formula for determining the level of risk is that risk equals the likelihood of a threat. One way to think
about this is that a risk is being late to work and threats are traffic, an accident, a flat tire, etc.
There are different factors that can affect the likelihood of a risk to an organization’s assets,
including:
 External risk: Anything outside the organization that has the potential to harm organizational
assets, such as threat actors attempting to gain access to private information
 Internal risk: A current or former employee, vendor, or trusted partner who poses a security
risk
 Legacy systems: Old systems that might not be accounted for or updated, but can still impact
assets, such as workstations or old mainframe systems. For example, an organization might
have an old vending machine that takes credit card payments or a workstation that is still
connected to the legacy accounting system.
 Multiparty risk: Outsourcing work to third-party vendors can give them access to intellectual
property, such as trade secrets, software designs, and inventions.
 Software compliance/licensing: Software that is not updated or in compliance, or patches that
are not installed in a timely manner
There are many resources, such as the NIST, that provide lists of cybersecurity risks. Additionally,
the Open Web Application Security Project (OWASP) publishes a standard awareness document
about the top 10 most critical security risks to web applications, which is updated regularly.
Note: The OWASP’s common attack types list contains three new risks for the years 2017 to 2021:
insecure design, software and data integrity failures, and server-side request forgery. This update
emphasizes the fact that security is a constantly evolving field. It also demonstrates the importance
of staying up to date on current threat actor tactics and techniques, so you can be better prepared to
manage these types of risks.
Vulnerabilities
A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to
regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:
 ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server.

This means a threat actor can complete a user authentication process to deploy malicious
code from a remote location.
 ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication
protocol is a way to verify a person's identity. Netlogon is a service that ensures a user’s
identity before allowing access to a website's location.
 Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive
information. It does this by enabling a remote attacker to take control of devices connected to
the internet and run malicious code.
 PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM).
It is a theft technique that allows a LAN-based attacker to initiate an authentication request.
 Security logging and monitoring failures: Insufficient logging and monitoring capabilities that
result in attackers exploiting vulnerabilities without the organization knowing it
 Server-side request forgery: Allows attackers to manipulate a server-side application into
accessing and updating backend resources. It can also allow threat actors to steal data.
As an entry-level security analyst, you might work in vulnerability management, which is monitoring a
system to identify and mitigate vulnerabilities. Although patches and updates may exist, if they are
not applied, intrusions can still occur. For this reason, constant monitoring is important. The sooner
an organization identifies a vulnerability and addresses it by patching it or updating their systems,
the sooner it can be mitigated, reducing the organization’s exposure to the vulnerability.
To learn more about the vulnerabilities explained in this section of the reading, as well as other
vulnerabilities, explore the NIST National Vulnerability Database and CISA Known Exploited
Vulnerabilities Catalog.
Key takeaways
In this reading, you learned about some risk management strategies and frameworks that can be
used to develop organization-wide policies and processes to mitigate threats, risks, and
vulnerabilities. You also learned about some of today’s most common threats, risks, and
vulnerabilities to business operations. Understanding these concepts can better prepare you to not
only protect against, but also mitigate, the types of security-related issues that can harm
organizations and people alike.
-------------------------------------------------------------------------------------------------------------------------
The relationship between frameworks

and controls
Previously, you learned how organizations use security frameworks and controls to protect against
threats, risks, and vulnerabilities. This included discussions about the National Institute of Standards
and Technology’s (NIST’s) Risk Management Framework (RMF) and Cybersecurity Framework
(CSF), as well as the confidentiality, integrity, and availability (CIA) triad. In this reading, you will
further explore security frameworks and controls and how they are used together to help mitigate
organizational risk.
Frameworks and controls

Security frameworks are guidelines used for building plans to help mitigate risk and threats to data
and privacy. Frameworks support organizations’ ability to adhere to compliance laws and
regulations. For example, the healthcare industry uses frameworks to comply with the United States’
Health Insurance Portability and Accountability Act (HIPAA), which requires that medical
professionals keep patient information safe.
Security controls are safeguards designed to reduce specific security risks. Security controls are the
measures organizations use to lower risk and threats to data and privacy. For example, a control
that can be used alongside frameworks to ensure a hospital remains compliant with HIPAA is
requiring that patients use multi-factor authentication (MFA) to access their medical records. Using a
measure like MFA to validate someone’s identity is one way to help mitigate potential risks and
threats to private data.
Specific frameworks and controls
There are many different frameworks and controls that organizations can use to remain compliant
with regulations and achieve their security goals. Frameworks covered in this reading are the Cyber
Threat Framework (CTF) and the International Organization for Standardization/International
Electrotechnical Commission (ISO/IEC) 27001. Several common security controls, used alongside
these types of frameworks, are also explained.
Cyber Threat Framework (CTF)

According to the Office of the Director of National Intelligence, the CTF was developed by the U.S.
government to provide “a common language for describing and communicating information about
cyber threat activity.” By providing a common language to communicate information about threat
activity, the CTF helps cybersecurity professionals analyze and share information more efficiently.
This allows organizations to improve their response to the constantly evolving cybersecurity
landscape and threat actors' many tactics and techniques.
International Organization for Standardization/International Electrotechnical

Commission (ISO/IEC) 27001
An internationally recognized and used framework is ISO/IEC 27001. The ISO 27000 family of
standards enables organizations of all sectors and sizes to manage the security of assets, such as
financial information, intellectual property, employee data, and information entrusted to third parties.
This framework outlines requirements for an information security management system, best
practices, and controls that support an organization’s ability to manage risks. Although the ISO/IEC
27001 framework does not require the use of specific controls, it does provide a collection of controls
that organizations can use to improve their security posture.
Controls
Controls are used alongside frameworks to reduce the possibility and impact of a security threat,
risk, or vulnerability. Controls can be physical, technical, and administrative and are typically used to
prevent, detect, or correct security issues.
Examples of physical controls:
 Gates, fences, and locks

 Security guards
 Closed-circuit television (CCTV), surveillance cameras, and motion detectors
 Access cards or badges to enter office spaces
Examples of technical controls:
 Firewalls
 MFA
 Antivirus software
Examples of administrative controls:

 Separation of duties
 Authorization
 Asset classification
To learn more about controls, particularly those used to protect health-related assets from a variety
of threat types, review the U.S. Department of Health and Human Services’ Physical Access Control
presentation.
Key takeaways
Cybersecurity frameworks and controls are used together to establish an organization’s security
posture. They also support an organization’s ability to meet security goals and comply with laws and
regulations. Although these frameworks and controls are typically voluntary, organizations are
strongly encouraged to implement and use them to help ensure the safety of critical assets.
Use the CIA triad to protect

organizations
Previously, you were introduced to the confidentiality, integrity, and availability (CIA) triad and how it
helps organizations consider and mitigate risk. In this reading, you will learn how cybersecurity
analysts use the CIA triad in the workplace.
The CIA triad for analysts

The CIA triad is a model that helps inform how organizations consider risk when setting up systems
and security policies. It is made up of three elements that cybersecurity analysts and organizations
work toward upholding: confidentiality, integrity, and availability. Maintaining an acceptable level of
risk and ensuring systems and policies are designed with these elements in mind helps establish a
successful security posture, which refers to an organization’s ability to manage its defense of critical
assets and data and react to change.
Confidentiality
Confidentiality is the idea that only authorized users can access specific assets or data. In an
organization, confidentiality can be enhanced through the implementation of design principles, such
as the principle of least privilege. The principle of least privilege limits users' access to only the
information they need to complete work-related tasks. Limiting access is one way of maintaining the
confidentiality and security of private data.
Integrity
Integrity is the idea that the data is verifiably correct, authentic, and reliable. Having protocols in
place to verify the authenticity of data is essential. One way to verify data integrity is
through cryptography, which is used to transform data so unauthorized parties cannot read or
tamper with it (NIST, 2022). Another example of how an organization might implement integrity is by
enabling encryption, which is the process of converting data from a readable format to an encoded
format. Encryption can be used to prevent access and ensure data, such as messages on an
organization's internal chat platform, cannot be tampered with.
Availability
Availability is the idea that data is accessible to those who are authorized to use it. When a system
adheres to both availability and confidentiality principles, data can be used when needed. In the
workplace, this could mean that the organization allows remote employees to access its internal
network to perform their jobs. It’s worth noting that access to data on the internal network is still
limited, depending on what type of access employees need to do their jobs. If, for example, an
employee works in the organization’s accounting department, they might need access to corporate
accounts but not data related to ongoing development projects.
Key takeaways
The CIA triad is essential for establishing an organization’s security posture. Knowing what it is and
how it’s applied can help you better understand how security teams work to protect organizations
and the people they serve.
More about OWASP security principles
Previously, you learned that cybersecurity analysts help keep data safe and reduce risk for an
organization by using a variety of security frameworks, controls, and security principles. In this
reading, you will learn about more Open Web Application Security Project, recently renamed Open
Worldwide Application Security Project® (OWASP), security principles and how entry-level analysts
use them.
Security principles
In the workplace, security principles are embedded in your daily tasks. Whether you are analyzing
logs, monitoring a security information and event management (SIEM) dashboard, or using a
vulnerability scanner, you will use these principles in some way.
Previously, you were introduced to several OWASP security principles. These included:
 Minimize attack surface area: Attack surface refers to all the potential vulnerabilities a threat
actor could exploit.
 Principle of least privilege: Users have the least amount of access required to perform their
everyday tasks.
 Defense in depth: Organizations should have varying security controls that mitigate risks and
threats.
 Separation of duties: Critical actions should rely on multiple people, each of whom follow the
principle of least privilege.
 Keep security simple: Avoid unnecessarily complicated solutions. Complexity makes security
difficult.
 Fix security issues correctly: When security incidents occur, identify the root cause, contain
the impact, identify vulnerabilities, and conduct tests to ensure that remediation is
successful.
Additional OWASP security principles

Next, you’ll learn about four additional OWASP security principles that cybersecurity analysts and
their teams use to keep organizational operations and people safe.
Establish secure defaults

This principle means that the optimal security state of an application is also its default state for
users; it should take extra work to make the application insecure.
Fail securely
Fail securely means that when a control fails or stops, it should do so by defaulting to its most
secure option. For example, when a firewall fails it should simply close all connections and block all
new ones, rather than start accepting everything.
Don’t trust services
Many organizations work with third-party partners. These outside partners often have different
security policies than the organization does. And the organization shouldn’t explicitly trust that their
partners’ systems are secure. For example, if a third-party vendor tracks reward points for airline
customers, the airline should ensure that the balance is accurate before sharing that information with
their customers.
Avoid security by obscurity

The security of key systems should not rely on keeping details hidden. Consider the following
example from OWASP (2016):
The security of an application should not rely on keeping the source code secret. Its security should
rely upon many other factors, including reasonable password policies, defense in depth, business
transaction limits, solid network architecture, and fraud and audit controls.
Key takeaways
Cybersecurity professionals are constantly applying security principles to safeguard organizations
and the people they serve. As an entry-level security analyst, you can use these security principles
to promote safe development practices that reduce risks to companies and users alike.
-----------------------------------------------------------------------------------------------------------------------------------
Audit Scope and Goals
Summary: The internal audit needs to align current business practices with industry standards and
best practices. The audit is meant to provide mitigation recommendations for vulnerabilities found
that are classified as “high risk,” and present an overall strategy to improve the security posture of
the organization. The audit team needs to document their findings, provide remediation plans and
efforts, and communicate with stakeholders.
Scope: The internal IT audit will assess the following:
● Assess user permissions
● Identify existing controls, procedures, and system protocols
● Account for technology currently in use
Goals: The goals for the internal IT audit are:
● Adhere to the NIST Cybersecurity Framework (CSF)
● Establish policies and procedures to ensure compliance with regulations
● Fortify system controls
More about security audits

Previously, you were introduced to how to plan and complete an internal security audit. In this
reading, you will learn more about security audits, including the goals and objectives of audits.
Security audits
A security audit is a review of an organization's security controls, policies, and procedures against a
set of expectations. Audits are independent reviews that evaluate whether an organization is
meeting internal and external criteria. Internal criteria include outlined policies, procedures, and best
practices. External criteria include regulatory compliance, laws, and federal regulations.
Additionally, a security audit can be used to assess an organization's established security controls.
As a reminder, security controls are safeguards designed to reduce specific security risks.
Audits help ensure that security checks are made (i.e., daily monitoring of security information and
event management dashboards), to identify threats, risks, and vulnerabilities. This helps maintain an
organization’s security posture. And, if there are security issues, a remediation process must be in
place.
Goals and objectives of an audit

The goal of an audit is to ensure an organization's information technology (IT) practices are meeting
industry and organizational standards. The objective is to identify and address areas of remediation
and growth. Audits provide direction and clarity by identifying what the current failures are and
developing a plan to correct them.
Security audits must be performed to safeguard data and avoid penalties and fines from
governmental agencies. The frequency of audits is dependent on local laws and federal compliance
regulations.
Factors that affect audits

Factors that determine the types of audits an organization implements include:
 Industry type
 Organization size
 Ties to the applicable government regulations
 A business’s geographical location
 A business decision to adhere to a specific regulatory compliance
To review common compliance regulations that different organizations need to adhere to, refer to the
reading about controls, frameworks, and compliance.
The role of frameworks and controls in audits

Along with compliance, it’s important to mention the role of frameworks and controls in security
audits. Frameworks such as the National Institute of Standards and Technology Cybersecurity
Framework (NIST CSF) and the international standard for information security (ISO 27000) series
are designed to help organizations prepare for regulatory compliance security audits. By adhering to
these and other relevant frameworks, organizations can save time when conducting external and
internal audits. Additionally, frameworks, when used alongside controls, can support organizations’
ability to align with regulatory compliance requirements and standards.
There are three main categories of controls to review during an audit, which are administrative
and/or managerial, technical, and physical controls. To learn more about specific controls related to
each category, click the following link and select “Use Template.”
Link to template: Control categories
OR
If you don’t have a Google account, you can download the template directly from the following
attachment
Control categories
DOCX File
Audit checklist
It’s necessary to create an audit checklist before conducting an audit. A checklist is generally made
up of the following areas of focus:
Identify the scope of the audit
 The audit should:

o List assets that will be assessed (e.g., firewalls are configured correctly, PII is
secure, physical assets are locked, etc.)
o Note how the audit will help the organization achieve its desired goals
o Indicate how often an audit should be performed
o Include an evaluation of organizational policies, protocols, and procedures to make
sure they are working as intended and being implemented by employees
Complete a risk assessment
 A risk assessment is used to evaluate identified organizational risks related to budget,

controls, internal processes, and external standards (i.e., regulations).
Conduct the audit
 When conducting an internal audit, you will assess the security of the identified assets listed
in the audit scope.
Create a mitigation plan
 A mitigation plan is a strategy established to lower the level of risk and potential costs,
penalties, or other issues that can negatively affect the organization’s security posture.
Communicate results to stakeholders
 The end result of this process is providing a detailed report of findings, suggested
improvements needed to lower the organization's level of risk, and compliance regulations
and standards the organization needs to adhere to.
Key takeaways
In this reading you learned more about security audits, including what they are; why they’re
conducted; and the role of frameworks, controls, and compliance in audits.
Although there is much more to learn about security audits, this introduction is meant to support your
ability to complete an audit of your own for a self-reflection portfolio activity later in this course.
Attack vectors: The pathways attackers use to penetrate security defenses
Authentication: The process of verifying who someone is
Authorization: The concept of granting access to specific resources in a system
Availability: The idea that data is accessible to those who are authorized to access it
Biometrics: The unique physical characteristics that can be used to verify a person’s identity
Confidentiality: The idea that only authorized users can access specific assets or data
Confidentiality, integrity, availability (CIA) triad: A model that helps inform how
organizations consider risk when setting up systems and security policies
Detect: A NIST core function related to identifying potential security incidents and improving
monitoring capabilities to increase the speed and efficiency of detections
Encryption: The process of converting data from a readable format to an encoded format
Identify: A NIST core function related to management of cybersecurity risk and its effect on an
organization’s people and assets
Integrity: The idea that the data is correct, authentic, and reliable
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):

A voluntary framework that consists of standards, guidelines, and best practices to manage
cybersecurity risk
National Institute of Standards and Technology (NIST) Special Publication (S.P.) 800-53: A
unified framework for protecting the security of information systems within the U.S. federal
government
Open Web Application Security Project/Open Worldwide Application Security Project

(OWASP): A non-profit organization focused on improving software security
Protect: A NIST core function used to protect an organization through the implementation of
policies, procedures, training, and tools that help mitigate cybersecurity threats
Recover: A NIST core function related to returning affected systems back to normal operation
Respond: A NIST core function related to making sure that the proper procedures are used to
contain, neutralize, and analyze security incidents, and implement improvements to the security
process
Risk: Anything that can impact the confidentiality, integrity, or availability of an asset
Security audit: A review of an organization's security controls, policies, and procedures against
a set of expectations
Security frameworks: Guidelines used for building plans to help mitigate risk and threats to
data and privacy
Security posture: An organization’s ability to manage its defense of critical assets and data and
react to change
Threat: Any circumstance or event that can negatively impact assets
The future of SIEM tools

Previously, you were introduced to security information and event management (SIEM) tools, along
with a few examples of SIEM tools. In this reading, you will learn more about how SIEM tools are
used to protect organizational operations. You will also gain insight into how and why SIEM tools are
changing to help protect organizations and the people they serve from evolving threat actor tactics
and techniques.
Current SIEM solutions

A SIEM tool is an application that collects and analyzes log data to monitor critical activities in an
organization. SIEM tools offer real-time monitoring and tracking of security event logs. The data is
then used to conduct a thorough analysis of any potential security threat, risk, or vulnerability
identified. SIEM tools have many dashboard options. Each dashboard option helps cybersecurity
team members manage and monitor organizational data. However, currently, SIEM tools require
human interaction for analysis of security events.
The future of SIEM tools

As cybersecurity continues to evolve, the need for cloud functionality has increased. SIEM tools
have and continue to evolve to function in cloud-hosted and cloud-native environments. Cloud-
hosted SIEM tools are operated by vendors who are responsible for maintaining and managing the
infrastructure required to use the tools. Cloud-hosted tools are simply accessed through the internet
and are an ideal solution for organizations that don’t want to invest in creating and maintaining their
own infrastructure.
Similar to cloud-hosted SIEM tools, cloud-native SIEM tools are also fully maintained and managed
by vendors and accessed through the internet. However, cloud-native tools are designed to take full
advantage of cloud computing capabilities, such as availability, flexibility, and scalability.
Yet, the evolution of SIEM tools is expected to continue in order to accommodate the changing
nature of technology, as well as new threat actor tactics and techniques. For example, consider the
current development of interconnected devices with access to the internet, known as the Internet of
Things (IoT). The more interconnected devices there are, the larger the cybersecurity attack surface
and the amount of data that threat actors can exploit. The diversity of attacks and data that require
special attention is expected to grow significantly. Additionally, as artificial intelligence (AI) and
machine learning (ML) technology continues to progress, SIEM capabilities will be enhanced to
better identify threat-related terminology, dashboard visualization, and data storage functionality.
The implementation of automation will also help security teams respond faster to possible incidents,
performing many actions without waiting for a human response. Security orchestration, automation,
and response (SOAR) is a collection of applications, tools, and workflows that uses automation to
respond to security events. Essentially, this means that handling common security-related incidents
with the use of SIEM tools is expected to become a more streamlined process requiring less manual
intervention. This frees up security analysts to handle more complex and uncommon incidents that,
consequently, can’t be automated with a SOAR. Nevertheless, the expectation is for cybersecurity-
related platforms to communicate and interact with one another. Although the technology allowing
interconnected systems and devices to communicate with each other exists, it is still a work in
progress.
Key takeaways
SIEM tools play a major role in monitoring an organization’s data. As an entry-level security analyst,
you might monitor SIEM dashboards as part of your daily tasks. Regularly researching new
developments in SIEM technology will help you grow and adapt to the changes in the cybersecurity
field. Cloud computing, SIEM-application integration, and automation are only some of the
advancements security professionals can expect in the future evolution of SIEM tools.
More about cybersecurity tools

Previously, you learned about several tools that are used by cybersecurity team members to monitor
for and identify potential security threats, risks, and vulnerabilities. In this reading, you’ll learn more
about common open-source and proprietary cybersecurity tools that you may use as a cybersecurity
professional.
Open-source tools
Open-source tools are often free to use and can be user friendly. The objective of open-source tools
is to provide users with software that is built by the public in a collaborative way, which can result in
the software being more secure. Additionally, open-source tools allow for more customization by
users, resulting in a variety of new services built from the same open-source software package.
Software engineers create open-source projects to improve software and make it available for
anyone to use, as long as the specified license is respected. The source code for open-source
projects is readily available to users, as well as the training material that accompanies them. Having
these sources readily available allows users to modify and improve project materials.
Proprietary tools
Proprietary tools are developed and owned by a person or company, and users typically pay a fee
for usage and training. The owners of proprietary tools are the only ones who can access and modify
the source code. This means that users generally need to wait for updates to be made to the
software, and at times they might need to pay a fee for those updates. Proprietary software generally
allows users to modify a limited number of features to meet individual and organizational needs.
Examples of proprietary tools include Splunk® and Chronicle SIEM tools.
Common misconceptions
There is a common misconception that open-source tools are less effective and not as safe to use
as proprietary tools. However, developers have been creating open-source materials for years that
have become industry standards. Although it is true that threat actors have attempted to manipulate
open-source tools, because these tools are open source it is actually harder for people with
malicious intent to successfully cause harm. The wide exposure and immediate access to the source
code by well-intentioned and informed users and professionals makes it less likely for issues to
occur, because they can fix issues as soon as they’re identified.
Examples of open-source tools

In security, there are many tools in use that are open-source and commonly available. Two
examples are Linux and Suricata.
Linux
Linux is an open-source operating system that is widely used. It allows you to tailor the operating
system to your needs using a command-line interface. An operating system is the interface between
computer hardware and the user. It’s used to communicate with the hardware of a computer and
manage software applications.
There are multiple versions of Linux that exist to accomplish specific tasks. Linux and its command-
line interface will be discussed in detail, later in the certificate program.
Suricata
Suricata is an open-source network analysis and threat detection software. Network analysis and
threat detection software is used to inspect network traffic to identify suspicious behavior and
generate network data logs. The detection software finds activity across users, computers, or
Internet Protocol (IP) addresses to help uncover potential threats, risks, or vulnerabilities.
Suricata was developed by the Open Information Security Foundation (OISF). OISF is dedicated to
maintaining open-source use of the Suricata project to ensure it’s free and publicly available.
Suricata is widely used in the public and private sector, and it integrates with many SIEM tools and
other security tools. Suricata will also be discussed in greater detail later in the program.
Key takeaways
Open-source tools are widely used in the cybersecurity profession. Throughout the certificate
program, you will have multiple opportunities to learn about and explore both open-source and
proprietary tools in more depth.
Use SIEM tools to protect organizations
Previously, you were introduced to security information and event management (SIEM) tools and a
few SIEM dashboards. You also learned about different threats, risks, and vulnerabilities an
organization may experience. In this reading, you will learn more about SIEM dashboard data and
how cybersecurity professionals use that data to identify a potential threat, risk, or vulnerability.
Splunk
Splunk offers different SIEM tool options: Splunk® Enterprise and Splunk® Cloud. Both allow you to
review an organization's data on dashboards. This helps security professionals manage an
organization's internal infrastructure by collecting, searching, monitoring, and analyzing log data from
multiple sources to obtain full visibility into an organization’s everyday operations.
Review the following Splunk dashboards and their purposes:
Security posture dashboard

The security posture dashboard is designed for security operations centers (SOCs). It displays the
last 24 hours of an organization’s notable security-related events and trends and allows security
professionals to determine if security infrastructure and policies are performing as designed. Security
analysts can use this dashboard to monitor and investigate potential threats in real time, such as
suspicious network activity originating from a specific IP address.
Executive summary dashboard

The executive summary dashboard analyzes and monitors the overall health of the organization over
time. This helps security teams improve security measures that reduce risk. Security analysts might
use this dashboard to provide high-level insights to stakeholders, such as generating a summary of
security incidents and trends over a specific period of time.
Incident review dashboard

The incident review dashboard allows analysts to identify suspicious patterns that can occur in the
event of an incident. It assists by highlighting higher risk items that need immediate review by an
analyst. This dashboard can be very helpful because it provides a visual timeline of the events
leading up to an incident.
Risk analysis dashboard

The risk analysis dashboard helps analysts identify risk for each risk object (e.g., a specific user, a
computer, or an IP address). It shows changes in risk-related activity or behavior, such as a user
logging in outside of normal working hours or unusually high network traffic from a specific computer.
A security analyst might use this dashboard to analyze the potential impact of vulnerabilities in
critical assets, which helps analysts prioritize their risk mitigation efforts.
Chronicle
Chronicle is a cloud-native SIEM tool from Google that retains, analyzes, and searches log data to
identify potential security threats, risks, and vulnerabilities. Chronicle allows you to collect and
analyze log data according to:
 A specific asset
 A domain name
 A user
 An IP address
Chronicle provides multiple dashboards that help analysts monitor an organization’s logs, create
filters and alerts, and track suspicious domain names.
Review the following Chronicle dashboards and their purposes:
Enterprise insights dashboard

The enterprise insights dashboard highlights recent alerts. It identifies suspicious domain names in
logs, known as indicators of compromise (IOCs). Each result is labeled with a confidence score to
indicate the likelihood of a threat. It also provides a severity level that indicates the significance of
each threat to the organization. A security analyst might use this dashboard to monitor login or data
access attempts related to a critical asset—like an application or system—from unusual locations or
devices.
Data ingestion and health dashboard

The data ingestion and health dashboard shows the number of event logs, log sources, and success
rates of data being processed into Chronicle. A security analyst might use this dashboard to ensure
that log sources are correctly configured and that logs are received without error. This helps ensure
that log related issues are addressed so that the security team has access to the log data they need.
IOC matches dashboard

The IOC matches dashboard indicates the top threats, risks, and vulnerabilities to the organization.
Security professionals use this dashboard to observe domain names, IP addresses, and device
IOCs over time in order to identify trends. This information is then used to direct the security team’s
focus to the highest priority threats. For example, security analysts can use this dashboard to search
for additional activity associated with an alert, such as a suspicious user login from an unusual
geographic location.
Main dashboard
The main dashboard displays a high-level summary of information related to the organization’s data
ingestion, alerting, and event activity over time. Security professionals can use this dashboard to
access a timeline of security events—such as a spike in failed login attempts— to identify threat
trends across log sources, devices, IP addresses, and physical locations.
Rule detections dashboard

The rule detections dashboard provides statistics related to incidents with the highest occurrences,
severities, and detections over time. Security analysts can use this dashboard to access a list of all
the alerts triggered by a specific detection rule, such as a rule designed to alert whenever a user
opens a known malicious attachment from an email. Analysts then use those statistics to help
manage recurring incidents and establish mitigation tactics to reduce an organization's level of risk.
User sign in overview dashboard

The user sign in overview dashboard provides information about user access behavior across the
organization. Security analysts can use this dashboard to access a list of all user sign-in events to
identify unusual user activity, such as a user signing in from multiple locations at the same time. This
information is then used to help mitigate threats, risks, and vulnerabilities to user accounts and the
organization’s applications.
Key takeaways
SIEM tools provide dashboards that help security professionals organize and focus their security
efforts. This is important because it allows analysts to reduce risk by identifying, analyzing, and
remediating the highest priority items in a timely manner. Later in the program, you’ll have an
opportunity to practice using various SIEM tool features and commands for search queries.

Chronicle: A cloud-native tool designed to retain, analyze, and search data
Incident response: An organization’s quick attempt to identify an attack, contain the damage, and
correct the effects of a security breach
Metrics: Key technical attributes such as response time, availability, and failure rate, which are used
to assess the performance of a software application
Operating system (OS): The interface between computer hardware and the user
Playbook: A manual that provides details about any operational action
Security orchestration, automation, and response (SOAR): A collection of applications, tools, and
workflows that use automation to respond to security events
SIEM tools: A software platform that collects, analyzes, and correlates security data from various
sources across your IT infrastructure that helps identify and respond to security threats in real-time,
investigate security incidents, and comply with security regulations
Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data
Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an organization's log data
to provide security information and alerts in real-time
More about playbooks

Previously, you learned that playbooks are tools used by cybersecurity professionals to identify and
respond to security issues. In this reading, you’ll learn more about playbooks and their purpose in
the field of cybersecurity.
Playbook overview
A playbook is a manual that provides details about any operational action. Essentially, a playbook
provides a predefined and up-to-date list of steps to perform when responding to an incident.
Playbooks are accompanied by a strategy. The strategy outlines expectations of team members who
are assigned a task, and some playbooks also list the individuals responsible. The outlined
expectations are accompanied by a plan. The plan dictates how the specific task outlined in the
playbook must be completed.
Playbooks should be treated as living documents, which means that they are frequently updated by
security team members to address industry changes and new threats. Playbooks are generally
managed as a collaborative effort, since security team members have different levels of expertise.
Updates are often made if:
 A failure is identified, such as an oversight in the outlined policies and procedures, or in the
playbook itself.
 There is a change in industry standards, such as changes in laws or regulatory compliance.
 The cybersecurity landscape changes due to evolving threat actor tactics and techniques.
Types of playbooks
Playbooks sometimes cover specific incidents and vulnerabilities. These might include ransomware,
vishing, business email compromise (BEC), and other attacks previously discussed. Incident and
vulnerability response playbooks are very common, but they are not the only types of playbooks
organizations develop.
Each organization has a different set of playbook tools, methodologies, protocols, and procedures
that they adhere to, and different individuals are involved at each step of the response process,
depending on the country they are in. For example, incident notification requirements from
government-imposed laws and regulations, along with compliance standards, affect the content in
the playbooks. These requirements are subject to change based on where the incident originated
and the type of data affected.
Incident and vulnerability response playbooks
Incident and vulnerability response playbooks are commonly used by entry-level cybersecurity
professionals. They are developed based on the goals outlined in an organization’s business
continuity plan. A business continuity plan is an established path forward allowing a business to
recover and continue to operate as normal, despite a disruption like a security breach.
These two types of playbooks are similar in that they both contain predefined and up-to-date lists of
steps to perform when responding to an incident. Following these steps is necessary to ensure that
you, as a security professional, are adhering to legal and organizational standards and protocols.
These playbooks also help minimize errors and ensure that important actions are performed within a
specific timeframe.
When an incident, threat, or vulnerability occurs or is identified, the level of risk to the organization
depends on the potential damage to its assets. A basic formula for determining the level of risk is
that risk equals the likelihood of a threat. For this reason, a sense of urgency is essential. Following
the steps outlined in playbooks is also important if any forensic task is being carried out. Mishandling
data can easily compromise forensic data, rendering it unusable.
Common steps included in incident and vulnerability playbooks include:
 Preparation
 Detection
 Analysis
 Containment
 Eradication
 Recovery from an incident
Additional steps include performing post-incident activities, and a coordination of efforts throughout
the investigation and incident and vulnerability response stages.
Key takeaways
It is essential to refine processes and procedures outlined in a playbook. With every documented
incident, cybersecurity teams need to consider what was learned from the incident and what
improvements should be made to handle incidents more effectively in the future. Playbooks create
structure and ensure compliance with the law.
Playbooks, SIEM tools, and SOAR tools
Previously, you learned that security teams encounter threats, risks, vulnerabilities, and incidents on
a regular basis and that they follow playbooks to address security-related issues. In this reading, you
will learn more about playbooks, including how they are used in security information and event
management (SIEM) and security orchestration, automation, and response (SOAR).
Playbooks and SIEM tools

Playbooks are used by cybersecurity teams in the event of an incident. Playbooks help security
teams respond to incidents by ensuring that a consistent list of actions are followed in a prescribed
way, regardless of who is working on the case. Playbooks can be very detailed and may include flow
charts and tables to clarify what actions to take and in which order. Playbooks are also used for
recovery procedures in the event of a ransomware attack. Different types of security incidents have
their own playbooks that detail who should take what action and when.
Playbooks are generally used alongside SIEM tools. If, for example, unusual user behavior is
flagged by a SIEM tool, a playbook provides analysts with instructions about how to address the
issue.
Playbooks and SOAR tools

Playbooks are also used with SOAR tools. SOAR tools are similar to SIEM tools in that they are
used for threat monitoring. SOAR is a piece of software used to automate repetitive tasks generated
by tools such as a SIEM or managed detection and response (MDR). For example, if a user
attempts to log into their computer too many times with the wrong password, a SOAR would
automatically block their account to stop a possible intrusion. Then, analysts would refer to a
playbook to take steps to resolve the issue.
Key takeaways
What is most important to know is that playbooks, also sometimes referred to as runbooks, provide
detailed actions for security teams to take in the event of an incident. Knowing exactly who needs to
do what and when can help reduce the impact of an incident and reduce the risk of damage to an
organization’s critical assets.
Course ----------- 3
Network components, devices, and
diagrams
In this reading, you will review network devices and connections and investigate a simple network
diagram similar to those used every day by network security professionals.
A foundational understanding of network architecture, sometimes referred to as network design, will

help you as you learn about security vulnerabilities inherent in all networks and how malicious actors
attempt to exploit them. Let’s get started!
Network devices
Network devices maintain information and services for users of a network. These devices connect
over wired and wireless connections. After establishing a connection to the network, the devices
send data packets. The data packets provide information about the source and the destination of the
data. This is how the information is sent and received via different devices on a network.
The network is the overall infrastructure that allows devices to communicate with each other.
Network devices are specialized vehicles like routers and switches that manage what is being sent
and received over the network. Additionally, devices like computers and phones connect to the
network via network devices.
Note: In this diagram, a router connects to the internet through a modem, which is provided by your
internet service provider (ISP). The firewall is a security device that monitors incoming and outgoing
traffic on your network. The router then directs traffic to the devices on your home network, which
can include computers, laptops, smartphones, tablets, printers, and other devices. You can imagine
here that the server is a file server. All devices on this network can access the files in this server.
This diagram also includes a switch which is an optional device that can be used to connect more
devices to your network by providing additional ports and Ethernet connections. Additionally, there
are 2 routers connected to the switch here for load balancing purposes which will improve the
performance of the network.
Devices and desktop computers

Most internet users are familiar with everyday devices, such as personal computers, laptops, mobile
phones, and tablets. Each device and desktop computer has a unique MAC address and IP address,
which identify it on the network. They also have a network interface that sends and receives data
packets. These devices can connect to the network via a hard wire or a wireless connection.
Firewalls
A firewall is a network security device that monitors traffic to or from your network. It is like your first
line of defense. Firewalls can also restrict specific incoming and outgoing network traffic. The
organization configures the security rules of the firewall. Firewalls often reside between the secured
and controlled internal network and the untrusted network resources outside the organization, such
as the internet. Remember, though, firewalls are just one line of defense in the cybersecurity
landscape.
Servers
Servers provide information and services for devices like computers, smart home devices, and
smartphones on the network. The devices that connect to a server are called clients. The following
graphic outlines this model, which is called the client-server model. In this model, clients send
requests to the server for information and services. The server performs the requests for the clients.
Common examples include DNS servers that perform domain name lookups for internet sites, file
servers that store and retrieve files from a database, and corporate mail servers that organize mail
for a company.
Hubs and switches

Hubs and switches both direct traffic on a local network. A hub is a device that provides a common
point of connection for all devices directly connected to it. Hubs additionally repeat all information out
to all ports. From a security perspective, this makes hubs vulnerable to eavesdropping. For this
reason, hubs are not used as often on modern networks; most organizations use switches instead.
Hubs are more commonly used for a limited network setup like a home office.
Switches are the preferred choice for most networks. A switch forwards packets between devices
directly connected to it. They analyze the destination address of each data packet and send it to the
intended device. Switches maintain a MAC address table that matches MAC addresses of devices
on the network to port numbers on the switch and forwards incoming data packets according to the
destination MAC address. Switches are a part of the data link layer in the TCP/IP model. Overall,
switches improve performance and security.
Routers
Routers connect networks and direct traffic, based on the IP address of the destination network.
Routers allow devices on different networks to communicate with each other. In the TCP/IP model,
routers are a part of the network layer. The IP address of the destination network is contained in the
IP header. The router reads the IP header information and forwards the packet to the next router on
the path to the destination. This continues until the packet reaches the destination network. Routers
can also include a firewall feature that allows or blocks incoming traffic based on information in the
transmission. This stops malicious traffic from entering the private network and damaging the local
area network.
Modems and wireless access points

Modems usually connect your home or office with an internet service provider (ISP). ISPs provide
internet connectivity via telephone lines or coaxial cables. Modems receive transmissions or digital
signals from the internet and translate them into analog signals that can travel through the physical
connection provided by your ISP. Usually, modems connect to a router that takes the decoded
transmissions and sends them on to the local network.
Note: Enterprise networks used by large organizations to connect their users and devices often use
other broadband technologies to handle high-volume traffic, instead of using a modem.
Wireless access point
A wireless access point sends and receives digital signals over radio waves creating a wireless
network. Devices with wireless adapters connect to the access point using Wi-Fi. Wi-Fi refers to a
set of standards that are used by network devices to communicate wirelessly. Wireless access
points and the devices connected to them use Wi-Fi protocols to send data through radio waves
where they are sent to routers and switches and directed along the path to their final destination.
Using network diagrams as a security analyst
Network diagrams allow network administrators and security personnel to imagine the architecture
and design of their organization’s private network.
Network diagrams are maps that show the devices on the network and how they connect. Network
diagrams use small representative graphics to portray each network device and dotted lines to show
how each device connects to the other. By studying network diagrams, security analysts develop
and refine their strategies for securing network architectures.
Key takeaways
In the client-server model, the client requests information and services from the server, and the
server performs the requests for the clients. Network devices include routers, workstations, servers,
hubs, switches, and modems. Security analysts use network diagrams to visualize network
architecture.
Cloud computing and software-defined

networks
In this section of the course, you’ve been learning the basic architecture of networks. You’ve learned
about how physical network devices like workstations, servers, routers, and switches connect to
each other to create a network. Networks may cover small geographical areas, as is the case in a
local area network (LAN). Or they may span a large geographic area, like a city, state, or country, as
is the case in a wide area network (WAN). You also learned about cloud networks and how cloud
computing has grown in recent years.
In this reading, you will further examine the concepts of cloud computing and cloud networking.
You’ll also learn about hybrid networks and software-defined networks, as well as the benefits they
offer. This reading will also cover the benefits of hosting networks in the cloud and why cloud-hosting
is beneficial for large organizations.
Computing processes in the cloud

Traditional networks are called on-premise networks, which means that all of the devices used for
network operations are kept at a physical location owned by the company, like in an office building,
for example. Cloud computing, however, refers to the practice of using remote servers, applications,
and network services that are hosted on the internet instead of at a physical location owned by the
company.
A cloud service provider (CSP) is a company that offers cloud computing services. These companies
own large data centers in locations around the globe that house millions of servers. Data centers
provide technology services, such as storage, and compute at such a large scale that they can sell
their services to other companies for a fee. Companies can pay for the storage and services they
need and consume them through the CSP’s application programming interface (API) or web
console.
CSPs provide three main categories of services:
 Software as a service (SaaS) refers to software suites operated by the CSP that a company
can use remotely without hosting the software.
 Infrastructure as a service (IaaS) refers to the use of virtual computer components offered by
the CSP. These include virtual containers and storage that are configured remotely through
the CSP’s API or web console. Cloud-compute and storage services can be used to operate
existing applications and other technology workloads without significant modifications.
Existing applications can be modified to take advantage of the availability, performance, and
security features that are unique to cloud provider services.
 Platform as a service (PaaS) refers to tools that application developers can use to design
custom applications for their company. Custom applications are designed and accessed in
the cloud and used for a company’s specific business needs.
Hybrid cloud environments

When organizations use a CSP’s services in addition to their on-premise computers, networks, and
storage, it is referred to as a hybrid cloud environment. When organizations use more than one CSP,
it is called a multi-cloud environment. The vast majority of organizations use hybrid cloud
environments to reduce costs and maintain control over network resources.
Software-defined networks
CSPs offer networking tools similar to the physical devices that you have learned about in this
section of the course. Next, you’ll review software-defined networking in the cloud. Software-defined
networks (SDNs) are made up of virtual network devices and services. Just like CSPs provide virtual
computers, many SDNs also provide virtual switches, routers, firewalls, and more. Most modern
network hardware devices also support network virtualization and software-defined networking. This
means that physical switches and routers use software to perform packet routing. In the case of
cloud networking, the SDN tools are hosted on servers located at the CSP’s data center.
Benefits of cloud computing and software-defined

networks
Three of the main reasons that cloud computing is so attractive to businesses are reliability,
decreased cost, and increased scalability.
Reliability
Reliability in cloud computing is based on how available cloud services and resources are, how
secure connections are, and how often the services are effectively running. Cloud computing allows
employees and customers to access the resources they need consistently and with minimal
interruption.
Cost
Traditionally, companies have had to provide their own network infrastructure, at least for internet
connections. This meant there could be potentially significant upfront costs for companies. However,
because CSPs have such large data centers, they are able to offer virtual devices and services at a
fraction of the cost required for companies to install, patch, upgrade, and manage the components
and software themselves.
Scalability
Another challenge that companies face with traditional computing is scalability. When organizations
experience an increase in their business needs, they might be forced to buy more equipment and
software to keep up. But what if business decreases shortly after? They might no longer have the
business to justify the cost incurred by the upgraded components. CSPs reduce this risk by making it
easy to consume services in an elastic utility model as needed. This means that companies only pay
for what they need when they need it.
Changes can be made quickly through the CSPs, APIs, or web console—much more quickly than if
network technicians had to purchase their own hardware and set it up. For example, if a company
needs to protect against a threat to their network, web application firewalls (WAFs), intrusion
detection/protection systems (IDS/IPS), or L3/L4 firewalls can be configured quickly whenever
necessary, leading to better network performance and security.
Key takeaways
In this reading, you learned more about cloud computing and cloud networking. You learned that
CSPs are companies that own large data centers that house millions of servers in locations all over
the globe and then provide modern technology services, including compute, storage, and
networking, through the internet. SDNs are an approach to network management. SDNs enable
dynamic, programmatically efficient network configurations to improve network performance and
monitoring. This makes it more like cloud computing than traditional network management.
Organizations can improve reliability, save costs, and scale quickly by using CSPs to provide
networking services instead of building and maintaining their own network infrastructure.
Learn more about the TCP/IP model
In this reading, you will build on what you have learned about the Transmission Control
Protocol/Internet Protocol (TCP/IP) model, consider the differences between the Open Systems
Interconnection (OSI) model and TCP/IP model, and learn how they’re related. Then, you’ll review
each layer of the TCP/IP model and go over common protocols used in each layer.
As a security professional, it's important that you understand the TCP/IP model because it describes
the functions of various network protocols. The TCP/IP model is based on the TCP/IP protocols suite
that includes all network protocols that support the main TCP/IP protocol. To reiterate from previous
lessons, a network protocol, also known as an internet protocol, is a set of standards used for
routing and addressing data packets as they travel between devices on a network. In this reading,
you will learn which network protocols operate on which communication layers of the TCP/IP model.
The two most common models available are the TCP/IP and the OSI model. These models are a
representative guideline of how hosts communicate across a network. The examples provided in this
course will follow the TCP/IP model.
The TCP/IP model

The TCP/IP model is a framework used to visualize how data is organized and transmitted across a
network. This model helps network engineers and network security analysts conceptualize
processes on the network and communicate where disruptions or security threats occur.
The TCP/IP model has four layers: the network access layer, internet layer, transport layer, and
application layer. When troubleshooting issues on the network, security professionals can analyze
which layers were impacted by an attack based on what processes were involved in an incident.
Network access layer
The network access layer, sometimes called the data link layer, deals with the creation of data
packets and their transmission across a network. This layer corresponds to the physical hardware
involved in network transmission. Hubs, modems, cables, and wiring are all considered part of this
layer. The address resolution protocol (ARP) is part of the network access layer. Since MAC
addresses are used to identify hosts on the same physical network, ARP is needed to map IP
addresses to MAC addresses for local network communication.
Internet layer
The internet layer, sometimes referred to as the network layer, is responsible for ensuring the
delivery to the destination host, which potentially resides on a different network. It ensures IP
addresses are attached to data packets to indicate the location of the sender and receiver. The
internet layer also determines which protocol is responsible for delivering the data packets and
ensures the delivery to the destination host. Here are some of the common protocols that operate at
the internet layer:
 Internet Protocol (IP). IP sends the data packets to the correct destination and relies on the
Transmission Control Protocol/User Datagram Protocol (TCP/UDP) to deliver them to the
corresponding service. IP packets allow communication between two networks. They are
routed from the sending network to the receiving network. TCP in particular retransmits any
data that is lost or corrupt.
 Internet Control Message Protocol (ICMP). The ICMP shares error information and status
updates of data packets. This is useful for detecting and troubleshooting network errors. The
ICMP reports information about packets that were dropped or that disappeared in transit,
issues with network connectivity, and packets redirected to other routers.
Transport layer
The transport layer is responsible for delivering data between two systems or networks and includes
protocols to control the flow of traffic across a network. TCP and UDP are the two transport protocols
that occur at this layer.
Transmission Control Protocol

The Transmission Control Protocol (TCP) is an internet communication protocol that allows two
devices to form a connection and stream data. It ensures that data is reliably transmitted to the
destination service. TCP contains the port number of the intended destination service, which resides
in the TCP header of a TCP/IP packet.
User Datagram Protocol

The User Datagram Protocol (UDP) is a connectionless protocol that does not establish a connection
between devices before transmissions. It is used by applications that are not concerned with the
reliability of the transmission. Data sent over UDP is not tracked as extensively as data sent using
TCP. Because UDP does not establish network connections, it is used mostly for performance
sensitive applications that operate in real time, such as video streaming.
Application layer
The application layer in the TCP/IP model is similar to the application, presentation, and session
layers of the OSI model. The application layer is responsible for making network requests or
responding to requests. This layer defines which internet services and applications any user can
access. Protocols in the application layer determine how the data packets will interact with receiving
devices. Some common protocols used on this layer are:
 Hypertext transfer protocol (HTTP)

 Simple mail transfer protocol (SMTP)
 Secure shell (SSH)
 File transfer protocol (FTP)
 Domain name system (DNS)
Application layer protocols rely on underlying layers to transfer the data across the network.
TCP/IP model versus OSI model

The OSI visually organizes network protocols into different layers. Network professionals often use
this model to communicate with each other about potential sources of problems or security threats
when they occur.
The TCP/IP model combines multiple layers of the OSI model. There are many similarities between
the two models. Both models define standards for networking and divide the network communication
process into different layers. The TCP/IP model is a simplified version of the OSI model.
Key takeaways
Both the TCP/IP and OSI models are conceptual models that help network professionals visualize
network processes and protocols in regards to data transmission between two or more systems. The
TCP/IP model contains four layers, and the OSI model contains seven layers.
The OSI model

So far in this section of the course, you learned about the components of a network, network
devices, and how communication occurs across a network. You also studied the TCP/IP model to
understand how network communication is organized across different layers of the internet.
All communication on a network is organized using network protocols. Previously, you learned about
the Transmission Control Protocol (TCP), which establishes connections between two devices, and
the Internet Protocol (IP), which is used for routing and addressing data packets as they travel
between devices on a network. These protocols are used on specific internet layers in the TCP/IP
model. The 4-layer TCP/IP model is a condensed form of the OSI (open Systems Interconnection)
model, which is made up of 7 layers. The OSI model will provide a more in depth understanding of
the processes that occur at each layer. We will work backwards from layer seven to layer one, going
from the processes that involve direct user interaction with the network to those that involve the
physical connection to the internet via network components like cables and switches. This reading
will also review the main differences between the TCP/IP and OSI models.
The TCP/IP model vs. the OSI model

The TCP/IP model is a framework used to visualize how data is organized and transmitted across a
network. This model helps network engineers and security analysts conceptualize processes on the
network and communicate where disruptions or security threats occur.
The TCP/IP model has four layers: the network access layer, internet layer, transport layer, and
application layer. When analyzing network events, security professionals can determine what layer
or layers an attack occurred in based on what processes were involved in the incident.
The OSI model is a standardized concept that describes the seven layers computers use to
communicate and send data over the network. Network and security professionals often use this
model to communicate with each other about potential sources of problems or security threats when
they occur.
Some organizations rely heavily on the TCP/IP model, while others prefer to use the OSI model. As
a security analyst, it’s important to be familiar with both models. Both the TCP/IP and OSI models
are useful for understanding how networks work.
Layer 7: Application layer

The application layer includes processes that directly involve the everyday user. This layer includes
all of the networking protocols that software applications use to connect a user to the internet. This
characteristic is the identifying feature of the application layer—user connection to the internet via
applications and requests.
An example of a type of communication that happens at the application layer is using a web
browser. The internet browser uses HTTP or HTTPS to send and receive information from the
website server. The email application uses simple mail transfer protocol (SMTP) to send and receive
email information. Also, web browsers use the domain name system (DNS) protocol to translate
website domain names into IP addresses which identify the web server that hosts the information for
the website.
Layer 6: Presentation layer

Functions at the presentation layer involve data translation and encryption for the network. This layer
adds to and replaces data with formats that can be understood by applications (layer 7) on both
sending and receiving systems. Formats at the user end may be different from those of the receiving
system. Processes at the presentation layer require the use of a standardized format.
Some formatting functions that occur at layer 6 include encryption, compression, and confirmation
that the character code set can be interpreted on the receiving system. One example of encryption
that takes place at this layer is SSL, which encrypts data between web servers and browsers as part
of websites with HTTPS.
Layer 5: Session layer

A session describes when a connection is established between two devices. An open session allows
the devices to communicate with each other. Session layer protocols keep the session open while
data is being transferred and terminate the session once the transmission is complete.
The session layer is also responsible for activities such as authentication, reconnection, and setting
checkpoints during a data transfer. If a session is interrupted, checkpoints ensure that the
transmission picks up at the last session checkpoint when the connection resumes. Sessions include
a request and response between applications. Functions in the session layer respond to requests for
service from processes in the presentation layer (layer 6) and send requests for services to the
transport layer (layer 4).
Layer 4: Transport layer

The transport layer is responsible for delivering data between devices. This layer also handles the
speed of data transfer, flow of the transfer, and breaking data down into smaller segments to make
them easier to transport. Segmentation is the process of dividing up a large data transmission into
smaller pieces that can be processed by the receiving system. These segments need to be
reassembled at their destination so they can be processed at the session layer (layer 5). The speed
and rate of the transmission also has to match the connection speed of the destination system. TCP
and UDP are transport layer protocols.
Layer 3: Network layer

The network layer oversees receiving the frames from the data link layer (layer 2) and delivers them
to the intended destination. The intended destination can be found based on the address that
resides in the frame of the data packets. Data packets allow communication between two networks.
These packets include IP addresses that tell routers where to send them. They are routed from the
sending network to the receiving network.
Layer 2: Data link layer

The data link layer organizes sending and receiving data packets within a single network. The data
link layer is home to switches on the local network and network interface cards on local devices.
Protocols like network control protocol (NCP), high-level data link control (HDLC), and synchronous
data link control protocol (SDLC) are used at the data link layer.
Layer 1: Physical layer

As the name suggests, the physical layer corresponds to the physical hardware involved in network
transmission. Hubs, modems, and the cables and wiring that connect them are all considered part of
the physical layer. To travel across an ethernet or coaxial cable, a data packet needs to be
translated into a stream of 0s and 1s. The stream of 0s and 1s are sent across the physical wiring
and cables, received, and then passed on to higher levels of the OSI model.
Key takeaways
Both the TCP/IP and OSI models are conceptual models that help network professionals design
network processes and protocols with regards to data transmission between two or more systems.
The OSI model contains seven communication layers. Network and security professionals use the
OSI model to communicate with each other about potential sources of problems or security threats
when they occur. Network engineers and network security analysts use the TCP/IP and OSI models
to conceptualize network processes and communicate the location of disruptions or threats.
Components of network layer

communication
In the reading about the OSI model, you learned about the seven layers of the OSI model that are
used to conceptualize the way data is transmitted across the internet. In this reading, you will learn
more about operations that take place at layer 3 of the OSI model: the network layer.
Operations at the network layer

Functions at the network layer organize the addressing and delivery of data packets across the
network from the host device to the destination device. This includes directing the packets from one
router to another router across the internet, till it reaches the internet protocol (IP) address of the
destination network. The destination IP address is contained within the header of each data packet.
This address will be stored for future routing purposes in routing tables along the packet’s path to its
destination.
All data packets include an IP address. A data packet is also referred to as an IP packet for TCP
connections or a datagram for UDP connections. A router uses the IP address to route packets from
network to network based on information contained in the IP header of a data packet. Header
information communicates more than just the address of the destination. It also includes information
such as the source IP address, the size of the packet, and which protocol will be used for the data
portion of the packet.
Format of an IPv4 packet
Next, you can review the format of an IP version 4 (IPv4) packet and review a detailed graphic of the
packet header. An IPv4 packet is made up of two sections, the header and the data:
 An IPv4 header format is determined by the IPv4 protocol and includes the IP routing
information that devices use to direct the packet. The size of the IPv4 header ranges from 20
to 60 bytes. The first 20 bytes are a fixed set of information containing data such as the
source and destination IP address, header length, and total length of the packet. The last set
of bytes can range from 0 to 40 and consists of the options field.
 The length of the data section of an IPv4 packet can vary greatly in size. However, the
maximum possible size of an IPv4 packet is 65,535 bytes. It contains the message being
transferred over the internet, like website information or email text.
There are 13 fields within the header of an IPv4 packet:
 Version (VER): This 4 bit component tells receiving devices what protocol the packet is
using. The packet used in the illustration above is an IPv4 packet.
 IP Header Length (HLEN or IHL): HLEN is the packet’s header length. This value indicates
where the packet header ends and the data segment begins.
 Type of Service (ToS): Routers prioritize packets for delivery to maintain quality of service on
the network. The ToS field provides the router with this information.
 Total Length: This field communicates the total length of the entire IP packet, including the
header and data. The maximum size of an IPv4 packet is 65,535 bytes.
 Identification: IPv4 packets can be up to 65, 535 bytes, but most networks have a smaller
limit. In these cases, the packets are divided, or fragmented, into smaller IP packets. The
identification field provides a unique identifier for all the fragments of the original IP packet so
that they can be reassembled once they reach their destination.
 Flags: This field provides the routing device with more information about whether the original
packet has been fragmented and if there are more fragments in transit.
 Fragmentation Offset: The fragment offset field tells routing devices where in the original
packet the fragment belongs.
 Time to Live (TTL): TTL prevents data packets from being forwarded by routers indefinitely.
It contains a counter that is set by the source. The counter is decremented by one as it
passes through each router along its path. When the TTL counter reaches zero, the router
currently holding the packet will discard the packet and return an ICMP Time Exceeded error
message to the sender.
 Protocol: The protocol field tells the receiving device which protocol will be used for the data
portion of the packet.
 Header Checksum: The header checksum field contains a checksum that can be used to
detect corruption of the IP header in transit. Corrupted packets are discarded.
 Source IP Address: The source IP address is the IPv4 address of the sending device.
 Destination IP Address: The destination IP address is the IPv4 address of the destination
device.
 Options: The options field allows for security options to be applied to the packet if the HLEN
value is greater than five. The field communicates these options to the routing devices.
Difference between IPv4 and IPv6

In an earlier part of this course, you learned about the history of IP addressing. As the internet grew,
it became clear that all of the IPv4 addresses would eventually be depleted; this is called IPv4
address exhaustion. At the time, no one had anticipated how many computing devices would need
an IP address. IPv6 was developed to mitigate IPv4 address exhaustion and other related concerns.
Some of the key differences between IPv4 and IPv6 include the length and the format of the
addresses. IPv4 addresses are made up of four decimal numbers separated by periods, each
number ranging from 0 to 255. Together the numbers span 4 bytes, and allow for up to 4.3 billion
possible addresses. An example of an IPv4 address would be: 198.51.100.0. IPv6 addresses are
made of eight hexadecimal numbers separated by colons, each number consisting of up to four
hexadecimal digits. Together, all numbers span 16 bytes, and allow for up to 340 undecillion
addresses (340 followed by 36 zeros). An example of an IPv6 address would be:
2002:0db8:0000:0000:0000:ff21:0023:1234.
Note: to represent one or more consecutive sets of all zeros, you can replace the zeros with a
double colon "::", so the above IPv6 address would be "2002:0db8::ff21:0023:1234."
There are also some differences in the layout of an IPv6 packet header. The IPv6 header format is
much simpler than IPv4. For example, the IPv4 Header includes the IHL, Identification, and Flags
fields, whereas the IPv6 does not. The IPv6 header only introduces the Flow Label field, where the
Flow Label identifies a packet as requiring special handling by other IPv6 routers.
There are some important security differences between IPv4 and IPv6. IPv6 offers more efficient
routing and eliminates private address collisions that can occur on IPv4 when two devices on the
same network are attempting to use the same address.
Key takeaways
Analyzing the different fields in an IP data packet can be used to find out important security
information about the packet. Some examples of security-related information found in IP address
packets are: where the packet is coming from, where it’s going, and which protocol it’s using.
Understanding the data in an IP data packet will allow you to make critical decisions about the
security implications of packets that you inspect.

Bandwidth: The maximum data transmission capacity over a network, measured by bits per second
Cloud computing: The practice of using remote servers, application, and network services that are
hosted on the internet instead of on local physical devices
Cloud network: A collection of servers or computers that stores resources and data in remote data
centers that can be accessed via the internet
Data packet: A basic unit of information that travels from one device to another within a network
Hub: A network device that broadcasts information to every device on the network
Internet Protocol (IP): A set of standards used for routing and addressing data packets as they travel
between devices on a network
Internet Protocol (IP) address: A unique string of characters that identifies the location of a device on
the internet
Local Area Network (LAN): A network that spans small areas like an office building, a school, or a
home
Media Access Control (MAC) address: A unique alphanumeric identifier that is assigned to each
physical device on a network
Modem: A device that connects your router to the internet and brings internet access to the LAN
Network: A group of connected devices
Open systems interconnection (OSI) model: A standardized concept that describes the seven layers
computers use to communicate and send data over the network
Packet sniffing: The practice of capturing and inspecting data packets across a network
Port: A software-based location that organizes the sending and receiving of data between devices
on a network
Router: A network device that connects multiple networks together
Speed: The rate at which a device sends and receives data, measured by bits per second
Switch: A device that makes connections between specific devices on a network by sending and
receiving data between them
TCP/IP model: A framework used to visualize how data is organized and transmitted across a
network
Transmission Control Protocol (TCP): An internet communication protocol that allows two devices to
form a connection and stream data
User Datagram Protocol (UDP): A connectionless protocol that does not establish a connection
between devices before transmissions
Wide Area Network (WAN): A network that spans a large geographic area like a city, state, or
country
Common network protocols

In this section of the course, you learned about network protocols and how they organize
communication over a network. This reading will discuss network protocols in more depth and review
some basic protocols that you have learned previously. You will also learn new protocols and
discuss some of the ways protocols are involved in network security.
Overview of network protocols

A network protocol is a set of rules used by two or more devices on a network to describe the order
of delivery and the structure of data. Network protocols serve as instructions that come with the
information in the data packet. These instructions tell the receiving device what to do with the data.
Protocols are like a common language that allows devices all across the world to communicate with
and understand each other.
Even though network protocols perform an essential function in network communication, security
analysts should still understand their associated security implications. Some protocols have
vulnerabilities that malicious actors exploit. For example, a nefarious actor could use the Domain
Name System (DNS) protocol, which resolves web addresses to IP addresses, to divert traffic from a
legitimate website to a malicious website containing malware. You’ll learn more about this topic in
upcoming course materials.
Three categories of network protocols

Network protocols can be divided into three main categories: communication protocols, management
protocols, and security protocols. There are dozens of different network protocols, but you don’t
need to memorize all of them for an entry-level security analyst role. However, it’s important for you
to know the ones listed in this reading.
Communication protocols
Communication protocols govern the exchange of information in network transmission. They dictate
how the data is transmitted between devices and the timing of the communication. They also include
methods to recover data lost in transit. Here are a few of them.
 Transmission Control Protocol (TCP) is an internet communication protocol that allows two
devices to form a connection and stream data. TCP uses a three-way handshake process.
First, the device sends a synchronize (SYN) request to a server. Then the server responds
with a SYN/ACK packet to acknowledge receipt of the device's request. Once the server
receives the final ACK packet from the device, a TCP connection is established. In the
TCP/IP model, TCP occurs at the transport layer.
 User Datagram Protocol (UDP) is a connectionless protocol that does not establish a
connection between devices before a transmission. This makes it less reliable than TCP. But
it also means that it works well for transmissions that need to get to their destination quickly.
For example, one use of UDP is for sending DNS requests to local DNS servers. In the
TCP/IP model, UDP occurs at the transport layer.
 Hypertext Transfer Protocol (HTTP) is an application layer protocol that provides a method
of communication between clients and website servers. HTTP uses port 80. HTTP is
considered insecure, so it is being replaced on most websites by a secure version, called
HTTPS that uses encryption from SSL/TLS for communication. However, there are still many
websites that use the insecure HTTP protocol. In the TCP/IP model, HTTP occurs at the
application layer.
 Domain Name System (DNS) is a protocol that translates internet domain names into IP
addresses. When a client computer wishes to access a website domain using their internet
browser, a query is sent to a dedicated DNS server. The DNS server then looks up the IP
address that corresponds to the website domain. DNS normally uses UDP on port 53.
However, if the DNS reply to a request is large, it will switch to using the TCP protocol. In the
TCP/IP model, DNS occurs at the application layer.
Management Protocols
The next category of network protocols is management protocols. Management protocols are used
for monitoring and managing activity on a network. They include protocols for error reporting and
optimizing performance on the network.
 Simple Network Management Protocol (SNMP) is a network protocol used for monitoring and
managing devices on a network. SNMP can reset a password on a network device or
change its baseline configuration. It can also send requests to network devices for a report
on how much of the network’s bandwidth is being used up. In the TCP/IP model, SNMP
occurs at the application layer.
 Internet Control Message Protocol (ICMP) is an internet protocol used by devices to tell each
other about data transmission errors across the network. ICMP is used by a receiving device
to send a report to the sending device about the data transmission. ICMP is commonly used
as a quick way to troubleshoot network connectivity and latency by issuing the “ping”
command on a Linux operating system. In the TCP/IP model, ICMP occurs at the internet
layer.
Security Protocols
Security protocols are network protocols that ensure that data is sent and received securely across a
network. Security protocols use encryption algorithms to protect data in transit. Below are some
common security protocols.
 Hypertext Transfer Protocol Secure (HTTPS) is a network protocol that provides a secure
method of communication between clients and website servers. HTTPS is a secure version
of HTTP that uses secure sockets layer/transport layer security (SSL/TLS) encryption on all
transmissions so that malicious actors cannot read the information contained. HTTPS uses
port 443. In the TCP/IP model, HTTPS occurs at the application layer.
 Secure File Transfer Protocol (SFTP) is a secure protocol used to transfer files from one
device to another over a network. SFTP uses secure shell (SSH), typically through TCP port
22. SSH uses Advanced Encryption Standard (AES) and other types of encryption to ensure
that unintended recipients cannot intercept the transmissions. In the TCP/IP model, SFTP
occurs at the application layer. SFTP is used often with cloud storage. Every time a user
uploads or downloads a file from cloud storage, the file is transferred using the SFTP
protocol.
Note: The encryption protocols mentioned do not conceal the source or destination IP address of
network traffic. This means a malicious actor can still learn some basic information about the
network traffic if they intercept it.
Key takeaways
The protocols you learned about in this reading are basic networking protocols that entry-level
cybersecurity analysts should know. Understanding how protocols function on a network is essential.
Cybersecurity analysts can leverage their knowledge of protocols to successfully mitigate
vulnerabilities on a network and potentially prevent future attacks.
Additional network protocols
In previous readings and videos, you learned how network protocols organize the sending and
receiving of data across a network. You also learned that protocols can be divided into three
categories: communication protocols, management protocols, and security protocols.
This reading will introduce you to a few additional concepts and protocols that will come up regularly
in your work as a security analyst. Some protocols are assigned port numbers by the Internet
Assigned Numbers Authority (IANA). These port numbers are included in the description of each
protocol, if assigned.
Network Address Translation

The devices on your local home or office network each have a private IP address that they use to
communicate directly with each other. However, in order for the devices with private IP addresses to
communicate with the public internet, they need to have a single public IP address that represents
all devices on the LAN to the public. For outgoing messages, the router can replace a private source
IP address with its public IP address and perform the reverse operation for responses. This process
is known as Network Address Translation (NAT) and it generally requires a router or firewall to be
specifically configured to perform NAT. NAT is a part of layer 2 (internet layer) and layer 3 (transport
layer) of the TCP/IP model.
Private IP Addresses Public IP Addresses

 Assigned by ISP and IANA
 Assigned by the router  Unique address in global internet
 Unique only within private network  Costs to lease a public IP address
 No cost to use  Assignable address ranges:
 Address ranges: o 1.0.0.0-9.255.255.255
o 10.0.0.0-10.255.255.255 o 11.0.0.0-126.255.255.255
o 172.16.0.0-172.31.255.255 o 128.0.0.0-172.15.255.255
o 192.168.0.0-192.168.255.255 o 172.32.0.0-192.167.255.255
o 192.169.0.0-233.255.255.255
Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is in the management family of network protocols.
DHCP is an application layer protocol used on a network to configure devices. It works with the
router to assign a unique IP address to each device and provide the addresses of the appropriate
DNS server and default gateway for each device. DHCP servers operate on UDP port 67 while
DHCP clients operate on UDP port 68.
Address Resolution Protocol

By now, you are familiar with IP and MAC addresses. You’ve learned that each device on a network
has a public IP address, a private IP address, and a MAC address that identify it on the network. A
device’s IP address may change over time, but its MAC address is permanent because it is unique
to a device's network interface card. The MAC address is used to communicate with devices within
the same network, but sometimes, the MAC address is unknown. This is why the Address
Resolution Protocol (ARP) is needed. ARP is mainly a network access layer protocol in the TCP/IP
model used to translate the IP addresses that are found in data packets into the MAC address of the
hardware device.
Each device on the network performs ARP and keeps track of matching IP and MAC addresses in
an ARP cache. ARP does not have a specific port number since it is a layer 2 protocol and port
numbers are associated with the layer 7 application layer.
Telnet
Telnet is an application layer protocol that is used to connect with a remote system. Telnet sends all
information in clear text. It uses command line prompts to control another device similar to secure
shell (SSH), but Telnet is not as secure as SSH. Telnet can be used to connect to local or remote
devices and uses TCP port 23.
Secure shell
Secure shell protocol (SSH) is used to create a secure connection with a remote system. This
application layer protocol provides an alternative for secure authentication and encrypted
communication. SSH operates over the TCP port 22 and is a replacement for less secure protocols,
such as Telnet.
Post office protocol

Post office protocol (POP) is an application layer (layer 4 of the TCP/IP model) protocol used to
manage and retrieve email from a mail server. POP3 is the most commonly used version of POP.
Many organizations have a dedicated mail server on the network that handles incoming and
outgoing mail for users on the network. User devices will send requests to the remote mail server
and download email messages locally. If you have ever refreshed your email application and had
new emails populate in your inbox, you are experiencing POP and internet message access protocol
(IMAP) in action. Unencrypted, plaintext authentication uses TCP/UDP port 110 and encrypted
emails use Secure Sockets Layer/Transport Layer Security (SSL/TLS) over TCP/UDP port 995.
When using POP, mail has to finish downloading on a local device before it can be read. After
downloading, the mail may or may not be deleted from the mail server, so it does not guarantee that
a user can sync the same email across multiple devices.
Internet Message Access Protocol (IMAP)

IMAP is used for incoming email. It downloads the headers of emails and the message content. The
content also remains on the email server, which allows users to access their email from multiple
devices. IMAP uses TCP port 143 for unencrypted email and TCP port 993 over the TLS protocol.
Using IMAP allows users to partially read email before it is finished downloading. Since the mail is
kept on the mail server, it allows a user to sync emails across multiple devices.
Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP) is used to transmit and route email from the sender to the
recipient’s address. SMTP works with Message Transfer Agent (MTA) software, which searches
DNS servers to resolve email addresses to IP addresses, to ensure emails reach their intended
destination. SMTP uses TCP/UDP port 25 for unencrypted emails and TCP/UDP port 587 using TLS
for encrypted emails. The TCP port 25 is often used by high-volume spam. SMTP helps to filter out
spam by regulating how many emails a source can send at a time.
Protocols and port numbers

Remember that port numbers are used by network devices to determine what should be done with
the information contained in each data packet once they reach their destination. Firewalls can filter
out unwanted traffic based on port numbers. For example, an organization may configure a firewall
to only allow access to TCP port 995 (POP3) by IP addresses belonging to the organization.
As a security analyst, you will need to know about many of the protocols and port numbers
mentioned in this course. They may be used to determine your technical knowledge in interviews, so
it’s a good idea to memorize them. You will also learn about new protocols on the job in a security
position.
Key takeaways
As a cybersecurity analyst, you will encounter various common protocols in your everyday work. The
protocols covered in this reading include NAT, DHCP, ARP, Telnet, SSH, POP3, IMAP, and SMTP.
It is equally important to understand where each protocol is structured in the TCP/IP model and
which ports they occupy.
Protocol Port
UDP port 67 (servers)
DHCP
UDP port 68 (clients)
ARP none
Telnet TCP port 23
SSH TCP port 22
TCP/UDP port 110 (unencrypted)
POP3
TCP/UDP port 995 (encrypted, SSL/TLS)
TCP port 143 (unencrypted)
IMAP
TCP port 993 (encrypted, SSL/TLS)
SMTP TCP/UDP Port 25 (unencrypted)
SMTPS TCP/UDP port 587 (encrypted, TLS)
The evolution of wireless security
protocols
In the early days of the internet, all internet communication happened across physical cables. It
wasn’t until the mid-1980s that authorities in the United States designated a spectrum of radio wave
frequencies that could be used without a license, so there was more opportunity for the internet to
expand.
In the late 1990s and early 2000s, technologies were developed to send and receive data over radio.
Today, users access wireless internet through laptops, smart phones, tablets, and desktops. Smart
devices, like thermostats, door locks, and security cameras, also use wireless internet to
communicate with each other and with services on the internet.
Introduction to wireless communication protocols

Many people today refer to wireless internet as Wi-Fi. Wi-Fi refers to a set of standards that define
communication for wireless LANs. Wi-Fi is a marketing term commissioned by the Wireless Ethernet
Compatibility Alliance (WECA). WECA has since renamed their organization Wi-Fi Alliance.
Wi-Fi standards and protocols are based on the 802.11 family of internet communication standards
determined by the Institute of Electrical and Electronics Engineers (IEEE). So, as a security analyst,
you might also see Wi-Fi referred to as IEEE 802.11.
Wi-Fi communications are secured by wireless networking protocols. Wireless security protocols
have evolved over the years, helping to identify and resolve vulnerabilities with more advanced
wireless technologies.
In this reading, you will learn about the evolution of wireless security protocols from WEP to WPA,
WPA2, and WPA3. You’ll also learn how the Wireless Application Protocol was used for mobile
internet communications.
Wired Equivalent Privacy

Wired equivalent privacy (WEP) is a wireless security protocol designed to provide users with the
same level of privacy on wireless network connections as they have on wired network connections.
WEP was developed in 1999 and is the oldest of the wireless security standards.
WEP is largely out of use today, but security analysts should still understand WEP in case they
encounter it. For example, a network router might have used WEP as the default security protocol
and the network administrator never changed it. Or, devices on a network might be too old to
support newer Wi-Fi security protocols. Nevertheless, a malicious actor could potentially break the
WEP encryption, so it’s now considered a high-risk security protocol.
Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) was developed in 2003 to improve upon WEP, address the security
issues that it presented, and replace it. WPA was always intended to be a transitional measure so
backwards compatibility could be established with older hardware.
The flaws with WEP were in the protocol itself and how the encryption was used. WPA addressed
this weakness by using a protocol called Temporal Key Integrity Protocol (TKIP). WPA encryption
algorithm uses larger secret keys than WEPs, making it more difficult to guess the key by trial and
error.
WPA also includes a message integrity check that includes a message authentication tag with each
transmission. If a malicious actor attempts to alter the transmission in any way or resend at another
time, WPA’s message integrity check will identify the attack and reject the transmission.
Despite the security improvements of WPA, it still has vulnerabilities. Malicious actors can use a key
reinstallation attack (or KRACK attack) to decrypt transmissions using WPA. Attackers can insert
themselves in the WPA authentication handshake process and insert a new encryption key instead
of the dynamic one assigned by WPA. If they set the new key to all zeros, it is as if the transmission
is not encrypted at all.
Because of this significant vulnerability, WPA was replaced with an updated version of the protocol
called WPA2.
WPA2 & WPA3
WPA2
The second version of Wi-Fi Protected Access—known as WPA2—was released in 2004. WPA2
improves upon WPA by using the Advanced Encryption Standard (AES). WPA2 also improves upon
WPA’s use of TKIP. WPA2 uses the Counter Mode Cipher Block Chain Message Authentication
Code Protocol (CCMP), which provides encapsulation and ensures message authentication and
integrity. Because of the strength of WPA2, it is considered the security standard for all Wi-Fi
transmissions today. WPA2, like its predecessor, is vulnerable to KRACK attacks. This led to the
development of WPA3 in 2018.
Personal
WPA2 personal mode is best suited for home networks for a variety of reasons. It is easy to
implement, initial setup takes less time for personal than enterprise version. The global passphrase
for WPA2 personal version needs to be applied to each individual computer and access point in a
network. This makes it ideal for home networks, but unmanageable for organizations.
Enterprise
WPA2 enterprise mode works best for business applications. It provides the necessary security for
wireless networks in business settings. The initial setup is more complicated than WPA2 personal
mode, but enterprise mode offers individualized and centralized control over the Wi-Fi access to a
business network. This means that network administrators can grant or remove user access to a
network at any time. Users never have access to encryption keys, this prevents potential attackers
from recovering network keys on individual computers.
WPA3
WPA3 is a secure Wi-Fi protocol and is growing in usage as more WPA3 compatible devices are
released. These are the key differences between WPA2 and WPA3:
 WPA3 addresses the authentication handshake vulnerability to KRACK attacks, which is

present in WPA2.
 WPA3 uses Simultaneous Authentication of Equals (SAE), a password-authenticated,
cipher-key-sharing agreement. This prevents attackers from downloading data from wireless
network connections to their systems to attempt to decode it.
 WPA3 has increased encryption to make passwords more secure by using 128-bit
encryption, with WPA3-Enterprise mode offering optional 192-bit encryption.
Key takeaways
As a security analyst, knowing the history of how Wi-Fi security protocols developed helps you to
better understand what to consider when protecting wireless networks. It’s important that you
understand the vulnerabilities of each protocol and how important it is that devices on your network
use the most up-to-date security technologies.
Subnetting and CIDR

Earlier in this course, you learned about network segmentation, a security technique that divides
networks into sections. A private network can be segmented to protect portions of the network from
the internet, which is an unsecured global network.
For example, you learned about the uncontrolled zone, the controlled zone, the demilitarized zone,
and the restricted zone. Feel free to review the video about security zones for a refresher on how
network segmentation can be used to add a layer of security to your organization’s network
operations. Creating security zones is one example of a networking strategy called subnetting.
Overview of subnetting
Subnetting is the subdivision of a network into logical groups called subnets. It works like a network
inside a network. Subnetting divides up a network address range into smaller subnets within the
network. These smaller subnets form based on the IP addresses and network mask of the devices
on the network. Subnetting creates a network of devices to function as their own network. This
makes the network more efficient and can also be used to create security zones. If devices on the
same subnet communicate with each other, the switch changes the transmissions to stay on the
same subnet, improving speed and efficiency of the communications.
Classless Inter-Domain Routing notation for

subnetting
Classless Inter-Domain Routing (CIDR) is a method of assigning subnet masks to IP addresses to
create a subnet. Classless addressing replaces classful addressing. Classful addressing was used
in the 1980s as a system of grouping IP addresses into classes (Class A to Class E). Each class
included a limited number of IP addresses, which were depleted as the number of devices
connecting to the internet outgrew the classful range in the 1990s. Classless CIDR addressing
expanded the number of available IPv4 addresses.
CIDR allows cybersecurity professionals to segment classful networks into smaller chunks. CIDR IP
addresses are formatted like IPv4 addresses, but they include a slash (“/’”) followed by a number at
the end of the address, This extra number is called the IP network prefix. For example, a regular
IPv4 address uses the 198.51.100.0 format, whereas a CIDR IP address would include the IP
network prefix at the end of the address, 198.51.100.0/24. This CIDR address encompasses all IP
addresses between 198.51.100.0 and 198.51.100.255. The system of CIDR addressing reduces the
number of entries in routing tables and provides more available IP addresses within networks. You
can try converting CIDR to IPv4 addresses and vice versa through an online conversion tool, like
IPAddressGuide, for practice and to better understand this concept.
Note: You may learn more about CIDR during your career, but it won't be covered in any additional
depth in this certificate program. For now, you only need a basic understanding of this concept.
Security benefits of subnetting

Subnetting allows network professionals and analysts to create a network within their own network
without requesting another network IP address from their internet service provider. This process
uses network bandwidth more efficiently and improves network performance. Subnetting is one
component of creating isolated subnetworks through physical isolation, routing configuration, and
firewalls.
Key takeaways
Subnetting is a common security strategy used by organizations. Subnetting allows organizations to
create smaller networks within their private network. This improves the efficiency of the network and
can be used to create security zones.
Virtual networks and privacy

This section of the course covered a lot of information about network operations. You reviewed the
fundamentals of network architecture and communication and can now use this knowledge as you
learn how to secure networks. Securing a private network requires maintaining the confidentiality of
your data and restricting access to authorized users.
In this reading, you will review several network security topics previously covered in the course,
including virtual private networks (VPNs), proxy servers, firewalls, and security zones. You'll
continue to learn more about these concepts and how they relate to each other as you continue
through the course.
Common network protocols

Network protocols are used to direct traffic to the correct device and service depending on the kind
of communication being performed by the devices on the network. Protocols are the rules used by all
network devices that provide a mutually agreed upon foundation for how to transfer data across a
network.
There are three main categories of network protocols: communication protocols, management
protocols, and security protocols.
1. Communication protocols are used to establish connections between servers. Examples

include TCP, UDP, and Simple Mail Transfer Protocol (SMTP), which provides a framework
for email communication.
2. Management protocols are used to troubleshoot network issues. One example is the Internet
Control Message Protocol (ICMP).
3. Security protocols provide encryption for data in transit. Examples include IPSec and
SSL/TLS.
Some other commonly used protocols are:
 HyperText Transfer Protocol (HTTP). HTTP is an application layer communication protocol.

This allows the browser and the web server to communicate with one another.
 Domain Name System (DNS). DNS is an application layer protocol that translates, or maps,
host names to IP addresses.
 Address Resolution Protocol (ARP). ARP is a network layer communication protocol that
maps IP addresses to physical machines or a MAC address recognized on the local area
network.
Wi-Fi
This section of the course also introduced various wireless security protocols, including WEP, WPA,
WPA2, and WPA3. WPA3 encrypts traffic with the Advanced Encryption Standard (AES) cipher as it
travels from your device to the wireless access point. WPA2 and WPA3 offer two modes: personal
and enterprise. Personal mode is best suited for home networks while enterprise mode is generally
utilized for business networks and applications.
Network security tools and practices

Firewalls
Previously, you learned that firewalls are network virtual appliances (NVAs) or hardware devices that
inspect and can filter network traffic before it’s permitted to enter the private network. Traditional
firewalls are configured with rules that tell it what types of data packets are allowed based on the
port number and IP address of the data packet.
There are two main categories of firewalls.
 Stateless: A class of firewall that operates based on predefined rules and does not keep track
of information from data packets
 Stateful: A class of firewall that keeps track of information passing through it and proactively
filters out threats. Unlike stateless firewalls, which require rules to be configured in two
directions, a stateful firewall only requires a rule in one direction. This is because it uses a
"state table" to track connections, so it can match return traffic to an existing session
Next generation firewalls (NGFWs) are the most technologically advanced firewall protection. They
exceed the security offered by stateful firewalls because they include deep packet inspection (a kind
of packet sniffing that examines data packets and takes actions if threats exist) and intrusion
prevention features that detect security threats and notify firewall administrators. NGFWs can
inspect traffic at the application layer of the TCP/IP model and are typically application aware. Unlike
traditional firewalls that block traffic based on IP address and ports, NGFWs rules can be configured
to block or allow traffic based on the application. Some NGFWs have additional features like
Malware Sandboxing, Network Anti-Virus, and URL and DNS Filtering.
Proxy servers
A proxy server is another way to add security to your private network. Proxy servers utilize network
address translation (NAT) to serve as a barrier between clients on the network and external threats.
Forward proxies handle queries from internal clients when they access resources external to the
network. Reverse proxies function opposite of forward proxies; they handle requests from external
systems to services on the internal network. Some proxy servers can also be configured with rules,
like a firewall. For example, you can create filters to block websites identified as containing
malware.
Virtual Private Networks (VPN)

A VPN is a service that encrypts data in transit and disguises your IP address. VPNs use a process
called encapsulation. Encapsulation wraps your unencrypted data in an encrypted data packet,
which allows your data to be sent across the public network while remaining anonymous.
Enterprises and other organizations use VPNs to help protect communications from users’ devices
to corporate resources. Some of these resources include servers or virtual machines that host
business applications. Individuals also use VPNs to increase personal privacy. VPNs protect user
privacy by concealing personal information, including IP addresses, from external servers. A
reputable VPN also minimizes its own access to user internet activity by using strong encryption and
other security measures. Organizations are increasingly using a combination of VPN and SD-WAN
capabilities to secure their networks. A software-defined wide area network (SD-WAN) is a virtual
WAN service that allows organizations to securely connect users to applications across multiple
locations and over large geographical distances.
Key takeaways
There are three main categories of network protocols: communication, management, and security
protocols. In this reading, you learned the fundamentals of firewalls, proxy servers, and VPNs. More
organizations are implementing a cloud-based approach to network security by incorporating a
combination of VPN and SD-WAN capabilities as a service.
VPN protocols: Wireguard and IPSec

A VPN, or virtual private network, is a network security service that changes your public IP address
and hides your virtual location so that you can keep your data private when you’re using a public
network like the internet. VPNs provide a server that acts as a gateway between a computer and the
internet. This server creates a path similar to a virtual tunnel that hides the computer’s IP address
and encrypts the data in transit to the internet. The main purpose of a VPN is to create a secure
connection between a computer and a network. Additionally, a VPN allows trusted connections to be
established on non-trusted networks. VPN protocols determine how the secure network tunnel is
formed. Different VPN providers provide different VPN protocols.
This reading will cover the differences between remote access and site-to-site VPNs, and two VPN
protocols: WireGuard VPN and IPSec VPN. A VPN protocol is similar to a network protocol: It’s a set
of rules or instructions that will determine how data moves between endpoints. An endpoint is any
device connected on a network. Some examples of endpoints include computers, mobile devices,
and servers.
Remote access and site-to-site VPNs

Individual users use remote access VPNs to establish a connection between a personal device and
a VPN server. Remote access VPNs encrypt data sent or received through a personal device. The
connection between the user and the remote access VPN is established through the internet.
Enterprises use site-to-site VPNs largely to extend their network to other networks and locations.
This is particularly useful for organizations that have many offices across the globe. IPSec is
commonly used in site-to-site VPNs to create an encrypted tunnel between the primary network and
the remote network. One disadvantage of site-to-site VPNs is how complex they can be to configure
and manage compared to remote VPNs.
WireGuard VPN vs. IPSec VPN
WireGuard and IPSec are two different VPN protocols used to encrypt traffic over a secure network
tunnel. The majority of VPN providers offer a variety of options for VPN protocols, such as
WireGuard or IPSec. Ultimately, choosing between IPSec and WireGuard depends on many factors,
including connection speeds, compatibility with existing network infrastructure, and business or
individual needs.
WireGuard VPN
WireGuard is a high-speed VPN protocol, with advanced encryption, to protect users when they are
accessing the internet. It’s designed to be simple to set up and maintain. WireGuard can be used for
both site-to-site connection and client-server connections. WireGuard is relatively newer than IPSec,
and is used by many people due to the fact that its download speed is enhanced by using fewer
lines of code. WireGuard is also open source, which makes it easier for users to deploy and debug.
This protocol is useful for processes that require faster download speeds, such as streaming video
content or downloading large files.
IPSec VPN
IPSec is another VPN protocol that may be used to set up VPNs. Most VPN providers use IPSec to
encrypt and authenticate data packets in order to establish secure, encrypted connections. Since
IPSec is one of the earlier VPN protocols, many operating systems support IPSec from VPN
providers.
Although IPSec and WireGuard are both VPN protocols, IPSec is older and more complex than
WireGuard. Some clients may prefer IPSec due to its longer history of use, extensive security
testing, and widespread adoption. However, others may prefer WireGuard because of its potential
for better performance and simpler configuration.
Key Takeaways
A VPN protocol is similar to a network protocol: It’s a set of rules or instructions that will determine
how data moves between endpoints. There are two types of VPNs: remote access and site-to-site.
Remote access VPNs establish a connection between a personal device and a VPN server and
encrypt or decrypt data exchanged with a personal device. Enterprises use site-to-site VPNs largely
to extend their network to different locations and networks. IPSec can be used to create site-to-site
connections and WireGuard can be used for both site-to-site and remote access connections.
Address Resolution Protocol (ARP): A network protocol used to determine the MAC address
of the next router or device on the path
Cloud-based firewalls: Software firewalls that are hosted by the cloud service provider
Controlled zone: A subnet that protects the internal network from the uncontrolled zone
Domain Name System (DNS): A networking protocol that translates internet domain names into
IP addresses
Encapsulation: A process performed by a VPN service that protects your data by wrapping
sensitive data in other data packets
Firewall: A network security device that monitors traffic to or from your network
Forward proxy server: A server that regulates and restricts a person’s access to the internet
Hypertext Transfer Protocol (HTTP): An application layer protocol that provides a method of
communication between clients and website servers
Hypertext Transfer Protocol Secure (HTTPS): A network protocol that provides a secure
method of communication between clients and servers
IEEE 802.11 (Wi-Fi): A set of standards that define communication for wireless LANs
Network protocols: A set of rules used by two or more devices on a network to describe the
order of delivery of data and the structure of data
Network segmentation: A security technique that divides the network into segments
Port filtering: A firewall function that blocks or allows certain port numbers to limit unwanted
communication
Proxy server: A server that fulfills the requests of its clients by forwarding them to other servers
Reverse proxy server: A server that regulates and restricts the internet's access to an internal
server
Secure File Transfer Protocol (SFTP): A secure protocol used to transfer files from one device
to another over a network
Secure shell (SSH): A security protocol used to create a shell with a remote system
Security zone: A segment of a company’s network that protects the internal network from the
internet
Simple Network Management Protocol (SNMP): A network protocol used for monitoring and
managing devices on a network
Stateful: A class of firewall that keeps track of information passing through it and proactively
filters out threats
Stateless: A class of firewall that operates based on predefined rules and does not keep track of
information from data packets
Subnetting: The subdivision of a network into logical groups called subnets
Transmission Control Protocol (TCP): An internet communication protocol that allows two
devices to form a connection and stream data
Uncontrolled zone: The portion of the network outside the organization
Virtual private network (VPN): A network security service that changes your public IP address
and masks your virtual location so that you can keep your data private when you are using a
public network like the internet
Wi-Fi Protected Access (WPA): A wireless security protocol for devices to connect to the
internet
Mark as completed
Like
Dislike
Report an issue
How intrusions compromise your
system
In this section of the course, you learned that every network has inherent vulnerabilities and could
become the target of a network attack.
Attackers could have varying motivations for attacking your organization’s network. They may have
financial, personal, or political motivations, or they may be a disgruntled employee or an activist who
disagrees with the company's values and wants to harm an organization’s operations. Malicious
actors can target any network. Security analysts must be constantly alert to potential vulnerabilities
in their organization’s network and take quick action to mitigate them.
In this reading, you’ll learn about network interception attacks and backdoor attacks, and the
possible impacts these attacks could have on an organization.
Network interception attacks

Network interception attacks work by intercepting network traffic and stealing valuable information or
interfering with the transmission in some way.
Malicious actors can use hardware or software tools to capture and inspect data in transit. This is
referred to as packet sniffing. In addition to seeing information that they are not entitled to, malicious
actors can also intercept network traffic and alter it. These attacks can cause damage to an
organization’s network by inserting malicious code modifications or altering the message and
interrupting network operations. For example, an attacker can intercept a bank transfer and change
the account receiving the funds to one that the attacker controls.
Later in this course you will learn more about malicious packet sniffing, and other types of network
interception attacks: on-path attacks and replay attacks.
Backdoor attacks
A backdoor attack is another type of attack you will need to be aware of as a security analyst. An
organization may have a lot of security measures in place, including cameras, biometric scans and
access codes to keep employees from entering and exiting without being seen. However, an
employee might work around the security measures by finding a backdoor to the building that is not
as heavily monitored, allowing them to sneak out for the afternoon without being seen.
In cybersecurity, backdoors are weaknesses intentionally left by programmers or system and

network administrators that bypass normal access control mechanisms. Backdoors are intended to
help programmers conduct troubleshooting or administrative tasks. However, backdoors can also be
installed by attackers after they’ve compromised an organization to ensure they have persistent
access.
Once the hacker has entered an insecure network through a backdoor, they can cause extensive
damage: installing malware, performing a denial of service (DoS) attack, stealing private information
or changing other security settings that leaves the system vulnerable to other attacks. A DoS attack
is an attack that targets a network or server and floods it with network traffic.
Possible impacts on an organization
As you’ve learned already, network attacks can have a significant negative impact on an
organization. Let’s examine some potential consequences.
 Financial: When a system is taken offline with a DoS attack or some other tactic, they
prevent a company from performing tasks that generate revenue. Depending on the size of
an organization, interrupted operations can cost millions of dollars. Reparation costs to
rebuild software infrastructure and to pay large sums associated with potential ransomware
can be financially difficult. In addition, if a malicious actor gets access to the personal
information of the company’s clients or customers, the company may face heavy litigation
and settlement costs if customers seek legal recourse.
 Reputation: Attacks can also have a negative impact on the reputation of an organization. If it
becomes public knowledge that a company has experienced a cyber attack, the public may
become concerned about the security practices of the organization. They may stop trusting
the company with their personal information and choose a competitor to fulfill their needs.
 Public safety: If an attack occurs on a government network, this can potentially impact the
safety and welfare of the citizens of a country. In recent years, defense agencies across the
globe are investing heavily in combating cyber warfare tactics. If a malicious actor gained
access to a power grid, a public water system, or even a military defense communication
system, the public could face physical harm due to a network intrusion attack.
Key takeaways
Malicious actors are constantly looking for ways to exploit systems. They learn about new
vulnerabilities as they arise and attempt to exploit every vulnerability in a system. Attackers leverage
backdoor attack methods and network interception attacks to gain access to sensitive information
they can use to exploit an organization or cause serious damage. These types of attacks can impact
an organization financially, damage its reputation, and potentially put the public in danger. It is
important that security analysts stay educated in order to maintain network safety and reduce the
likelihood and impact of these types of attacks. Securing networks has never been more important.
Read tcpdump logs

A network protocol analyzer, sometimes called a packet sniffer or a packet analyzer, is a tool
designed to capture and analyze data traffic within a network. They are commonly used as
investigative tools to monitor networks and identify suspicious activity. There are a wide variety of
network protocol analyzers available, but some of the most common analyzers include:
 SolarWinds NetFlow Traffic Analyzer
 ManageEngine OpManager
 Azure Network Watcher
 Wireshark
 tcpdump
This reading will focus exclusively on tcpdump, though you can apply what you learn here to many of
the other network protocol analyzers you'll use as a cybersecurity analyst to defend against any
network intrusions. In an upcoming activity, you’ll review a tcpdump data traffic log and identify a
DoS attack to practice these skills.
tcpdump
tcpdump is a command-line network protocol analyzer. It is popular, lightweight–meaning it uses little
memory and has a low CPU usage–and uses the open-source libpcap library. tcpdump is text
based, meaning all commands in tcpdump are executed in the terminal. It can also be installed on
other Unix-based operating systems, such as macOS®. It is preinstalled on many Linux distributions.
tcpdump provides a brief packet analysis and converts key information about network traffic into
formats easily read by humans. It prints information about each packet directly into your terminal.
tcpdump also displays the source IP address, destination IP addresses, and the port numbers being
used in the communications.
Interpreting output
tcpdump prints the output of the command as the sniffed packets in the command line, and
optionally to a log file, after a command is executed. The output of a packet capture contains many
pieces of important information about the network traffic.
Some information you receive from a packet capture includes:
 Timestamp: The output begins with the timestamp, formatted as hours, minutes, seconds,
and fractions of a second.
 Source IP: The packet’s origin is provided by its source IP address.
 Source port: This port number is where the packet originated.
 Destination IP: The destination IP address is where the packet is being transmitted to.
 Destination port: This port number is where the packet is being transmitted to.
Note: By default, tcpdump will attempt to resolve host addresses to hostnames. It'll also replace port
numbers with commonly associated services that use these ports.
Common uses
tcpdump and other network protocol analyzers are commonly used to capture and view network
communications and to collect statistics about the network, such as troubleshooting network
performance issues. They can also be used to:
 Establish a baseline for network traffic patterns and network utilization metrics.
 Detect and identify malicious traffic
 Create customized alerts to send the right notifications when network issues or security
threats arise.
 Locate unauthorized instant messaging (IM), traffic, or wireless access points.
However, attackers can also use network protocol analyzers maliciously to gain information about a
specific network. For example, attackers can capture data packets that contain sensitive information,
such as account usernames and passwords. As a cybersecurity analyst, It’s important to understand
the purpose and uses of network protocol analyzers.
Key takeaways
Network protocol analyzers, like tcpdump, are common tools that can be used to monitor network
traffic patterns and investigate suspicious activity. tcpdump is a command-line network protocol
analyzer that is compatible with Linux/Unix and macOS®. When you run a tcpdump command, the
tool will output packet routing information, like the timestamp, source IP address and port number,
and the destination IP address and port number. Unfortunately, attackers can also use network
protocol analyzers to capture data packets that contain sensitive information, such as account
usernames and passwords.
Real-life DDoS attack

Previously, you were introduced to Denial of Service (DoS) attacks. You also learned that volumetric
distributed DoS (DDoS) attacks overwhelm a network by sending unwanted data packets in such
large quantities that the servers become unable to service normal users. This can be detrimental to
an organization. When systems fail, organizations cannot meet their customers' needs. They often
lose money, and in some cases, incur other losses. An organization’s reputation may also suffer if
news of a successful DDoS attack reaches consumers, who then question the security of the
organization.
In this reading you’ll learn about a 2016 DDoS attack against DNS servers that caused major
outages at multiple organizations that have millions of daily users.
A DDoS targeting a widely used DNS server

In previous videos, you learned about the function of a DNS server. As a review, DNS servers
translate website domain names into the IP address of the system that contains the information for
the website. For instance, if a user were to type in a website URL, a DNS server would translate that
into a numeric IP address that directs network traffic to the location of the website’s server.
On the day of the DDoS attack we are studying, many large companies were using a DNS service
provider. The service provider was hosting the DNS system for these companies. This meant that
when internet users typed in the URL of the website they wanted to access, their devices would be
directed to the right place. On October 21, 2016, the service provider was the victim of a DDoS
attack.
Leading up to the attack

Before the attack on the service provider, a group of university students created a botnet with the
intention to attack various gaming servers and networks. A botnet is a collection of computers
infected by malware that are under the control of a single threat actor, known as the “bot-herder."
Each computer in the botnet can be remotely controlled to send a data packet to a target system. In
a botnet attack, cyber criminals instruct all the bots on the botnet to send data packets to the target
system at the same time, resulting in a DDoS attack.
The group of university students posted the code for the botnet online so that it would be accessible
to thousands of internet users and authorities wouldn’t be able to trace the botnet back to the
students. In doing so, they made it possible for other malicious actors to learn the code to the botnet
and control it remotely. This included the cyber criminals who attacked the DNS service provider.
The day of attack

At 7:00 a.m. on the day of the attack, the botnet sent tens of millions of DNS requests to the service
provider. This overwhelmed the system and the DNS service shut down. This meant that all of the
websites that used the service provider could not be reached. When users tried to access various
websites that used the service provider, they were not directed to the website they typed in their
browser. Outages for each web service occurred all over North America and Europe.
The service provider’s systems were restored after only two hours of downtime. Although the cyber
criminals sent subsequent waves of botnet attacks, the DNS company was prepared and able to
mitigate the impact.
Key takeaways
As demonstrated in the above example, DDoS attacks can be very damaging to an organization. As
a security analyst, it’s important to acknowledge the seriousness of such an attack so that you’re
aware of opportunities to protect the network from them. If your network has important operations
distributed across hosts that can be dynamically scaled, then operations can continue if the baseline
host infrastructure goes offline. DDoS attacks are damaging, but there are concrete actions that
security analysts can take to help protect their organizations. Keep going through this course and
you will learn about common mitigation strategies to protect against DDoS attacks.
Overview of interception tactics

In the previous course items, you learned how packet sniffing and IP spoofing are used in
network attacks. Because these attacks intercept data packets as they travel across the network,
they are called interception attacks.
This reading will introduce you to some specific attacks that use packet sniffing and IP spoofing.
You will learn how hackers use these tactics and how security analysts can counter the threat of
interception attacks.
A closer review of packet sniffing

As you learned in a previous video, packet sniffing is the practice of capturing and inspecting
data packets across a network. On a private network, data packets are directed to the matching
destination device on the network.
The device’s Network Interface Card (NIC) is a piece of hardware that connects the device to a
network. The NIC reads the data transmission, and if it contains the device’s MAC address, it
accepts the packet and sends it to the device to process the information based on the protocol.
This occurs in all standard network operations. However, a NIC can be set to promiscuous mode,
which means that it accepts all traffic on the network, even the packets that aren’t addressed to
the NIC’s device. You’ll learn more about NIC’s later in the program. Malicious actors might
use software like Wireshark to capture the data on a private network and store it for later use.
They can then use the personal information to their own advantage. Alternatively, they might use
the IP and MAC addresses of authorized users of the private network to perform IP spoofing.
A closer review of IP spoofing

After a malicious actor has sniffed packets on the network, they can impersonate the IP and
MAC addresses of authorized devices to perform an IP spoofing attack. Firewalls can prevent IP
spoofing attacks by configuring it to refuse unauthorized IP packets and suspicious traffic. Next,
you’ll examine a few common IP spoofing attacks that are important to be familiar with as a
security analyst.
On-path attack
An on-path attack happens when a hacker intercepts the communication between two devices
or servers that have a trusted relationship. The transmission between these two trusted network
devices could contain valuable information like usernames and passwords that the malicious
actor can collect. An on-path attack is sometimes referred to as a meddler-in-the middle attack
because the hacker is hiding in the middle of communications between two trusted parties.
Or, it could be that the intercepted transmission contains a DNS system look-up. You’ll recall
from an earlier video that a DNS server translates website domain names into IP addresses. If a
malicious actor intercepts a transmission containing a DNS lookup, they could spoof the DNS
response from the server and redirect a domain name to a different IP address, perhaps one that
contains malicious code or other threats. The most important way to protect against an on-path
attack is to encrypt your data in transit, e.g. using TLS.
Smurf attack
A smurf attack is a network attack that is performed when an attacker sniffs an authorized
user’s IP address and floods it with packets. Once the spoofed packet reaches the broadcast
address, it is sent to all of the devices and servers on the network.
In a smurf attack, IP spoofing is combined with another denial of service (DoS) technique to
flood the network with unwanted traffic. For example, the spoofed packet could include an
Internet Control Message Protocol (ICMP) ping. As you learned earlier, ICMP is used to
troubleshoot a network. But if too many ICMP messages are transmitted, the ICMP echo
responses overwhelm the servers on the network and they shut down. This creates a denial of
service and can bring an organization’s operations to a halt.
An important way to protect against a smurf attack is to use an advanced firewall that can
monitor any unusual traffic on the network. Most next generation firewalls (NGFW) include
features that detect network anomalies to ensure that oversized broadcasts are detected before
they have a chance to bring down the network.
DoS attack
As you’ve learned, once the malicious actor has sniffed the network traffic, they can impersonate
an authorized user. A Denial of Service attack is a class of attacks where the attacker prevents
the compromised system from performing legitimate activity or responding to legitimate traffic.
Unlike IP spoofing, however, the attacker will not receive a response from the targeted host.
Everything about the data packet is authorized including the IP address in the header of the
packet. In IP spoofing attacks, the malicious actor uses IP packets containing fake IP addresses.
The attackers keep sending IP packets containing fake IP addresses until the network server
crashes.
Pro Tip: Remember the principle of defense-in-depth. There isn’t one perfect strategy for
stopping each kind of attack. You can layer your defense by using multiple strategies. In this
case, using industry standard encryption will strengthen your security and help you defend from
DoS attacks on more than one level.
Key takeaways
This reading covered several types of common IP spoofing attacks. You learned about how
packet sniffing is performed and how gathering information from intercepting data transmissions
can give malicious actors opportunities for IP spoofing. Whether it is an on-path attack, IP
spoofing attack, or a smurf attack, analysts need to ensure that mitigation strategies are in place
to limit the threat and prevent security breaches.

Active packet sniffing: A type of attack where data packets are manipulated in transit
Botnet: A collection of computers infected by malware that are under the control of a single
threat actor, known as the “bot-herder"
Denial of service (DoS) attack: An attack that targets a network or server and floods it with
network traffic
Distributed denial of service (DDoS) attack: A type of denial of service attack that uses
multiple devices or servers located in different locations to flood the target network with
unwanted traffic
Internet Control Message Protocol (ICMP): An internet protocol used by devices to tell each
other about data transmission errors across the network
Internet Control Message Protocol (ICMP) flood: A type of DoS attack performed by an
attacker repeatedly sending ICMP request packets to a network server
IP spoofing: A network attack performed when an attacker changes the source IP of a data
packet to impersonate an authorized system and gain access to a network
On-path attack: An attack where a malicious actor places themselves in the middle of an
authorized connection and intercepts or alters the data in transit
Passive packet sniffing: A type of attack where a malicious actor connects to a network hub and
looks at all traffic on the network
Ping of death: A type of DoS attack caused when a hacker pings a system by sending it an
oversized ICMP packet that is bigger than 64KB
Replay attack: A network attack performed when a malicious actor intercepts a data packet in
transit and delays it or repeats it at another time
Smurf attack: A network attack performed when an attacker sniffs an authorized user’s IP
address and floods it with ICMP packets
Synchronize (SYN) flood attack: A type of DoS attack that simulates a TCP/IP connection and
floods a server with SYN packets
Brute force attacks and OS hardening

In this reading, you’ll learn about brute force attacks. You’ll consider how vulnerabilities can be
assessed using virtual machines and sandboxes, and learn ways to prevent brute force attacks
using a combination of authentication measures. Implementing various OS hardening tasks can help
prevent brute force attacks. An attacker can use a brute force attack to gain access and compromise
a network.
Usernames and passwords are among the most common and important security controls in place
today. They are used and enforced on everything that stores or accesses sensitive or private
information, like personal phones, computers, and restricted applications within an organization.
However, a major issue with relying on login credentials as a critical line of defense is that they’re
vulnerable to being stolen and guessed by malicious actors.
Brute force attacks
A brute force attack is a trial-and-error process of discovering private information. There are different
types of brute force attacks that malicious actors use to guess passwords, including:
 Simple brute force attacks. When attackers try to guess a user's login credentials, it’s
considered a simple brute force attack. They might do this by entering any combination of
usernames and passwords that they can think of until they find the one that works.
 Dictionary attacks use a similar technique. In dictionary attacks, attackers use a list of
commonly used passwords and stolen credentials from previous breaches to access a
system. These are called “dictionary” attacks because attackers originally used a list of
words from the dictionary to guess the passwords, before complex password rules became a
common security practice.
Using brute force to access a system can be a tedious and time consuming process, especially
when it’s done manually. There are a range of tools attackers use to conduct their attacks.
Assessing vulnerabilities
Before a brute force attack or other cybersecurity incident occurs, companies can run a series of
tests on their network or web applications to assess vulnerabilities. Analysts can use virtual
machines and sandboxes to test suspicious files, check for vulnerabilities before an event occurs, or
to simulate a cybersecurity incident.
Virtual machines (VMs)

Virtual machines (VMs) are software versions of physical computers. VMs provide an additional
layer of security for an organization because they can be used to run code in an isolated
environment, preventing malicious code from affecting the rest of the computer or system. VMs can
also be deleted and replaced by a pristine image after testing malware.
VMs are useful when investigating potentially infected machines or running malware in a constrained
environment. Using a VM may prevent damage to your system in the event its tools are used
improperly. VMs also give you the ability to revert to a previous state. However, there are still some
risks involved with VMs. There’s still a small risk that a malicious program can escape virtualization
and access the host machine.
You can test and explore applications easily with VMs, and it’s easy to switch between different VMs
from your computer. This can also help in streamlining many security tasks.
Sandbox environments
A sandbox is a type of testing environment that allows you to execute software or programs separate
from your network. They are commonly used for testing patches, identifying and addressing bugs, or
detecting cybersecurity vulnerabilities. Sandboxes can also be used to evaluate suspicious software,
evaluate files containing malicious code, and simulate attack scenarios.
Sandboxes can be stand-alone physical computers that are not connected to a network; however, it
is often more time- and cost-effective to use software or cloud-based virtual machines as sandbox
environments. Note that some malware authors know how to write code to detect if the malware is
executed in a VM or sandbox environment. Attackers can program their malware to behave as
harmless software when run inside these types of testing environments.
Prevention measures
Some common measures organizations use to prevent brute force attacks and similar attacks from
occurring include:
 Salting and hashing: Hashing converts information into a unique value that can then be used
to determine its integrity. It is a one-way function, meaning it is impossible to decrypt and
obtain the original text. Salting adds random characters to hashed passwords. This
increases the length and complexity of hash values, making them more secure.
 Multi-factor authentication (MFA) and two-factor authentication (2FA): MFA is a security
measure which requires a user to verify their identity in two or more ways to access a system
or network. This verification happens using a combination of authentication factors: a
username and password, fingerprints, facial recognition, or a one-time password (OTP) sent
to a phone number or email. 2FA is similar to MFA, except it uses only two forms of
verification.
 CAPTCHA and reCAPTCHA: CAPTCHA stands for Completely Automated Public Turing
test to tell Computers and Humans Apart. It asks users to complete a simple test that proves
they are human. This helps prevent software from trying to brute force a password.
reCAPTCHA is a free CAPTCHA service from Google that helps protect websites from bots
and malicious software.
 Password policies: Organizations use password policies to standardize good password
practices throughout the business. Policies can include guidelines on how complex a
password should be, how often users need to update passwords, whether passwords can be
reused or not, and if there are limits to how many times a user can attempt to log in before
their account is suspended.
Key takeaways
Brute force attacks are a trial-and-error process of guessing passwords. Attacks can be launched
manually or through software tools. Methods include simple brute force attacks and dictionary
attacks. To protect against brute force attacks, cybersecurity analysts can use sandboxes to test
suspicious files, check for vulnerabilities, or to simulate real attacks and virtual machines to conduct
vulnerability tests. Some common measures to prevent brute force attacks include: hashing and
salting, MFA and/or 2FA, CAPTCHA and reCAPTCHA, and password policies.
Mark as completed
Activity Exemplar: Apply OS hardening
techniques
Here is a completed exemplar along with an explanation of how the exemplar fulfills the
expectations for the activity.
Completed Exemplar
To review the exemplar for this course item, click the link below and select Use Template.
 Security incident report exemplar

 The exemplar explained: Security incident report
OR
If you don’t have a Google account, you can download the exemplar and incident report directly
from the attachment below.
Security incident report exemplar

DOCX File
The Exemplar Explained_ Security incident report exemplar

DOCX File
Assessment of Exemplar
Compare the exemplar to your completed activity. Review your work using each of the criteria in
the exemplar. What did you do well? Where can you improve? Use your answers to these
questions to guide you as you continue to progress through the course.
Note: The exemplar represents one possible explanation for the issues that the end users are
facing. Yours will likely differ in certain ways. What’s important is that you identified the
network protocols involved and created a report. In your role as a security analyst, you and your
team would document any issue that occurs on the network and come up with solutions to help
prevent the same issues from occurring in the future. Good quality documentation can save you
and your organization time and potentially manage the attack early on.
First, analyze the DNS & HTTP traffic log to identify a network protocol. Then, document the
cybersecurity incident. Finally, recommend one security measure your organization could
implement to prevent brute force attacks in the future. Creating this process will, in turn, help
improve the organization’s security posture.
The exemplar is accompanied by the activity, and presents a professional documentation

example to include the following:
 One network protocol identified during the investigation

 Documentation of the incident
 A recommended security measure
Key Takeaways
As a security analyst, you might not always know exactly what is the primary cause of a network
issue or a possible attack. But being able to analyze the protocols involved will help you make an
informed assumption about what happened. This will allow you and your team to begin resolving
the issue.
Network security applications

This section of the course covers the topic of network hardening and monitoring. Each device, tool,
or security strategy put in place by security analysts further protects—or hardens—the network until
the network owner is satisfied with the level of security. This approach of adding layers of security to
a network is referred to as defense in depth.
In this reading, you are going to learn about the role of four devices used to secure a network—
firewalls, intrusion detection systems, intrusion prevention systems, and security incident and event
management tools. Network security professionals have the choice to use any or all of these devices
and tools depending on the level of security that they hope to achieve.
This reading will discuss the benefits of layered security. Each tool mentioned is an additional layer
of defense that can incrementally harden a network, starting with the minimum level of security
(provided by just a firewall), to the highest level of security (provided by combining a firewall, an
intrusion detection and prevention device, and security event monitoring).
Take note of where each tool is located on the network. Each tool has its own place in the network’s
architecture. Security analysts are required to understand the network topologies shown in the
diagrams throughout this reading.
Firewall
So far in this course, you learned about stateless firewalls, stateful firewalls, and next-generation
firewalls (NGFWs), and the security advantages of each of them.
Most firewalls are similar in their basic functions. Firewalls allow or block traffic based on a set of
rules. As data packets enter a network, the packet header is inspected and allowed or denied based
on its port number. NGFWs are also able to inspect packet payloads. Each system should have its
own firewall, regardless of the network firewall.
Intrusion Detection System

possible intrusions. An IDS alerts administrators based on the signature of malicious traffic.
The IDS is configured to detect known attacks. IDS systems often sniff data packets as they move
across the network and analyze them for the characteristics of known attacks. Some IDS systems
review not only for signatures of known attacks, but also for anomalies that could be the sign of
malicious activity. When the IDS discovers an anomaly, it sends an alert to the network administrator
who can then investigate further.
The limitations to IDS systems are that they can only scan for known attacks or obvious anomalies.
New and sophisticated attacks might not be caught. The other limitation is that the IDS doesn’t
actually stop the incoming traffic if it detects something awry. It’s up to the network administrator to
catch the malicious activity before it does anything damaging to the network.
When combined with a firewall, an IDS adds another layer of defense. The IDS is placed behind the
firewall and before entering the LAN, which allows the IDS to analyze data streams after network
traffic that is disallowed by the firewall has been filtered out. This is done to reduce noise in IDS
alerts, also referred to as false positives.
Intrusion Prevention System

An intrusion prevention system (IPS) is an application that monitors system activity for intrusive
activity and takes action to stop the activity. It offers even more protection than an IDS because it
actively stops anomalies when they are detected, unlike the IDS that simply reports the anomaly to a
network administrator.
An IPS searches for signatures of known attacks and data anomalies. An IPS reports the anomaly to
security analysts and blocks a specific sender or drops network packets that seem suspect.
The IPS (like an IDS) sits behind the firewall in the network architecture. This offers a high level of
security because risky data streams are disrupted before they even reach sensitive parts of the
network. However, one potential limitation is that it is inline: If it breaks, the connection between the
private network and the internet breaks. Another limitation of IPS is the possibility of false positives,
which can result in legitimate traffic getting dropped.
Full packet capture devices

Full packet capture devices can be incredibly useful for network administrators and security
professionals. These devices allow you to record and analyze all of the data that is transmitted over
your network. They also aid in investigating alerts created by an IDS.
Security Information and Event Management

A security information and event management system (SIEM) is an application that collects and
analyzes log data to monitor critical activities in an organization. SIEM tools work in real time to
report suspicious activity in a centralized dashboard. SIEM tools additionally analyze network log
data sourced from IDSs, IPSs, firewalls, VPNs, proxies, and DNS logs. SIEM tools are a way to
aggregate security event data so that it all appears in one place for security analysts to analyze. This
is referred to as a single pane of glass.
Below, you can review an example of a dashboard from Google Cloud’s SIEM tool, Chronicle.
Chronicle is a cloud-native tool designed to retain, analyze, and search data.
Splunk is another common SIEM tool. Splunk offers different SIEM tool options: Splunk Enterprise
and Splunk Cloud. Both options include detailed dashboards which help security professionals to
review and analyze an organization's data. There are also other similar SIEM tools available, and it's
important for security professionals to research the different tools to determine which one is most
beneficial to the organization.
A SIEM tool doesn’t replace the expertise of security analysts, or of the network- and system-
hardening activities covered in this course, but they’re used in combination with other security
methods. Security analysts often work in a Security Operations Center (SOC) where they can
monitor the activity across the network. They can then use their expertise and experience to
determine how to respond to the information on the dashboard and decide when the events meet the
criteria to be escalated to oversight.
Key takeaways
Devices / Tools Advantages Disadvantages
A firewall is only able to filter packets based
A firewall allows or blocks traffic
Firewall on information provided in the header of the
based on a set of rules.
packets.
An IDS can only scan for known attacks or
An IDS detects and alerts admins
Intrusion Detection obvious anomalies; new and sophisticated
about possible intrusions, attacks, and
System (IDS) attacks might not be caught. It doesn’t
other malicious traffic.
actually stop the incoming traffic.
An IPS is an inline appliance. If it fails, the

An IPS monitors system activity for
Intrusion Prevention connection between the private network and
intrusions and anomalies and takes
System (IPS) the internet breaks. It might detect false
action to stop them.
positives and block legitimate traffic.
Security A SIEM tool collects and analyzes log

A SIEM tool only reports on possible
Information and data from multiple network machines.
security issues. It does not take any actions
Event Management It aggregates security events for
to stop or prevent suspicious events.
(SIEM) monitoring in a central dashboard.
Each of these devices or tools cost money to purchase, install, and maintain. An organization might
need to hire additional personnel to monitor the security tools, as in the case of a SIEM. Decision-
makers are tasked with selecting the appropriate level of security based on cost and risk to the
organization. You will learn more about choosing levels of security later in the course.
Secure the cloud
Earlier in this course, you were introduced to cloud computing. Cloud computing is a model for
allowing convenient and on-demand network access to a shared pool of configurable computing
resources. These resources can be configured and released with minimal management effort or
interaction with the service provider.
Just like any other IT infrastructure, a cloud infrastructure needs to be secured. This reading will
address some main security considerations that are unique to the cloud and introduce you to the
shared responsibility model used for security in the cloud. Many organizations that use cloud
resources and infrastructure express concerns about the privacy of their data and resources. This
concern is addressed through cryptography and other additional security measures, which will be
discussed later in this course.
Cloud security considerations

Many organizations choose to use cloud services because of the ease of deployment, speed of
deployment, cost savings, and scalability of these options. Cloud computing presents unique
security challenges that cybersecurity analysts need to be aware of.
Identity access management

Identity access management (IAM) is a collection of processes and technologies that helps
organizations manage digital identities in their environment. This service also authorizes how users
can use different cloud resources. A common problem that organizations face when using the cloud
is the loose configuration of cloud user roles. An improperly configured user role increases risk by
allowing unauthorized users to have access to critical cloud operations.
Configuration
The number of available cloud services adds complexity to the network. Each service must be
carefully configured to meet security and compliance requirements. This presents a particular
challenge when organizations perform an initial migration into the cloud. When this change occurs
on their network, they must ensure that every process moved into the cloud has been configured
correctly. If network administrators and architects are not meticulous in correctly configuring the
organization’s cloud services, they could leave the network open to compromise. Misconfigured
cloud services are a common source of cloud security issues.
Attack surface
Cloud service providers (CSPs) offer numerous applications and services for organizations at a low
cost.
Every service or application on a network carries its own set of risks and vulnerabilities and
increases an organization’s overall attack surface. An increased attack surface must be
compensated for with increased security measures.
Cloud networks that utilize many services introduce lots of entry points into an organization’s
network. However, if the network is designed correctly, utilizing several services does not introduce
more entry points into an organization’s network design. These entry points can be used to introduce
malware onto the network and pose other security vulnerabilities. It is important to note that CSPs
often defer to more secure options, and have undergone more scrutiny than a traditional on-
premises network.
Zero-day attacks
Zero-day attacks are an important security consideration for organizations using cloud or traditional
on-premise network solutions. A zero day attack is an exploit that was previously unknown. CSPs are
more likely to know about a zero day attack occurring before a traditional IT organization does.
CSPs have ways of patching hypervisors and migrating workloads to other virtual machines. These
methods ensure the customers are not impacted by the attack. There are also several tools available
for patching at the operating system level that organizations can use.
Visibility and tracking

Network administrators have access to every data packet crossing the network with both on-premise
and cloud networks. They can sniff and inspect data packets to learn about network performance or
to check for possible threats and attacks.
This kind of visibility is also offered in the cloud through flow logs and tools, such as packet
mirroring. CSPs take responsibility for security in the cloud, but they do not allow the organizations
that use their infrastructure to monitor traffic on the CSP’s servers. Many CSPs offer strong security
measures to protect their infrastructure. Still, this situation might be a concern for organizations that
are accustomed to having full access to their network and operations. CSPs pay for third-party
audits to verify how secure a cloud network is and identify potential vulnerabilities. The audits can
help organizations identify whether any vulnerabilities originate from on-premise infrastructure and if
there are any compliance lapses from their CSP.
Things change fast in the cloud

CSPs are large organizations that work hard to stay up-to-date with technology advancements. For
organizations that are used to being in control of any adjustments made to their network, this can be
a potential challenge to keep up with. Cloud service updates can affect security considerations for
the organizations using them. For example, connection configurations might need to be changed
based on the CSP’s updates.
Organizations that use CSPs usually have to update their IT processes. It is possible for
organizations to continue following established best practices for changes, configurations, and other
security considerations. However, an organization might have to adopt a different approach in a way
that aligns with changes made by the CSP.
Cloud networking offers various options that might appear attractive to a small company—options
that they could never afford to build on their own premises. However, it is important to consider that
each service adds complexity to the security profile of the organization, and they will need security
personnel to monitor all of the cloud services.
Shared responsibility model

A commonly accepted cloud security principle is the shared responsibility model. The shared
responsibility model states that the CSP must take responsibility for security involving the cloud
infrastructure, including physical data centers, hypervisors, and host operating systems. The
company using the cloud service is responsible for the assets and processes that they store or
operate in the cloud.
The shared responsibility model ensures that both the CSP and the users agree about where their
responsibility for security begins and ends. A problem occurs when organizations assume that the
CSP is taking care of security that they have not taken responsibility for. One example of this is
cloud applications and configurations. The CSP takes responsibility for securing the cloud, but it is
the organization’s responsibility to ensure that services are configured properly according to the
security requirements of their organization.
Key takeaways
It is essential to know the security considerations that are unique to the cloud and understanding the
shared responsibility model for cloud security. Organizations are responsible for correctly configuring
and maintaining best security practices for their cloud services. The shared responsibility model
ensures that both the CSP and users agree about what the organization is responsible for and what
the CSP is responsible for when securing the cloud infrastructure.
Cryptography and cloud security

Earlier in this course, you were introduced to the concepts of the shared responsibility model and
identity and access management (IAM). Similar to on-premise networks, cloud networks also need
to be secured through a mixture of security hardening practices and cryptography.
This reading will address common cloud security hardening practices, what to consider when
implementing cloud security measures, and the fundamentals of cryptography. Since cloud
infrastructure is becoming increasingly common, it’s important to understand how cloud networks
operate and how to secure them.
Cloud security hardening
There are various techniques and tools that can be used to secure cloud network infrastructure and
resources. Some common cloud security hardening techniques include incorporating IAM,
hypervisors, baselining, cryptography, and cryptographic erasure.
Identity access management (IAM)

Identity access management (IAM) is a collection of processes and technologies that helps
organizations manage digital identities in their environment. This service also authorizes how users
can leverage different cloud resources.
Hypervisors
A hypervisor abstracts the host’s hardware from the operating software environment. There are two
types of hypervisors. Type one hypervisors run on the hardware of the host computer. An example
of a type one hypervisor is VMware®'s ESXi. Type two hypervisors operate on the software of the
host computer. An example of a type two hypervisor is VirtualBox. Cloud service providers (CSPs)
commonly use type one hypervisors. CSPs are responsible for managing the hypervisor and other
virtualization components. The CSP ensures that cloud resources and cloud environments are
available, and it provides regular patches and updates. Vulnerabilities in hypervisors or
misconfigurations can lead to virtual machine escapes (VM escapes). A VM escape is an exploit
where a malicious actor gains access to the primary hypervisor, potentially the host computer and
other VMs. As a CSP customer, you will rarely deal with hypervisors directly.
Baselining
Baselining for cloud networks and operations cover how the cloud environment is configured and set
up. A baseline is a fixed reference point. This reference point can be used to compare changes
made to a cloud environment. Proper configuration and setup can greatly improve the security and
performance of a cloud environment. Examples of establishing a baseline in a cloud environment
include: restricting access to the admin portal of the cloud environment, enabling password
management, enabling file encryption, and enabling threat detection services for SQL databases.
Cryptography in the cloud

Cryptography can be applied to secure data that is processed and stored in a cloud environment.
Cryptography uses encryption and secure key management systems to provide data integrity and
confidentiality. Cryptographic encryption is one of the key ways to secure sensitive data and
information in the cloud.
Encryption is the process of scrambling information into ciphertext, which is not readable to anyone
without the encryption key. Encryption primarily originated from manually encoding messages and
information using an algorithm to convert any given letter or number to a new value. Modern
encryption relies on the secrecy of a key, rather than the secrecy of an algorithm. Cryptography is an
important tool that helps secure cloud networks and data at rest to prevent unauthorized access.
You’ll learn more about cryptography in-depth in an upcoming course.
Cryptographic erasure
Cryptographic erasure is a method of erasing the encryption key for the encrypted data. When
destroying data in the cloud, more traditional methods of data destruction are not as effective.
Crypto-shredding is a newer technique where the cryptographic keys used for decrypting the data
are destroyed. This makes the data undecipherable and prevents anyone from decrypting the data.
When crypto-shredding, all copies of the key need to be destroyed so no one has any opportunity to
access the data in the future.
Key Management
Modern encryption relies on keeping the encryption keys secure. Below are the measures you can
take to further protect your data when using cloud applications:
 Trusted platform module (TPM). TPM is a computer chip that can securely store passwords,
certificates, and encryption keys.
 Cloud hardware security module (CloudHSM). CloudHSM is a computing device that
provides secure storage for cryptographic keys and processes cryptographic operations,
such as encryption and decryption.
Organizations and customers do not have access to the cloud service provider (CSP) directly, but
they can request audits and security reports by contacting the CSP. Customers typically do not have
access to the specific encryption keys that CSPs use to encrypt the customers’ data. However,
almost all CSPs allow customers to provide their own encryption keys, depending on the service the
customer is accessing. In turn, the customer is responsible for their encryption keys and ensuring
the keys remain confidential. The CSP is limited in how they can help the customer if the customer’s
keys are compromised or destroyed. One key benefit of the shared responsibility model is that the
customer is not entirely responsible for maintenance of the cryptographic infrastructure.
Organizations can assess and monitor the risk involved with allowing the CSP to manage the
infrastructure by reviewing a CSPs audit and security controls. For federal contractors, FEDRAMP
provides a list of verified CSPs.
Key takeaways
Cloud security hardening is a critical component to consider when assessing the security of various
public cloud environments and improving the security within your organization. Identity access
management (IAM), correctly configuring a baseline for the cloud environment, securing hypervisors,
cryptography, and cryptographic erasure are all methods to use to further secure cloud
infrastructure.
Baseline configuration (baseline image): A documented set of specifications within a system
that is used as a basis for future builds, releases, and updates
Hardware: The physical components of a computer
Multi-factor authentication (MFA): A security measure which requires a user to verify their
identity in two or more ways to access a system or network
Network log analysis: The process of examining network logs to identify events of interest
Patch update: A software and operating system update that addresses security vulnerabilities
within a program or product
Penetration testing (pen test): A simulated attack that helps identify vulnerabilities in systems,
networks, websites, applications, and processes
Security hardening: The process of strengthening a system to reduce its vulnerabilities and
attack surface
Security information and event management (SIEM): An application that collects and
analyzes log data to monitor critical activities for an organization
World-writable file: A file that can be altered by anyone in the world

Compare operating systems
You previously explored why operating systems are an important part of how a computer works. In
this reading, you’ll compare some popular operating systems used today. You’ll also focus on the
risks of using legacy operating systems.
Common operating systems

The following operating systems are useful to know in the security industry: Windows, macOS®,
Linux, ChromeOS, Android, and iOS.
Windows and macOS

Windows and macOS are both common operating systems. The Windows operating system was
introduced in 1985, and macOS was introduced in 1984. Both operating systems are used in
personal and enterprise computers.
Windows is a closed-source operating system, which means the source code is not shared freely
with the public. macOS is partially open source. It has some open-source components, such as
macOS’s kernel. macOS also has some closed-source components.
Linux
The first version of Linux was released in 1991, and other major releases followed in the early
1990s. Linux is a completely open-source operating system, which means that anyone can access
Linux and its source code. The open-source nature of Linux allows developers in the Linux
community to collaborate.
Linux is particularly important to the security industry. There are some distributions that are
specifically designed for security. Later in this course, you’ll learn about Linux and its importance to
the security industry.
ChromeOS
ChromeOS launched in 2011. It’s partially open source and is derived from Chromium OS, which is
completely open source. ChromeOS is frequently used in the education field.
Android and iOS

Android and iOS are both mobile operating systems. Unlike the other operating systems mentioned,
mobile operating systems are typically used in mobile devices, such as phones, tablets, and
watches. Android was introduced for public use in 2008, and iOS was introduced in 2007. Android is
open source, and iOS is partially open source.
Operating systems and vulnerabilities

Security issues are inevitable with all operating systems. An important part of protecting an operating
system is keeping the system and all of its components up to date.
Legacy operating systems

A legacy operating system is an operating system that is outdated but still being used. Some
organizations continue to use legacy operating systems because software they rely on is not
compatible with newer operating systems. This can be more common in industries that use a lot of
equipment that requires embedded software—software that’s placed inside components of the
equipment.
Legacy operating systems can be vulnerable to security issues because they’re no longer supported
or updated. This means that legacy operating systems might be vulnerable to new threats.
Other vulnerabilities
Even when operating systems are kept up to date, they can still become vulnerable to attack. Below
are several resources that include information on operating systems and their vulnerabilities.
 Microsoft Security Response Center (MSRC): A list of known vulnerabilities affecting

Microsoft products and services
 Apple Security Updates: A list of security updates and information for Apple® operating
systems, including macOS and iOS, and other products
 Common Vulnerabilities and Exposures (CVE) Report for Ubuntu: A list of known
vulnerabilities affecting Ubuntu, which is a specific distribution of Linux
 Google Cloud Security Bulletin: A list of known vulnerabilities affecting Google Cloud
products and services
Keeping an operating system up to date is one key way to help the system stay secure. Because it
can be difficult to keep all systems updated at all times, it’s important for security analysts to be
knowledgeable about legacy operating systems and the risks they can create.
Key takeaways
Windows, macOS, Linux, ChromeOS, Android, and iOS are all commonly used operating systems.
Security analysts should be aware of vulnerabilities that affect operating systems. It’s especially
important for security analysts to be familiar with legacy operating systems, which are systems that
are outdated but still being used.
Requests to the operating system

Operating systems are a critical component of a computer. They make connections between
applications and hardware to allow users to perform tasks. In this reading, you’ll explore this
complex process further and consider it using a new analogy and a new example.
Booting the computer
When you boot, or turn on, your computer, either a BIOS or UEFI microchip is activated. The Basic
Input/Output System (BIOS) is a microchip that contains loading instructions for the computer and is
prevalent in older systems. The Unified Extensible Firmware Interface (UEFI) is a microchip that
contains loading instructions for the computer and replaces BIOS on more modern systems.
The BIOS and UEFI chips both perform the same function for booting the computer. BIOS was the
standard chip until 2007, when UEFI chips increased in use. Now, most new computers include a
UEFI chip. UEFI provides enhanced security features.
The BIOS or UEFI microchips contain a variety of loading instructions for the computer to follow. For
example, one of the loading instructions is to verify the health of the computer’s hardware.
The last instruction from the BIOS or UEFI activates the bootloader. The bootloader is a software
program that boots the operating system. Once the operating system has finished booting, your
computer is ready for use.
Completing a task
As previously discussed, operating systems help us use computers more efficiently. Once a
computer has gone through the booting process, completing a task on a computer is a four-part
process.
User
The first part of the process is the user. The user initiates the process by having something they
want to accomplish on the computer. Right now, you’re a user! You’ve initiated the process of
accessing this reading.
Application
The application is the software program that users interact with to complete a task. For example, if
you want to calculate something, you would use the calculator application. If you want to write a
report, you would use a word processing application. This is the second part of the process.
Operating system
The operating system receives the user’s request from the application. It’s the operating system’s
job to interpret the request and direct its flow. In order to complete the task, the operating system
sends it on to applicable components of the hardware.
Hardware
The hardware is where all the processing is done to complete the tasks initiated by the user. For
example, when a user wants to calculate a number, the CPU figures out the answer. As another
example, when a user wants to save a file, another component of the hardware, the hard drive,
handles this task.
After the work is done by the hardware, it sends the output back through the operating system to the
application so that it can display the results to the user.
The OS at work behind the scenes

Consider once again how a computer is similar to a car. There are processes that someone won’t
directly observe when operating a car, but they do feel it move forward when they press the gas
pedal. It’s the same with a computer. Important work happens inside a computer that you don’t
experience directly. This work involves the operating system.
You can explore this through another analogy. The process of using an operating system is also
similar to ordering at a restaurant. At a restaurant you place an order and get your food, but you
don’t see what’s happening in the kitchen when the cooks prepare the food.
Ordering food is similar to using an application on a computer. When you order your food, you make
a specific request like “a small soup, very hot.” When you use an application, you also make specific
requests like “print three double-sided copies of this document.”
You can compare the food you receive to what happens when the hardware sends output. You
receive the food that you ordered. You receive the document that you wanted to print.
Finally, the kitchen is like the OS. You don’t know what happens in the kitchen, but it’s critical in
interpreting the request and ensuring you receive what you ordered. Similarly, though the work of the
OS is not directly transparent to you, it’s critical in completing your tasks.
An example: Downloading a file from an internet browser

Previously, you explored how operating systems, applications, and hardware work together by
examining a task involving a calculation. You can expand this understanding by exploring how the
OS completes another task, downloading a file from an internet browser:
 First, the user decides they want to download a file that they found online, so they click on a
download button near the file in the internet browser application.
 Then, the internet browser communicates this action to the OS.
 The OS sends the request to download the file to the appropriate hardware for processing.
 The hardware begins downloading the file, and the OS sends this information to the internet
browser application. The internet browser then informs the user when the file has been
downloaded.
Key takeaways
Although it operates in the background, the operating system is an essential part of the process of
using a computer. The operating system connects applications and hardware to allow users to
complete a task.
Virtualization technology
You've explored a lot about operating systems. One more aspect to consider is that operating
systems can run on virtual machines. In this reading, you’ll learn about virtual machines and the
general concept of virtualization. You’ll explore how virtual machines work and the benefits of using
them.
What is a virtual machine?

A virtual machine (VM) is a virtual version of a physical computer. Virtual machines are one example
of virtualization. Virtualization is the process of using software to create virtual representations of
various physical machines. The term “virtual” refers to machines that don’t exist physically, but
operate like they do because their software simulates physical hardware. Virtual systems don’t use
dedicated physical hardware. Instead, they use software-defined versions of the physical hardware.
This means that a single virtual machine has a virtual CPU, virtual storage, and other virtual
hardware. Virtual systems are just code.
You can run multiple virtual machines using the physical hardware of a single computer. This
involves dividing the resources of the host computer to be shared across all physical and virtual
components. For example, Random Access Memory (RAM) is a hardware component used for short-
term memory. If a computer has 16GB of RAM, it can host three virtual machines so that the
physical computer and virtual machines each have 4GB of RAM. Also, each of these virtual
machines would have their own operating system and function similarly to a typical computer.
Benefits of virtual machines

Security professionals commonly use virtualization and virtual machines. Virtualization can increase
security for many tasks and can also increase efficiency.
Security
One benefit is that virtualization can provide an isolated environment, or a sandbox, on the physical
host machine. When a computer has multiple virtual machines, these virtual machines are “guests”
of the computer. Specifically, they are isolated from the host computer and other guest virtual
machines. This provides a layer of security, because virtual machines can be kept separate from the
other systems. For example, if an individual virtual machine becomes infected with malware, it can
be dealt with more securely because it’s isolated from the other machines. A security professional
could also intentionally place malware on a virtual machine to examine it in a more secure
environment.
Note: Although using virtual machines is useful when investigating potentially infected machines or
running malware in a constrained environment, there are still some risks. For example, a malicious
program can escape virtualization and access the host machine. This is why you should never
completely trust virtualized systems.
Efficiency
Using virtual machines can also be an efficient and convenient way to perform security tasks. You
can open multiple virtual machines at once and switch easily between them. This allows you to
streamline security tasks, such as testing and exploring various applications.
You can compare the efficiency of a virtual machine to a city bus. A single city bus has a lot of room
and is an efficient way to transport many people simultaneously. If city buses didn’t exist, then
everyone on the bus would have to drive their own cars. This uses more gas, cars, and other
resources than riding the city bus.
Similar to how many people can ride one bus, many virtual machines can be hosted on the same
physical machine. That way, separate physical machines aren't needed to perform certain tasks.
Managing virtual machines

Virtual machines can be managed with a software called a hypervisor. Hypervisors help users
manage multiple virtual machines and connect the virtual and physical hardware. Hypervisors also
help with allocating the shared resources of the physical host machine to one or more virtual
machines.
One hypervisor that is useful for you to be familiar with is the Kernel-based Virtual Machine (KVM).
KVM is an open-source hypervisor that is supported by most major Linux distributions. It is built into
the Linux kernel, which means it can be used to create virtual machines on any machine running a
Linux operating system without the need for additional software.
Other forms of virtualization

In addition to virtual machines, there are other forms of virtualization. Some of these virtualization
technologies do not use operating systems. For example, multiple virtual servers can be created
from a single physical server. Virtual networks can also be created to more efficiently use the
hardware of a physical network.
Key takeaways
Virtual machines are virtual versions of physical computers and are one example of virtualization.
Virtualization is a key technology in the security industry, and it’s important for security analysts to
understand the basics. There are many benefits to using virtual machines, such as isolation of
malware and other security risks. However, it’s important to remember there’s still a risk of malicious
software escaping their virtualized environments.
The command line in use
Previously, you explored graphical user interfaces (GUI) and command-line interfaces (CLI). In this
reading, you’ll compare these two interfaces and learn more about how they’re used in
cybersecurity.
CLI vs. GUI

A graphical user interface (GUI) is a user interface that uses icons on the screen to manage different
tasks on the computer. A command-line interface (CLI) is a text-based user interface that uses
commands to interact with the computer.
Display
One notable difference between these two interfaces is how they appear on the screen. A GUI has
graphics and icons, such as the icons on your desktop or taskbar for launching programs. In
contrast, a CLI only has text. It looks similar to lines of code.
Function
These two interfaces also differ in how they function. A GUI is an interface that only allows you to
make one request at a time. However, a CLI allows you to make multiple requests at a time.
Advantages of a CLI in cybersecurity

The choice between using a GUI or CLI is partly based on personal preference, but security analysts
should be able to use both interfaces. Using a CLI can provide certain advantages.
Efficiency
Some prefer the CLI because it can be used more quickly when you know how to manage this
interface. For a new user, a GUI might be more efficient because they’re easier for beginners to
navigate.
Because a CLI can accept multiple requests at one time, it’s more powerful when you need to
perform multiple tasks efficiently. For example, if you had to create multiple new files in your system,
you could quickly perform this task in a CLI. If you were using a GUI, this could take much longer,
because you have to repeat the same steps for each new file.
History file
For security analysts, using the Linux CLI is helpful because it records a history file of all the
commands and actions in the CLI. If you were using a GUI, your actions are not necessarily saved in
a history file.
For example, you might be in a situation where you’re responding to an incident using a playbook.
The playbook’s instructions require you to run a series of different commands. If you used a CLI,
you’d be able to go back to the history and ensure all of the commands were correctly used. This
could be helpful if there were issues using the playbook and you had to review the steps you
performed in the command line.
Additionally, if you suspect an attacker has compromised your system, you might be able to trace
their actions using the history file.
Key takeaways
GUIs and CLIs are two types of user interfaces that security analysts should be familiar with. There
are multiple differences between a GUI and a CLI, including their displays and how they function.
When working in cybersecurity, a CLI is often preferred over a GUI because it can handle multiple
tasks simultaneously and it includes a history file.

Application: A program that performs a specific task
Basic Input/Output System (BIOS): A microchip that contains loading instructions for the computer
and is prevalent in older systems
Bootloader: A software program that boots the operating system
Command-line interface (CLI): A text-based user interface that uses commands to interact with the
computer
Graphical user interface (GUI): A user interface that uses icons on the screen to manage different
tasks on the computer
Legacy operating system: An operating system that is outdated but still being used
Random Access Memory (RAM): A hardware component used for short-term memory
Unified Extensible Firmware Interface (UEFI): A microchip that contains loading instructions for the
computer and replaces BIOS on more modern systems
User interface: A program that allows the user to control the functions of the operating system
Virtual machine (VM): A virtual version of a physical computer
Linux architecture explained

Understanding the Linux architecture is important for a security analyst. When you understand how a
system is organized, it makes it easier to understand how it functions. In this reading, you’ll learn
more about the individual components in the Linux architecture. A request to complete a task starts
with the user and then flows through applications, the shell, the Filesystem Hierarchy Standard, the
kernel, and the hardware.
User
The user is the person interacting with a computer. They initiate and manage computer tasks. Linux
is a multi-user system, which means that multiple users can use the same resources at the same
time.
Applications
An application is a program that performs a specific task. There are many different applications on
your computer. Some applications typically come pre-installed on your computer, such as calculators
or calendars. Other applications might have to be installed, such as some web browsers or email
clients. In Linux, you'll often use a package manager to install applications. A package manager is a
tool that helps users install, manage, and remove packages or applications. A package is a piece of
software that can be combined with other packages to form an application.
Shell
The shell is the command-line interpreter. Everything entered into the shell is text based. The shell
allows users to give commands to the kernel and receive responses from it. You can think of the
shell as a translator between you and your computer. The shell translates the commands you enter
so that the computer can perform the tasks you want.
Filesystem Hierarchy Standard (FHS)

The Filesystem Hierarchy Standard (FHS) is the component of the Linux OS that organizes data. It
specifies the location where data is stored in the operating system.
A directory is a file that organizes where other files are stored. Directories are sometimes called
“folders,” and they can contain files or other directories. The FHS defines how directories, directory
contents, and other storage is organized so the operating system knows where to find specific data.
Kernel
The kernel is the component of the Linux OS that manages processes and memory. It
communicates with the applications to route commands. The Linux kernel is unique to the Linux OS
and is critical for allocating resources in the system. The kernel controls all major functions of the
hardware, which can help get tasks expedited more efficiently.
Hardware
The hardware is the physical components of a computer. You might be familiar with some hardware
components, such as hard drives or CPUs. Hardware is categorized as either peripheral or internal.
Peripheral devices
Peripheral devices are hardware components that are attached and controlled by the computer
system. They are not core components needed to run the computer system. Peripheral devices can
be added or removed freely. Examples of peripheral devices include monitors, printers, the
keyboard, and the mouse.
Internal hardware
Internal hardware are the components required to run the computer. Internal hardware includes a
main circuit board and all components attached to it. This main circuit board is also called the
motherboard. Internal hardware includes the following:
 The Central Processing Unit (CPU) is a computer’s main processor, which is used to perform
general computing tasks on a computer. The CPU executes the instructions provided by
programs, which enables these programs to run.
 Random Access Memory (RAM) is a hardware component used for short-term memory. It’s
where data is stored temporarily as you perform tasks on your computer. For example, if
you’re writing a report on your computer, the data needed for this is stored in RAM. After
you’ve finished writing the report and closed down that program, this data is deleted from
RAM. Information in RAM cannot be accessed once the computer has been turned off. The
CPU takes the data from RAM to run programs.
 The hard drive is a hardware component used for long-term memory. It’s where programs
and files are stored for the computer to access later. Information on the hard drive can be
accessed even after a computer has been turned off and on again. A computer can have
multiple hard drives.
Key takeaways
It’s important for security analysts to understand the Linux architecture and how these components
are organized. The components of the Linux architecture are the user, applications, shell, Filesystem
Hierarchy Standard, kernel, and hardware. Each of these components is important in how Linux
functions.
More Linux distributions

Previously, you were introduced to the different distributions of Linux. This included KALI LINUX ™.
(KALI LINUX ™ is a trademark of OffSec.) In addition to KALI LINUX ™, there are multiple other
Linux distributions that security analysts should be familiar with. In this reading, you’ll learn about
additional Linux distributions.
KALI LINUX ™
KALI LINUX ™ is an open-source distribution of Linux that is widely used in the security industry.
This is because KALI LINUX ™, which is Debian-based, is pre-installed with many useful tools for
penetration testing and digital forensics. A penetration test is a simulated attack that helps identify
vulnerabilities in systems, networks, websites, applications, and processes. Digital forensics is the
practice of collecting and analyzing data to determine what has happened after an attack. These are
key activities in the security industry.
However, KALI LINUX ™ is not the only Linux distribution that is used in cybersecurity.
Ubuntu
Ubuntu is an open-source, user-friendly distribution that is widely used in security and other
industries. It has both a command-line interface (CLI) and a graphical user interface (GUI). Ubuntu is
also Debian-derived and includes common applications by default. Users can also download many
more applications from a package manager, including security-focused tools. Because of its wide
use, Ubuntu has an especially large number of community resources to support users.
Ubuntu is also widely used for cloud computing. As organizations migrate to cloud servers,
cybersecurity work may more regularly involve Ubuntu derivatives.
Parrot
Parrot is an open-source distribution that is commonly used for security. Similar to KALI LINUX ™,
Parrot comes with pre-installed tools related to penetration testing and digital forensics. Like both
KALI LINUX ™ and Ubuntu, it is based on Debian.
Parrot is also considered to be a user-friendly Linux distribution. This is because it has a GUI that
many find easy to navigate. This is in addition to Parrot’s CLI.
Red Hat® Enterprise Linux®

Red Hat Enterprise Linux is a subscription-based distribution of Linux built for enterprise use. Red
Hat is not free, which is a major difference from the previously mentioned distributions. Because it’s
built and supported for enterprise use, Red Hat also offers a dedicated support team for customers
to call about issues.
CentOS
CentOS is an open-source distribution that is closely related to Red Hat. It uses source code
published by Red Hat to provide a similar platform. However, CentOS does not offer the same
enterprise support that Red Hat provides and is supported through the community.
Key takeaways
KALI LINUX ™, Ubuntu, Parrot, Red Hat, and CentOS are all widely used Linux distributions. It’s
important for security analysts to be aware of these distributions that they might encounter in their
career.
Package managers for installing applications

Previously, you learned about Linux distributions and that different distributions derive from different
sources, such as Debian or Red Hat Enterprise Linux distribution. You were also introduced to
package managers, and learned that Linux applications are commonly distributed through package
managers. In this reading, you’ll apply this knowledge to learn more about package managers.
Introduction to package managers

A package is a piece of software that can be combined with other packages to form an application.
Some packages may be large enough to form applications on their own.
Packages contain the files necessary for an application to be installed. These files include
dependencies, which are supplemental files used to run an application.
Package managers can help resolve any issues with dependencies and perform other management
tasks. A package manager is a tool that helps users install, manage, and remove packages or
applications. Linux uses multiple package managers.
Note: It’s important to use the most recent version of a package when possible. The most recent
version has the most up-to-date bug fixes and security patches. These help keep your system more
secure.
Types of package managers

Many commonly used Linux distributions are derived from the same parent distribution. For
example, KALI LINUX ™, Ubuntu, and Parrot all come from Debian. CentOS comes from Red Hat.
This knowledge is useful when installing applications because certain package managers work with
certain distributions. For example, the Red Hat Package Manager (RPM) can be used for Linux
distributions derived from Red Hat, and package managers such as dpkg can be used for Linux
distributions derived from Debian.
Different package managers typically use different file extensions. For example, Red Hat Package
Manager (RPM) has files which use the .rpm file extension, such as Package-Version-
Release_Architecture.rpm. Package managers for Debian-derived Linux distributions, such as dpkg,
have files which use the .deb file extension, such as Package_Version-Release_Architecture.deb.
Package management tools

In addition to package managers like RPM and dpkg, there are also package management tools that
allow you to easily work with packages through the shell. Package management tools are
sometimes utilized instead of package managers because they allow users to more easily perform
basic tasks, such as installing a new package. Two notable tools are the Advanced Package Tool
(APT) and Yellowdog Updater Modified (YUM).
Advanced Package Tool (APT)

APT is a tool used with Debian-derived distributions. It is run from the command-line interface to
manage, search, and install packages.
Yellowdog Updater Modified (YUM)

YUM is a tool used with Red Hat-derived distributions. It is run from the command-line interface to
manage, search, and install packages. YUM works with .rpm files.
Key takeaways
A package is a piece of software that can be combined with other packages to form an application.
Packages can be managed using a package manager. There are multiple package managers and
package management tools for different Linux distributions. Package management tools allow users
to easily work with packages through the shell. Debian-derived Linux distributions use package
managers like dpkg as well as package management tools like Advanced Package Tool (APT). Red
Hat-derived distributions use the Red Hat Package Manager (RPM) or tools like Yellowdog Updater
Modified (YUM).
Resources for completing Linux labs
This course features hands-on lab activities where you’ll have the opportunity to practice Linux
commands in the terminal. You’ll use a platform called Qwiklabs to complete these labs. In this
reading, you’ll learn how to use Qwiklabs.
This reading first provides a section on how to use Qwiklabs, which includes details on how to
launch a lab, how to interact within the Qwiklabs environment, and how to end a lab. This is followed
by another section on helpful navigation tips and keyboard shortcuts; these may be useful when
working in the terminal.
Note: You will not launch Qwiklabs directly from this reading and instead will do this through lab
activities and exemplars that you encounter throughout the course.
How to use Qwiklabs

Launching Qwiklabs
When you select a lab, you start from a Coursera page. You will need to click Launch App on that
page. After you click Launch App, a new tab will open with a Qwiklabs page that contains
instructions for that particular lab.
Start Lab button

On the Qwiklabs page, you must click Start Lab to open a temporary terminal. The instructions for
the lab will move to the right side of the screen.
Read the instructions and complete all the tasks in the lab by entering commands in the terminal.
Note: It may take a moment for the terminal to start.
Lab control dialog box

After you click Start Lab, the lab control dialog box opens. It contains the End Lab button, the timer,
and the Open Linux Console button.
You can hide or unhide the dialog box by clicking the following icon in the red box:
The timer
The timer starts when the terminal has loaded. The timer keeps track of the amount of time you
have left to complete a lab. The timer counts down until it reaches 00:00:00. When it does, your
temporary terminal and resources are deleted.
You will have ample time to complete the labs. But, stay focused on completing the tasks to ensure
you use your time well.
Open Linux Console button

When you click the button to Open Linux Console, the terminal opens in a new browser window:
Use this feature if you want a full-screen view of the terminal. You can close this window at any time.
Closing the window does not end your lab, and you can continue working in the terminal in the
original tab.
Check progress
You can check your progress by clicking Check my progress at the end of each task.
If you haven’t yet completed a task, you’ll receive hints on what you must do to complete it.
You can click Check my progress whenever you want to check the completion status of a task or
receive a hint.
Using copy/paste commands

The first time you try to use copy or paste keyboard shortcuts (such as CTRL + C), you’ll receive a
pop-up requesting permission to use your device’s clipboard: “googlecoursera.qwiklabs.com wants to
see text and images copied to the clipboard.” Please click Allow if you would like to be able to use
these shortcuts in the Qwiklabs platform. If you choose not to allow Qwiklabs access to your
clipboard, you cannot use keyboard shortcuts but you can still complete the lab.
Code block
Certain steps may include a code block. Click the copy button to copy the code provided and then
paste it into the terminal.
To paste code or other text content that you have copied from the instructions into the terminal,
activate the terminal by clicking anywhere inside it. The terminal is active when the cursor in the
terminal changes from a static empty outline to a flashing solid block.
Once the terminal is active, use the keyboard shortcut CTRL + V (hold down the CTRL key and
press the V key) to insert the copied text into the terminal at the location of the flashing cursor.
Scrolling
In certain situations, you may want to scroll within the terminal window. To do so, use the scroll
wheel on your mouse or the touchpad of your computer.
End Lab button
Finally, click End Lab when you’ve completed the tasks in the lab.
Note: Don't click End Lab until you're finished; you'll lose access to the work you've done throughout
the lab.
Tracking progress on Coursera

If you complete a lab but your progress hasn’t been tracked on Coursera, you may need to refresh
the page for your progress to be registered. Once you complete the lab and refresh the page, the
green check mark should appear.
Helpful navigation tips and keyboard shortcuts

The following contains a list of navigation tips and keyboard shortcuts you may find useful when
completing your Linux labs. Your cursor must be in the terminal window to use these navigation tips
and keyboard shortcuts.
 CTRL + C: Terminates a command that is currently running; from the instructions portion of
Qwiklabs, you can use CTRL + C to copy, but within the terminal, it will only terminate a
command and if one isn't running, it will display ^C at the prompt
 CTRL + V: Pastes text
 clear: Clears the terminal screen; this can also be done by entering CTRL + L
 CTRL + A: Sets your cursor at the beginning of a command
 CTRL + E: Sets your cursor at the end of a command
 Left arrow key: Moves left within a command
 Right arrow key: Moves right within a command
 Up arrow key: Provides the last command you entered into the command line; can be
entered multiple times to go through multiple commands from the command history
 Down arrow key: Provides the next command in the command history; must be after using
the up arrow key
 Tab key: Provides available suggestions for completing your text
Key takeaways
Knowing how to navigate Qwiklabs will be useful as you complete the labs throughout this course.
These labs can help you practice what you’ve learned in an interactive environment.
Lab tips and troubleshooting steps

Throughout this certificate you will use Qwiklabs and Jupyter Notebooks to complete hands-on
activities that include Linux command line, packet capture, and Python programming tasks. In this
reading, we will cover some tips and troubleshooting steps for using Qwiklabs and Jupyter
Notebooks on your computer.
Browser compatibility
Make sure your internet browser is updated regularly. Qwiklabs and Jupyter Notebooks require the
latest version of Google Chrome, Firefox, or Microsoft Edge. If your browser is outdated or you are
using a browser that is not supported by Qwiklabs or Jupyter Notebooks, you may encounter a
problem. If your browser is up to date and you are using one of the browsers listed above and still
encountering problems try restarting your browser or clearing your browser’s cache and cookies.
You can also use incognito mode which prevents your browser from storing cookies and other
temporary data.
Note: The Qwiklabs user interface works best with Google Chrome.
Internet connection
Qwiklabs and Jupyter Notebooks require a stable internet connection. If you are experiencing
problems starting or completing Qwiklabs or Jupyter Notebooks, your internet connection may be
slow or unreliable. Some signs of an unstable internet connection may be freezing labs, difficulty
connecting to virtual machines, or the inability to type or enter commands within the lab
environment.
Pro Tip: If you are unable to complete a Qwiklab or Jupyter Notebooks lab on one device, try using
another device.
Troubleshooting steps
To summarize, here are the troubleshooting steps to try if you encounter a problem with Qwiklabs or
Jupyter Notebooks.
1. Make sure you are using the latest version of a supported browser: Google Chrome, Firefox,
or Microsoft Edge.
2. Restart your browser and clear your browser’s cache and cookies. You can also use
incognito mode.
3. Check your internet connection and make sure it is stable. You can try restarting your router
and modem to regain a stable connection.
4. Try restarting Qwiklabs or Jupyter Notebooks again.
5. For Qwiklabs only: If problems persist or you receive a message stating that you have
exceeded the quota for a Qwiklab, submit this form to Qwiklabs support for assistance.
Different types of shells

Knowing how to work with Linux shells is an important skill for cybersecurity professionals.
Shells can be used for many common tasks. Previously, you were introduced to shells and their
functions. This reading will review shells and introduce you to different types, including the one
that you'll use in this course.
Communicate through a shell

As you explored previously, the shell is the command-line interpreter. You can think of a shell as
a translator between you and the computer system. Shells allow you to give commands to the
computer and receive responses from it. When you enter a command into a shell, the shell
executes many internal processes to interpret your command, send it to the kernel, and return
your results.
Types of shells
The many different types of Linux shells include the following:
 Bourne-Again Shell (bash)
 C Shell (csh)
 Korn Shell (ksh)

 Enhanced C shell (tcsh)
 Z Shell (zsh)
All Linux shells use common Linux commands, but they can differ in other features. For
example, ksh and bash use the dollar sign ($) to indicate where users type in their commands.
Other shells, such as zsh, use the percent sign (%) for this purpose.
Bash
Bash is the default shell in most Linux distributions. It’s considered a user-friendly shell. You
can use bash for basic Linux commands as well as larger projects.
Bash is also the most popular shell in the cybersecurity profession. You’ll use bash throughout
this course as you learn and practice Linux commands.
Key takeaways
Shells are a fundamental part of the Linux operating system. Shells allow you to give commands
to the computer and receive responses from it. They can be thought of as a translator between
you and your computer system. There are many different types of shells, but the bash shell is the
most commonly used shell in the cybersecurity profession. You’ll learn how to enter Linux
commands through the bash shell later in this course.

Application: A program that performs a specific task
Bash: The default shell in most Linux distributions
CentOS: An open-source distribution that is closely related to Red Hat
Central Processing Unit (CPU): A computer’s main processor, which is used to perform general
computing tasks on a computer
Command: An instruction telling the computer to do something

Digital forensics: The practice of collecting and analyzing data to determine what has happened after
an attack
Directory: A file that organizes where other files are stored
Distributions: The different versions of Linux
File path: The location of a file or directory
Filesystem Hierarchy Standard (FHS): The component of the Linux OS that organizes data
Graphical user interface (GUI): A user interface that uses icons on the screen to manage different
tasks on the computer
Hard drive: A hardware component used for long-term memory
Internal hardware: The components required to run the computer
Kali Linux ™: An open-source distribution of Linux that is widely used in the security industry
Kernel: The component of the Linux OS that manages processes and memory
Linux: An open source operating system
Package: A piece of software that can be combined with other packages to form an application
Package manager: A tool that helps users install, manage, and remove packages or applications
Parrot: An open-source distribution that is commonly used for security
Penetration test (pen test): A simulated attack that helps identify vulnerabilities in systems, networks,
websites, applications, and processes
Peripheral devices: Hardware components that are attached and controlled by the computer system
Random Access Memory (RAM): A hardware component used for short-term memory
Red Hat® Enterprise Linux® (also referred to simply as Red Hat in this course): A subscription-
based distribution of Linux built for enterprise use
Shell: The command-line interpreter
Standard error: An error message returned by the OS through the shell
Standard input: Information received by the OS via the command line
Standard output: Information returned by the OS through the shell

String data: Data consisting of an ordered sequence of characters
Ubuntu: An open-source, user-friendly distribution that is widely used in security and other industries
User: The person interacting with a computer
Navigate Linux and read file content

In this reading, you’ll review how to navigate the file system using Linux commands in Bash. You’ll
further explore the organization of the Linux Filesystem Hierarchy Standard, review several common
Linux commands for navigation and reading file content, and learn a couple of new commands.
Filesystem Hierarchy Standard (FHS)

Previously, you learned that the Filesystem Hierarchy Standard (FHS) is the component of Linux that
organizes data. The FHS is important because it defines how directories, directory contents, and
other storage is organized in the operating system.
This diagram illustrates the hierarchy of relationships under the FHS:
Under the FHS, a file’s location can be described by a file path. A file path is the location of a file or
directory. In the file path, the different levels of the hierarchy are separated by a forward slash ( /).
Root directory
The root directory is the highest-level directory in Linux, and it’s always represented with a forward
slash (/). All subdirectories branch off the root directory. Subdirectories can continue branching out
to as many levels as necessary.
Standard FHS directories

Directly below the root directory, you’ll find standard FHS directories. In the diagram, home, bin, and
etc are standard FHS directories. Here are a few examples of what standard directories contain:
 /home: Each user in the system gets their own home directory.
 /bin: This directory stands for “binary” and contains binary files and other executables.
Executables are files that contain a series of commands a computer needs to follow to run
programs and perform other functions.
 /etc: This directory stores the system’s configuration files.
 /tmp: This directory stores many temporary files. The /tmp directory is commonly used by
attackers because anyone in the system can modify data in these files.
 /mnt: This directory stands for “mount” and stores media, such as USB drives and hard
drives.
Pro Tip: You can use the man hier command to learn more about the FHS and its standard
directories.
User-specific subdirectories
Under home are subdirectories for specific users. In the diagram, these users are analyst and
analyst2. Each user has their own personal subdirectories, such as projects, logs, or reports.
Note: When the path leads to a subdirectory below the user’s home directory, the user’s home
directory can be represented as the tilde (~). For example, /home/analyst/logs can also be represented
as ~/logs.
You can navigate to specific subdirectories using their absolute or relative file paths. The absolute file
path is the full file path, which starts from the root. For example, /home/analyst/projects is an absolute
file path. The relative file path is the file path that starts from a user's current directory.
Note: Relative file paths can use a dot (.) to represent the current directory, or two dots (..) to
represent the parent of the current directory. An example of a relative file path could be ../projects.
Key commands for navigating the file system

The following Linux commands can be used to navigate the file system: pwd, ls, and cd.
pwd
The pwd command prints the working directory to the screen. Or in other words, it returns the
directory that you’re currently in.
The output gives you the absolute path to this directory. For example, if you’re in your home directory
and your username is analyst, entering pwd returns /home/analyst.
Pro Tip: To learn what your username is, use the whoami command. The whoami command returns
the username of the current user. For example, if your username is analyst, entering whoami returns
analyst.
ls
The ls command displays the names of the files and directories in the current working directory. For
example, in the video, ls returned directories such as logs, and a file called updates.txt.
Note: If you want to return the contents of a directory that’s not your current working directory, you
can add an argument after ls with the absolute or relative file path to the desired directory. For
example, if you’re in the /home/analyst directory but want to list the contents of its projects
subdirectory, you can enter ls /home/analyst/projects or just ls projects.
cd
The cd command navigates between directories. When you need to change directories, you should
use this command.
To navigate to a subdirectory of the current directory, you can add an argument after cd with the
subdirectory name. For example, if you’re in the /home/analyst directory and want to navigate to its
projects subdirectory, you can enter cd projects.
You can also navigate to any specific directory by entering the absolute file path. For example, if
you’re in /home/analyst/projects, entering cd /home/analyst/logs changes your current directory to
/home/analyst/logs.
Pro Tip: You can use the relative file path and enter cd .. to go up one level in the file structure. For
example, if the current directory is /home/analyst/projects, entering cd .. would change your working
directory to /home/analyst.
Common commands for reading file content

The following Linux commands are useful for reading file content: cat, head, tail, and less.
cat
The cat command displays the content of a file. For example, entering cat updates.txt returns
everything in the updates.txt file.
head
The head command displays just the beginning of a file, by default 10 lines. The head command can
be useful when you want to know the basic contents of a file but don’t need the full contents.
Entering head updates.txt returns only the first 10 lines of the updates.txt file.
Pro Tip: If you want to change the number of lines returned by head, you can specify the number of
lines by including -n. For example, if you only want to display the first five lines of the updates.txt file,
enter head -n 5 updates.txt.
tail
The tail command does the opposite of head. This command can be used to display just the end of a
file, by default 10 lines. Entering tail updates.txt returns only the last 10 lines of the updates.txt file.
Pro Tip: You can use tail to read the most recent information in a log file.
less
The less command returns the content of a file one page at a time. For example, entering less
updates.txt changes the terminal window to display the contents of updates.txt one page at a time.
This allows you to easily move forward and backward through the content.
Once you’ve accessed your content with the less command, you can use several keyboard controls
to move through the file:
 Space bar: Move forward one page
 b: Move back one page
 Down arrow: Move forward one line
 Up arrow: Move back one line
 q: Quit and return to the previous terminal window
Key takeaways
It’s important for security analysts to be able to navigate Linux and the file system of the FHS. Some
key commands for navigating the file system include pwd, ls, and cd. Reading file content is also an
important skill in the security profession. This can be done with commands such as cat, head, tail,
and less.
Filter content in Linux

In this reading, you’ll continue exploring Linux commands, which can help you filter for the
information you need. You’ll learn a new Linux command, find, which can help you search files and
directories for specific information.
Filtering for information
You previously explored how filtering for information is an important skill for security analysts.
Filtering is selecting data that match a certain condition. For example, if you had a virus in your
system that only affected the .txt files, you could use filtering to find these files quickly. Filtering
allows you to search based on specific criteria, such as file extension or a string of text.
grep
The grep command searches a specified file and returns all lines in the file containing a specified
string or text. The grep command commonly takes two arguments: a specific string to search for and
a specific file to search through.
For example, entering grep OS updates.txt returns all lines containing OS in the updates.txt file. In
this example, OS is the specific string to search for, and updates.txt is the specific file to search
through.
Let’s look at another example: grep error time_logs.txt. Here grep is used to search for the text
pattern. error is the term you are looking for in the time_logs.txt file. When you run this command,
grep will scan the time_logs.txt file and print only the lines containing the word error.
Piping
The pipe command is accessed using the pipe character (|). Piping sends the standard output of one
command as standard input to another command for further processing. As a reminder, standard
output is information returned by the OS through the shell, and standard input is information
received by the OS via the command line.
The pipe character (|) is located in various places on a keyboard. On many keyboards, it’s located on
the same key as the backslash character (\). On some keyboards, the | can look different and have a
small space through the middle of the line. If you can’t find the |, search online for its location on your
particular keyboard.
When used with grep, the pipe can help you find directories and files containing a specific word in
their names. For example, ls /home/analyst/reports | grep users returns the file and directory names in
the reports directory that contain users. Before the pipe, ls indicates to list the names of the files and
directories in reports. Then, it sends this output to the command after the pipe. In this case, grep
users returns all of the file or directory names containing users from the input it received.
Note: Piping is a general form of redirection in Linux and can be used for multiple tasks other than
filtering. You can think of piping as a general tool that you can use whenever you want the output of
one command to become the input of another command.
find
The find command searches for directories and files that meet specified criteria. There’s a wide
range of criteria that can be specified with find. For example, you can search for files and directories
that
 Contain a specific string in the name,
 Are a certain file size, or

 Were last modified within a certain time frame.
When using find, the first argument after find indicates where to start searching. For example,
entering find /home/analyst/projects searches for everything starting at the projects directory.
After this first argument, you need to indicate your criteria for the search. If you don’t include a
specific search criteria with your second argument, your search will likely return a lot of directories
and files.
Specifying criteria involves options. Options modify the behavior of a command and commonly begin
with a hyphen (-).
-name and -iname

One key criteria analysts might use with find is to find file or directory names that contain a specific
string. The specific string you’re searching for must be entered in quotes after the -name or -iname
options. The difference between these two options is that -name is case-sensitive, and -iname is not.
For example, you might want to find all files in the projects directory that contain the word “log” in the
file name. To do this, you’d enter find /home/analyst/projects -name "*log*". You could also enter
find /home/analyst/projects -iname "*log*".
In these examples, the output would be all files in the projects directory that contain log surrounded
by zero or more characters. The "*log*" portion of the command is the search criteria that indicates
to search for the string “log”. When -name is the option, files with names that include Log or LOG, for
example, wouldn’t be returned because this option is case-sensitive. However, they would be
returned when -iname is the option.
Note: An asterisk (*) is used as a wildcard to represent zero or more unknown characters.
-mtime
Security analysts might also use find to find files or directories last modified within a certain time
frame. The -mtime option can be used for this search. For example, entering find
/home/analyst/projects -mtime -3 returns all files and directories in the projects directory that have been
modified within the past three days.
The -mtime option search is based on days, so entering -mtime +1 indicates all files or directories last
modified more than one day ago, and entering -mtime -1 indicates all files or directories last modified
less than one day ago.
Note: The option -mmin can be used instead of -mtime if you want to base the search on minutes
rather than days.
Key takeaways
Filtering for information using Linux commands is an important skill for security analysts so that they
can customize data to fit their needs. Three key Linux commands for this are grep, piping (|), and
find. These commands can be used to navigate and filter for information in the file system.
Manage directories and files
Previously, you explored how to manage the file system using Linux commands. The following
commands were introduced: mkdir, rmdir, touch, rm, mv, and cp. In this reading, you’ll review these
commands, the nano text editor, and learn another way to write to files.
Creating and modifying directories

mkdir
The mkdir command creates a new directory. Like all of the commands presented in this reading,
you can either provide the new directory as the absolute file path, which starts from the root, or as a
relative file path, which starts from your current directory.
For example, if you want to create a new directory called network in your /home/analyst/logs directory,
you can enter mkdir /home/analyst/logs/network to create this new directory. If you’re already in the
/home/analyst/logs directory, you can also create this new directory by entering mkdir network.
Pro Tip: You can use the ls command to confirm the new directory was added.
rmdir
The rmdir command removes, or deletes, a directory. For example, entering rmdir
/home/analyst/logs/network would remove this empty directory from the file system.
Note: The rmdir command cannot delete directories with files or subdirectories inside. For example,
entering rmdir /home/analyst returns an error message.
Creating and modifying files

touch and rm
The touch command creates a new file. This file won’t have any content inside. If your current
directory is /home/analyst/reports, entering touch permissions.txt creates a new file in the reports
subdirectory called permissions.txt.
The rm command removes, or deletes, a file. This command should be used carefully because it’s
not easy to recover files deleted with rm. To remove the permissions file you just created, enter rm
permissions.txt.
Pro Tip: You can verify that permissions.txt was successfully created or removed by entering ls.
mv and cp
You can also use mv and cp when working with files. The mv command moves a file or directory to a
new location, and the cp command copies a file or directory into a new location. The first argument
after mv or cp is the file or directory you want to move or copy, and the second argument is the
location you want to move or copy it to.
To move permissions.txt into the logs subdirectory, enter mv permissions.txt /home/analyst/logs. Moving
a file removes the file from its original location. However, copying a file doesn’t remove it from its
original location. To copy permissions.txt into the logs subdirectory while also keeping it in its original
location, enter cp permissions.txt /home/analyst/logs.
Note: The mv command can also be used to rename files. To rename a file, pass the new name in
as the second argument instead of the new location. For example, entering mv permissions.txt
perm.txt renames the permissions.txt file to perm.txt.
nano text editor

nano is a command-line file editor that is available by default in many Linux distributions. Many
beginners find it easy to use, and it’s widely used in the security profession. You can perform
multiple basic tasks in nano, such as creating new files and modifying file contents.
To open an existing file in nano from the directory that contains it, enter nano followed by the file
name. For example, entering nano permissions.txt from the /home/analyst/reports directory opens a
new nano editing window with the permissions.txt file open for editing. You can also provide the
absolute file path to the file if you’re not in the directory that contains it.
You can also create a new file in nano by entering nano followed by a new file name. For example,
entering nano authorized_users.txt from the /home/analyst/reports directory creates the
authorized_users.txt file within that directory and opens it in a new nano editing window.
Since there isn't an auto-saving feature in nano, it’s important to save your work before exiting. To
save a file in nano, use the keyboard shortcut Ctrl + O. You’ll be prompted to confirm the file name
before saving. To exit out of nano, use the keyboard shortcut Ctrl + X.
Note: Vim and Emacs are also popular command-line text editors.
Standard output redirection

There’s an additional way you can write to files. Previously, you learned about standard input and
standard output. Standard input is information received by the OS via the command line, and
standard output is information returned by the OS through the shell.
You’ve also learned about piping. Piping sends the standard output of one command as standard
input to another command for further processing. It uses the pipe character ( |).
In addition to the pipe (|), you can also use the right angle bracket (>) and double right angle bracket
(>>) operators to redirect standard output.
When used with echo, the > and >> operators can be used to send the output of echo to a specified
file rather than the screen. The difference between the two is that > overwrites your existing file, and
>> adds your content to the end of the existing file instead of overwriting it. The > operator should be
used carefully, because it’s not easy to recover overwritten files.
When you’re inside the directory containing the permissions.txt file, entering echo "last updated date"
>> permissions.txt adds the string “last updated date” to the file contents. Entering echo "time" >
permissions.txt after this command overwrites the entire file contents of permissions.txt with the string
“time”.
Note: Both the > and >> operators will create a new file if one doesn’t already exist with your
specified name.
Key takeaways
Knowing how to manage the file system in Linux is an important skill for security analysts. Useful
commands for this include: mkdir, rmdir, touch, rm, mv, and cp. When security analysts need to write
to files, they can use the nano text editor, or the > and >> operators.
Permission commands
Previously, you explored file permissions and the commands that you can use to display and
change them. In this reading, you’ll review these concepts and also focus on an example of how
these commands work together when putting the principle of least privilege into practice.
Reading permissions
In Linux, permissions are represented with a 10-character string. Permissions include:
 read: for files, this is the ability to read the file contents; for directories, this is the ability
to read all contents in the directory including both files and subdirectories
 write: for files, this is the ability to make modifications on the file contents; for
directories, this is the ability to create new files in the directory
 execute: for files, this is the ability to execute the file if it’s a program; for directories,
this is the ability to enter the directory and access its files
These permissions are given to these types of owners:
 user: the owner of the file
 group: a larger group that the owner is a part of

 other: all other users on the system
Each character in the 10-character string conveys different information about these permissions.
The following table describes the purpose of each character:
Character Example Meaning

file type
 d for directory
1st drwxrwxrwx
 - for a regular file
read permissions for the user
 r if the user has read permissions

2nd drwxrwxrwx
 - if the user lacks read permissions
write permissions for the user
 w if the user has write permissions

3rd drwxrwxrwx
 - if the user lacks write permissions
execute permissions for the user
 x if the user has execute permissions

4th drwxrwxrwx
 - if the user lacks execute permissions
read permissions for the group
 r if the group has read permissions

5th drwxrwxrwx
 - if the group lacks read permissions
write permissions for the group
 w if the group has write permissions

6th drwxrwxrwx
 - if the group lacks write permissions
7th drwxrwxrwx execute permissions for the group

Character Example Meaning
 x if the group has execute permissions
 - if the group lacks execute permissions
read permissions for other
 r if the other owner type has read permissions

8th drwxrwxrwx
 - if the other owner type lacks read permissions
write permissions for other
 w if the other owner type has write permissions

9th drwxrwxrwx
 - if the other owner type lacks write permissions
execute permissions for other
 x if the other owner type has execute permissions

10th drwxrwxrwx
 - if the other owner type lacks execute permissions
Exploring existing permissions

You can use the ls command to investigate who has permissions on files and directories.
Previously, you learned that ls displays the names of files in directories in the current working
directory.
There are additional options you can add to the ls command to make your command more
specific. Some of these options provide details about permissions. Here are a few important ls
options for security analysts:
 ls -a: Displays hidden files. Hidden files start with a period (.) at the beginning.
 ls -l: Displays permissions to files and directories. Also displays other additional
information, including owner name, group, file size, and the time of last modification.
 ls -la: Displays permissions to files and directories, including hidden files. This is a
combination of the other two options.
Changing permissions
The principle of least privilege is the concept of granting only the minimal access and
authorization required to complete a task or function. In other words, users should not have
privileges that are beyond what is necessary. Not following the principle of least privilege can
create security risks.
The chmod command can help you manage this authorization. The chmod command changes
permissions on files and directories.
Using chmod
The chmod command requires two arguments. The first argument indicates how to change
permissions, and the second argument indicates the file or directory that you want to change
permissions for. For example, the following command would add all permissions to
login_sessions.txt:
chmod u+rwx,g+rwx,o+rwx login_sessions.txt
If you wanted to take all the permissions away, you could use
chmod u-rwx,g-rwx,o-rwx login_sessions.txt
Another way to assign these permissions is to use the equals sign (=) in this first argument. Using
= with chmod sets, or assigns, the permissions exactly as specified. For example, the following
command would set read permissions for login_sessions.txt for user, group, and other:
chmod u=r,g=r,o=r login_sessions.txt
This command overwrites existing permissions. For instance, if the user previously had write
permissions, these write permissions are removed after you specify only read permissions with =.
The following table reviews how each character is used within the first argument of chmod:
Character Description
u indicates changes will be made to user permissions
g indicates changes will be made to group permissions
o indicates changes will be made to other permissions
+ adds permissions to the user, group, or other
- removes permissions from the user, group, or other
= assigns permissions for the user, group, or other
Note: When there are permission changes to more than one owner type, commas are needed to
separate changes for each owner type. You should not add spaces after those commas.
The principle of least privilege in action

As a security analyst, you may encounter a situation like this one: There’s a file called
bonuses.txt within a compensation directory. The owner of this file is a member of the Human
Resources department with a username of hrrep1. It has been decided that hrrep1 needs access
to this file. But, since this file contains confidential information, no one else in the hr group
needs access.
You run ls -l to check the permissions of files in the compensation directory and discover that the
permissions for bonuses.txt are -rw-rw----. The group owner type has read and write permissions
that do not align with the principle of least privilege.
To remedy the situation, you input chmod g-rw bonuses.txt. Now, only the user who needs to
access this file to carry out their job responsibilities can access this file.
Key takeaways
Managing directory and file permissions may be a part of your work as a security analyst. Using
ls with the -l and -la options allows you to investigate directory and file permissions. Using
chmod allows you to change user permissions and ensure they are aligned with the principle of
least privilege.
Mark as completed
Like
Dislike
Report an issue
Responsible use of sudo

Previously, you explored authorization, authentication, and Linux commands with sudo, useradd, and
userdel. The sudo command is important for security analysts because it allows users to have
elevated permissions without risking the system by running commands as the root user. You’ll
continue exploring authorization, authentication, and Linux commands in this reading and learn two
more commands that can be used with sudo: usermod and chown.
Responsible use of sudo

To manage authorization and authentication, you need to be a root user, or a user with elevated
privileges to modify the system. The root user can also be called the “super user.” You become a
root user by logging in as the root user. However, running commands as the root user is not
recommended in Linux because it can create security risks if malicious actors compromise that
account. It’s also easy to make irreversible mistakes, and the system can’t track who ran a
command. For these reasons, rather than logging in as the root user, it’s recommended you use
sudo in Linux when you need elevated privileges.
The sudo command temporarily grants elevated permissions to specific users. The name of this
command comes from “super user do.” Users must be given access in a configuration file to use
sudo. This file is called the “sudoers file.” Although using sudo is preferable to logging in as the root
user, it's important to be aware that users with the elevated permissions to use sudo might be more
at risk in the event of an attack.
You can compare this to a hotel with a master key. The master key can be used to access any room
in the hotel. There are some workers at the hotel who need this key to perform their work. For
example, to clean all the rooms, the janitor would scan their ID badge and then use this master key.
However, if someone outside the hotel’s network gained access to the janitor’s ID badge and master
key, they could access any room in the hotel. In this example, the janitor with the master key
represents a user using sudo for elevated privileges. Because of the dangers of sudo, only users who
really need to use it should have these permissions.
Additionally, even if you need access to sudo, you should be careful about using it with only the
commands you need and nothing more. Running commands with sudo allows users to bypass the
typical security controls that are in place to prevent elevated access to an attacker.
Note: Be aware of sudo if copying commands from an online source. It’s important you don’t use sudo
accidentally.
Authentication and authorization with sudo

You can use sudo with many authentication and authorization management tasks. As a reminder,
authentication is the process of verifying who someone is, and authorization is the concept of
granting access to specific resources in a system. Some of the key commands used for these tasks
include the following:
useradd
The useradd command adds a user to the system. To add a user with the username of fgarcia with
sudo, enter sudo useradd fgarcia. There are additional options you can use with useradd:
 -g: Sets the user’s default group, also called their primary group
 -G: Adds the user to additional groups, also called supplemental or secondary groups
To use the -g option, the primary group must be specified after -g. For example, entering sudo
useradd -g security fgarcia adds fgarcia as a new user and assigns their primary group to be security.
To use the -G option, the supplemental group must be passed into the command after -G. You can
add more than one supplemental group at a time with the -G option. Entering sudo useradd -G
finance,admin fgarcia adds fgarcia as a new user and adds them to the existing finance and admin
groups.
usermod
The usermod command modifies existing user accounts. The same -g and -G options from the
useradd command can be used with usermod if a user already exists.
To change the primary group of an existing user, you need the -g option. For example, entering sudo
usermod -g executive fgarcia would change fgarcia’s primary group to the executive group.
To add a supplemental group for an existing user, you need the -G option. You also need a -a option,
which appends the user to an existing group and is only used with the -G option. For example,
entering sudo usermod -a -G marketing fgarcia would add the existing fgarcia user to the supplemental
marketing group.
Note: When changing the supplemental group of an existing user, if you don't include the -a option, -
G will replace any existing supplemental groups with the groups specified after usermod. Using -a
with -G ensures that the new groups are added but existing groups are not replaced.
There are other options you can use with usermod to specify how you want to modify the user,
including:
 -d: Changes the user’s home directory.
 -l: Changes the user’s login name.
 -L: Locks the account so the user can’t log in.
The option always goes after the usermod command. For example, to change fgarcia’s home
directory to /home/garcia_f, enter sudo usermod -d /home/garcia_f fgarcia. The option -d directly follows
the command usermod before the other two needed arguments.
userdel
The userdel command deletes a user from the system. For example, entering sudo userdel fgarcia
deletes fgarcia as a user. Be careful before you delete a user using this command.
The userdel command doesn’t delete the files in the user’s home directory unless you use the -r
option. Entering sudo userdel -r fgarcia would delete fgarcia as a user and delete all files in their home
directory. Before deleting any user files, you should ensure you have backups in case you need
them later.
Note: Instead of deleting the user, you could consider deactivating their account with usermod -L.
This prevents the user from logging in while still giving you access to their account and associated
permissions. For example, if a user left an organization, this option would allow you to identify which
files they have ownership over, so you could move this ownership to other users.
chown
The chown command changes ownership of a file or directory. You can use chown to change user or
group ownership. To change the user owner of the access.txt file to fgarcia, enter sudo chown fgarcia
access.txt. To change the group owner of access.txt to security, enter sudo chown :security access.txt.
You must enter a colon (:) before security to designate it as a group name.
Similar to useradd, usermod, and userdel, there are additional options that can be used with chown.
Key takeaways
Authentication is the process of a user verifying their identity, and authorization is the process of
determining what they have access to. You can use the sudo command to temporarily run
commands with elevated privileges to complete authentication and authorization management tasks.
Specifically, useradd, userdel, usermod, and chown can be used to manage users and file ownership.
Linux resources
Previously, you were introduced to the Linux community and some resources that exist to help Linux
users. Linux has many options available to give users the information they need. This reading will
review these resources. When you’re aware of the resources available to you, you can continue to
learn Linux independently. You can also discover even more ways that Linux can support your work
as a security analyst.
Linux community
Linux has a large online community, and this is a huge resource for Linux users of all levels. You can
likely find the answers to your questions with a simple online search. Troubleshooting issues by
searching and reading online is an effective way to discover how others approached your issue. It’s
also a great way for beginners to learn more about Linux.
The UNIX and Linux Stack Exchange is a trusted resource for troubleshooting Linux issues. The
Unix and Linux Stack Exchange is a question and answer website where community members can
ask and answer questions about Linux. Community members vote on answers, so the higher quality
answers are displayed at the top. Many of the questions are related to specific topics from advanced
users, and the topics might help you troubleshoot issues as you continue using Linux.
Integrated Linux support

Linux also has several commands that you can use for support.
man
The man command displays information on other commands and how they work. It’s short for
“manual.” To search for information on a command, enter the command after man. For example,
entering man chown returns detailed information about chown, including the various options you can
use with it. The output of the man command is also called a “man page.”
apropos
The apropos command searches the man page descriptions for a specified string. Man pages can be
lengthy and difficult to search through if you’re looking for a specific keyword. To use apropos, enter
the keyword after apropos.
You can also include the -a option to search for multiple words. For example, entering apropos -a
graph editor outputs man pages that contain both the words “graph" and "editor” in their descriptions.
whatis
The whatis command displays a description of a command on a single line. For example, entering
whatis nano outputs the description of nano. This command is useful when you don't need a detailed
description, just a general idea of the command. This might be as a reminder. Or, it might be after
you discover a new command through a colleague or online resource and want to know more.
Key takeaways
There are many resources available for troubleshooting issues or getting support for Linux. Linux
has a large global community of users who ask and answer questions on online resources, such as
the Unix and Linux Stack Exchange. You can also use integrated support commands in Linux, such
as man, apropos, and whatis.

Absolute file path: The full file path, which starts from the root
Argument (Linux): Specific information needed by a command
Authentication: The process of verifying who someone is
Authorization: The concept of granting access to specific resources in a system
Bash: The default shell in most Linux distributions
Command: An instruction telling the computer to do something
Filesystem Hierarchy Standard (FHS): The component of the Linux OS that organizes data
Filtering: Selecting data that match a certain condition

nano: A command-line file editor that is available by default in many Linux distributions
Options: Input that modifies the behavior of a command
Permissions: The type of access granted for a file or directory
Principle of least privilege: The concept of granting only the minimal access and authorization
required to complete a task or function
Relative file path: A file path that starts from the user's current directory
Root directory: The highest-level directory in Linux
Root user (or superuser): A user with elevated privileges to modify the system
Standard input: Information received by the OS via the command line
Standard output: Information returned by the OS through the shell

Mark as completed
SQL filtering versus Linux filtering

Previously, you explored the Linux commands that allow you to filter for specific information
contained within files or directories. And, more recently, you examined how SQL helps you
efficiently filter for the information you need. In this reading, you'll explore differences between
the two tools as they relate to filtering. You'll also learn that one way to access SQL is through
the Linux command line.
Accessing SQL
There are many interfaces for accessing SQL and many different versions of SQL. One way to
access SQL is through the Linux command line.
To access SQL from Linux, you need to type in a command for the version of SQL that you want
to use. For example, if you want to access SQLite, you can enter the command sqlite3 in the
command line.
After this, any commands typed in the command line will be directed to SQL instead of Linux
commands.
Differences between Linux and SQL filtering
Although both Linux and SQL allow you to filter through data, there are some differences that
affect which one you should choose.
Purpose
Linux filters data in the context of files and directories on a computer system. It’s used for tasks
like searching for specific files, manipulating file permissions, or managing processes.
SQL is used to filter data within a database management system. It’s used for querying and
manipulating data stored in tables and retrieving specific information based on defined criteria.
Syntax
Linux uses various commands and command-line options specific to each filtering tool. Syntax
varies depending on the tool and purpose. Some examples of Linux commands are find, sed, cut,
e grep
SQL uses the Structured Query Language (SQL), a standardized language with specific
keywords and clauses for filtering data across different SQL databases. Some examples of SQL
keywords and clauses are WHERE, SELECT, JOIN
Structure
SQL offers a lot more structure than Linux, which is more free-form and not as tidy.
For example, if you wanted to access a log of employee log-in attempts, SQL would have each
record separated into columns. Linux would print the data as a line of text without this
organization. As a result, selecting a specific column to analyze would be easier and more
efficient in SQL.
In terms of structure, SQL provides results that are more easily readable and that can be adjusted
more quickly than when using Linux.
Joining tables
Some security-related decisions require information from different tables. SQL allows the
analyst to join multiple tables together when returning data. Linux doesn’t have that same
functionality; it doesn’t allow data to be connected to other information on your computer. This
is more restrictive for an analyst going through security logs.
Best uses
As a security analyst, it’s important to understand when you can use which tool. Although SQL
has a more organized structure and allows you to join tables, this doesn’t mean that there aren’t
situations that would require you to filter data in Linux.
A lot of data used in cybersecurity will be stored in a database format that works with SQL.
However, other logs might be in a format that is not compatible with SQL. For instance, if the
data is stored in a text file, you cannot search through it with SQL. In those cases, it is useful to
know how to filter in Linux.
Key takeaways
Linux filtering focuses on managing files and directories on a system, while SQL filtering
focuses on structured data manipulation within databases. To work with SQL, you can access it
from multiple different interfaces, such as the Linux command line. Both SQL and Linux allow
you to filter for specific data, but SQL offers the advantages of structuring the data and allowing
you to join data from multiple tables.
Mark as completed
Like
Dislike
Report an issue
Query a database
Previously, you explored how SQL is an important tool in the world of cybersecurity and is essential
when querying databases. You examined a few basic SQL queries and keywords used to extract
needed information from a database. In this reading, you’ll review those basic SQL queries and learn
a new keyword that will help you organize your output. You'll also learn about the Chinook database,
which this course uses for queries in readings and quizzes.
Basic SQL query

There are two essential keywords in any SQL query: SELECT and FROM. You will use these
keywords every time you want to query a SQL database. Using them together helps SQL identify
what data you need from a database and the table you are returning it from.
The video demonstrated this SQL query:
SELECT employee_id, device_id
FROM employees;
In readings and quizzes, this course uses a sample database called the Chinook database to run
queries. The Chinook database includes data that might be created at a digital media company. A
security analyst employed by this company might need to query this data. For example, the
database contains eleven tables, including an employees table, a customers table, and an invoices
table. These tables include data such as names and addresses.
As an example, you can run this query to return data from the customers table of the Chinook
database:
SELECT customerid, city, country
FROM customers;
RunReset
SELECT
The SELECT keyword indicates which columns to return. For example, you can return the customerid
column from the Chinook database with
SELECT customerid
You can also select multiple columns by separating them with a comma. For example, if you want to
return both the customerid and city columns, you should write SELECT customerid, city.
If you want to return all columns in a table, you can follow the SELECT keyword with an asterisk (*).
The first line in the query will be SELECT *.
Note: Although the tables you're querying in this course are relatively small, using SELECT * may not
be advisable when working with large databases and tables; in those cases, the final output may be
difficult to understand and might be slow to run.
FROM
The SELECT keyword always comes with the FROM keyword. FROM indicates which table to query.
To use the FROM keyword, you should write it after the SELECT keyword, often on a new line, and
follow it with the name of the table you’re querying. If you want to return all columns from the
customers table, you can write:
SELECT *
FROM customers;
When you want to end the query here, you put a semicolon (;) at the end to tell SQL that this is the
entire query.
Note: Line breaks are not necessary in SQL queries, but are often used to make the query easier to
understand. If you prefer, you can also write the previous query on one line as
SELECT * FROM customers;
ORDER BY
Database tables are often very complicated, and this is where other SQL keywords come in handy.
ORDER BY is an important keyword for organizing the data you extract from a table.
ORDER BY sequences the records returned by a query based on a specified column or columns.
This can be in either ascending or descending order.
Sorting in ascending order

To use the ORDER BY keyword, write it at the end of the query and specify a column to base the
sort on. In this example, SQL will return the customerid, city, and country columns from the customers
table, and the records will be sequenced by the city column:
FROM customers
ORDER BY city;
RunReset
The ORDER BY keyword sorts the records based on the column specified after this keyword. By
default, as shown in this example, the sequence will be in ascending order. This means
 if you choose a column containing numeric data, it sorts the output from the smallest to
largest. For example, if sorting on customerid, the ID numbers are sorted from smallest to
largest.
 if the column contains alphabetic characters, such as in the example with the city column, it
orders the records from the beginning of the alphabet to the end.
Sorting in descending order

You can also use the ORDER BY with the DESC keyword to sort in descending order. The DESC
keyword is short for "descending" and tells SQL to sort numbers from largest to smallest, or
alphabetically from Z to A. This can be done by following ORDER BY with the DESC keyword. For
example, you can run this query to examine how the results differ when DESC is applied:

FROM customers
ORDER BY city DESC;

RunReset
Now, cities at the end of the alphabet are listed first.
Sorting based on multiple columns

You can also choose multiple columns to order by. For example, you might first choose the country
and then the city column. SQL then sorts the output by country, and for rows with the same country,
it sorts them based on city. You can run this to explore how SQL displays this:
FROM customers
ORDER BY country, city;

RunReset
Key takeaways
SELECT and FROM are important keywords in SQL queries. You use SELECT to indicate which
columns to return and FROM to indicate which table to query. You can also include ORDER BY in
your query to organize the output. These foundational SQL skills will support you as you move into
more advanced queries.
Resources for completing SQL labs

This course features hands-on lab activities where you’ll have the opportunity to practice using
SQL queries in the terminal. You’ll use a platform called Qwiklabs to complete these labs. In
this reading, you’ll learn how to use Qwiklabs.
This reading first provides a section on how to use Qwiklabs, which includes details on how to
launch a lab, how to interact within the Qwiklabs environment, and how to end a lab. This is
followed by another section on helpful navigation tips and keyboard shortcuts; these may be
useful when working in the terminal.
Note: You will not launch Qwiklabs directly from this reading and instead will do this through
lab activities and exemplars that you encounter throughout the course.
How to use Qwiklabs

Launching Qwiklabs
When you select a lab, you start from a Coursera page. You will need to click Launch App on
that page. After you click Launch App, a new tab will open with a Qwiklabs page that contains
instructions for that particular lab.
Start Lab button

On the Qwiklabs page, you must click Start Lab to open a temporary terminal. The instructions
for the lab will move to the right side of the screen.
Read the instructions and complete all the tasks in the lab by entering commands in the terminal.
Note: It may take a moment for the terminal to start.
Lab control dialog box

After you click Start Lab, the lab control dialog box opens. It contains the End Lab button, the
timer, and the Open Linux Console button.
You can hide or unhide the dialog box by clicking the following icon in the red box:
The timer
The timer starts when the terminal has loaded. The timer keeps track of the amount of time you
have left to complete a lab. The timer counts down until it reaches 00:00:00. When it does, your
temporary terminal and resources are deleted.
You will have ample time to complete the labs. But, stay focused on completing the tasks to
ensure you use your time well.
Open Linux Console button

When you click the button to Open Linux Console, the terminal opens in a new browser
window:
Use this feature if you want a full-screen view of the terminal. You can close this window at any
time. Closing the window does not end your lab, and you can continue working in the terminal in
the original tab.
Check progress
You can check your progress by clicking Check my progress at the end of each task.
If you haven’t yet completed a task, you’ll receive hints on what you must do to complete it.
You can click Check my progress whenever you want to check the completion status of a task
or receive a hint.
Using copy/paste commands
The first time you try to use copy or paste keyboard shortcuts (such as CTRL + C), you’ll
receive a pop-up requesting permission to use your device’s clipboard:
“googlecoursera.qwiklabs.com wants to see text and images copied to the clipboard.” Please
click Allow if you would like to be able to use these shortcuts in the Qwiklabs platform. If you
choose not to allow Qwiklabs access to your clipboard, you cannot use keyboard shortcuts but
you can still complete the lab.
Code block
Certain steps may include a code block. Click the copy button to copy the code provided and
then paste it into the terminal.
To paste code or other text content that you have copied from the instructions into the terminal,
activate the terminal by clicking anywhere inside it. The terminal is active when the cursor in the
terminal changes from a static empty outline to a flashing solid block.
Once the terminal is active, use the keyboard shortcut CTRL + V (hold down the CTRL key
and press the V key) to insert the copied text into the terminal at the location of the flashing
cursor.
Scrolling
In certain situations, you may want to scroll within the terminal window. To do so, use the scroll
wheel on your mouse or the touchpad of your computer.
End Lab button
Finally, click End Lab when you’ve completed the tasks in the lab.
Note: Don't click End Lab until you're finished; you'll lose access to the work you've done
throughout the lab.
Tracking progress on Coursera

If you complete a lab but your progress hasn’t been tracked on Coursera, you may need to
refresh the page for your progress to be registered. Once you complete the lab and refresh the
page, the green check mark should appear.
Helpful navigation tips and keyboard shortcuts

The following contains a list of navigation tips and keyboard shortcuts you may find useful when
completing your SQL labs. Your cursor must be in the terminal window to use these navigation
tips and keyboard shortcuts.
 CTRL + C: Terminates a command that is currently running; from the instructions

portion of Qwiklabs, you can use CTRL + C to copy, but within the terminal, it will only
terminate a command and if one isn't running, it will exit out of the MariaDB shell; if you
unintentionally exit, you can reconnect by running the sudo mysql organization
command
 CTRL + V: Pastes text
 CTRL + L: Clears the terminal screen; within MariaDB, you must use CTRL + L and
cannot use clear
 \c + Enter: Clears the current input
 CTRL + A: Sets your cursor at the beginning of a command
 CTRL + E: Sets your cursor at the end of a command

 Left arrow key: Moves left within a command
 Right arrow key: Moves right within a command
 Up arrow key: Provides the last command you entered into the command line; can be
entered multiple times to go through multiple commands from the command history
 Down arrow key: Provides the next command in the command history; must be after
using the up arrow key
 Tab key: Provides available suggestions for completing your text
Note: If you unintentionally exit the organization database in the MariaDB shell, you can
reconnect by running the sudo mysql organization command.
Key takeaways
Knowing how to navigate Qwiklabs will be useful as you complete the labs throughout this
course. These labs can help you practice what you’ve learned in an interactive environment.
Mark as completed
Like
Dislike
Report an issue
The WHERE clause and basic operators

Previously, you focused on how to refine your SQL queries by using the WHERE clause to filter
results. In this reading, you’ll further explore how to use the WHERE clause, the LIKE operator and
the percentage sign (%) wildcard. You’ll also be introduced to the underscore (_), another wildcard
that can help you filter queries.
How filtering helps

As a security analyst, you'll often be responsible for working with very large and complicated security
logs. To find the information you need, you'll often need to use SQL to filter the logs.
In a cybersecurity context, you might use filters to find the login attempts of a specific user or all
login attempts made at the time of a security issue. As another example, you might filter to find the
devices that are running a specific version of an application.
WHERE
To create a filter in SQL, you need to use the keyword WHERE. WHERE indicates the condition for a
filter.
If you needed to email employees with a title of IT Staff, you might use a query like the one in the
following example. You can run this example to examine what it returns:
SELECT firstname, lastname, title, email
FROM employees
WHERE title = 'IT Staff';

RunReset
Rather than returning all records in the employees table, this WHERE clause instructs SQL to return
only those that contain 'IT Staff' in the title column. It uses the equals sign (=) operator to set this
condition.
Note: You should place the semicolon (;) where the query ends. When you add a filter to a basic
query, the semicolon is after the filter.
Filtering for patterns

You can also filter based on a pattern. For example, you can identify entries that start or end with a
certain character or characters. Filtering for a pattern requires incorporating two more elements into
your WHERE clause:
 a wildcard
 the LIKE operator
Wildcards
A wildcard is a special character that can be substituted with any other character. Two of the most
useful wildcards are the percentage sign (%) and the underscore (_):
 The percentage sign substitutes for any number of other characters.
 The underscore symbol only substitutes for one other character.

These wildcards can be placed after a string, before a string, or in both locations depending on the
pattern you’re filtering for.
The following table includes these wildcards applied to the string 'a' and examples of what each
pattern would return.
Pattern Results that could be returned

'a%' apple123, art, a
'a_' as, an, a7
'a__' ant, add, a1c
'%a' pizza, Z6ra, a
'_a' ma, 1a, Ha
'%a%' Again, back, a
'_a_' Car, ban, ea7
LIKE
To apply wildcards to the filter, you need to use the LIKE operator instead of an equals sign (=).
LIKE is used with WHERE to search for a pattern in a column.
For instance, if you want to email employees with a title of either 'IT Staff' or 'IT Manager', you can
use LIKE operator combined with the % wildcard:
SELECT lastname, firstname, title, email
FROM employees
WHERE title LIKE 'IT%';

RunReset
This query returns all records with values in the title column that start with the pattern of 'IT'. This
means both 'IT Staff' and 'IT Manager' are returned.
As another example, if you want to search through the invoices table to find all customers located in
states with an abbreviation of 'NY', 'NV', 'NS' or 'NT', you can use the 'N_' pattern on the state
column:
SELECT firstname,lastname, state, country
FROM customers
WHERE state LIKE 'N_';
RunReset
This returns all the records with state abbreviations that follow this pattern.
Key takeaways
Filters are important when refining what your query returns. WHERE is an essential keyword for
adding a filter to your query. You can also filter for patterns by combining the LIKE operator with the
percentage sign (%) and the underscore (_) wildcards.
Operators for filtering dates and numbers

Previously, you examined operators like less than (<) or greater than (>) and explored how they can
be used in filtering numeric and date and time data types. This reading summarizes what you
learned and provides new examples of using operators in filters.
Numbers, dates, and times in cybersecurity

Security analysts work with more than just string data, or data consisting of an ordered sequence of
characters.
They also frequently work with numeric data, or data consisting of numbers. A few examples of
numeric data that you might encounter in your work as a security analyst include:
 the number of login attempts
 the count of a specific type of log entry
 the volume of data being sent from a source
 the volume of data being sent to a destination
You'll also encounter date and time data, or data representing a date and/or time. As a first example,
logs will generally timestamp every record. Other time and date data might include:
 login dates
 login times
 dates for patches
 the duration of a connection
Comparison operators
In SQL, filtering numeric and date and time data often involves operators. You can use the following
operators in your filters to make sure you return only the rows you need:
operator use
< less than
> greater than
= equal to
<= less than or equal to
>= greater than or equal to
<> not equal to
Note: You can also use != as an alternative operator for not equal to.
Incorporating operators into filters

These comparison operators are used in the WHERE clause at the end of a query. The following
query uses the > operator to filter the birthdate column. You can run this query to explore its output:
SELECT firstname, lastname, birthdate
FROM employees
WHERE birthdate > '1970-01-01';

RunReset
This query returns the first and last names of employees born after, but not on, '1970-01-01' (or
January 1, 1970). If you were to use the >= operator instead, the results would also include results
on exactly '1970-01-01'.
In other words, the > operator is exclusive and the >= operator is inclusive. An exclusive operator is
an operator that does not include the value of comparison. An inclusive operator is an operator that
includes the value of comparison.
BETWEEN
Another operator used for numeric data as well as date and time data is the BETWEEN operator.
BETWEEN filters for numbers or dates within a range. For example, if you want to find the first and
last names of all employees hired between January 1, 2002 and January 1, 2003, you can use the
BETWEEN operator as follows:
1
SELECT firstname, lastname, hiredate
FROM employees
WHERE hiredate BETWEEN '2002-01-01' AND '2003-01-01';

RunReset
Note: The BETWEEN operator is inclusive. This means records with a hiredate of January 1, 2002 or
January 1, 2003 are included in the results of the previous query.
Key takeaways
Operators are important when filtering numeric and date and time data. These include exclusive
operators such as < and inclusive operators such as <=. The BETWEEN operator, another inclusive
operator, helps you return the data you need within a range.
More on filters with AND, OR, and NOT

Previously, you explored how to add filters containing the AND, OR, and NOT operators to your
SQL queries. In this reading, you'll continue to explore how these operators can help you refine
your queries.
Logical operators
AND, OR, and NOT allow you to filter your queries to return the specific information that will
help you in your work as a security analyst. They are all considered logical operators.
AND
First, AND is used to filter on two conditions. AND specifies that both conditions must be met
simultaneously.
As an example, a cybersecurity concern might affect only those customer accounts that meet
both the condition of being handled by a support representative with an ID of 5 and the condition
of being located in the USA. To find the names and emails of those specific customers, you
should place the two conditions on either side of the AND operator in the WHERE clause:
SELECT firstname, lastname, email, country, supportrepid
FROM customers
WHERE supportrepid = 5 AND country = 'USA';

RunReset
Running this query returns four rows of information about the customers. You can use this
information to contact them about the security concern.
OR
The OR operator also connects two conditions, but OR specifies that either condition can be met.
It returns results where the first condition, the second condition, or both are met.
For example, if you are responsible for finding all customers who are either in the USA or
Canada so that you can communicate information about a security update, you can use an OR
operator to find all the needed records. As the following query demonstrates, you should place
the two conditions on either side of the OR operator in the WHERE clause:
SELECT firstname, lastname, email, country
FROM customers
WHERE country = 'Canada' OR country = 'USA';

RunReset
The query returns all customers in either the US or Canada.

Note: Even if both conditions are based on the same column, you need to write out both full
conditions. For instance, the query in the previous example contains the filter WHERE country
= 'Canada' OR country = 'USA'.
NOT
Unlike the previous two operators, the NOT operator only works on a single condition, and not
on multiple ones. The NOT operator negates a condition. This means that SQL returns all
records that don’t match the condition specified in the query.
For example, if a cybersecurity issue doesn't affect customers in the USA but might affect those
in other countries, you can return all customers who are not in the USA. This would be more
efficient than creating individual conditions for all of the other countries. To use the NOT
operator for this task, write the following query and place NOT directly after WHERE:
FROM customers
WHERE NOT country = 'USA';

RunReset
SQL returns every entry where the customers are not from the USA.
Pro tip: Another way of finding values that are not equal to a certain value is by using the <>
operator or the != operator. For example, WHERE country <> 'USA' and WHERE country !=
'USA' are the same filters as WHERE NOT country = 'USA'.
Combining logical operators

Logical operators can be combined in filters. For example, if you know that both the USA and
Canada are not affected by a cybersecurity issue, you can combine operators to return customers
in all countries besides these two. In the following query, NOT is placed before the first
condition, it's joined to a second condition with AND, and then NOT is also placed before that
second condition. You can run it to explore what it returns:

FROM customers
WHERE NOT country = 'Canada' AND NOT country = 'USA';

RunReset
Key takeaways
Logical operators allow you to create more specific filters that target the security-related
information you need. The AND operator requires two conditions to be true simultaneously, the
OR operator requires either one or both conditions to be true, and the NOT operator negates a
condition. Logical operators can be combined together to create even more specific queries.
Portfolio Activity Exemplar: Apply filters to SQL

queries
Here is a completed exemplar along with an explanation of how the exemplar fulfills the expectations
for the activity.
Completed Exemplar
To review the exemplar for this course item, click the following link and select Use Template.
Link to exemplar: Apply filters to SQL queries
OR
If you don’t have a Google account, you can download the exemplar directly from the following
attachment.
Apply filters to SQL queries exemplar
DOCX File
Compare the exemplar to your completed activity. Review your work using each of the criteria in the
exemplar. What did you do well? Where can you improve? Use your answers to these questions to
revise your project as needed and guide you as you continue to progress through the certificate
program.
Note: The exemplar represents one possible way to complete the Apply filters to SQL queries portfolio
activity. Yours will likely differ in certain ways. What’s important is that you understand how to use
SQL queries to apply filters.
The exemplar uses details from the given scenario and includes the following:
 Screenshots of queries or typed versions of the queries
 Explanations of queries
 A project description at the beginning
 A summary at the end
 Details on using LIKE to search for a pattern
 Details on filtering for dates and times
 Details on using AND and OR to filter on multiple conditions
 Details on using NOT in filters
Compare types of joins

Previously, you explored SQL joins and how to use them to join data from multiple tables when
these tables share a common column. You also examined how there are different types of joins, and
each of them returns different rows from the tables being joined. In this reading, you'll review these
concepts and more closely analyze the syntax needed for each type of join.
Inner joins
The first type of join that you might perform is an inner join. INNER JOIN returns rows matching on a
specified column that exists in more than one table.
It only returns the rows where there is a match, but like other types of joins, it returns all specified
columns from all joined tables. For example, if the query joins two tables with SELECT *, all columns
in both of the tables are returned.
Note: If a column exists in both of the tables, it is returned twice when SELECT * is used.
The syntax of an inner join

To write a query using INNER JOIN, you can use the following syntax:
SELECT *
FROM employees
INNER JOIN machines ON employees.device_id = machines.device_id;
You must specify the two tables to join by including the first or left table after FROM and the second
or right table after INNER JOIN.
After the name of the right table, use the ON keyword and the = operator to indicate the column you
are joining the tables on. It's important that you specify both the table and column names in this
portion of the join by placing a period (.) between the table and the column.
In addition to selecting all columns, you can select only certain columns. For example, if you only
want the join to return the username, operating_system and device_id columns, you can write this
query:
SELECT username, operating_system, employees.device_id
FROM employees
INNER JOIN machines ON employees.device_id = machines.device_id;

Note: In the example query, username and operating_system only appear in one of the two tables, so
they are written with just the column name. On the other hand, because device_id appears in both
tables, it's necessary to indicate which one to return by specifying both the table and column name
(employees.device_id).
Outer joins
Outer joins expand what is returned from a join. Each type of outer join returns all rows from either
one table or both tables.
Left joins
When joining two tables, LEFT JOIN returns all the records of the first table, but only returns rows of
the second table that match on a specified column.
The syntax for using LEFT JOIN is demonstrated in the following query:
SELECT *
FROM employees
LEFT JOIN machines ON employees.device_id = machines.device_id;
As with all joins, you should specify the first or left table as the table that comes after FROM and the
second or right table as the table that comes after LEFT JOIN. In the example query, because
employees is the left table, all of its records are returned. Only records that match on the device_id
column are returned from the right table, machines.
Right joins
When joining two tables, RIGHT JOIN returns all of the records of the second table, but only returns
rows from the first table that match on a specified column.
The following query demonstrates the syntax for RIGHT JOIN:
SELECT *
FROM employees
RIGHT JOIN machines ON employees.device_id = machines.device_id;
RIGHT JOIN has the same syntax as LEFT JOIN, with the only difference being the keyword RIGHT
JOIN instructs SQL to produce different output. The query returns all records from machines, which is
the second or right table. Only matching records are returned from employees, which is the first or left
table.
Note: You can use LEFT JOIN and RIGHT JOIN and return the exact same results if you use the
tables in reverse order. The following RIGHT JOIN query returns the exact same result as the LEFT
JOIN query demonstrated in the previous section:
SELECT *
FROM machines
RIGHT JOIN employees ON employees.device_id = machines.device_id;
All that you have to do is switch the order of the tables that appear before and after the keyword
used for the join, and you will have swapped the left and right tables.
Full outer joins

FULL OUTER JOIN returns all records from both tables. You can think of it as a way of completely
merging two tables.
You can review the syntax for using FULL OUTER JOIN in the following query:
SELECT *
FROM employees
FULL OUTER JOIN machines ON employees.device_id = machines.device_id;
The results of a FULL OUTER JOIN query include all records from both tables. Similar to INNER
JOIN, the order of tables does not change the results of the query.
Key takeaways
When working in SQL, there are multiple ways to join tables. All joins return the records that match
on a specified column. INNER JOIN will return only these records. Outer joins also return all other
records from one or both of the tables. LEFT JOIN returns all records from the first or left table,
RIGHT JOIN returns all records from the second or right table, and FULL OUTER JOIN returns all
records from both tables.
Database: An organized collection of information or data
Date and time data: Data representing a date and/or time
Exclusive operator: An operator that does not include the value of comparison
Filtering: Selecting data that match a certain condition
Foreign key: A column in a table that is a primary key in another table
Inclusive operator: An operator that includes the value of comparison
Log: A record of events that occur within an organization's systems
Numeric data: Data consisting of numbers
Operator: A symbol or keyword that represents an operation
Primary key: A column where every row has a unique entry
Query: A request for data from a database table or a combination of tables
Relational database: A structured database containing tables that are related to each other
SQL (Structured Query Language): A programming language used to create, interact with,
and request information from a database
Syntax: The rules that determine what is correctly structured in a computing language
Wildcard: A special character that can be substituted with any other character
Understand risks, threats, and vulnerabilities
When security events occur, you’ll need to work in close coordination with others to address the
problem. Doing so quickly requires clear communication between you and your team to get the
job done.
Previously, you learned about three foundational security terms:
 Risk: Anything that can impact the confidentiality, integrity, or availability of an asset
 Threat: Any circumstance or event that can negatively impact assets
 Vulnerability: A weakness that can be exploited by a threat
These words tend to be used interchangeably in everyday life. But in security, they are used to
describe very specific concepts when responding to and planning for security events. In this
reading, you’ll identify what each term represents and how they are related.
Security risk
Security plans are all about how an organization defines risk. However, this definition can vary
widely by organization. As you may recall, a risk is anything that can impact the confidentiality,
integrity, or availability of an asset. Since organizations have particular assets that they value,
they tend to differ in how they interpret and approach risk.
One way to interpret risk is to consider the potential effects that negative events can have on a
business. Another way to present this idea is with this calculation:
Likelihood x Impact = Risk
For example, you risk being late when you drive a car to work. This negative event is more likely
to happen if you get a flat tire along the way. And the impact could be serious, like losing your
job. All these factors influence how you approach commuting to work every day. The same is
true for how businesses handle security risks.
In general, we calculate risk in this field to help:
 Prevent costly and disruptive events
 Identify improvements that can be made to systems and processes
 Determine which risks can be tolerated
 Prioritize the critical assets that require attention

The business impact of a negative event will always depend on the asset and the situation. Your
primary focus as a security professional will be to focus on the likelihood side of the equation by
dealing with certain factors that increase the odds of a problem.
Risk factors
As you’ll discover throughout this course, there are two broad risk factors that you’ll be
concerned with in the field:
 Threats
 Vulnerabilities
The risk of an asset being harmed or damaged depends greatly on whether a threat takes
advantage of vulnerabilities.
Let’s apply this to the risk of being late to work. A threat would be a nail puncturing your tire,
since tires are vulnerable to running over sharp objects. In terms of security planning, you would
want to reduce the likelihood of this risk by driving on a clean road.
Categories of threat
Threats are circumstances or events that can negatively impact assets. There are many different
types of threats. However, they are commonly categorized as two types: intentional and
unintentional.
For example, an intentional threat might be a malicious hacker who gains access to sensitive
information by targeting a misconfigured application. An unintentional threat might be an
employee who holds the door open for an unknown person and grants them access to a restricted
area. Either one can cause an event that must be responded to.
Categories of vulnerability
Vulnerabilities are weaknesses that can be exploited by threats. There’s a wide range of
vulnerabilities, but they can be grouped into two categories: technical and human.
For example, a technical vulnerability can be misconfigured software that might give an
unauthorized person access to important data. A human vulnerability can be a forgetful employee
who loses their access card in a parking lot. Either one can lead to risk.
Key takeaways
Risks, threats, and vulnerabilities have very specific meanings in security. Knowing the
relationship between them can help you build a strong foundation as you grow essential skills
and knowledge as a security analyst. This can help you gain credibility in the industry by
demonstrating that you have working knowledge of the field. And it signals to your future
colleagues that you’re a member of the global security community.
Mark as completed
Common classification requirements
Asset management is the process of tracking assets and the risks that affect them. The idea behind
this process is simple: you can only protect what you know you have.
Previously, you learned that identifying, tracking, and classifying assets are all important parts of
asset management. In this reading, you’ll learn more about the purpose and benefits of asset
classification, including common classification levels.
Why asset management matters

Keeping assets safe requires a workable system that helps businesses operate smoothly. Setting
these systems up requires having detailed knowledge of the assets in an environment. For example,
a bank needs to have money available each day to serve its customers. Equipment, devices, and
processes need to be in place to ensure that money is available and secure from unauthorized
access.
Organizations protect a variety of different assets. Some examples might include:
 Digital assets such as customer data or financial records.
 Information systems that process data, like networks or software.
 Physical assets which can include facilities, equipment, or supplies.
 Intangible assets such as brand reputation or intellectual property.
Regardless of its type, every asset should be classified and accounted for. As you may recall, asset
classification is the practice of labeling assets based on sensitivity and importance to an
organization. Determining each of those two factors varies, but the sensitivity and importance of an
asset typically requires knowing the following:
 What you have
 Where it is
 Who owns it, and
 How important it is
An organization that classifies its assets does so based on these characteristics. Doing so helps
them determine the sensitivity and value of an asset.
Common asset classifications

Asset classification helps organizations implement an effective risk management strategy. It also
helps them prioritize security resources, reduce IT costs, and stay in compliance with legal
regulations.
The most common classification scheme is: restricted, confidential, internal-only, and public.
 Restricted is the highest level. This category is reserved for incredibly sensitive assets, like
need-to-know information.
 Confidential refers to assets whose disclosure may lead to a significant negative impact on
an organization.
 Internal-only describes assets that are available to employees and business partners.
 Public is the lowest level of classification. These assets have no negative consequences to
the organization if they’re released.
How this scheme is applied depends greatly on the characteristics of an asset. It might surprise you
to learn that identifying an asset’s owner is sometimes the most complicated characteristic to
determine.
Note: Although many organizations adopt this classification scheme, there can be variability at the
highest levels. For example, government organizations label their most sensitive assets as
confidential instead of restricted.
Challenges of classifying information

Identifying the owner of certain assets is straightforward, like the owner of a building. Other types of
assets can be trickier to identify. This is especially true when it comes to information.
For example, a business might issue a laptop to one of its employees to allow them to work
remotely. You might assume the business is the asset owner in this situation. But, what if the
employee uses the laptop for personal matters, like storing their photos?
Ownership is just one characteristic that makes classifying information a challenge. Another concern
is that information can have multiple classification values at the same time. For example, consider a
letter addressed to you in the mail. The letter contains some public information that’s okay to share,
like your name. It also contains fairly confidential pieces of information that you’d rather only be
available to certain people, like your address. You’ll learn more about how these challenges are
addressed as you continue through the program.
Key takeaways
Every business is different. Each business will have specific requirements to address when devising
their security strategy. Knowing why and how businesses classify their assets is an important skill to
have as a security professional. Information is one of the most important assets in the world. As a
cybersecurity professional, you will be closely involved with protecting information from damage,
disclosure, and misuse. Recognizing the challenges that businesses face classifying this type of
asset is a key to helping them solve their security needs.
The emergence of cloud security

One of the most significant technology developments this century has been the emergence of cloud
computing. The United Kingdom's National Cyber Security Centre defines cloud computing as, “An
on-demand, massively scalable service, hosted on shared infrastructure, accessible via the internet.”
Earlier, you learned that most information is in the form of data, which is in a constant state of
change. In recent years, businesses started moving their data to the cloud. The adoption of cloud-
based services has complicated how information is kept safe online. In this reading, you’ll learn
about these challenges and the opportunities they’ve created for security professionals.
Soaring into the cloud
Starting an online business used to be a complicated and costly process. In years past, companies
had to build and maintain their own internal solutions to operate in the digital marketplace. Now, it’s
much easier for anyone to participate because of the cloud.
The availability of cloud technologies has drastically changed how businesses operate online. These
new tools allow companies to scale and adapt quickly while also lowering their costs. Despite these
benefits, the shift to cloud-based services has also introduced a range of new cybersecurity
challenges that put assets at risk.
Cloud-based services
The term cloud-based services refers to a variety of on demand or web-based business solutions.
Depending on a company’s needs and budget, services can range from website hosting, to
application development environments, to entire back-end infrastructure.
There are three main categories of cloud-based services:
 Software as a service (SaaS)
 Platform as a service (PaaS)
 Infrastructure as a service (IaaS)
Software as a service (SaaS)

SaaS refers to front-end applications that users access via a web browser. The service providers
host, manage, and maintain all of the back-end systems for those applications. Common examples
of SaaS services include applications like Gmail™ email service, Slack, and Zoom software.
Platform as a service (PaaS)
PaaS refers to back-end application development tools that clients can access online. Developers
use these resources to write code and build, manage, and deploy their own apps. Meanwhile, the
cloud service providers host and maintain the back-end hardware and software that the apps use to
operate. Some examples of PaaS services include Google App Engine™ platform, Heroku®, and
VMware Cloud Foundry.
Infrastructure as a service (IaaS)

IaaS customers are given remote access to a range of back-end systems that are hosted by the
cloud service provider. This includes data processing servers, storage, networking resources, and
more. Resources are commonly licensed as needed, making it a cost-effective alternative to buying
and maintaining on premises.
Cloud-based services allow companies to connect with their customers, employees, and business
partners over the internet. Some of the largest organizations in the world offer cloud-based services:
 Google Cloud Platform
 Microsoft Azure
Cloud security
Shifting applications and infrastructure over to the cloud can make it easier to operate an online
business. It can also complicate keeping data private and safe. Cloud security is a growing subfield
of cybersecurity that specifically focuses on the protection of data, applications, and infrastructure in
the cloud.
In a traditional model, organizations had their entire IT infrastructure on premises. Protecting those
systems was entirely up to the internal security team in that environment. These responsibilities are
not so clearly defined when part or all of an operational environment is in the cloud.
For example, a PaaS client pays to access the resources they need to build their applications. So, it
is reasonable to expect them to be responsible for securing the apps they build. On the other hand,
the responsibility for maintaining the security of the servers they are accessing should belong to the
cloud service provider because there are other clients using the same systems.
In cloud security, this concept is known as the shared responsibility model. Clients are commonly
responsible for securing anything that is directly within their control:
 Identity and access management
 Resource configuration
 Data handling
Note: The amount of responsibility that is delegated to a service provider varies depending on the
service being used: SaaS, PaaS, and IaaS.
Cloud security challenges
All service providers do their best to deliver secure products to their customers. Much of their
success depends on preventing breaches and how well they can protect sensitive information.
However, since data is stored in the cloud and accessed over the internet, several challenges arise:
 Misconfiguration is one of the biggest concerns. Customers of cloud-based services are

responsible for configuring their own security environment. Oftentimes, they use out-of-the-
box configurations that fail to address their specific security objectives.
 Cloud-native breaches are more likely to occur due to misconfigured services.
 Monitoring access might be difficult depending on the client and level of service.
 Meeting regulatory standards is also a concern, particularly in industries that are required by
law to follow specific requirements such as HIPAA, PCI DSS, and GDPR.
Many other challenges exist besides these. As more businesses adopt cloud-based services, there’s
a growing need for cloud security professionals to meet a growing number of risks. Burning Glass, a
leading labor market analytics firm, ranks cloud security among the most in-demand skills in
cybersecurity.
Key takeaways
So much of the global marketplace has shifted to cloud-based services. Cloud technology is still
new, resulting in the emergence of new security models and a range of security challenges. And it’s
likely that other concerns might arise as more businesses become reliant on the cloud. Being
familiar with the cloud and the different services that are available is an important step towards
supporting any organizations efforts to protect information online.
Security guidelines in action

Organizations often face an overwhelming amount of risk. Developing a security plan from the
beginning that addresses all risk can be challenging. This makes security frameworks a useful
option.
Previously, you learned about the NIST Cybersecurity Framework (CSF). A major benefit of the CSF
is that it's flexible and can be applied to any industry. In this reading, you’ll explore how the NIST
CSF can be implemented.
Origins of the framework

Originally released in 2014, NIST developed the Cybersecurity Framework to protect critical
infrastructure in the United States. NIST was selected to develop the CSF because they are an
unbiased source of scientific data and practices. NIST eventually adapted the CSF to fit the needs of
businesses in the public and private sector. Their goal was to make the framework more flexible,
making it easier to adopt for small businesses or anyone else that might lack the resources to
develop their own security plans.
Components of the CSF

As you might recall, the framework consists of three main components: the core, tiers, and profiles.
In the following sections, you'll learn more about each of these CSF components.
Core
The CSF core is a set of desired cybersecurity outcomes that help organizations customize their
security plan. It consists of five functions, or parts: Identify, Protect, Detect, Respond, and Recover.
These functions are commonly used as an informative reference to help organizations identify their
most important assets and protect those assets with appropriate safeguards. The CSF core is also
used to understand ways to detect attacks and develop response and recovery plans should an
attack happen.
Tiers
The CSF tiers are a way of measuring the sophistication of an organization's cybersecurity program.
CSF tiers are measured on a scale of 1 to 4. Tier 1 is the lowest score, indicating that a limited set of
security controls have been implemented. Overall, CSF tiers are used to assess an organization's
security posture and identify areas for improvement.
Profiles
The CSF profiles are pre-made templates of the NIST CSF that are developed by a team of industry
experts. CSF profiles are tailored to address the specific risks of an organization or industry. They
are used to help organizations develop a baseline for their cybersecurity plans, or as a way of
comparing their current cybersecurity posture to a specific industry standard.
Note: The core, tiers, and profiles were each designed to help any business improve their security
operations. Although there are only three components, the entire framework consists of a complex
system of subcategories and processes.
Implementing the CSF

As you might recall, compliance is an important concept in security. Compliance is the process of
adhering to internal standards and external regulations. In other words, compliance is a way of
measuring how well an organization is protecting their assets. The NIST Cybersecurity Framework
(CSF) is a voluntary framework that consists of standards, guidelines, and best practices to manage
cybersecurity risk. Organizations may choose to use the CSF to achieve compliance with a variety of
regulations.
Note: Regulations are rules that must be followed, while frameworks are resources you can choose
to use.
Since its creation, many businesses have used the NIST CSF. However, CSF can be a challenge to
implement due to its high level of detail. It can also be tough to find where the framework fits in. For
example, some businesses have established security plans, making it unclear how CSF can benefit
them. Alternatively, some businesses might be in the early stages of building their plans and need a
place to start.
In any scenario, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provides detailed
guidance that any organization can use to implement the CSF. This is a quick overview and
summary of their recommendations:
 Create a current profile of the security operations and outline the specific needs of your
business.
 Perform a risk assessment to identify which of your current operations are meeting business
and regulatory standards.
 Analyze and prioritize existing gaps in security operations that place the businesses assets at
risk.
 Implement a plan of action to achieve your organization’s goals and objectives.
Pro tip: Always consider current risk, threat, and vulnerability trends when using the NIST CSF.
You can learn more about implementing the CSF in this report by CISA that outlines how the
framework was applied in the commercial facilities sector.
Industries embracing the CSF
The NIST CSF has continued to evolve since its introduction in 2014. Its design is influenced by the
standards and best practices of some of the largest companies in the world.
A benefit of the framework is that it aligns with the security practices of many organizations across
the global economy. It also helps with regulatory compliance that might be shared by business
partners.
Key takeaways
The NIST CSF is a flexible resource that organizations may choose to use to assess and improve
their security posture. It's a useful framework that combines the security best practices of industries
around the world. Implementing the CSF can be a challenge for any organization. The CSF can help
business meet regulatory compliance requirements to avoid financial and reputational risks.

Asset classification: The practice of labeling assets based on sensitivity and importance to an
organization
Asset inventory: A catalog of assets that need to be protected
Asset management: The process of tracking assets and the risks that affect them
Compliance: The process of adhering to internal standards and external regulations
Data: Information that is translated, processed, or stored by a computer
Data at rest: Data not currently being accessed
Data in transit: Data traveling from one point to another
Data in use: Data being accessed by one or more users

Information security (InfoSec): The practice of keeping data in all states away from
unauthorized users
National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF):

A voluntary framework that consists of standards, guidelines, and best practices to manage
cybersecurity risk
Policy: A set of rules that reduce risk and protect information
Procedures: Step-by-step instructions to perform a specific security task
Regulations: Rules set by a government or other authority to control the way something is done
Risk: Anything that can impact confidentiality, integrity, or availability of an asset
Standards: References that inform how to set policies
Vulnerability: A weakness that can be exploited by a threat
Principle of least privilege

Security controls are essential to keeping sensitive data private and safe. One of the most
common controls is the principle of least privilege, also referred to as PoLP or least privilege.
The principle of least privilege is a security concept in which a user is only granted the
minimum level of access and authorization required to complete a task or function.
Least privilege is a fundamental security control that supports the confidentiality, integrity, and
availability (CIA) triad of information. In this reading, you'll learn how the principle of least
privilege reduces risk, how it's commonly implemented, and why it should be routinely audited.
Limiting access reduces risk

Every business needs to plan for the risk of data theft, misuse, or abuse. Implementing the
principle of least privilege can greatly reduce the risk of costly incidents like data breaches by:
 Limiting access to sensitive information

 Reducing the chances of accidental data modification, tampering, or loss
 Supporting system monitoring and administration
Least privilege greatly reduces the likelihood of a successful attack by connecting specific
resources to specific users and placing limits on what they can do. It's an important security
control that should be applied to any asset. Clearly defining who or what your users are is usually
the first step of implementing least privilege effectively.
Note: Least privilege is closely related to another fundamental security principle, the separation
of duties—a security concept that divides tasks and responsibilities among different users to
prevent giving a single user complete control over critical business functions. You'll learn more
about separation of duties in a different reading about identity and access management.
Determining access and authorization

To implement least privilege, access and authorization must be determined first. There are two
questions to ask to do so:
 Who is the user?
 How much access do they need to a specific resource?
Determining who the user is usually straightforward. A user can refer to a person, like a
customer, an employee, or a vendor. It can also refer to a device or software that's connected to
your business network. In general, every user should have their own account. Accounts are
typically stored and managed within an organization's directory service.
These are the most common types of user accounts:
 Guest accounts are provided to external users who need to access an internal network,
like customers, clients, contractors, or business partners.
 User accounts are assigned to staff based on their job duties.
 Service accounts are granted to applications or software that needs to interact with other
software on the network.
 Privileged accounts have elevated permissions or administrative access.
It's best practice to determine a baseline access level for each account type before implementing
least privilege. However, the appropriate access level can change from one moment to the next.
For example, a customer support representative should only have access to your information
while they are helping you. Your data should then become inaccessible when the support agent
starts working with another customer and they are no longer actively assisting you. Least
privilege can only reduce risk if user accounts are routinely and consistently monitored.
Pro tip: Passwords play an important role when implementing the principle of least privilege.
Even if user accounts are assigned appropriately, an insecure password can compromise your
systems.
Auditing account privileges

Setting up the right user accounts and assigning them the appropriate privileges is a helpful first
step. Periodically auditing those accounts is a key part of keeping your company’s systems
secure.
There are three common approaches to auditing user accounts:
 Usage audits
 Privilege audits
 Account change audits
As a security professional, you might be involved with any of these processes.
Usage audits
When conducting a usage audit, the security team will review which resources each account is
accessing and what the user is doing with the resource. Usage audits can help determine whether
users are acting in accordance with an organization’s security policies. They can also help
identify whether a user has permissions that can be revoked because they are no longer being
used.
Privilege audits
Users tend to accumulate more access privileges than they need over time, an issue known as
privilege creep. This might occur if an employee receives a promotion or switches teams and
their job duties change. Privilege audits assess whether a user's role is in alignment with the
resources they have access to.
Account change audits

Account directory services keep records and logs associated with each user. Changes to an
account are usually saved and can be used to audit the directory for suspicious activity, like
multiple attempts to change an account password. Performing account change audits helps to
ensure that all account changes are made by authorized users.
Note: Most directory services can be configured to alert system administrators of suspicious
activity.
Key takeaways
The principle of least privilege is a security control that can reduce the risk of unauthorized
access to sensitive information and resources. Setting up and configuring user accounts with the
right levels of access and authorization is an important step toward implementing least privilege.
Auditing user accounts and revoking unnecessary access rights is an important practice that helps
to maintain the confidentiality, integrity, and availability of information.
The data lifecycle

Organizations of all sizes handle a large amount of data that must be kept private. You learned that
data can be vulnerable whether it is at rest, in use, or in transit. Regardless of the state it is in,
information should be kept private by limiting access and authorization.
In security, data vulnerabilities are often mapped in a model known as the data lifecycle. Each stage
of the data lifecycle plays an important role in the security controls that are put in place to maintain
the CIA triad of information. In this reading, you will learn about the data lifecycle, the plans that
determine how data is protected, and the specific types of data that require extra attention.
The data lifecycle

The data lifecycle is an important model that security teams consider when protecting information. It
influences how they set policies that align with business objectives. It also plays an important role in
the technologies security teams use to make information accessible.
In general, the data lifecycle has five stages. Each describe how data flows through an organization
from the moment it is created until it is no longer useful:
 Collect
 Store
 Use
 Archive
 Destroy
Protecting information at each stage of this process describes the need to keep it accessible and
recoverable should something go wrong.
Data governance
Businesses handle massive amounts of data every day. New information is constantly being
collected from internal and external sources. A structured approach to managing all of this data is
the best way to keep it private and secure.
Data governance is a set of processes that define how an organization manages information.
Governance often includes policies that specify how to keep data private, accurate, available, and
secure throughout its lifecycle.
Effective data governance is a collaborative activity that relies on people. Data governance policies
commonly categorize individuals into a specific role:
 Data owner: the person that decides who can access, edit, use, or destroy their information.
 Data custodian: anyone or anything that's responsible for the safe handling, transport, and
storage of information.
 Data steward: the person or group that maintains and implements data governance policies
set by an organization.
Businesses store, move, and transform data using a wide range of IT systems. Data governance
policies often assign accountability to data owners, custodians, and stewards.
Note: As a data custodian, you will primarily be responsible for maintaining security and privacy
rules for your organization.
Protecting data at every stage
Most security plans include a specific policy that outlines how information will be managed across an
organization. This is known as a data governance policy. These documents clearly define
procedures that should be followed to participate in keeping data safe. They place limits on who or
what can access data. Security professionals are important participants in data governance. As a
data custodian, you will be responsible for ensuring that data isn’t damaged, stolen, or misused.
Legally protected information

Data is more than just a bunch of 1s and 0s being processed by a computer. Data can represent
someone's personal thoughts, actions, and choices. It can represent a purchase, a sensitive medical
decision, and everything in between. For this reason, data owners should be the ones deciding
whether or not to share their data. As a security professional, protecting a person's data privacy
decisions must always be respected.
Securing data can be challenging. In large part, that's because data owners generate more data
than they can manage. As a result, data custodians and stewards sometimes lack direct, explicit
instructions on how they should handle specific types of data. Governments and other regulatory
agencies have bridged this gap by creating rules that specify the types of information that
organizations must protect by default:
 PII is any information used to infer an individual's identity. Personally identifiable information,
or PII, refers to information that can be used to contact or locate someone.
 PHI stands for protected health information. In the U.S., it is regulated by the Health
Insurance Portability and Accountability Act (HIPAA), which defines PHI as “information that
relates to the past, present, or future physical or mental health or condition of an individual.”
In the EU, PHI has a similar definition but it is regulated by the General Data Protection
Regulation (GDPR).
 SPII is a specific type of PII that falls under stricter handling guidelines. The S stands for
sensitive, meaning this is a type of personally identifiable information that should only be
accessed on a need-to-know basis, such as a bank account number or login credentials.
Overall, it's important to protect all types of personal information from unauthorized use and
disclosure.
Key takeaways
Keeping information private has never been so important. Many organizations have data governance
policies that outline how they plan to protect sensitive information. As a data custodian, you will play
a key role in keeping information accessible and safe throughout its lifecycle. There are various
types of information and controls that you’ll encounter in the field. As you continue through this
course, you’ll learn more about major security controls that keep data private.
Information privacy: Regulations and compliance
Security and privacy have a close relationship. As you may recall, people have the right to
control how their personal data is collected and used. Organizations also have a responsibility to
protect the information they are collecting from being compromised or misused. As a security
professional, you will be highly involved in these efforts.
Previously, you learned how regulations and compliance reduce security risk. To review, refer to
the reading about how security controls, frameworks, and compliance regulations are used
together to manage security and minimize risk. In this reading, you will learn how information
privacy regulations affect data handling practices. You'll also learn about some of the most
influential security regulations in the world.
Information security vs. information privacy

Security and privacy are two terms that often get used interchangeably outside of this field.
Although the two concepts are connected, they represent specific functions:
 Information privacy refers to the protection of unauthorized access and distribution of

data.
 Information security (InfoSec) refers to the practice of keeping data in all states away
from unauthorized users.
The key difference: Privacy is about providing people with control over their personal
information and how it's shared. Security is about protecting people’s choices and keeping their
information safe from potential threats.
For example, a retail company might want to collect specific kinds of personal information about
its customers for marketing purposes, like their age, gender, and location. How this private
information will be used should be disclosed to customers before it's collected. In addition,
customers should be given an option to opt-out if they decide not to share their data.
Once the company obtains consent to collect personal information, it might implement specific
security controls in place to protect that private data from unauthorized access, use, or disclosure.
The company should also have security controls in place to respect the privacy of all
stakeholders and anyone who chose to opt-out.
Note: Privacy and security are both essential for maintaining customer trust and brand
reputation.
Why privacy matters in security

Data privacy and protection are topics that started gaining a lot of attention in the late 1990s. At
that time, tech companies suddenly went from processing people’s data to storing and using it for
business purposes. For example, if a user searched for a product online, companies began storing
and sharing access to information about that user’s search history with other companies.
Businesses were then able to deliver personalized shopping experiences to the user for free.
Eventually this practice led to a global conversation about whether these organizations had the
right to collect and share someone’s private data. Additionally, the issue of data security became
a greater concern; the more organizations collected data, the more vulnerable it was to being
abused, misused, or stolen.
Many organizations became more concerned about the issues of data privacy. Businesses became
more transparent about how they were collecting, storing, and using information. They also
began implementing more security measures to protect people's data privacy. However, without
clear rules in place, protections were inconsistently applied.
Note: The more data is collected, stored, and used, the more vulnerable it is to breaches and
threats.
Notable privacy regulations

Businesses are required to abide by certain laws to operate. As you might recall, regulations are
rules set by a government or another authority to control the way something is done. Privacy
regulations in particular exist to protect a user from having their information collected, used, or
shared without their consent. Regulations may also describe the security measures that need to be
in place to keep private information away from threats.
Three of the most influential industry regulations that every security professional should know
about are:
 General Data Protection Regulation (GDPR)
 Payment Card Industry Data Security Standard (PCI DSS)
 Health Insurance Portability and Accountability Act (HIPAA)
GDPR
GDPR is a set of rules and regulations developed by the European Union (EU) that puts data
owners in total control of their personal information. Under GDPR, types of personal
information include a person's name, address, phone number, financial information, and medical
information.
The GDPR applies to any business that handles the data of EU citizens or residents, regardless of
where that business operates. For example, a US based company that handles the data of EU
visitors to their website is subject to the GDPRs provisions.
PCI DSS
PCI DSS is a set of security standards formed by major organizations in the financial industry.
This regulation aims to secure credit and debit card transactions against data theft and fraud.
HIPAA
HIPAA is a U.S. law that requires the protection of sensitive patient health information. HIPAA
prohibits the disclosure of a person's medical information without their knowledge and consent.
Note: These regulations influence data handling at many organizations around the world even
though they were developed by specific nations.
Several other security and privacy compliance laws exist. Which ones your organization needs to
follow will depend on the industry and the area of authority. Regardless of the circumstances,
regulatory compliance is important to every business.
Security assessments and audits

Businesses should comply with important regulations in their industry. Doing so validates that
they have met a minimum level of security while also demonstrating their dedication to
maintaining data privacy.
Meeting compliance standards is usually a continual, two-part process of security audits and
assessments:
 A security audit is a review of an organization's security controls, policies, and

procedures against a set of expectations.
 A security assessment is a check to determine how resilient current security
implementations are against threats.
For example, if a regulation states that multi-factor authentication (MFA) must be enabled for all
administrator accounts, an audit might be conducted to check those user accounts for
compliance. After the audit, the internal team might perform a security assessment that
determines many users are using weak passwords. Based on their assessment, the team could
decide to enable MFA on all user accounts to improve their overall security posture.
Note: Compliance with legal regulations, such as GDPR, can be determined during audits.
As a security analyst, you are likely to be involved with security audits and assessments in the
field. Businesses usually perform security audits less frequently, approximately once per year.
Security audits may be performed both internally and externally by different third-party groups.
In contrast, security assessments are usually performed more frequently, about every three-to-six
months. Security assessments are typically performed by internal employees, often as
preparation for a security audit. Both evaluations are incredibly important ways to ensure that
your systems are effectively protecting everyone's privacy.
Key takeaways
A growing number of businesses are making it a priority to protect and govern the use of
sensitive data to maintain customer trust. Security professionals should think about data and the
need for privacy in these terms. Organizations commonly use security assessments and audits to
evaluate gaps in their security plans. While it is possible to overlook or delay addressing the
results of an assessment, doing so can have serious business consequences, such as fines or data
breaches.
Symmetric and asymmetric encryption

Previously, you learned these terms:
 Encryption: the process of converting data from a readable format to an encoded format
 Public key infrastructure (PKI): an encryption framework that secures the exchange of
online information
 Cipher: an algorithm that encrypts information
All digital information deserves to be kept private, safe, and secure. Encryption is one key to doing
that! It is useful for transforming information into a form that unintended recipients cannot
understand. In this reading, you’ll compare symmetric and asymmetric encryption and learn about
some well-known algorithms for each.
Types of encryption
There are two main types of encryption:
 Symmetric encryption is the use of a single secret key to exchange information. Because it
uses one key for encryption and decryption, the sender and receiver must know the secret
key to lock or unlock the cipher.
 Asymmetric encryption is the use of a public and private key pair for encryption and
decryption of data. It uses two separate keys: a public key and a private key. The public key
is used to encrypt data, and the private key decrypts it. The private key is only given to users
with authorized access.
The importance of key length

Ciphers are vulnerable to brute force attacks, which use a trial and error process to discover private
information. This tactic is the digital equivalent of trying every number in a combination lock trying to
find the right one. In modern encryption, longer key lengths are considered to be more secure.
Longer key lengths mean more possibilities that an attacker needs to try to unlock a cipher.
One drawback to having long encryption keys is slower processing times. Although short key lengths
are generally less secure, they’re much faster to compute. Providing fast data communication online
while keeping information safe is a delicate balancing act.
Approved algorithms
Many web applications use a combination of symmetric and asymmetric encryption. This is how they
balance user experience with safeguarding information. As an analyst, you should be aware of the
most widely-used algorithms.
Symmetric algorithms
 Triple DES (3DES) is known as a block cipher because of the way it converts plaintext into
ciphertext in “blocks.” Its origins trace back to the Data Encryption Standard (DES), which
was developed in the early 1970s. DES was one of the earliest symmetric encryption
algorithms that generated 64-bit keys. A bit is the smallest unit of data measurement on a
computer. As you might imagine, Triple DES generates keys that are 192 bits, or three times
as long. Despite the longer keys, many organizations are moving away from using Triple
DES due to limitations on the amount of data that can be encrypted. However, Triple DES is
likely to remain in use for backwards compatibility purposes.
 Advanced Encryption Standard (AES) is one of the most secure symmetric algorithms today.
AES generates keys that are 128, 192, or 256 bits. Cryptographic keys of this size are
considered to be safe from brute force attacks. It’s estimated that brute forcing an AES 128-
bit key could take a modern computer billions of years!
Asymmetric algorithms
 Rivest Shamir Adleman (RSA) is named after its three creators who developed it while at the
Massachusetts Institute of Technology (MIT). RSA is one of the first asymmetric encryption
algorithms that produces a public and private key pair. Asymmetric algorithms like RSA
produce even longer key lengths. In part, this is due to the fact that these functions are
creating two keys. RSA key sizes are 1,024, 2,048, or 4,096 bits. RSA is mainly used to
protect highly sensitive data.
 Digital Signature Algorithm (DSA) is a standard asymmetric algorithm that was introduced by
NIST in the early 1990s. DSA also generates key lengths of 2,048 bits. This algorithm is
widely used today as a complement to RSA in public key infrastructure.
Generating keys
These algorithms must be implemented when an organization chooses one to protect their data.
One way this is done is using OpenSSL, which is an open-source command line tool that can be
used to generate public and private keys. OpenSSL is commonly used by computers to verify digital
certificates that are exchanged as part of public key infrastructure.
Note: OpenSSL is just one option. There are various others available that can generate keys with
any of these common algorithms.
In early 2014, OpenSSL disclosed a vulnerability, known as the Heartbleed bug, that exposed
sensitive data in the memory of websites and applications. Although unpatched versions of
OpenSSL are still available, the Heartbleed bug was patched later that year (2014). Many
businesses today use the secure versions of OpenSSL to generate public and private keys,
demonstrating the importance of using up-to-date software.
Obscurity is not security

In the world of cryptography, a cipher must be proven to be unbreakable before claiming that it is
secure. According to Kerchoff’s principle, cryptography should be designed in such a way that all the
details of an algorithm—except for the private key—should be knowable without sacrificing its
security. For example, you can access all the details about how AES encryption works online and
yet it is still unbreakable.
Occasionally, organizations implement their own, custom encryption algorithms. There have been
instances where those secret cryptographic systems have been quickly cracked after being made
public.
Pro tip: A cryptographic system should not be considered secure if it requires secrecy around how it
works.
Encryption is everywhere
Companies use both symmetric and asymmetric encryption. They often work as a team, balancing
security with user experience.
For example, websites tend to use asymmetric encryption to secure small blocks of data that are
important. Usernames and passwords are often secured with asymmetric encryption while
processing login requests. Once a user gains access, the rest of their web session often switches to
using symmetric encryption for its speed.
Using data encryption like this is increasingly required by law. Regulations like the Federal
Information Processing Standards (FIPS 140-3) and the General Data Protection Regulation
(GDPR) outline how data should be collected, used, and handled. Achieving compliance with either
regulation is critical to demonstrating to business partners and governments that customer data is
handled responsibly.
Key takeaways
Knowing the basics of encryption is important for all security professionals. Symmetric encryption
relies on a single secret key to protect data. On the other hand, asymmetric uses a public and
private key pair. Their encryption algorithms create different key sizes. Both types of encryption are
used to meet compliance regulations and protect data online.
The evolution of hash functions

Hash functions are important controls that are part of every company's security strategy. Hashing is
widely used for authentication and non-repudiation, the concept that the authenticity of information
can’t be denied.
Previously, you learned that hash functions are algorithms that produce a code that can't be
decrypted. Hash functions convert information into a unique value that can then be used to
determine its integrity. In this reading, you’ll learn about the origins of hash functions and how
they’ve changed over time.
Origins of hashing
Hash functions have been around since the early days of computing. They were originally created as
a way to quickly search for data. Since the beginning, these algorithms have been designed to
represent data of any size as small, fixed-size values, or digests. Using a hash table, which is a data
structure that's used to store and reference hash values, these small values became a more secure
and efficient way for computers to reference data.
One of the earliest hash functions is Message Digest 5, more commonly known as MD5. Professor
Ronald Rivest of the Massachusetts Institute of Technology (MIT) developed MD5 in the early 1990s
as a way to verify that a file sent over a network matched its source file.
Whether it’s used to convert a single email or the source code of an application, MD5 works by
converting data into a 128-bit value. You might recall that a bit is the smallest unit of data
measurement on a computer. Bits can either be a 0 or 1. In a computer, bits represent user input in
a way that computers can interpret. In a hash table, this appears as a string of 32 characters.
Altering anything in the source file generates an entirely new hash value.
Generally, the longer the hash value, the more secure it is. It wasn’t long after MD5's creation that
security practitioners discovered 128-bit digests resulted in a major vulnerability.
Here is an example of how plaintext gets turned into hash values:
Hash collisions
One of the flaws in MD5 happens to be a characteristic of all hash functions. Hash algorithms map
any input, regardless of its length, into a fixed-size value of letters and numbers. What’s the problem
with that? Although there are an infinite amount of possible inputs, there’s only a finite set of
available outputs!
MD5 values are limited to 32 characters in length. Due to the limited output size, the algorithm is
considered to be vulnerable to hash collision, an instance when different inputs produce the same
hash value. Because hashes are used for authentication, a hash collision is similar to copying
someone’s identity. Attackers can carry out collision attacks to fraudulently impersonate authentic
data.
Next-generation hashing
To avoid the risk of hash collisions, functions that generated longer values were needed. MD5's
shortcomings gave way to a new group of functions known as the Secure Hashing Algorithms, or
SHAs.
The National Institute of Standards and Technology (NIST) approves each of these algorithms.
Numbers besides each SHA function indicate the size of its hash value in bits. Except for SHA-1,
which produces a 160-bit digest, these algorithms are considered to be collision-resistant. However,
that doesn’t make them invulnerable to other exploits.
Five functions make up the SHA family of algorithms:
 SHA-1
 SHA-224
 SHA-256
 SHA-384
 SHA-512
Secure password storage

Passwords are typically stored in a database where they are mapped to a username. The server
receives a request for authentication that contains the credentials supplied by the user. It then looks
up the username in the database and compares it with the password that was provided and verifies
that it matches before granting them access.
This is a safe system unless an attacker gains access to the user database. If passwords are stored
in plaintext, then an attacker can steal that information and use it to access company resources.
Hashing adds an additional layer of security. Because hash values can't be reversed, an attacker
would not be able to steal someone's login credentials if they managed to gain access to the
database.
Rainbow tables
A rainbow table is a file of pre-generated hash values and their associated plaintext. They’re like
dictionaries of weak passwords. Attackers capable of obtaining an organization’s password
database can use a rainbow table to compare them against all possible values.
Adding some “salt”

Functions with larger digests are less vulnerable to collision and rainbow table attacks. But as you’re
learning, no security control is perfect.
Salting is an additional safeguard that's used to strengthen hash functions. A salt is a random string
of characters that's added to data before it's hashed. The additional characters produce a more
unique hash value, making salted data resilient to rainbow table attacks.
For example, a database containing passwords might have several hashed entries for the password
"password." If those passwords were all salted, each entry would be completely different. That
means an attacker using a rainbow table would be unable to find matching values for "password" in
the database.
For this reason, salting has become increasingly common when storing passwords and other types
of sensitive data. The length and uniqueness of a salt is important. Similar to hash values, the longer
and more complex a salt is, the harder it is to crack.
Key takeaways
Security professionals often use hashing as a tool to validate the integrity of program files,
documents, and other types of data. Another way it’s used is to reduce the chances of a data
breach. As you’ve learned, not all hashing functions provide the same level of protection. Rainbow
table attacks are more likely to work against algorithms that generate shorter keys, like MD5. Many
small- and medium-sized businesses still rely on MD5 to secure sensitive data. Knowing about
alternative algorithms and salting better prepares you to make impactful security recommendations.
The rise of SSO and MFA
Most companies help keep their data safely locked up behind authentication systems. Usernames
and passwords are the keys that unlock information for most organizations. But are those credentials
enough? Information security often focuses on managing a user's access of, and authorization to,
information.
Previously, you learned about the three factors of authentication: knowledge, ownership, and
characteristic. Single sign-on (SSO) and multi-factor authentication (MFA) are two technologies that
have become popular for implementing these authentication factors. In this reading, you’ll learn how
these technologies work and why companies are adopting them.
A better approach to authentication

Single sign-on (SSO) is a technology that combines several different logins into one. More companies
are turning to SSO as a solution to their authentication needs for three reasons:
1. SSO improves the user experience by eliminating the number of usernames and passwords
people have to remember.
2. Companies can lower costs by streamlining how they manage connected services.
3. SSO improves overall security by reducing the number of access points attackers can target.
This technology became available in the mid-1990s as a way to combat password fatigue, which
refers to people’s tendency to reuse passwords across services. Remembering many different
passwords can be a challenge, but using the same password repeatedly is a major security risk.
SSO solves this dilemma by shifting the burden of authentication away from the user.
How SSO works

SSO works by automating how trust is established between a user and a service provider. Rather
than placing the responsibility on an employee or customer, SSO solutions use trusted third-parties
to prove that a user is who they claim to be. This is done through the exchange of encrypted access
tokens between the identity provider and the service provider.
Similar to other kinds of digital information, these access tokens are exchanged using specific
protocols. SSO implementations commonly rely on two different authentication protocols: LDAP and
SAML. LDAP, which stands for Lightweight Directory Access Protocol, is mostly used to transmit
information on-premises; SAML, which stands for Security Assertion Markup Language, is mostly
used to transmit information off-premises, like in the cloud.
Note: LDAP and SAML protocols are often used together.
Here's an example of how SSO can connect a user to multiple applications with one access token:
Limitations of SSO
Usernames and passwords alone are not always the most secure way of protecting sensitive
information. SSO provides useful benefits, but there’s still the risk associated with using one form of
authentication. For example, a lost or stolen password could expose information across multiple
services. Thankfully, there’s a solution to this problem.
MFA to the rescue

Multi-factor authentication (MFA) requires a user to verify their identity in two or more ways to
access a system or network. In a sense, MFA is similar to using an ATM to withdraw money from
your bank account. First, you insert a debit card into the machine as one form of identification. Then,
you enter your PIN number as a second form of identification. Combined, both steps, or factors, are
used to verify your identity before authorizing you to access the account.
Strengthening authentication
MFA builds on the benefits of SSO. It works by having users prove that they are who they claim to
be. The user must provide two factors (2FA) or three factors (3FA) to authenticate their identification.
The MFA process asks users to provide these proofs, such as:
 Something a user knows: most commonly a username and password
 Something a user has: normally received from a service provider, like a one-time passcode
(OTP) sent via SMS
 Something a user is: refers to physical characteristics of a user, like their fingerprints or facial
scans
Requiring multiple forms of identification is an effective security measure, especially in cloud

environments. It can be difficult for businesses in the cloud to ensure that the users remotely
accessing their systems are not threat actors. MFA can reduce the risk of authenticating the wrong
users by requiring forms of identification that are difficult to imitate or brute force.
Key takeaways
Implementing both SSO and MFA security controls improves security without sacrificing the user
experience. Relying on passwords alone is a serious vulnerability. Implementing SSO means fewer
points of entry, but that’s not enough. Combining SSO and MFA can be an effective way to protect
information, so that users have a streamlined experience while unauthorized people are kept away
from important information.
Identity and access management

Security is more than simply combining processes and technologies to protect assets. Instead,
security is about ensuring that these processes and technologies are creating a secure environment
that supports a defense strategy. A key to doing this is implementing two fundamental security
principles that limit access to organizational resources:
 The principle of least privilege in which a user is only granted the minimum level of access
and authorization required to complete a task or function.
 Separation of duties, which is the principle that users should not be given levels of
authorization that would allow them to misuse a system.
Both principles typically support each other. For example, according to least privilege, a person who
needs permission to approve purchases from the IT department shouldn't have the permission to
approve purchases from every department. Likewise, according to separation of duties, the person
who can approve purchases from the IT department should be different from the person who can
input new purchases.
In other words, least privilege limits the access that an individual receives, while separation of duties
divides responsibilities among multiple people to prevent any one person from having too much
control.
Note: Separation of duties is sometimes referred to as segregation of duties.
Previously, you learned about the authentication, authorization, and accounting (AAA) framework.
Many businesses used this model to implement these two security principles and manage user
access. In this reading, you’ll learn about the other major framework for managing user access,
identity and access management (IAM). You will learn about the similarities between AAA and IAM
and how they're commonly implemented.
Identity and access management (IAM)

As organizations become more reliant on technology, regulatory agencies have put more pressure
on them to demonstrate that they’re doing everything they can to prevent threats. Identity and access
management (IAM) is a collection of processes and technologies that helps organizations manage
digital identities in their environment. Both AAA and IAM systems are designed to authenticate
users, determine their access privileges, and track their activities within a system.
Either model used by your organization is more than a single, clearly defined system. They each
consist of a collection of security controls that ensure the right user is granted access to the right
resources at the right time and for the right reasons. Each of those four factors is determined by your
organization's policies and processes.
Note: A user can either be a person, a device, or software.
Authenticating users
To ensure the right user is attempting to access a resource requires some form of proof that the user
is who they claim to be. In a video on authentication controls, you learned that there are a few
factors that can be used to authenticate a user:
 Knowledge, or something the user knows
 Ownership, or something the user possesses
 Characteristic, or something the user is
Authentication is mainly verified with login credentials. Single sign-on (SSO), a technology that
combines several different logins into one, and multi-factor authentication (MFA), a security measure
that requires a user to verify their identity in two or more ways to access a system or network, are
other tools that organizations use to authenticate individuals and systems.
Pro tip: Another way to remember this authentication model is: something you know, something you
have, and something you are.
User provisioning
Back-end systems need to be able to verify whether the information provided by a user is accurate.
To accomplish this, users must be properly provisioned. User provisioning is the process of creating
and maintaining a user's digital identity. For example, a college might create a new user account
when a new instructor is hired. The new account will be configured to provide access to instructor-
only resources while they are teaching. Security analysts are routinely involved with provisioning
users and their access privileges.
Pro tip: Another role analysts have in IAM is to deprovision users. This is an important practice that
removes a user's access rights when they should no longer have them.
Granting authorization
If the right user has been authenticated, the network should ensure the right resources are made
available. There are three common frameworks that organizations use to handle this step of IAM:
 Mandatory access control (MAC)
 Discretionary access control (DAC)
 Role-based access control (RBAC)
Mandatory Access Control (MAC)

MAC is the strictest of the three frameworks. Authorization in this model is based on a strict need-to-
know basis. Access to information must be granted manually by a central authority or system
administrator. For example, MAC is commonly applied in law enforcement, military, and other
government agencies where users must request access through a chain of command. MAC is also
known as non-discretionary control because access isn’t given at the discretion of the data owner.
Discretionary Access Control (DAC)

DAC is typically applied when a data owner decides appropriate levels of access. One example of
DAC is when the owner of a Google Drive folder shares editor, viewer, or commentor access with
someone else.
Role-Based Access Control (RBAC)
RBAC is used when authorization is determined by a user's role within an organization. For example,
a user in the marketing department may have access to user analytics but not network
administration.
Access control technologies

Users often experience authentication and authorization as a single, seamless experience. In large
part, that’s due to access control technologies that are configured to work together. These tools offer
the speed and automation needed by administrators to monitor and modify access rights. They also
decrease errors and potential risks.
An organization's IT department sometimes develops and maintains customized access control

technologies on their own. A typical IAM or AAA system consists of a user directory, a set of tools for
managing data in that directory, an authorization system, and an auditing system. Some
organizations create custom systems to tailor them to their security needs. However, building an in-
house solution comes at a steep cost of time and other resources.
Instead, many organizations opt to license third-party solutions that offer a suite of tools that enable
them to quickly secure their information systems. Keep in mind, security is about more than
combining a bunch of tools. It’s always important to configure these technologies so they can help to
provide a secure environment.
Key takeaways
Controlling access requires a collection of systems and tools. IAM and AAA are common
frameworks for implementing least privilege and separation of duties. As a security analyst, you
might be responsible for user provisioning and collaborating with other IAM or AAA teams. Having
familiarity with these models is valuable for helping organizations achieve their security objectives.
They each ensure that the right user is granted access to the right resources at the right time and for
the right reasons.

Access controls: Security controls that manage access, authorization, and accountability of
information
Algorithm: A set of rules used to solve a problem
Application programming interface (API) token: A small block of encrypted code that
contains information about a user
Asymmetric encryption: The use of a public and private key pair for encryption and decryption
of data
Basic auth: The technology used to establish a user’s request to access a server
Bit: The smallest unit of data measurement on a computer
Brute force attack: The trial and error process of discovering private information
Cipher: An algorithm that encrypts information
Cryptographic key: A mechanism that decrypts ciphertext
Cryptography: The process of transforming information into a form that unintended readers
can’t understand
Data custodian: Anyone or anything that’s responsible for the safe handling, transport, and
storage of information
Data owner: The person that decides who can access, edit, use, or destroy their information
Digital certificate: A file that verifies the identity of a public key holder
Encryption: The process of converting data from a readable format to an encoded format
Hash collision: An instance when different inputs produce the same hash value
Hash function: An algorithm that produces a code that can’t be decrypted
Hash table: A data structure that's used to store and reference hash values
Identity and access management (IAM): A collection of processes and technologies that helps
organizations manage digital identities in their environment
Information privacy: The protection of unauthorized access and distribution of data
Multi-factor authentication (MFA): A security measure that requires a user to verify their
identity in two or more ways to access a system or network
Non-repudiation: The concept that the authenticity of information can’t be denied
OAuth: An open-standard authorization protocol that shares designated access between

applications
Payment Card Industry Data Security Standards (PCI DSS): A set of security standards
formed by major organizations in the financial industry
Personally identifiable information (PII): Any information used to infer an individual's

identity
Principle of least privilege: The concept of granting only the minimal access and authorization
required to complete a task or function
Protected health information (PHI): Information that relates to the past, present, or future
physical or mental health or condition of an individual
Public key infrastructure (PKI): An encryption framework that secures the exchange of online
information
Rainbow table: A file of pre-generated hash values and their associated plaintext
Salting: An additional safeguard that’s used to strengthen hash functions
Security assessment: A check to determine how resilient current security implementations are
against threats
Security audit: A review of an organization's security controls, policies, and procedures against
a set of expectations
Separation of duties: The principle that users should not be given levels of authorization that
would allow them to misuse a system
Session: A sequence of network HTTP basic auth requests and responses associated with the
same user
Session cookie: A token that websites use to validate a session and determine how long that
session should last
Session hijacking: An event when attackers obtain a legitimate user’s session ID
Session ID: A unique token that identifies a user and their device while accessing a system
Single Sign-On (SSO): A technology that combines several different logins into one
Symmetric encryption: The use of a single secret key to exchange information
User provisioning: The process of creating and maintaining a user's digital identity
The OWASP Top 10

To prepare for future risks, security professionals need to stay informed. Previously, you learned
about the CVE® list, an openly accessible dictionary of known vulnerabilities and exposures. The
CVE® list is an important source of information that the global security community uses to share
information with each other.
In this reading, you’ll learn about another important resource that security professionals reference,
the Open Web Application Security Project, recently renamed Open Worldwide Application Security
Project® (OWASP). You’ll learn about OWASP’s role in the global security community and how
companies use this resource to focus their efforts.
What is OWASP?
OWASP is a nonprofit foundation that works to improve the security of software. OWASP is an open
platform that security professionals from around the world use to share information, tools, and
events that are focused on securing the web.
The OWASP Top 10

One of OWASP’s most valuable resources is the OWASP Top 10. The organization has published
this list since 2003 as a way to spread awareness of the web’s most targeted vulnerabilities. The
Top 10 mainly applies to new or custom made software. Many of the world's largest organizations
reference the OWASP Top 10 during application development to help ensure their programs
address common security mistakes.
Pro tip: OWASP’s Top 10 is updated every few years as technologies evolve. Rankings are based
on how often the vulnerabilities are discovered and the level of risk they present.
Note: Auditors also use the OWASP Top 10 as one point of reference when checking for regulatory
compliance.
Common vulnerabilities
Businesses often make critical security decisions based on the vulnerabilities listed in the OWASP
Top 10. This resource influences how businesses design new software that will be on their network,
unlike the CVE® list, which helps them identify improvements to existing programs. These are the
most regularly listed vulnerabilities that appear in their rankings to know about:
Broken access control

Access controls limit what users can do in a web application. For example, a blog might allow
visitors to post comments on a recent article but restricts them from deleting the article entirely.
Failures in these mechanisms can lead to unauthorized information disclosure, modification, or
destruction. They can also give someone unauthorized access to other business applications.
Cryptographic failures
Information is one of the most important assets businesses need to protect. Privacy laws such as
General Data Protection Regulation (GDPR) require sensitive data to be protected by effective
encryption methods. Vulnerabilities can occur when businesses fail to encrypt things like personally
identifiable information (PII). For example, if a web application uses a weak hashing algorithm, like
MD5, it’s more at risk of suffering a data breach.
Injection
Injection occurs when malicious code is inserted into a vulnerable application. Although the app
appears to work normally, it does things that it wasn’t intended to do. Injection attacks can give
threat actors a backdoor into an organization’s information system. A common target is a website’s
login form. When these forms are vulnerable to injection, attackers can insert malicious code that
gives them access to modify or steal user credentials.
Insecure design
Applications should be designed in such a way that makes them resilient to attack. When they aren’t,
they’re much more vulnerable to threats like injection attacks or malware infections. Insecure design
refers to a wide range of missing or poorly implemented security controls that should have been
programmed into an application when it was being developed.
Security misconfiguration
Misconfigurations occur when security settings aren’t properly set or maintained. Companies use a
variety of different interconnected systems. Mistakes often happen when those systems aren’t
properly set up or audited. A common example is when businesses deploy equipment, like a network
server, using default settings. This can lead businesses to use settings that fail to address the
organization's security objectives.
Vulnerable and outdated components

Vulnerable and outdated components is a category that mainly relates to application development.
Instead of coding everything from scratch, most developers use open-source libraries to complete
their projects faster and easier. This publicly available software is maintained by communities of
programmers on a volunteer basis. Applications that use vulnerable components that have not been
maintained are at greater risk of being exploited by threat actors.
Identification and authentication failures

Identification is the keyword in this vulnerability category. When applications fail to recognize who
should have access and what they’re authorized to do, it can lead to serious problems. For example,
a home Wi-Fi router normally uses a simple login form to keep unwanted guests off the network. If
this defense fails, an attacker can invade the homeowner’s privacy.
Software and data integrity failures

Software and data integrity failures are instances when updates or patches are inadequately
reviewed before implementation. Attackers might exploit these weaknesses to deliver malicious
software. When that occurs, there can be serious downstream effects. Third parties are likely to
become infected if a single system is compromised, an event known as a supply chain attack.
A famous example of a supply chain attack is the SolarWinds cyber attack (2020) where hackers
injected malicious code into software updates that the company unknowingly released to their
customers.
Security logging and monitoring failures

In security, it’s important to be able to log and trace back events. Having a record of events like user
login attempts is critical to finding and fixing problems. Sufficient monitoring and incident response is
equally important.
Server-side request forgery
Companies have public and private information stored on web servers. When you use a hyperlink or
click a button on a website, a request is sent to a server that should validate who you are, fetch the
appropriate data, and then return it to you.
Server-side request forgeries (SSRFs) are when attackers manipulate the normal operations of a
server to read or update other resources on that server. These are possible when an application on
the server is vulnerable. Malicious code can be carried by the vulnerable app to the host server that
will fetch unauthorized data.
Key takeaways
Staying informed and maintaining awareness about the latest cybersecurity trends can be a useful
way to help defend against attacks and prepare for future risks in your security career. OWASP’s
Top 10 is a useful resource where you can learn more about these vulnerabilities.
Open source intelligence

Cyber attacks can sometimes be prevented with the right information, which starts with knowing
where your systems are vulnerable. Previously, you learned that the CVE® list and scanning tools
are two useful ways of finding weaknesses. But, there are other ways to identify vulnerabilities and
threats.
In this reading, you’ll learn about open-source intelligence, commonly known as OSINT. OSINT is
the collection and analysis of information from publicly available sources to generate usable
intelligence. It's commonly used to support cybersecurity activities, like identifying potential threats
and vulnerabilities. You'll learn why open-source intelligence is gathered and how it can improve
cybersecurity. You’ll also learn about commonly used resources and tools for gathering information
and intelligence.
Information vs intelligence
The terms intelligence and information are often used interchangeably, making it easy to mix them
up. Both are important aspects of cybersecurity that differ in their focus and objectives.
Information refers to the collection of raw data or facts about a specific subject. Intelligence, on the
other hand, refers to the analysis of information to produce knowledge or insights that can be used
to support decision-making.
For example, new information might be released about an update to the operating system (OS)
that's installed on your organization's workstations. Later, you might find that new cyber threats have
been linked to this new update by researching multiple cybersecurity news resources. The analysis
of this information can be used as intelligence to guide your organization's decision about installing
the OS updates on employee workstations.
In other words, intelligence is derived from information through the process of analysis,
interpretation, and integration. Gathering information and intelligence are both important aspects of
cybersecurity.
Intelligence improves decision-making

Businesses often use information to gain insights into the behavior of their customers. Insights, or
intelligence, can then be used to improve their decision making. In security, open-source information
is used in a similar way to gain insights into threats and vulnerabilities that can pose risks to an
organization.
OSINT plays a significant role in information security (InfoSec), which is the practice of keeping data
in all states away from unauthorized users.
For example, a company's InfoSec team is responsible for protecting their network from potential
threats. They might utilize OSINT to monitor online forums and hacker communities for discussions
about emerging vulnerabilities. If they come across a forum post discussing a newly discovered
weakness in a popular software that the company uses, the team can quickly assess the risk,
prioritize patching efforts, and implement necessary safeguards to prevent an attack.
Here are some of the ways OSINT can be used to generate intelligence:
 To provide insights into cyber attacks
 To detect potential data exposures
 To evaluate existing defenses
 To identify unknown vulnerabilities

Collecting intelligence is sometimes part of the vulnerability management process. Security teams
might use OSINT to develop profiles of potential targets and make data driven decisions on
improving their defenses.
OSINT tools
There's an enormous amount of open-source information online. Finding relevant information that
can be used to gather intelligence is a challenge. Information can be gathered from a variety of
sources, such as search engines, social media, discussion boards, blogs, and more. Several tools
also exist that can be used in your intelligence gathering process. Here are just a few examples of
tools that you can explore:
 VirusTotal is a service that allows anyone to analyze suspicious files, domains, URLs, and IP
addresses for malicious content.
 MITRE ATT&CK® is a knowledge base of adversary tactics and techniques based on real-
world observations.
 OSINT Framework is a web-based interface where you can find OSINT tools for almost any
kind of source or platform.
 Have I been Pwned is a tool that can be used to search for breached email accounts.
There are numerous other OSINT tools that can be used to find specific types of information.
Remember, information can be gathered from a variety of sources. Ultimately, it's your responsibility
to thoroughly research any available information that's relevant to the problem you’re trying to solve.
Key takeaways
Gathering information and intelligence are important aspects of cybersecurity. OSINT is used to
make evidence-based decisions that can be used to prevent attacks. There’s so much information
available, which is why it's important for security professionals to be skilled with searching for
information. Having familiarity with popular OSINT tools and resources will make your research
easier when gathering information and collecting intelligence.
Approaches to vulnerability scanning

Previously, you learned about a vulnerability assessment, which is the internal review process of an
organization's security systems. An organization performs vulnerability assessments to identify
weaknesses and prevent attacks. Vulnerability scanning tools are commonly used to simulate
threats by finding vulnerabilities in an attack surface. They also help security teams take proactive
steps towards implementing their remediation strategy.
Vulnerability scanners are important tools that you'll likely use in the field. In this reading, you’ll
explore how vulnerability scanners work and the types of scans they can perform.
What is a vulnerability scanner?

A vulnerability scanner is software that automatically compares known vulnerabilities and exposures
against the technologies on the network. In general, these tools scan systems to find
misconfigurations or programming flaws.
Scanning tools are used to analyze each of the five attack surfaces that you learned about in the
video about the defense in depth strategy:
1. Perimeter layer, like authentication systems that validate user access
2. Network layer, which is made up of technologies like network firewalls and others
3. Endpoint layer, which describes devices on a network, like laptops, desktops, or servers
4. Application layer, which involves the software that users interact with
5. Data layer, which includes any information that’s stored, in transit, or in use
When a scan of any layer begins, the scanning tool compares the findings against databases of
security threats. At the end of the scan, the tool flags any vulnerabilities that it finds and adds them
to its reference database. Each scan adds more information to the database, helping the tool be
more accurate in its analysis.
Note: Vulnerability databases are also routinely updated by the company that designed the scanning
software.
Performing scans
Vulnerability scanners are meant to be non-intrusive. Meaning, they don’t break or take advantage of
a system like an attacker would. Instead, they simply scan a surface and alert you to any potentially
unlocked doors in your systems.
Note: While vulnerability scanners are non-intrusive, there are instances when a scan can
inadvertently cause issues, like crash a system.
There are a few different ways that these tools are used to scan a surface. Each approach
corresponds to the pathway a threat actor might take. Next, you can explore each type of scan to get
a clearer picture of this.
External vs. internal
External and internal scans simulate an attacker's approach.

External scans test the perimeter layer outside of the internal network. They analyze outward facing
systems, like websites and firewalls. These kinds of scans can uncover vulnerable things like
vulnerable network ports or servers.
Internal scans start from the opposite end by examining an organization's internal systems. For
example, this type of scan might analyze application software for weaknesses in how it handles user
input.
Authenticated vs. unauthenticated

Authenticated and unauthenticated scans simulate whether or not a user has access to a system.
Authenticated scans might test a system by logging in with a real user account or even with an
admin account. These service accounts are used to check for vulnerabilities, like broken access
controls.
Unauthenticated scans simulate external threat actors that do not have access to your business
resources. For example, a scan might analyze file shares within the organization that are used to
house internal-only documents. Unauthenticated users should receive "access denied" results if they
tried opening these files. However, a vulnerability would be identified if you were able to access a
file.
Limited vs. comprehensive

Limited and comprehensive scans focus on particular devices that are accessed by internal and
external users.
Limited scans analyze particular devices on a network, like searching for misconfigurations on a
firewall.
Comprehensive scans analyze all devices connected to a network. This includes operating systems,
user databases, and more.
Pro tip: Discovery scanning should be done prior to limited or comprehensive scans. Discovery
scanning is used to get an idea of the computers, devices, and open ports that are on a network.
Key takeaways
Finding vulnerabilities requires thinking of all possibilities. Vulnerability scans vary depending on the
surfaces that an organization is evaluating. Usually, seasoned security professionals lead the effort
of configuring and performing these types of scans to create a profile of a company’s security
posture. However, analysts also play an important role in the process. The results of a vulnerability
scan often lead to renewed compliance efforts, procedural changes, and system patching.
Understanding the objectives of common types of vulnerability scans will help you participate in
these proactive security exercises whenever possible.
Tip: To explore vulnerability scanner software commonly used in the cybersecurity industry, in your
preferred browser enter search terms similar to “popular vulnerability scanner software” and/or “open
source vulnerability scanner software used in cybersecurity”.
The importance of updates
At some point in time, you may have wondered, “Why do my devices constantly need updating?” For
consumers, updates provide improvements to performance, stability, and even new features! But
from a security standpoint, they serve a specific purpose. Updates allow organizations to address
security vulnerabilities that can place their users, devices, and networks at risk.
In a video, you learned that updates fit into every security team’s remediation strategy. They usually
take place after a vulnerability assessment, which is the internal review process of an organization's
security systems. In this reading, you’ll learn what updates do, how they’re delivered, and why
they’re important to cybersecurity.
Patching gaps in security

An outdated computer is a lot like a house with unlocked doors. Malicious actors use these gaps in
security the same way, to gain unauthorized access. Software updates are similar to locking the
doors to keep them out.
A patch update is a software and operating system update that addresses security vulnerabilities
within a program or product. Patches usually contain bug fixes that address common security
vulnerabilities and exposures.
Note: Ideally, patches address common vulnerabilities and exposures before malicious hackers find
them. However, patches are sometimes developed as a result of a zero-day, which is an exploit that
was previously unknown.
Common update strategies

When software updates become available, clients and users have two installation options:
 Manual updates
 Automatic updates
As you’ll learn, each strategy has both benefits and disadvantages.
Manual updates
A manual deployment strategy relies on IT departments or users obtaining updates from the
developers. Home office or small business environments might require you to find, download, and
install updates yourself. In enterprise settings, the process is usually handled with a configuration
management tool. These tools offer a range of options to deploy updates, like to all clients on your
network or a select group of users.
Advantage: An advantage of manual update deployment strategies is control. That can be useful if
software updates are not thoroughly tested by developers, leading to instability issues.
Disadvantage: A drawback to manual update deployments is that critical updates can be forgotten or
disregarded entirely.
Automatic updates
An automatic deployment strategy takes the opposite approach. With this option, finding,
downloading, and installing updates can be done by the system or application.
Pro tip: The Cybersecurity and Infrastructure Security Agency (CISA) recommends using automatic
options whenever they’re available.
Certain permissions need to be enabled by users or IT groups before updates can be installed, or
pushed, when they're available. It is up to the developers to adequately test their patches before
release.
Advantage: An advantage to automatic updates is that the deployment process is simplified. It also
keeps systems and software current with the latest, critical patches.
Disadvantage: A drawback to automatic updates is that instability issues can occur if the patches
were not thoroughly tested by the vendor. This can result in performance problems and a poor user
experience.
End-of-life software
Sometimes updates are not available for a certain type of software known as end-of-life (EOL)
software. All software has a lifecycle. It begins when it’s produced and ends when a newer version is
released. At that point, developers must allocate resources to the newer versions, which leads to
EOL software. While the older software is still useful, the manufacturer no longer supports it.
Note: Patches and updates are very different from upgrades. Upgrades refer to completely new
versions of hardware or software that can be purchased.
CISA recommends discontinuing the use of EOL software because it poses an unfixable risk to
systems. But, this recommendation is not always followed. Replacing EOL technology can be costly
for businesses and individual users.
The risks that EOL software presents continues to grow as more connected devices enter the
marketplace. For example, there are billions of Internet of Things (IoT) devices, like smart light
bulbs, connected to home and work networks. In some business settings, all an attacker needs is a
single unpatched device to gain access to the network and cause problems.
Key takeaways
Updating software and patching vulnerabilities is an important practice that everyone should
participate in. Unfortunately, that’s not always the case. Many of the biggest cyber attacks in the
world might have been prevented if systems were kept updated. One example is the WannaCry
attack of 2017. The attack affected computers in more than 150 countries and caused an estimated
$4 billion dollars in damages. Researchers have since found that WannaCry could have been
prevented if the infected systems were up-to-date with a security patch that was made available
months before the attack. Keeping software updated requires effort. However, the benefits they
provide make them worthwhile.
Penetration testing
An effective security plan relies on regular testing to find an organization's weaknesses. Previously,
you learned that vulnerability assessments, the internal review process of an organization's security
systems, are used to design defense strategies based on system weaknesses. In this reading, you'll
learn how security teams evaluate the effectiveness of their defenses using penetration testing.
Penetration testing
A penetration test, or pen test, is a simulated attack that helps identify vulnerabilities in systems,
networks, websites, applications, and processes. The simulated attack in a pen test involves using
the same tools and techniques as malicious actors in order to mimic a real life attack. Since a pen
test is an authorized attack, it is considered to be a form of ethical hacking. Unlike a vulnerability
assessment that finds weaknesses in a system's security, a pen test exploits those weaknesses to
determine the potential consequences if the system breaks or gets broken into by a threat actor.
For example, the cybersecurity team at a financial company might simulate an attack on their
banking app to determine if there are weaknesses that would allow an attacker to steal customer
information or illegally transfer funds. If the pen test uncovers misconfigurations, the team can
address them and improve the overall security of the app.
Note: Organizations that are regulated by PCI DSS, HIPAA, or GDPR must routinely perform
penetration testing to maintain compliance standards.
Learning from varied perspectives

These authorized attacks are performed by pen testers who are skilled in programming and network
architecture. Depending on their objectives, organizations might use a few different approaches to
penetration testing:
 Red team tests simulate attacks to identify vulnerabilities in systems, networks, or

applications.
 Blue team tests focus on defense and incident response to validate an organization's
existing security systems.
 Purple team tests are collaborative, focusing on improving the security posture of the
organization by combining elements of red and blue team exercises.
Red team tests are commonly performed by independent pen testers who are hired to evaluate
internal systems. Although, cybersecurity teams may also have their own pen testing experts.
Regardless of the approach, penetration testers must make an important decision before simulating
an attack: How much access and information do I need?
Penetration testing strategies
There are three common penetration testing strategies:
 Open-box testing is when the tester has the same privileged access that an internal
developer would have—information like system architecture, data flow, and network
diagrams. This strategy goes by several different names, including internal, full knowledge,
white-box, and clear-box penetration testing.
 Closed-box testing is when the tester has little to no access to internal systems—similar to a
malicious hacker. This strategy is sometimes referred to as external, black-box, or zero
knowledge penetration testing.
 Partial knowledge testing is when the tester has limited access and knowledge of an internal
system—for example, a customer service representative. This strategy is also known as
gray-box testing.
Closed box testers tend to produce the most accurate simulations of a real-world attack.
Nevertheless, each strategy produces valuable results by demonstrating how an attacker might
infiltrate a system and what information they could access.
Becoming a penetration tester

Penetration testers are in-demand in the fast growing field of cybersecurity. All of the skills you’re
learning in this program can help you advance towards a career in pen testing:
 Network and application security
 Experience with operating systems, like Linux
 Vulnerability analysis and threat modeling
 Detection and response tools
 Programming languages, like Python and BASH
 Communication skills
Programming skills are very helpful in penetration testing because it's often performed on software
and IT systems. With enough practice and dedication, cybersecurity professionals at any level can
develop the skills needed to be a pen tester.
Bug bounty programs

Organizations commonly run bug bounty programs which offer freelance pen testers financial
rewards for finding and reporting vulnerabilities in their products. Bug bounties are great
opportunities for amateur security professionals to participate and grow their skills.
Pro tip: HackerOne is a community of ethical hackers where you can find active bug bounties to
participate in.
Key takeaways
A major risk for organizations is malicious hackers breaking into their systems. Penetration testing is
another way for organizations to secure their systems. Security teams use these simulated attacks
to get a clearer picture of weaknesses in their defenses. There’s a growing need for specialized
security professionals in this field. Even if you start out assisting with these activities, there’s plenty
of opportunities to grow and learn the skills to be a pen tester.
Portfolio Activity Exemplar: Analyze a vulnerable system

for a small business
Here is a completed exemplar along with an explanation of how the exemplar fulfills the
expectations for the activity.
Completed Exemplar
To review the exemplar for this course item, click the following link and select Use Template.
Link to exemplar: Vulnerability assessment report
OR
If you don’t have a Google account, you can download the exemplar directly from the following
attachment.
Vulnerability assessment report exemplar
DOCX File
Compare the exemplar to your completed activity. Review your work using each of the criteria in
the exemplar. What did you do well? Where can you improve? Use your answers to these
questions to guide you as you continue to progress through the course.
Note: The exemplar represents one possible way to complete the activity. Yours will likely differ
in certain ways. What’s important is that your vulnerability assessment report includes each of
the following elements: an explanation of the purpose of the assessment, a completed risk
assessment table, an explanation of your approach to quantifying risk, and details of your
remediation strategy that address the system's vulnerabilities.
The exemplar uses details from the given scenario and includes the following:
 3-5 sentences describing the reasons for conducting the security analysis in the Purpose
section
 A completed Risk Assessment section
 3-5 sentences explaining the reasoning for the identified risks in the Approach section
 3-5 sentences summarizing a remediation and/or mitigation strategy in the Remediation

section
Overview
The exemplar report contains a Purpose section that is an explanation of the information system
that's being assessed—a publicly accessible database server. This statement describes the
business function of the system. It also makes clear the reason for conducting the analysis.
The Risk Assessment section of the exemplar contains a completed table. The risk assessment
identifies potential threat sources and threat events that could negatively impact the business.
Both were determined by asking questions such as:
 Is the threat relevant to this system?
 Is the threat internal or external?
 What is the threat actor’s intent?
 What are the threat actors’ technical capabilities?
The risk of each threat is quantified by multiplying its likelihood of occurring with the severity of
its impact on the business. Then, an overall risk score is calculated that demonstrates to
stakeholders both the seriousness of the risks to the database and how resources should be
prioritized to address the most critical risks.
Note: The number of rows in a risk assessment table can vary depending on the complexity and
scope of the assessment.
The Approach section of the exemplar is a statement following the risk assessment that explains
why and how specific threats were evaluated.
Lastly, a plan for securing the vulnerable database server was outlined in the Remediation
section of the report.
Key takeaways
It's crucial for security analysts to develop risk assessment and reporting skills. These skills will
enable you to identify potential risk within an organization's systems and escalate that
information to the appropriate channels. This activity is intended as an opportunity for you to
practice analyzing the risks of a vulnerable system. You can add this document to your
cybersecurity portfolio. However, all systems have vulnerabilities. As such, you're encouraged to
continue practicing these skills by applying them to other systems that are discussed in the
program.
Approach cybersecurity with an attacker mindset

Cybersecurity is a continuously changing field. It's a fast-paced environment where new threats and
innovative technologies can disrupt your plans at a moment's notice. As a security professional, it’s
up to you to be prepared by anticipating change.
This all starts with identifying vulnerabilities. In a video, you learned about the importance of
vulnerability assessments, the internal review process of an organization's security systems. In this
reading, you will learn how you can use the findings of a vulnerability assessment proactively by
analyzing them from the perspective of an attacker.
Being prepared for anything

Having a plan should things go wrong is important. But how do you figure out what to plan for? In
this field, teams often conduct simulations of things that can go wrong as part of their vulnerability
management strategy. One way this is done is by applying an attacker mindset to the weaknesses
they discover.
Applying an attacker mindset is a lot like conducting an experiment. It's about causing problems in a
controlled environment and evaluating the outcome to gain insights. Adopting an attacker mindset is
a beneficial skill in security because it offers a different perspective about the challenges you're
trying to solve. The insights you gain can be valuable when it's time to establish a security plan or
modify an existing one.
Simulating threats
One method of applying an attacker mindset is using attack simulations. These activities are
normally performed in one of two ways: proactively and reactively. Both approaches share a
common goal, which is to make systems safer.
 Proactive simulations assume the role of an attacker by exploiting vulnerabilities and

breaking through defenses. This is sometimes called a red team exercise.
 Reactive simulations assume the role of a defender responding to an attack. This is

sometimes called a blue team exercise.
Each kind of simulation is a team effort that you might be involved with as an analyst.
Proactive teams tend to spend more time planning their attacks than performing them. If you find
yourself engaged in one of these exercises, your team will likely deploy a range of tactics. For
example, they might persuade staff into disclosing their login credentials using fictitious emails to
evaluate security awareness at the company.
On the other hand, reactive teams dedicate their efforts to gathering information about the assets
they're protecting. This is commonly done with the assistance of vulnerability scanning tools.
Scanning for trouble

You might recall that a vulnerability scanner is software that automatically compares existing
common vulnerabilities and exposures against the technologies on the network. Vulnerability
scanners are frequently used in the field. Security teams employ a variety of scanning techniques to
uncover weaknesses in their defenses. Reactive simulations often rely on the results of a scan to
weigh the risks and determine ways to remediate a problem.
For example, a team conducting a reactive simulation might perform an external vulnerability scan of
their network. The entire exercise might follow the steps you learned in a video about vulnerability
assessments:
 Identification: A vulnerable server is flagged because it's running an outdated operating

system (OS).
 Vulnerability analysis: Research is done on the outdated OS and its vulnerabilities.
 Risk assessment: After doing your due diligence, the severity of each vulnerability is scored
and the impact of not fixing it is evaluated.
 Remediation: Finally, the information that you’ve gathered can be used to address the issue.
During an activity like this, you’ll often produce a report of your findings. These can be brought to the
attention of service providers or your supervisors. Clearly communicating the results of these
exercises to others is an important skill to develop as a security professional.
Finding innovative solutions

Many security controls that you’ve learned about were created as a reactive response to risks.
That’s because criminals are continually looking for ways to bypass existing defenses. Effectively
applying an attacker mindset will require you to stay knowledgeable of security trends and emerging
technologies.
Pro tip: Resources like NISTs National Vulnerability Database (NVD) can help you remain current on
common vulnerabilities.
Key takeaways
Vulnerability assessments are an important part of security risk planning. As an analyst, you’ll likely
participate in proactive and reactive simulations of these activities. Preparing yourself by researching
common vulnerabilities only goes so far. It’s equally important that you stay informed about new
technologies to be able to think with an innovative mindset.
Types of threat actors
Anticipating attacks is an important skill you’ll need to be an effective security professional.
Developing this skill requires you to have an open and flexible mindset about where attacks can
come from. Previously, you learned about attack surfaces, which are all the potential vulnerabilities
that a threat actor could exploit.
Networks, servers, devices, and staff are examples of attack surfaces that can be exploited. Security
teams of all sizes regularly find themselves defending these surfaces due to the expanding digital
landscape. The key to defending any of them is to limit access to them.
In this reading, you’ll learn more about threat actors and the types of risks they pose. You’ll also
explore the most common features of an attack surface that threat actors can exploit.
Threat actors
A threat actor is any person or group who presents a security risk. This broad definition refers to
people inside and outside an organization. It also includes individuals who intentionally pose a
threat, and those that accidentally put assets at risk. That’s a wide range of people!
Threat actors are normally divided into five categories based on their motivations:
 Competitors refers to rival companies who pose a threat because they might benefit from
leaked information.
 State actors are government intelligence agencies.
 Criminal syndicates refer to organized groups of people who make money from criminal
activity.
 Insider threats can be any individual who has or had authorized access to an organization’s
resources. This includes employees who accidentally compromise assets or individuals who
purposefully put them at risk for their own benefit.
 Shadow IT refers to individuals who use technologies that lack IT governance. A common
example is when an employee uses their personal email to send work-related
communications.
In the digital attack surface, these threat actors often gain unauthorized access by hacking into
systems. By definition, a hacker is any person who uses computers to gain unauthorized access to
computer systems, networks, or data. Similar to the term threat actor, hacker is also an umbrella
term. When used alone, the term fails to capture a threat actor’s intentions.
Types of hackers
Because the formal definition of a hacker is broad, the term can be a bit ambiguous. In security, it
applies to three types of individuals based on their intent:
1. Unauthorized hackers
2. Authorized, or ethical, hackers
3. Semi-authorized hackers
An unauthorized hacker, or unethical hacker, is an individual who uses their programming skills to
commit crimes. Unauthorized hackers are also known as malicious hackers. Skill level ranges widely
among this category of hacker. For example, there are hackers with limited skills who can’t write
their own malicious software, sometimes called script kiddies. Unauthorized hackers like this carry
out attacks using pre-written code that they obtain from other, more skilled hackers.
Authorized, or ethical, hackers refer to individuals who use their programming skills to improve an
organization's overall security. These include internal members of a security team who are
concerned with testing and evaluating systems to secure the attack surface. They also include
external security vendors and freelance hackers that some companies incentivize to find and report
vulnerabilities, a practice called bug bounty programs.
Semi-authorized hackers typically refer to individuals who might violate ethical standards, but are not
considered malicious. For example, a hacktivist is a person who might use their skills to achieve a
political goal. One might exploit security vulnerabilities of a public utility company to spread
awareness of their existence. The intentions of these types of threat actors is often to expose
security risks that should be addressed before a malicious hacker finds them.
Advanced persistent threats
Many malicious hackers find their way into a system, cause trouble, and then leave. But on some
occasions, threat actors stick around. These kinds of events are known as advanced persistent
threats, or APTs.
An advanced persistent threat (APT) refers to instances when a threat actor maintains unauthorized
access to a system for an extended period of time. The term is mostly associated with nation states
and state-sponsored actors. Typically, an APT is concerned with surveilling a target to gather
information. They then use the intel to manipulate government, defense, financial, and telecom
services.
Just because the term is associated with state actors does not mean that private businesses are
safe from APTs. These kinds of threat actors are stealthy because hacking into another government
agency or utility is costly and time consuming. APTs will often target private organizations first as a
step towards gaining access to larger entities.
Access points
Each threat actor has a unique motivation for targeting an organization's assets. Keeping them out
takes more than knowing their intentions and capabilities. It’s also important to recognize the types
of attack vectors they’ll use.
For the most part, threat actors gain access through one of these attack vector categories:
 Direct access, referring to instances when they have physical access to a system
 Removable media, which includes portable hardware, like USB flash drives
 Social media platforms that are used for communication and content sharing
 Email, including both personal and business accounts
 Wireless networks on premises
 Cloud services usually provided by third-party organizations
 Supply chains like third-party vendors that can present a backdoor into systems
Any of these attack vectors can provide access to a system. Recognizing a threat actor’s intentions
can help you determine which access points they might target and what ultimate goals they could
have. For example, remote workers are more likely to present a threat via email than a direct access
threat.
Key takeaways
Defending an attack surface starts with thinking like a threat actor. As a security professional, it’s
important to understand why someone would pose a threat to organizational assets. This includes
recognizing that every threat actor isn’t intentionally out to cause harm.
It’s equally important to recognize the ways in which a threat actor might gain access to a system.
Matching intentions with attack vectors is an invaluable skill as you continue to develop an attacker
mindset.
Fortify against brute force cyber attacks

Usernames and passwords are one of the most common and important security controls in use
today. They’re like the door lock that organizations use to restrict access to their networks, services,
and data. But a major issue with relying on login credentials as a critical line of defense is that
they’re vulnerable to being stolen and guessed by attackers.
In a video, you learned that brute force attacks are a trial-and-error process of discovering private
information. In this reading, you’ll learn about the many tactics and tools used by threat actors to
perform brute force attacks. You’ll also learn prevention strategies that organizations can use to
defend against them.
A matter of trial and error

One way of opening a closed lock is trying as many combinations as possible. Threat actors
sometimes use similar tactics to gain access to an application or a network.
Attackers use a variety of tactics to find their way into a system:
 Simple brute force attacks are an approach in which attackers guess a user's login
credentials. They might do this by entering any combination of username and password that
they can think of until they find the one that works.
 Dictionary attacks are a similar technique except in these instances attackers use a list of
commonly used credentials to access a system. This list is similar to matching a definition to
a word in a dictionary.
 Reverse brute force attacks are similar to dictionary attacks, except they start with a single
credential and try it in various systems until a match is found.
 Credential stuffing is a tactic in which attackers use stolen login credentials from previous
data breaches to access user accounts at another organization. A specialized type of
credential stuffing is called pass the hash. These attacks reuse stolen, unsalted hashed
credentials to trick an authentication system into creating a new authenticated user session
on the network.
Note: Besides access credentials, encrypted information can sometimes be brute forced using a
technique known as exhaustive key search.
Each of these methods involve a lot of guess work. Brute forcing your way into a system can be a
tedious and time consuming process—especially when it’s done manually. That’s why threat actors
often use tools to conduct their attacks.
Tools of the trade

There are so many combinations that can be used to create a single set of login credentials. The
number of characters, letters, and numbers that can be mixed together is truly incredible. When
done manually, it could take someone years to try every possible combination.
Instead of dedicating the time to do this, attackers often use software to do the guess work for them.
These are some common brute forcing tools:
 Aircrack-ng
 Hashcat
 John the Ripper
 Ophcrack
 THC Hydra
Sometimes, security professionals use these tools to test and analyze their own systems. They each
serve different purposes. For example, you might use Aircrack-ng to test a Wi-Fi network for
vulnerabilities to brute force attack.
Prevention measures
Organizations defend against brute force attacks with a combination of technical and managerial
controls. Each make cracking defense systems through brute force less likely:
 Hashing and salting
 Multi-factor authentication (MFA)
 CAPTCHA
 Password policies
Technologies, like multi-factor authentication (MFA), reinforce each login attempt by requiring a
second or third form of identification. Other important tools are CAPTCHA and effective password
policies.
Hashing and salting

Hashing converts information into a unique value that can then be used to determine its integrity.
Salting is an additional safeguard that’s used to strengthen hash functions. It works by adding
random characters to data, like passwords. This increases the length and complexity of hash values,
making them harder to brute force and less susceptible to dictionary attacks.
Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is a security measure that requires a user to verify their identity in
two or more ways to access a system or network. MFA is a layered approach to protecting
information. MFA limits the chances of brute force attacks because unauthorized users are unlikely
to meet each authentication requirement even if one credential becomes compromised.
CAPTCHA
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans
Apart. It is known as a challenge-response authentication system. CAPTCHA asks users to
complete a simple test that proves they are human and not software that’s trying to brute force a
password.
Here are common CAPTCHA examples:
There are two types of CAPTCHA tests. One scrambles and distorts a randomly generated
sequence of letters and/or numbers and asks users to enter them into a text box. The other test asks
users to match images to a randomly generated word. You’ve likely had to pass a CAPTCHA test
when accessing a web service that contains sensitive information, like an online bank account.
Password policy
Organizations use these managerial controls to standardize good password practices across their
business. For example, one of these policies might require users to create passwords that are at
least 8 characters long and feature a letter, number, and symbol. Other common requirements can
include password lockout policies. For example, a password lockout can limit the number of login
attempts before access to an account is suspended and require users to create new, unique
passwords after a certain amount of time.
The purpose of each of these requirements is to create more possible password combinations. This
lengthens the amount of time it takes an attacker to find one that will work. The National Institute of
Standards and Technology (NIST) Special Publication 800-63B provides detailed guidance that
organizations can reference when creating their own password policies.
Key takeaways
Brute force attacks are simple yet reliable ways to gain unauthorized access to systems. Generally,
the stronger a password is, the more resilient it is to being cracked. As a security professional, you
might find yourself using the tools described above to test the security of your organization's
systems. Recognizing the tactics and tools used to conduct a brute force attack is the first step
towards stopping attackers.

Advanced persistent threat (APT): An instance when a threat actor maintains unauthorized access to
a system for an extended period of time
Attack surface: All the potential vulnerabilities that a threat actor could exploit
Attack tree: A diagram that maps threats to assets
Attack vector: The pathways attackers use to penetrate security defenses
Bug bounty: Programs that encourage freelance hackers to find and report vulnerabilities
Common Vulnerabilities and Exposures (CVE®) list: An openly accessible dictionary of known
vulnerabilities and exposures
Common Vulnerability Scoring System (CVSS): A measurement system that scores the severity of a
vulnerability
CVE Numbering Authority (CNA): An organization that volunteers to analyze and distribute
information on eligible CVEs
Defense in depth: A layered approach to vulnerability management that reduces risk
Exploit: A way of taking advantage of a vulnerability

Exposure: A mistake that can be exploited by a threat
Hacker: Any person who uses computers to gain access to computer systems, networks, or data
MITRE: A collection of non-profit research and development centers
Security hardening: The process of strengthening a system to reduce its vulnerability and attack
surface
Threat actor: Any person or group who presents a security risk
Vulnerability: A weakness that can be exploited by a threat
Vulnerability assessment: The internal review process of a company’s security systems
Vulnerability management: The process of finding and patching vulnerabilities
Vulnerability scanner: Software that automatically compares existing common vulnerabilities and
exposures against the technologies on the network
Zero-day: An exploit that was previously unknown
Social engineering tactics

Social engineering attacks are a popular choice among threat actors. That’s because it’s often easier
to trick people into providing them with access, information, or money than it is to exploit a software
or network vulnerability.
As you might recall, social engineering is a manipulation technique that exploits human error to gain
private information, access, or valuables. It's an umbrella term that can apply to a broad range of
attacks. Each technique is designed to capitalize on the trusting nature of people and their
willingness to help. In this reading, you will learn about specific social engineering tactics to watch
out for. You’ll also learn ways that organizations counter these threats.
Social engineering risks
Social engineering is a form of deception that takes advantage of the way people think. It preys on
people’s natural feelings of curiosity, generosity, and excitement. Threat actors turn those feelings
against their targets by affecting their better judgment. Social engineering attacks can be incredibly
harmful because of how easy they can be to accomplish.
One of the highest-profile social engineering attacks that occurred in recent years was the Twitter
Hack of 2020. During that incident, a group of hackers made phone calls to Twitter employees
pretending to be from the IT department. Using this basic scam, the group managed to gain access
to the organization’s network and internal tools. This allowed them to take over the accounts of high-
profile users, including politicians, celebrities, and entrepreneurs.
Attacks like this are just one example of the chaos threat actors can create using basic social
engineering techniques. These attacks present serious risks because they don’t require
sophisticated computer skills to perform. Defending against them requires a multi-layered approach
that combines technological controls with user awareness.
Signs of an attack
Oftentimes, people are unable to tell that an attack is happening until it's too late. Social engineering
is such a dangerous threat because it typically allows attackers to bypass technological defenses
that are in their way. Although these threats are difficult to prevent, recognizing the signs of social
engineering is a key to reducing the likelihood of a successful attack.
These are common types of social engineering to watch out for:
 Baiting is a social engineering tactic that tempts people into compromising their security. A
common example is USB baiting that relies on someone finding an infected USB drive and
plugging it into their device.
 Phishing is the use of digital communications to trick people into revealing sensitive data or
deploying malicious software. It is one of the most common forms of social engineering,
typically performed via email.
 Quid pro quo is a type of baiting used to trick someone into believing that they’ll be rewarded
in return for sharing access, information, or money. For example, an attacker might
impersonate a loan officer at a bank and call customers offering them a lower interest rate on
their credit card. They'll tell the customers that they simply need to provide their account
details to claim the deal.
 Tailgating is a social engineering tactic in which unauthorized people follow an authorized

person into a restricted area. This technique is also sometimes referred to as piggybacking.
 Watering hole is a type of attack when a threat actor compromises a website frequently
visited by a specific group of users. Oftentimes, these watering hole sites are infected with
malicious software. An example is the Holy Water attack of 2020 that infected various
religious, charity, and volunteer websites.
Attackers might use any of these techniques to gain unauthorized access to an organization.
Everyone is vulnerable to them, from entry-level employees to senior executives. However, you can
reduce the risks of social engineering attacks at any business by teaching others what to expect.
Encouraging caution
Spreading awareness usually starts with comprehensive security training. When it comes to social
engineering, there are three main areas to focus on when teaching others:
 Stay alert of suspicious communications and unknown people, especially when it comes to
email. For example, look out for spelling errors and double-check the sender's name and
email address.
 Be cautious about sharing information, especially over social media. Threat actors often
search these platforms for any information they can use to their advantage.
 Control curiosity when something seems too good to be true. This can include wanting to
click on attachments or links in emails and advertisements.
Pro tip: Implementing technologies like firewalls, multi-factor authentication (MFA), block lists, email
filtering, and others helps layers the defenses should someone make a mistake.
Ideally, security training extends beyond employees. Educating customers about social engineering
threats is also a key to mitigating these threats. And security analysts play an important part in
promoting safe practices. For example, a big part of an analyst's job is testing systems and
documenting best practices for others at an organization to follow.
Key takeaways
People’s willingness to help one another and their trusting nature is what makes social engineering
such an appealing tactic for criminals. It just takes one act of kindness or a momentary lapse in
judgment for an attack to work. Criminals go to great lengths to make their attacks difficult to detect.
They rely on a variety of manipulation techniques to trick their targets into granting them access. For
that reason, implementing effective controls and recognizing the signs of an attack go a long way
towards preventing threats.
Types of phishing
Phishing is one of the most common types of social engineering, which are manipulation techniques
that exploit human error to gain private information, access, or valuables. Previously, you learned
how phishing is the use of digital communications to trick people into revealing sensitive data or
deploying malicious software.
Sometimes, phishing attacks appear to come from a trusted person or business. This can lead
unsuspecting recipients into acting against their better judgment, causing them to break security
procedures. In this reading, you’ll learn about common phishing tactics used by attackers today.
The origins of phishing

Phishing has been around since the early days of the internet. It can be traced back to the 1990s. At
the time, people across the world were coming online for the first time. As the internet became more
accessible it began to attract the attention of malicious actors. These malicious actors realized that
the internet gave them a level of anonymity to commit their crimes.
Early persuasion tactics
One of the earliest instances of phishing was aimed at a popular chat service called AOL Instant
Messenger (AIM). Users of the service began receiving emails asking them to verify their accounts
or provide personal billing information. The users were unaware that these messages were sent by
malicious actors pretending to be service providers.
This was one of the first examples of mass phishing, which describes attacks that send malicious
emails out to a large number of people, increasing the likelihood of baiting someone into the trap.
During the AIM attacks, malicious actors carefully crafted emails that appeared to come directly from
AOL. The messages used official logos, colors, and fonts to trick unsuspecting users into sharing
their information and account details.
Attackers used the stolen information to create fraudulent AOL accounts they could use to carry out
other crimes anonymously. AOL was forced to adapt their security policies to address these threats.
The chat service began including messages on their platforms to warn users about phishing attacks.
How phishing has evolved

Phishing continued evolving at the turn of the century as businesses and newer technologies began
entering the digital landscape. In the early 2000s, e-commerce and online payment systems started
to become popular alternatives to traditional marketplaces. The introduction of online transactions
presented new opportunities for attackers to commit crimes.
A number of techniques began to appear around this time period, many of which are still used today.
There are five common types of phishing that every security analyst should know:
 Email phishing is a type of attack sent via email in which threat actors send messages
pretending to be a trusted person or entity.
 Smishing is a type of phishing that uses Short Message Service (SMS), a technology that
powers text messaging. Smishing covers all forms of text messaging services, including
Apple’s iMessages, WhatsApp, and other chat mediums on phones.
 Vishing refers to the use of voice calls or voice messages to trick targets into providing
personal information over the phone.
 Spear phishing is a subset of email phishing in which specific people are purposefully
targeted, such as the accountants of a small business.
 Whaling refers to a category of spear phishing attempts that are aimed at high-ranking
executives in an organization.
Since the early days of phishing, email attacks remain the most common types that are used. While
they were originally used to trick people into sharing access credentials and credit card information,
email phishing became a popular method to infect computer systems and networks with malicious
software.
In late 2003, attackers around the world created fraudulent websites that resembled businesses like
eBay and PayPal™. Mass phishing campaigns to distribute malicious programs were also launched
against e-commerce and banking sites.
Recent trends
Starting in the 2010s, attackers began to shift away from mass phishing attempts that relied on
baiting unsuspecting people into a trap. Leveraging new technologies, criminals began carrying out
what’s known as targeted phishing attempts. Targeted phishing describes attacks that are sent to
specific targets using highly customized methods to create a strong sense of familiarity.
A type of targeted phishing that evolved in the 2010s is angler phishing. Angler phishing is a
technique where attackers impersonate customer service representatives on social media. This
tactic evolved from people’s tendency to complain about businesses online. Threat actors intercept
complaints from places like message boards or comment sections and contact the angry customer
via social media. Like the AIM attacks of the 1990s, they use fraudulent accounts that appear similar
to those of actual businesses. They then trick the angry customers into sharing sensitive information
with the promise of fixing their problem.
Key takeaways
Phishing tactics have become very sophisticated over the years. Unfortunately, there isn't a perfect
solution that prevents these attacks from happening. Tactics, like email phishing that started in the
last century, remain an effective and profitable method of attack for criminals online today.
There isn’t a technological solution to prevent phishing entirely. However, there are many ways to
reduce the damage from these attacks when they happen. One way is to spread awareness and
inform others. As a security professional, you may be responsible for helping others identify forms of
social engineering, like phishing. For example, you might create training programs that educate
employees about topics like phishing. Sharing your knowledge with others is an important
responsibility that helps build a culture of security.
An introduction to malware
Previously, you learned that malware is software designed to harm devices or networks. Since its
first appearance on personal computers decades ago, malware has developed into a variety of
strains. Being able to identify different types of malware and understand the ways in which they are
spread will help you stay alert and be informed as a security professional.
Virus
A virus is malicious code written to interfere with computer operations and cause damage to data
and software. This type of malware must be installed by the target user before it can spread itself
and cause damage. One of the many ways that viruses are spread is through phishing campaigns
where malicious links are hidden within links or attachments.
Worm
A worm is malware that can duplicate and spread itself across systems on its own. Similar to a virus,
a worm must be installed by the target user and can also be spread with tactics like malicious email.
Given a worm's ability to spread on its own, attackers sometimes target devices, drives, or files that
have shared access over a network.
A well known example is the Blaster worm, also known as Lovesan, Lovsan, or MSBlast. In the early
2000s, this worm spread itself on computers running Windows XP and Windows 2000 operating
systems. It would force devices into a continuous loop of shutting down and restarting. Although it
did not damage the infected devices, it was able to spread itself to hundreds of thousands of users
around the world. Many variants of the Blaster worm have been deployed since the original and can
infect modern computers.
Note: Worms were very popular attacks in the mid 2000s but are less frequently used in recent
years.
Trojan
A trojan, also called a Trojan horse, is malware that looks like a legitimate file or program. This
characteristic relates to how trojans are spread. Similar to viruses, attackers deliver this type of
malware hidden in file and application downloads. Attackers rely on tricking unsuspecting users into
believing they’re downloading a harmless file, when they’re actually infecting their own device with
malware that can be used to spy on them, grant access to other devices, and more.
Adware
Advertising-supported software, or adware, is a type of legitimate software that is sometimes used to
display digital advertisements in applications. Software developers often use adware as a way to
lower their production costs or to make their products free to the public—also known as freeware or
shareware. In these instances, developers monetize their product through ad revenue rather than at
the expense of their users.
Malicious adware falls into a sub-category of malware known as a potentially unwanted application
(PUA). A PUA is a type of unwanted software that is bundled in with legitimate programs which
might display ads, cause device slowdown, or install other software. Attackers sometimes hide this
type of malware in freeware with insecure design to monetize ads for themselves instead of the
developer. This works even when the user has declined to receive ads.
Spyware
Spyware is malware that's used to gather and sell information without consent. It's also considered a
PUA. Spyware is commonly hidden in bundleware, additional software that is sometimes packaged
with other applications. PUAs like spyware have become a serious challenge in the open-source
software development ecosystem. That’s because developers tend to overlook how their software
could be misused or abused by others.
Scareware
Another type of PUA is scareware. This type of malware employs tactics to frighten users into
infecting their own device. Scareware tricks users by displaying fake warnings that appear to come
from legitimate companies. Email and pop-ups are just a couple of ways scareware is spread. Both
can be used to deliver phony warnings with false claims about the user's files or data being at risk.
Fileless malware
Fileless malware does not need to be installed by the user because it uses legitimate programs that
are already installed to infect a computer. This type of infection resides in memory where the
malware never touches the hard drive. This is unlike the other types of malware, which are stored
within a file on disk. Instead, these stealthy infections get into the operating system or hide within
trusted applications.
Pro tip: Fileless malware is detected by performing memory analysis, which requires experience with
operating systems.
Rootkits
A rootkit is malware that provides remote, administrative access to a computer. Most attackers use
rootkits to open a backdoor to systems, allowing them to install other forms of malware or to conduct
network security attacks.
This kind of malware is often spread by a combination of two components: a dropper and a loader. A
dropper is a type of malware that comes packed with malicious code which is delivered and installed
onto a target system. For example, a dropper is often disguised as a legitimate file, such as a
document, an image, or an executable to deceive its target into opening, or dropping it, onto their
device. If the user opens the dropper program, its malicious code is executed and it hides itself on
the target system.
Multi-staged malware attacks, where multiple packets of malicious code are deployed, commonly
use a variation called a loader. A loader is a type of malware that downloads strains of malicious
code from an external source and installs them onto a target system. Attackers might use loaders for
different purposes, such as to set up another type of malware---a botnet.
Botnet
A botnet, short for “robot network,” is a collection of computers infected by malware that are under
the control of a single threat actor, known as the “bot-herder.” Viruses, worms, and trojans are often
used to spread the initial infection and turn the devices into a bot for the bot-herder. The attacker
then uses file sharing, email, or social media application protocols to create new bots and grow the
botnet. When a target unknowingly opens the malicious file, the computer, or bot, reports the
information back to the bot-herder, who can execute commands on the infected computer.
Ransomware
Ransomware describes a malicious attack where threat actors encrypt an organization's data and
demand payment to restore access. According to the Cybersecurity and Infrastructure Security
Agency (CISA), ransomware crimes are on the rise and becoming increasingly sophisticated.
Ransomware infections can cause significant damage to an organization and its customers. An
example is the WannaCry attack that encrypts a victim's computer until a ransom payment of
cryptocurrency is paid.
Key takeaways
The variety of malware is astounding. The number of ways that it’s spread is even more staggering.
Malware is a complex threat that can require its own specialization in cybersecurity. One place to
learn more about malware analysis is INFOSEC's introductory course on malware analysis. Even
without specializing in malware analysis, recognizing the types of malware and how they’re spread is
an important part of defending against these attacks as a security analyst.
Prevent injection attacks
Previously, you learned that Structured Query Language (SQL) is a programming language used to
create, interact with, and request information from a database. SQL is one of the most common
programming languages used to interact with databases because it is widely supported by a range
of database products.
As you might recall, malicious SQL injection is a type of attack that executes unexpected queries on
a database. Threat actors perform SQL injections to modify, delete, or steal information from
databases. A SQL injection is a common attack vector that is used to gain unauthorized access to
web applications. Due to the language's popularity with developers, SQL injections are regularly
listed in the OWASP® Top 10 because developers tend to focus on making their applications work
correctly rather than protecting their products from injection.
In this reading, you'll learn about SQL queries and how they are used to request information from a
database. You will also learn about the three classes of SQL injection attacks used to manipulate
vulnerable queries. You will also learn ways to identify when websites are vulnerable and ways to
address those gaps.
SQL queries
Every bit of information that’s accessed online is stored in a database. A database is an organized
collection of information or data in one place. A database can include data such as an organization's
employee directory or customer payment methods. In SQL, database information is organized in
tables. SQL is commonly used for retrieving, inserting, updating, or deleting information in tables
using queries.
A SQL query is a request for data from a database. For example, a SQL query can request data
from an organization's employee directory such as employee IDs, names, and job titles. A human
resources application can accept an input that queries a SQL table to filter the data and locate a
specific person. SQL injections can occur anywhere within a vulnerable application that can accept a
SQL query.
Queries are usually initiated in places where users can input information into an application or a
website via an input field. Input fields include features that accept text input such as login forms,
search bars, or comment submission boxes. A SQL injection occurs when an attacker exploits input
fields that aren't programmed to filter out unwanted text. SQL injections can be used to manipulate
databases, steal sensitive data, or even take control of vulnerable applications.
SQL injection categories

There are three main categories of SQL injection:
 In-band
 Out-of-band
 Inferential
In the following sections, you'll learn that each type describes how a SQL injection is initiated and
how it returns the results of the attack.
In-band SQL injection

In-band, or classic, SQL injection is the most common type. An in-band injection is one that uses the
same communication channel to launch the attack and gather the results.
For example, this might occur in the search box of a retailer's website that lets customers find
products to buy. If the search box is vulnerable to injection, an attacker could enter a malicious query
that would be executed in the database, causing it to return sensitive information like user
passwords. The data that's returned is displayed back in the search box where the attack was
initiated.
Out-of-band SQL injection

An out-of-band injection is one that uses a different communication channel to launch the attack and
gather the results.
For example, an attacker could use a malicious query to create a connection between a vulnerable
website and a database they control. This separate channel would allow them to bypass any security
controls that are in place on the website's server, allowing them to steal sensitive data
Note: Out-of-band injection attacks are very uncommon because they'll only work when certain
features are enabled on the target server.
Inferential SQL injection

Inferential SQL injection occurs when an attacker is unable to directly see the results of their attack.
Instead, they can interpret the results by analyzing the behavior of the system.
For example, an attacker might perform a SQL injection attack on the login form of a website that
causes the system to respond with an error message. Although sensitive data is not returned, the
attacker can figure out the database's structure based on the error. They can then use this
information to craft attacks that will give them access to sensitive data or to take control of the
system.
Injection Prevention
SQL queries are often programmed with the assumption that users will only input relevant
information. For example, a login form that expects users to input their email address assumes the
input will be formatted a certain way, such as [email protected]. Unfortunately, this isn’t always the
case.
A key to preventing SQL injection attacks is to escape user inputs—preventing someone from
inserting any code that a program isn't expecting.
There are several ways to escape user inputs:

 Prepared statements: a coding technique that executes SQL statements before passing them
on to a database
 Input sanitization: programming that removes user input which could be interpreted as code.
 Input validation: programming that ensures user input meets a system's expectations.
Using a combination of these techniques can help prevent SQL injection attacks. In the security field,
you might need to work closely with application developers to address vulnerabilities that can lead to
SQL injections. OWASP's SQL injection detection techniques is a useful resource if you're interested
in investigating SQL injection vulnerabilities on your own.
Key takeaways
Many web applications retrieve data from databases using SQL, and injection attacks are quite
common due to the popularity of the language. As is the case with other kinds of injection attacks,
SQL injections are a result of unexpected user input. It's important to collaborate with app
developers to help prevent these kinds of attacks by sharing your understanding of SQL injection
techniques and the defenses that should be put in place.
Traits of an effective threat model

Threat modeling is the process of identifying assets, their vulnerabilities, and how each is exposed to
threats. It is a strategic approach that combines various security activities, such as vulnerability
management, threat analysis, and incident response. Security teams commonly perform these
exercises to ensure their systems are adequately protected. Another use of threat modeling is to
proactively find ways of reducing risks to any system or business process.
Traditionally, threat modeling is associated with the field of application development. In this reading,
you will learn about common threat modeling frameworks that are used to design software that can
withstand attacks. You'll also learn about the growing need for application security and ways that you
can participate.
Why application security matters

Applications have become an essential part of many organizations' success. For example, web-
based applications allow customers from anywhere in the world to connect with businesses, their
partners, and other customers.
Mobile applications have also changed the way people access the digital world. Smartphones are
often the main way that data is exchanged between users and a business. The volume of data being
processed by applications makes securing them a key to reducing risk for everyone who’s
connected.
For example, say an application uses Java-based logging libraries with the Log4Shell vulnerability
(CVE-2021-44228). If it's not patched, this vulnerability can allow remote code execution that an
attacker can use to gain full access to your system from anywhere in the world. If exploited, a critical
vulnerability like this can impact millions of devices.
Defending the application layer

Defending the application layer requires proper testing to uncover weaknesses that can lead to risk.
Threat modeling is one of the primary ways to ensure that an application meets security
requirements. A DevSecOps team, which stands for development, security, and operations, usually
performs these analyses.
A typical threat modeling process is performed in a cycle:
 Define the scope
 Identify threats
 Characterize the environment
 Analyze threats
 Mitigate risks
 Evaluate findings
Ideally, threat modeling should be performed before, during, and after an application is developed.
However, conducting a thorough software analysis takes time and resources. Everything from the
application's architecture to its business purposes should be evaluated. As a result, a number of
threat-modeling frameworks have been developed over the years to make the process smoother.
Note: Threat modeling should be incorporated at every stage of the software development lifecycle,
or SDLC.
Common frameworks
When performing threat modeling, there are multiple methods that can be used, such as:
 STRIDE
 PASTA
 Trike
 VAST
Organizations might use any one of these to gather intelligence and make decisions to improve their
security posture. Ultimately, the “right” model depends on the situation and the types of risks an
application might face.
STRIDE
STRIDE is a threat-modeling framework developed by Microsoft. It’s commonly used to identify
vulnerabilities in six specific attack vectors. The acronym represents each of these vectors: spoofing,
tampering, repudiation, information disclosure, denial of service, and elevation of privilege.
PASTA
The Process of Attack Simulation and Threat Analysis (PASTA) is a risk-centric threat modeling
process developed by two OWASP leaders and supported by a cybersecurity firm called VerSprite.
Its main focus is to discover evidence of viable threats and represent this information as a model.
PASTA's evidence-based design can be applied when threat modeling an application or the
environment that supports that application. Its seven stage process consists of various activities that
incorporate relevant security artifacts of the environment, like vulnerability assessment reports.
Trike
Trike is an open source methodology and tool that takes a security-centric approach to threat
modeling. It's commonly used to focus on security permissions, application use cases, privilege
models, and other elements that support a secure environment.
VAST
The Visual, Agile, and Simple Threat (VAST) Modeling framework is part of an automated threat-
modeling platform called ThreatModeler®. Many security teams opt to use VAST as a way of
automating and streamlining their threat modeling assessments.
Participating in threat modeling

Threat modeling is often performed by experienced security professionals, but it’s almost never done
alone. This is especially true when it comes to securing applications. Programs are complex systems
responsible for handling a lot of data and processing a variety of commands from users and other
systems.
One of the keys to threat modeling is asking the right questions:
 What are we working on?
 What kinds of things can go wrong?
 What are we doing about it?
 Have we addressed everything?
 Did we do a good job?
It takes time and practice to learn how to work with things like data flow diagrams and attack trees.
However, anyone can learn to be an effective threat modeler. Regardless of your level of
experience, participating in one of these exercises always starts with simply asking the right
questions.
Key takeaways
Many people rely on software applications in their day to day lives. Securing the applications that
people use has never been more important. Threat modeling is one of the main ways to determine
whether security controls are in place to protect data privacy. Building the skills required to lead a
threat modeling activity is a matter of practice. However, even a security analyst with little
experience can be a valuable contributor to the process. It all starts with applying an attacker
mindset and thinking critically about how data is handled.

Angler phishing: A technique where attackers impersonate customer service representatives on
social media
Advanced persistent threat (APT): Instances when a threat actor maintains unauthorized access to a
system for an extended period of time
Adware: A type of legitimate software that is sometimes used to display digital advertisements in
applications
Attack tree: A diagram that maps threats to assets
Baiting: A social engineering tactic that tempts people into compromising their security
Botnet: A collection of computers infected by malware that are under the control of a single threat
actor, known as the “bot-herder"
Cross-site scripting (XSS): An injection attack that inserts code into a vulnerable website or web
application
Cryptojacking: A form of malware that installs software to illegally mine cryptocurrencies
DOM-based XSS attack: An instance when malicious script exists in the webpage a browser loads
Dropper: A type of malware that comes packed with malicious code which is delivered and installed
onto a target system
Fileless malware: Malware that does not need to be installed by the user because it uses legitimate
programs that are already installed to infect a computer
Hacker: Any person or group who uses computers to gain unauthorized access to data
Identity and access management (IAM): A collection of processes and technologies that helps
organizations manage digital identities in their environment
Injection attack: Malicious code inserted into a vulnerable application
Input validation: Programming that validates inputs from users and other programs
intrusions
Loader: A type of malware that downloads strains of malicious code from an external source and
installs them onto a target system
Malware: Software designed to harm devices or networks
Process of Attack Simulation and Threat Analysis (PASTA): A popular threat modeling framework
that’s used across many industries
Phishing: The use of digital communications to trick people into revealing sensitive data or deploying
malicious software
Phishing kit: A collection of software tools needed to launch a phishing campaign
Prepared statement: A coding technique that executes SQL statements before passing them onto the
database
Potentially unwanted application (PUA): A type of unwanted software that is bundled in with
legitimate programs which might display ads, cause device slowdown, or install other software
Quid pro quo: A type of baiting used to trick someone into believing that they’ll be rewarded in return
for sharing access, information, or money
Ransomware: Type of malicious attack where attackers encrypt an organization’s data and demand
payment to restore access
Reflected XSS attack: An instance when malicious script is sent to a server and activated during the
server’s response
Rootkit: Malware that provides remote, administrative access to a computer
Scareware: Malware that employs tactics to frighten users into infecting their device
Smishing: The use of text messages to trick users to obtain sensitive information or to impersonate a
known source
Social engineering: A manipulation technique that exploits human error to gain private information,
access, or valuables
Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to
originate from a trusted source
Spyware: Malware that’s used to gather and sell information without consent
SQL (Structured Query Language): A programming language used to create, interact with, and
request information from a database
SQL injection: An attack that executes unexpected queries on a database
Stored XSS attack: An instance when malicious script is injected directly on the server
Tailgating: A social engineering tactic in which unauthorized people follow an authorized person into
a restricted area
Threat actor: Any person or group who presents a security risk
Threat modeling: The process of identifying assets, their vulnerabilities, and how each is exposed to
threats
Trojan horse: Malware that looks like a legitimate file or program
Vishing: The exploitation of electronic voice communication to obtain sensitive information or to

impersonate a known source
Watering hole attack: A type of attack when a threat actor compromises a website frequently visited
by a specific group of users
Whaling: A category of spear phishing attempts that are aimed at high-ranking executives in an
organization
Web-based exploits: Malicious code or behavior that’s used to take advantage of coding flaws in a
web application
Roles in response
So far, you've been introduced to the National Institute of Standards and Technology (NIST) Incident
Response Lifecycle, which is a framework for incident response consisting of four phases:
 Preparation
 Detection and Analysis
 Containment, Eradication, and Recovery
 Post-incident activity
As a security professional, you'll work on a team to monitor, detect, and respond to incidents.
Previously, you learned about a computer security incident response team (CSIRT) and a security
operations center (SOC). This reading explains the different functions, roles, and responsibilities that
make up CSIRTs and SOCs.
Understanding the composition of incident response teams will help you navigate an organization’s
hierarchy, openly collaborate and communicate with others, and work cohesively to respond to
incidents. You may even discover specific roles that you’re interested in pursuing as you begin your
security career!
Command, control, and communication

A computer security incident response team (CSIRT) is a specialized group of security professionals
that are trained in incident management and response. During incident response, teams can
encounter a variety of different challenges. For incident response to be effective and efficient, there
must be clear command, control, and communication of the situation to achieve the desired goal.
 Command refers to having the appropriate leadership and direction to oversee the response.
 Control refers to the ability to manage technical aspects during incident response, like
coordinating resources and assigning tasks.
 Communication refers to the ability to keep stakeholders informed.
Establishing a CSIRT organizational structure with clear and distinctive roles aids in achieving an
effective and efficient response.
Roles in CSIRTs
CSIRTs are organization dependent, so they can vary in their structure and operation. Structurally,
they can exist as a separate, dedicated team or as a task force that meets when necessary. CSIRTs
involve both nonsecurity and security professionals. Nonsecurity professionals are often consulted to
offer their expertise on the incident. These professionals can be from external departments, such as
human resources, public relations, management, IT, legal, and others. Security professionals
involved in a CSIRT typically include three key security related roles:
1. Security analyst
2. Technical lead
3. Incident coordinator
Security analyst
The job of the security analyst is to continuously monitor an environment for any security threats.
This includes:
 Analyzing and triaging alerts
 Performing root-cause investigations
 Escalating or resolving alerts

If a critical threat is identified, then analysts escalate it to the appropriate team lead, such as the
technical lead.
Technical lead
The job of the technical lead is to manage all of the technical aspects of the incident response
process, such as applying software patches or updates. They do this by first determining the root
cause of the incident. Then, they create and implement the strategies for containing, eradicating,
and recovering from the incident. Technical leads often collaborate with other teams to ensure their
incident response priorities align with business priorities, such as reducing disruptions for customers
or returning to normal operations.
Incident coordinator
Responding to an incident also requires cross-collaboration with nonsecurity professionals. CSIRTs
will often consult with and leverage the expertise of members from external departments. The job of
the incident coordinator is to coordinate with the relevant departments during a security incident. By
doing so, the lines of communication are open and clear, and all personnel are made aware of the
incident status. Incident coordinators can also be found in other teams, like the SOC.
Other roles
Depending on the organization, many other roles can be found in a CSIRT, including a dedicated
communications lead, a legal lead, a planning lead, and more.
Note: Teams, roles, responsibilities, and organizational structures can differ for each company. For
example, some different job titles for incident coordinator include incident commander and incident
manager.
Security operations center

A security operations center (SOC) is an organizational unit dedicated to monitoring networks,
systems, and devices for security threats or attacks. Structurally, a SOC (usually pronounced "sock")
often exists as its own separate unit or within a CSIRT. You may be familiar with the term blue team,
which refers to the security professionals who are responsible for defending against all security
threats and attacks at an organization. A SOC is involved in various types of blue team activities,
such as network monitoring, analysis, and response to incidents.
SOC organization
A SOC is composed of SOC analysts, SOC leads, and SOC managers. Each role has its own
respective responsibilities. SOC analysts are grouped into three different tiers.
Tier 1 SOC analyst

The first tier is composed of the least experienced SOC analysts who are known as level 1s (L1s).
They are responsible for:
 Monitoring, reviewing, and prioritizing alerts based on criticality or severity

 Creating and closing alerts using ticketing systems
 Escalating alert tickets to Tier 2 or Tier 3
Tier 2 SOC analyst

The second tier comprises the more experienced SOC analysts, or level 2s (L2s). They are
responsible for:
 Receiving escalated tickets from L1 and conducting deeper investigations
 Configuring and refining security tools
 Reporting to the SOC Lead
Tier 3 SOC lead

The third tier of a SOC is composed of the SOC leads, or level 3s (L3s). These highly experienced
professionals are responsible for:
 Managing the operations of their team
 Exploring methods of detection by performing advanced detection techniques, such as

malware and forensics analysis
 Reporting to the SOC manager
SOC manager
The SOC manager is at the top of the pyramid and is responsible for:
 Hiring, training, and evaluating the SOC team members
 Creating performance metrics and managing the performance of the SOC team
 Developing reports related to incidents, compliance, and auditing
 Communicating findings to stakeholders such as executive management
Other roles
SOCs can also contain other specialized roles such as:
 Forensic investigators: Forensic investigators are commonly L2s and L3s who collect,
preserve, and analyze digital evidence related to security incidents to determine what
happened.
 Threat hunters: Threat hunters are typically L3s who work to detect, analyze, and defend
against new and advanced cybersecurity threats using threat intelligence.
Note: Just like CSIRTs, the organizational structure of a SOC can differ depending on the
organization.
Key takeaways
As a security analyst, you will collaborate with your team members and people outside of your
immediate team. Recognizing the organizational structure of an incident response team, such as a
CSIRT or SOC, will help you understand how incidents move through their lifecycle and the
responsibilities of different security roles throughout the process. Knowing the role that you and
other professionals have during an incident response event will help you respond to challenging
security situations by leveraging different perspectives and thinking of creative solutions.
Overview of detection tools

Previously, you explored intrusion detection system (IDS) and intrusion prevention system (IPS)
technologies. In this reading, you’ll compare and contrast these tools and learn about endpoint
detection and response (EDR). As a security analyst, you'll likely work with these different tools, so it's
important to understand their functions.
Why you need detection tools

Detection tools work similarly to home security systems. Whereas home security systems monitor
and protect homes against intrusion, cybersecurity detection tools help organizations protect their
networks and systems against unwanted and unauthorized access. For organizations to protect their
systems from security threats or attacks, they must be made aware when there is any indication of
an intrusion. Detection tools make security professionals aware of the activity happening on a
network or a system. The tools do this by continuously monitoring networks and systems for any
suspicious activity. Once something unusual or suspicious is detected, the tool triggers an alert that
notifies the security professional to investigate and stop the possible intrusion.
Detection tools
As a security analyst, you'll likely encounter IDS, IPS, and EDR detection tools at some point, but it's
important to understand the differences between them. Here is a comparison chart for quick
reference:
Capability IDS IPS EDR
Detects malicious activity ✓ ✓ ✓
Prevents intrusions N/A ✓ ✓
Logs activity ✓ ✓ ✓
Generates alerts ✓ ✓ ✓
Performs behavioral analysis N/A N/A ✓
Overview of IDS tools

possible intrusions. An IDS provides continuous monitoring of network events to help protect against
security threats or attacks. The goal of an IDS is to detect potential malicious activity and generate
an alert once such activity is detected. An IDS does not stop or prevent the activity. Instead, security
professionals will investigate the alert and act to stop it, if necessary.
For example, an IDS can send out an alert when it identifies a suspicious user login, such as an
unknown IP address logging into an application or a device at an unusual time. But, an IDS will not
stop or prevent any further actions, like blocking the suspicious user login.
Examples of IDS tools include Zeek, Suricata, Snort®, and Sagan.
Detection categories
As a security analyst, you will investigate alerts that an IDS generates. There are four types of
detection categories you should be familiar with:
1. A true positive is an alert that correctly detects the presence of an attack.
2. A true negative is a state where there is no detection of malicious activity. This is when no
malicious activity exists and no alert is triggered.
3. A false positive is an alert that incorrectly detects the presence of a threat. This is when an
IDS identifies an activity as malicious, but it isn't. False positives are an inconvenience for
security teams because they spend time and resources investigating an illegitimate alert.
4. A false negative is a state where the presence of a threat is not detected. This is when
malicious activity happens but an IDS fails to detect it. False negatives are dangerous
because security teams are left unaware of legitimate attacks that they can be vulnerable to.
Overview of IPS tools

An intrusion prevention system (IPS) is an application that monitors system activity for intrusive
activity and takes action to stop the activity. An IPS works similarly to an IDS. But, IPS monitors
system activity to detect and alert on intrusions, and it also takes action to prevent the activity and
minimize its effects. For example, an IPS can send an alert and modify an access control list on a
router to block specific traffic on a server.
Note: Many IDS tools can also operate as an IPS. Tools like Suricata, Snort, and Sagan have both
IDS and IPS capabilities.
Overview of EDR tools
Endpoint detection and response (EDR) is an application that monitors an endpoint for malicious
activity. EDR tools are installed on endpoints. Remember that an endpoint is any device connected
on a network. Examples include end-user devices, like computers, phones, tablets, and more.
EDR tools monitor, record, and analyze endpoint system activity to identify, alert, and respond to
suspicious activity. Unlike IDS or IPS tools, EDRs collect endpoint activity data and perform
behavioral analysis to identify threat patterns happening on an endpoint. Behavioral analysis uses
the power of machine learning and artificial intelligence to analyze system behavior to identify
malicious or unusual activity. EDR tools also use automation to stop attacks without the manual
intervention of security professionals. For example, if an EDR detects an unusual process starting up
on a user’s workstation that normally is not used, it can automatically block the process from
running.
Tools like Open EDR®, Bitdefender™ Endpoint Detection and Response, and FortiEDR™ are
examples of EDR tools.
Note: Security information and event management (SIEM) tools also have detection capabilities,
which you'll explore later.
Key takeaways
Organizations deploy detection tools to gain awareness into the activity happening in their
environments. IDS, IPS, and EDR are different types of detection tools. The value of detection tools
is in their ability to detect, log, alert, and stop potential malicious activity.
Overview of SIEM technology

Previously, you learned about the SIEM process. In this reading, you'll explore more about this
process and why SIEM tools are an important part of incident detection and response. As a
refresher, a security information and event management (SIEM) tool is an application that collects
and analyzes log data to monitor critical activities in an organization. You might recall that SIEM
tools help security analysts perform log analysis which is the process of examining logs to identify
events of interest.
SIEM advantages
SIEM tools collect and manage security-relevant data that can be used during investigations. This is
important because SIEM tools provide awareness about the activity that occurs between devices on
a network. The information SIEM tools provide can help security teams quickly investigate and
respond to security incidents. SIEM tools have many advantages that can help security teams
effectively respond to and manage incidents. Some of the advantages are:
 Access to event data: SIEM tools provide access to the event and activity data that happens
on a network, including real-time activity. Networks can be connected to hundreds of
different systems and devices. SIEM tools have the ability to ingest all of this data so that it
can be accessed.
 Monitoring, detecting, and alerting: SIEM tools continuously monitor systems and networks in
real-time. They then analyze the collected data using detection rules to detect malicious
activity. If an activity matches the rule, an alert is generated and sent out for security teams
to assess.
 Log storage: SIEM tools can act as a system for data retention, which can provide access to
historical data. Data can be kept or deleted after a period depending on an organization's
requirements.
The SIEM process

The SIEM process consists of three critical steps:
1. Collect and aggregate data
2. Normalize data
3. Analyze data
By understanding these steps, organizations can utilize the power of SIEM tools to gather, organize,
and analyze security event data from different sources. Organizations can later use this information
to improve their ability to identify and mitigate potential threats.
Collect and aggregate data

SIEM tools require data for them to be effectively used. During the first step, the SIEM collects event
data from various sources like firewalls, servers, routers, and more. This data, also known as logs,
contains event details like timestamps, IP addresses, and more. Logs are a record of events that
occur within an organization’s systems. After all of this log data is collected, it gets aggregated in
one location. Aggregation refers to the process of consolidating log data into a centralized place.
Through collection and aggregation, SIEM tools eliminate the need for manually reviewing and
analyzing event data by accessing individual data sources. Instead, all event data is accessible in
one location—the SIEM.
Parsing can occur during the first step of the SIEM process when data is collected and aggregated.
Parsing maps data according to their fields and their corresponding values. For example, the
following log example contains fields with values. At first, it might be difficult to interpret information
from this log based on its format:
April 3 11:01:21 server sshd[1088]: Failed password for user nuhara from 218.124.14.105 port 5023
In a parsed format, the fields and values are extracted and paired making them easier to read and
interpret:
 host = server
 process = sshd
 source_user = nuhara
 source ip = 218.124.14.105
 source port = 5023
Normalize data
SIEM tools collect data from many different sources. This data must be transformed into a single
format so that it can be easily processed by the SIEM. However, each data source is different and
data can be formatted in many different ways. For example, a firewall log can be formatted
differently than a server log.
Collected event data should go through the process of normalization. Normalization converts data
into a standard, structured format that is easily searchable.
Analyze data
After log data has been collected, aggregated, and normalized, the SIEM must do something useful
with all of the data to enable security teams to investigate threats. During this final step in the
process, SIEM tools analyze the data. Analysis can be done with some type of detection logic such
as a set of rules and conditions. SIEM tools then apply these rules to the data, and if any of the log
activity matches a rule, alerts are sent out to cybersecurity teams.
Note: A part of the analysis process includes correlation. Correlation involves the comparison of
multiple log events to identify common patterns that indicate potential security threats.
SIEM tools
There are many SIEM tools. The following are some SIEM tools commonly used in the cybersecurity
industry:
 AlienVault® OSSIM™
 Chronicle
 Elastic
 Exabeam
 IBM QRadar® Security Intelligence Platform
 LogRhythm
 Splunk
Key takeaways
SIEM tools collect and organize enormous amounts of data to create meaningful insights for security
teams. By understanding how SIEM tools work, what the process includes, and how organizations
leverage them, you can contribute to efforts in detecting and responding to security incidents
effectively. With this knowledge, you can assist in analyzing log data, identifying threats, and aiding
incident response activities to help improve security posture and protect valuable assets from
threats.
Computer security incident response teams (CSIRT): A specialized group of security professionals
that are trained in incident management and response
Documentation: Any form of recorded content that is used for a specific purpose
Endpoint detection and response (EDR): An application that monitors an endpoint for malicious
activity
Event: An observable occurrence on a network, system, or device
False negative: A state where the presence of a threat is not detected
False positive: An alert that incorrectly detects the presence of a threat
Incident: An occurrence that actually or imminently jeopardizes, without lawful authority, the
confidentiality, integrity, or availability of information or an information system; or constitutes a
violation or imminent threat of violation of law, security policies, security procedures, or acceptable
use policies
Incident handler’s journal: A form of documentation used in incident response
Incident response plan: A document that outlines the procedures to take in each step of incident
response
intrusions
Intrusion prevention system (IPS): An application that monitors system activity for intrusive activity
and takes action to stop the activity
National Institute of Standards and Technology (NIST) Incident Response Lifecycle: A framework for
incident response consisting of four phases: Preparation; Detection and Analysis; Containment,
Eradication, and Recovery; and Post-incident activity

Security operations center (SOC): An organizational unit dedicated to monitoring networks, systems,
and devices for security threats or attacks
Security orchestration, automation, and response (SOAR): A collection of applications, tools, and
workflows that uses automation to respond to security events
True negative: A state where there is no detection of malicious activity
True positive An alert that correctly detects the presence of an attack
Maintain awareness with network monitoring

Network communication can be noisy! Events like sending an email, streaming a video, or visiting a
website all produce network communications in the form of network traffic and network data. As a
reminder, network traffic is the amount of data that moves across a network. It can also include the
type of data that is transferred, such as HTTP. Network data is the data that's transmitted between
devices on a network.
Network monitoring is essential in maintaining situational awareness of any activity on a network. By

collecting and analyzing network traffic, organizations can detect suspicious network activity. But
before networks can be monitored, you must know exactly what to monitor. In this reading, you'll
learn more about the importance of network monitoring, ways to monitor your network, and network
monitoring tools.
Know your network

As you’ve learned, networks connect devices, and devices then communicate and exchange data
using network protocols. Network communications provide information about connections such as
source and destination IP addresses, amount of data transferred, date and time, and more. This
information can be valuable for security professionals when developing a baseline of normal or
expected behavior.
A baseline is a reference point that’s used for comparison. You've probably encountered or used
baselines at some point. For example, a grocery amount for a personal budget is an example of a
baseline that can be used to help identify any patterns or changes in spending habits. In security,
baselines help establish a standard of expected or normal behavior for systems, devices, and
networks. Essentially, by knowing the baseline of normal network behavior, you'll be better able to
identify abnormal network behavior.
Monitor your network

Once you’ve determined a baseline, you can monitor a network to identify any deviations from that
baseline. Monitoring involves examining network components to detect unusual activities, such as
large and unusual data transfers. Here are examples of network components that can be monitored
to detect malicious activity:
Flow analysis
Flow refers to the movement of network communications and includes information related to
packets, protocols, and ports. Packets can travel to ports, which receive and transmit
communications. Ports are often, but not always, associated with network protocols. For example,
port 443 is commonly used by HTTPS which is a protocol that provides website traffic encryption.
However, malicious actors can use protocols and ports that are not commonly associated to
maintain communications between the compromised system and their own machine. These
communications are what’s known as command and control (C2), which are the techniques used by
malicious actors to maintain communications with compromised systems.
For example, malicious actors can use HTTPS protocol over port 8088 as opposed to its commonly
associated port 443 to communicate with compromised systems. Organizations must know which
ports should be open and approved for connections, and watch out for any mismatches between
ports and their associated protocols.
Packet payload information
Network packets contain components related to the transmission of the packet. This includes details
like source and destination IP address, and the packet payload information, which is the actual data
that’s transmitted. Often, this data is encrypted and requires decryption for it to be readable.
Organizations can monitor the payload information of packets to uncover unusual activity, such as
sensitive data transmitting outside of the network, which could indicate a possible data exfiltration
attack.
Temporal patterns
Network packets contain information relating to time. This information is useful in understanding time
patterns. For example, a company operating in North America experiences bulk traffic flows between
9 a.m. to 5 p.m., which is the baseline of normal network activity. If large volumes of traffic are
suddenly outside of the normal hours of network activity, then this is considered off baseline and
should be investigated.
Through network monitoring, organizations can promptly detect network intrusions and work to
prevent them from happening by securing network components.
Protect your network

In this program, you’ve learned about security operations centers (SOC) and their role in monitoring
systems against security threats and attacks. Organizations may deploy a network operations center
(NOC), which is an organizational unit that monitors the performance of a network and responds to
any network disruption, such as a network outage. While a SOC is focused on maintaining the
security of an organization through detection and response, a NOC is responsible for maintaining
network performance, availability, and uptime.
Security analysts monitor networks to identify any signs of potential security incidents known as
indicators of compromise (IoC) and protect networks from threats or attacks. To do this, they must
understand the environment that network communications travel through so that they can identify
deviations in network traffic.
Network monitoring tools

Network monitoring can be automated or performed manually. Some common network monitoring
tools can include:
 Intrusion detection systems (IDS) monitor system activity and alert on possible intrusions. An
IDS will detect and alert on the deviations you’ve configured it to detect. Most commonly, IDS
tools will monitor the content of packet payload to detect patterns associated with threats
such as malware or phishing attempts.
 Network protocol analyzers, also known as packet sniffers, are tools designed to capture and
analyze data traffic within a network. They can be used to analyze network communications
manually in detail. Examples include tools such as tcpdump and Wireshark, which can be
used by security professionals to record network communications through packet captures.
Packet captures can then be investigated to identify potentially malicious activity.
Key takeaways
Monitoring and protecting networks from intrusions and attacks are key responsibilities of security
professionals. You can’t protect what you don’t know. As a security analyst, you’ll need to know the
components of a network and the communications that happen on it, so you can better protect it.
Baselines provide a way to understand network traffic by uncovering common patterns which help in
identifying any deviations from the expected traffic patterns. Tools like intrusion detection systems
and network protocol analyzers support efforts in monitoring network activities.
Learn more about packet captures

The role of security analysts involves monitoring and analyzing network traffic flows. One way to do
this is by generating packet captures and then analyzing the captured traffic to identify unusual
activity on a network.
Previously, you explored the fundamentals of networks. Throughout this section, you’ll refer to your
foundation in networking to better understand network traffic flows. In this reading, you'll learn about
the three main aspects of network analysis: packets, network protocol analyzers, and packet
captures.
Packets
Previously in the program, you learned that a data packet is a basic unit of information that travels
from one device to another within a network. Detecting network intrusions begins at the packet level.
That's because packets form the basis of information exchange over a network. Each time you
perform an activity on the internet—like visiting a website—packets are sent and received between
your computer and the website’s server. These packets are what help transmit information through a
network. For example, when uploading an image to a website, the data gets broken up into multiple
packets, which then get routed to the intended destination and reassembled upon delivery.
In cybersecurity, packets provide valuable information that helps add context to events during
investigations. Understanding the transfer of information through packets will not only help you
develop insight on network activity, it will also help you identify abnormalities and better defend
networks from attacks.
Packets contain three components: the header, the payload, and the footer. Here’s a description of
each of these components.
Header
Packets begin with the most essential component: the header. Packets can have several headers
depending on the protocols used such as an Ethernet header, an IP header, a TCP header, and
more. Headers provide information that’s used to route packets to their destination. This includes
information about the source and destination IP addresses, packet length, protocol, packet
identification numbers, and more.
Here is an IPv4 header with the information it provides:

Payload
The payload component directly follows the header and contains the actual data being delivered.
Think back to the example of uploading an image to a website; the payload of this packet would be
the image itself.
Footer
The footer, also known as the trailer, is located at the end of a packet. The Ethernet protocol uses
footers to provide error-checking information to determine if data has been corrupted. In addition,
Ethernet network packets that are analyzed might not display footer information due to network
configurations.
Note: Most protocols, such as the Internet Protocol (IP), do not use footers.
Network protocol analyzers

Network protocol analyzers (packet sniffers) are tools designed to capture and analyze data traffic
within a network. Examples of network protocol analyzers include tcpdump, Wireshark, and TShark.
Beyond their use in security as an investigative tool used to monitor networks and identify suspicious
activity, network protocol analyzers can be used to collect network statistics, such as bandwidth or
speed, and troubleshoot network performance issues, like slowdowns.
Network protocol analyzers can also be used for malicious purposes. For example, malicious actors
can use network protocol analyzers to capture packets containing sensitive data, such as account
login information.
Here’s a network diagram illustrating how packets get transmitted from a sender to the receiver. A
network protocol analyzer is placed in the middle of the communications to capture the data packets
that travel over the wire.
How network protocol analyzers work

Network protocol analyzers use both software and hardware capabilities to capture network traffic
and display it for security analysts to examine and analyze. Here’s how:
1. First, packets must be collected from the network via the Network Interface Card (NIC),
which is hardware that connects computers to a network, like a router. NICs receive and
transmit network traffic, but by default they only listen to network traffic that’s addressed to
them. To capture all network traffic that is sent over the network, a NIC must be switched to
a mode that has access to all visible network data packets. In wireless interfaces this is often
referred to as monitoring mode, and in other systems it may be called promiscuous mode.
This mode enables the NIC to have access to all visible network data packets, but it won’t
help analysts access all packets across a network. A network protocol analyzer must be
positioned in an appropriate network segment to access all traffic between different hosts.
2. The network protocol analyzer collects the network traffic in raw binary format. Binary format
consists of 0s and 1s and is not as easy for humans to interpret. The network protocol
analyzer takes the binary and converts it so that it’s displayed in a human-readable format,
so analysts can easily read and understand the information.
Capturing packets
Packet sniffing is the practice of capturing and inspecting data packets across a network. A packet
capture (p-cap) is a file containing data packets intercepted from an interface or network. Packet
captures can be viewed and further analyzed using network protocol analyzers. For example, you
can filter packet captures to only display information that's most relevant to your investigation, such
as packets sent from a specific IP address.
Note: Using network protocol analyzers to intercept and examine private network communications
without permission is considered illegal in many places.
P-cap files can come in many formats depending on the packet capture library that’s used. Each
format has different uses and network tools may use or support specific packet capture file formats
by default. You should be familiar with the following libraries and formats:
1. Libpcap is a packet capture library designed to be used by Unix-like systems, like Linux and
MacOS®. Tools like tcpdump use Libpcap as the default packet capture file format.
2. WinPcap is an open-source packet capture library designed for devices running Windows
operating systems. It’s considered an older file format and isn’t predominantly used.
3. Npcap is a library designed by the port scanning tool Nmap that is commonly used in
Windows operating systems.
4. PCAPng is a modern file format that can simultaneously capture packets and store data. Its
ability to do both explains the “ng,” which stands for “next generation.”
Pro tip: Analyzing your home network can be a good way to practice using these tools.
Key takeaways
Network protocol analyzers are helpful investigative tools that provide you with insight into the
activity happening on a network. As an analyst, you'll use network protocol analyzer tools to view
and analyze packet capture files to better understand network communications and defend against
intrusions.
Investigate packet details
So far, you've learned about how network protocol analyzers (packet sniffers) intercept network
communications. You've also learned how you can analyze packet captures (p-caps) to gain insight
into the activity happening on a network. As a security analyst, you'll use your packet analysis skills
to inspect network packets and identify suspicious activity during investigations.
In this reading, you'll re-examine IPv4 and IPv6 headers. Then, you'll explore how you can use
Wireshark to investigate the details of packet capture files.
Internet Protocol (IP)

Packets form the foundation of data exchange over a network, which means that detection begins at
the packet level. The Internet Protocol (IP) includes a set of standards used for routing and
addressing data packets as they travel between devices on a network. IP operates as the foundation
for all communications over the internet.
IP ensures that packets reach their destinations. There are two versions of IP that you will find in use
today: IPv4 and IPv6. Both versions use different headers to structure packet information.
IPv4
IPv4 is the most commonly used version of IP. There are thirteen fields in the header:
 Version: This field indicates the IP version. For an IPv4 header, IPv4 is used.
 Internet Header Length (IHL): This field specifies the length of the IPv4 header including any
Options.
 Type of Service (ToS): This field provides information about packet priority for delivery.
 Total Length: This field specifies the total length of the entire IP packet including the header
and the data.
 Identification: Packets that are too large to send are fragmented into smaller pieces. This
field specifies a unique identifier for fragments of an original IP packet so that they can be
reassembled once they reach their destination.
 Flags: This field provides information about packet fragmentation including whether the
original packet has been fragmented and if there are more fragments in transit.
 Fragment Offset: This field is used to identify the correct sequence of fragments.
 Time to Live (TTL): This field limits how long a packet can be circulated in a network,
preventing packets from being forwarded by routers indefinitely.
 Protocol: This field specifies the protocol used for the data portion of the packet.
 Header Checksum: This field specifies a checksum value which is used for error-checking the
header.
 Source Address: This field specifies the source address of the sender.
 Destination Address: This field specifies the destination address of the receiver.
 Options: This field is optional and can be used to apply security options to a packet.
IPv6
IPv6 adoption has been increasing because of its large address space. There are eight fields in the
header:
 Version: This field indicates the IP version. For an IPv6 header, IPv6 is used.
 Traffic Class: This field is similar to the IPv4 Type of Service field. The Traffic Class field
provides information about the packet's priority or class to help with packet delivery.
 Flow Label: This field identifies the packets of a flow. A flow is the sequence of packets sent
from a specific source.
 Payload Length: This field specifies the length of the data portion of the packet.
 Next Header: This field indicates the type of header that follows the IPv6 header such as
TCP.
 Hop Limit: This field is similar to the IPv4 Time to Live field. The Hop Limit limits how long a
packet can travel in a network before being discarded.
 Source Address: This field specifies the source address of the sender.
 Destination Address: This field specifies the destination address of the receiver.
Header fields contain valuable information for investigations and tools like Wireshark help to display
these fields in a human-readable format.
Wireshark
Wireshark is an open-source network protocol analyzer. It uses a graphical user interface (GUI),
which makes it easier to visualize network communications for packet analysis purposes. Wireshark
has many features to explore that are beyond the scope of this course. You'll focus on how to use
basic filtering to isolate network packets so that you can find what you need.
Display filters
Wireshark's display filters let you apply filters to packet capture files. This is helpful when you are
inspecting packet captures with large volumes of information. Display filters will help you find specific
information that's most relevant to your investigation. You can filter packets based on information
such as protocols, IP addresses, ports, and virtually any other property found in a packet. Here,
you'll focus on display filtering syntax and filtering for protocols, IP addresses, and ports.
Comparison operators
You can use different comparison operators to locate specific header fields and values. Comparison
operators can be expressed using either abbreviations or symbols. For example, this filter using the
== equal symbol in this filter ip.src == 8.8.8.8 is identical to using the eq abbreviation in this filter ip.src
eq 8.8.8.8.
This table summarizes the different types of comparison operators you can use for display filtering.
Operator type Symbol Abbreviation

Equal == eq
Not equal != ne
Greater than > gt
Less than < lt
Greater than or equal to >= ge
Less than or equal to <= le
Pro tip: You can combine comparison operators with Boolean logical operators like and and or to
create complex display filters. Parentheses can also be used to group expressions and to prioritize
search terms.
Contains operator
The contains operator is used to filter packets that contain an exact match of a string of text. Here is
an example of a filter that displays all HTTP streams that match the keyword "moved".
Matches operator
The matches operator is used to filter packets based on the regular expression (regex) that's
specified. Regular expression is a sequence of characters that forms a pattern. You'll explore more
about regular expressions later in this program.
Filter toolbar
You can apply filters to a packet capture using Wireshark's filter toolbar. In this example, dns is the
applied filter, which means Wireshark will only display packets containing the DNS protocol.
Pro tip: Wireshark uses different colors to represent protocols. You can customize colors and create
your own filters.
Filter for protocols
Protocol filtering is one of the simplest ways you can use display filters. You can simply enter the
name of the protocol to filter. For example, to filter for DNS packets simply type dns in the filter
toolbar. Here is a list of some protocols you can filter for:
 dns
 http
 ftp
 ssh
 arp
 telnet
 icmp
Filter for an IP address

You can use display filters to locate packets with a specific IP address.
For example, if you would like to filter packets that contain a specific IP address use ip.addr, followed
by a space, the equal == comparison operator, and the IP address. Here is an example of a display
filter that filters for the IP address 172.21.224.2:
ip.addr == 172.21.224.2
To filter for packets originating from a specific source IP address, you can use the ip.src filter. Here is
an example that looks for the 10.10.10.10 source IP address:
ip.src == 10.10.10.10
To filter for packets delivered to a specific destination IP address, you can use the ip.dst filter. Here
is an example that searches for the 4.4.4.4 destination IP address:
ip.dst == 4.4.4.4
Filter for a MAC address

You can also filter packets according to the Media Access Control (MAC) address. As a refresher, a
MAC address is a unique alphanumeric identifier that is assigned to each physical device on a
network.
Here's an example:
eth.addr == 00:70:f4:23:18:c4
Filter for ports
Port filtering is used to filter packets based on port numbers. This is helpful when you want to isolate
specific types of traffic. DNS traffic uses TCP or UDP port 53 so this will list traffic related to DNS
queries and responses only.
For example, if you would like to filter for a UDP port:
udp.port == 53
Likewise, you can filter for TCP ports as well:
tcp.port == 25
Follow streams
Wireshark provides a feature that lets you filter for packets specific to a protocol and view streams. A
stream or conversation is the exchange of data between devices using a protocol. Wireshark
reassembles the data that was transferred in the stream in a way that's simple to read.
Following a protocol stream is useful when trying to understand the details of a conversation. For
example, you can examine the details of an HTTP conversation to view the content of the
exchanged request and response messages.
Key takeaways
In this reading, you explored basic display filters with Wireshark. Packet analysis is an essential skill
that you will continue to develop over time in your cybersecurity journey. Put your skills to practice in
the upcoming activity and explore investigating the details of a packet capture file using Wireshark!
Overview of tcpdump
As a security analyst, you’ll use network protocol analyzers to help defend against any network
intrusions. Previously, you learned the following terms related to network monitoring and analysis:
 A network protocol analyzer (packet sniffer) is a tool designed to capture and analyze data
traffic within a network.
 Packet sniffing is the practice of capturing and inspecting data packets across a network.
In this reading, you'll learn more about tcpdump, a network protocol analyzer that can be used to
capture and view network communications.
What is tcpdump?
Tcpdump is a command-line network protocol analyzer. Recall that a command-line interface (CLI) is
a text-based user interface that uses commands to interact with the computer.
Tcpdump is used to capture network traffic. This traffic can be saved to a packet capture (p-cap),
which is a file containing data packets intercepted from an interface or network. The p-cap file can
be accessed, analyzed, or shared at a later time. Analysts use tcpdump for a variety of reasons,
from troubleshooting network issues to identifying malicious activity. Tcpdump comes pre-installed in
many Linux distributions and can also be installed on other Unix-based operating systems such as
macOS®.
Note: It's common for network traffic to be encrypted, which means data is encoded and unreadable.
Inspecting the network packets might require decrypting the data using the appropriate private keys.
Capturing packets with tcpdump

Previously in this program, you learned that a Linux root user (or superuser) has elevated privileges
to modify the system. You also learned that the sudo command temporarily grants elevated
permissions to specific users in Linux. Like many other packet sniffing tools, you’ll need to have
administrator-level privileges to capture network traffic using tcpdump. This means you will need to
either be logged in as the root user or have the ability to use the sudo command. Here is a
breakdown of the tcpdump syntax for capturing packets:
sudo tcpdump [-i interface] [option(s)] [expression(s)]
 The sudo tcpdump command begins running tcpdump using elevated permissions as sudo.
 The -i parameter specifies the network interface to capture network traffic. You must specify
a network interface to capture from to begin capturing packets. For example, if you specify -i
any you’ll sniff traffic from all network interfaces on the system.
 The option(s) are optional and provide you with the ability to alter the execution of the
command. The expression(s) are a way to further filter network traffic packets so that you can
isolate network traffic. You’ll learn more about option(s) and expression(s) in the next section.
Note: Before you can begin capturing network traffic, you must identify which network interface you'll
want to use to capture packets from. You can use the -D flag to list the network interfaces available
on a system.
Options
With tcpdump, you can apply options, also known as flags, to the end of commands to filter network
traffic. Short options are abbreviated and represented by a hyphen and a single character like -i.
Long options are spelled out using a double hyphen like --interface. Tcpdump has over fifty options
that you can explore using the manual page. Here, you’ll examine a couple of essential tcpdump
options including how to write and read packet capture files.
Note: Options are case sensitive. For example, a lowercase -w is a separate option with a different
use than the option with an uppercase -W.
Note: tcpdump options that are written using short options can be written with or without a space
between the option and its value. For example, sudo tcpdump -i any -c 3 and sudo tcpdump -iany -c3 are
equivalent commands.
-w
Using the -w flag, you can write or save the sniffed network packets to a packet capture file instead
of just printing it out in the terminal. This is very useful because you can refer to this saved file for
later analysis. In this command, tcpdump is capturing network traffic from all network interfaces and
saving it to a packet capture file named packetcapture.pcap:
sudo tcpdump -i any -w packetcapture.pcap

-r
Using the -r flag, you can read a packet capture file by specifying the file name as a parameter. Here
is an example of a tcpdump command that reads a file called packetcapture.pcap:
sudo tcpdump -r packetcapture.pcap

-v
As you’ve learned, packets contain a lot of information. By default, tcpdump will not print out all of a
packet's information. This option, which stands for verbose, lets you control how much packet
information you want tcpdump to print out.
There are three levels of verbosity you can use depending on how much packet information you
want tcpdump to print out. The levels are -v, -vv, and -vvv. The level of verbosity increases with each
added v. The verbose option can be helpful if you’re looking for packet information like the details of
a packet’s IP header fields. Here’s an example of a tcpdump command that reads the
packetcapture.pcap file with verbosity:
sudo tcpdump -r packetcapture.pcap -v

-c
The -c option stands for count. This option lets you control how many packets tcpdump will capture.
For example, specifying -c 1 will only print out one single packet, whereas -c 10 prints out 10 packets.
This example is telling tcpdump to only capture the first three packets it sniffs from any network
interface:
sudo tcpdump -i any -c 3

-n
By default, tcpdump will perform name resolution. This means that tcpdump automatically converts
IP addresses to names. It will also resolve ports to commonly associated services that use these
ports. This can be problematic because tcpdump isn’t always accurate in name resolution. For
example, tcpdump can capture traffic from port 80 and automatically translates port 80 to HTTP in
the output. However, this is misleading because port 80 isn’t always going to be using HTTP; it could
be using a different protocol.
Additionally, name resolution uses what’s known as a reverse DNS lookup. A reverse DNS lookup is
a query that looks for the domain name associated with an IP address. If you perform a reverse DNS
lookup on an attacker’s system, they might be alerted that you are investigating them through their
DNS records.
Using the -n flag disables this automatic mapping of numbers to names and is considered to be best
practice when sniffing or analyzing traffic. Using -n will not resolve hostnames, whereas -nn will not
resolve both hostnames or ports. Here’s an example of a tcpdump command that reads the
packetcapture.pcap file with verbosity and disables name resolution:
sudo tcpdump -r packetcapture.pcap -v -n

Pro tip: You can combine options together. For example, -v and -n can be combined as -vn. But, if
an option accepts a parameter right after it like -c 1 or -r capture.pcap then you can’t combine other
options to it.
Expressions
Using filter expressions in tcpdump commands is also optional, but knowing how and when to use
filter expressions can be helpful during packet analysis. There are many ways to use filter
expressions.
If you want to specifically search for network traffic by protocol, you can use filter expressions to
isolate network packets. For example, you can filter to find only IPv6 traffic using the filter expression
ip6.
You can also use boolean operators like and, or, or not to further filter network traffic for specific IP
addresses, ports, and more. The example below reads the packetcapture.pcap file and combines two
expressions ip and port 80 using the and boolean operator:
sudo tcpdump -r packetcapture.pcap -n 'ip and port 80'
Pro tip: You can use single or double quotes to ensure that tcpdump executes all of the expressions.
You can also use parentheses to group and prioritize different expressions. Grouping expressions is
helpful for complex or lengthy commands. For example, the command ip and (port 80 or port 443) tells
tcpdump to prioritize executing the filters enclosed in the parentheses before filtering for IPv4.
Interpreting output
Once you run a command to capture packets, tcpdump will print the output of the command as the
sniffed packets. In the output, tcpdump prints one line of text for each packet with each line
beginning with a timestamp. Here’s an example of a command and output for a single TCP packet:
sudo tcpdump -i any -v -c 1

This command tells tcpdump to capture packets on -i any network interface. The option -v prints out
the packet with detailed information and the option -c 1 prints out only one packet. Here is the output
of this command:
1. Timestamp: The output begins with the timestamp, which starts with hours, minutes,
seconds, and fractions of a second.
2. Source IP: The packet’s origin is provided by its source IP address.
3. Source port: This port number is where the packet originated.
4. Destination IP: The destination IP address is where the packet is being transmitted to.
5. Destination port: This port number is where the packet is being transmitted to.
The remaining output contains details of the TCP connection including flags and sequence number.
The options information is additional packet information that the -v option has provided.
Key takeaways
In security, you’ll likely encounter using network protocol analyzer tools like tcpdump. It’s important
to be equipped with the knowledge of capturing, filtering, and interpreting network packets on the
command line.

Command and control (C2): The techniques used by malicious actors to maintain communications
with compromised systems
Command-line interface (CLI): A text-based user interface that uses commands to interact with the
computer
Data exfiltration: Unauthorized transmission of data from a system
Data packet: A basic unit of information that travels from one device to another within a network
Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security
incident
Internet Protocol (IP): A set of standards used for routing and addressing data packets as they travel
between devices on a network
Intrusion detection systems (IDS): An application that monitors system activity and alerts on possible
intrusions
Media Access Control (MAC) Address: A unique alphanumeric identifier that is assigned to each
physical device on a network
National Institute of Standards and Technology (NIST) Incident Response Lifecycle: A framework for
incident response consisting of four phases: Preparation; Detection and Analysis; Containment,
Eradication and Recovery; and Post-incident activity
Network data: The data that’s transmitted between devices on a network
Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic within
a network
Network traffic: The amount of data that moves across a network
Network Interface Card (NIC): Hardware that connects computers to a network
Packet capture (p-cap): A file containing data packets intercepted from an interface or network
Root user (or superuser): A user with elevated privileges to modify the system
Sudo: A command that temporarily grants elevated permissions to specific users
tcpdump: A command-line network protocol analyzer
Wireshark: An open-source network protocol analyzer

Cybersecurity incident detection methods
Security analysts use detection tools to help them discover threats, but there are additional methods
of detection that can be used as well.
Previously, you learned about how detection tools can identify attacks like data exfiltration. In this
reading, you’ll be introduced to different detection methods that organizations can employ to
discover threats.
Methods of detection
During the Detection and Analysis Phase of the incident response lifecycle, security teams are notified
of a possible incident and work to investigate and verify the incident by collecting and analyzing
data. As a reminder, detection refers to the prompt discovery of security events and analysis involves
the investigation and validation of alerts.
As you’ve learned, an intrusion detection system (IDS) can detect possible intrusions and send out
alerts to security analysts to investigate the suspicious activity. Security analysts can also use
security information and event management (SIEM) tools to detect, collect, and analyze security
data.
You’ve also learned that there are challenges with detection. Even the best security teams can fail to
detect real threats for a variety of reasons. For example, detection tools can only detect what
security teams configure them to monitor. If they aren’t properly configured, they can fail to detect
suspicious activity, leaving systems vulnerable to attack. It’s important for security teams to use
additional methods of detection to increase their coverage and accuracy.
Threat hunting
Threats evolve and attackers advance their tactics and techniques. Automated, technology-driven
detection can be limited in keeping up to date with the evolving threat landscape. Human-driven
detection like threat hunting combines the power of technology with a human element to discover
hidden threats left undetected by detection tools.
Threat hunting is the proactive search for threats on a network. Security professionals use threat
hunting to uncover malicious activity that was not identified by detection tools and as a way to do
further analysis on detections. Threat hunting is also used to detect threats before they cause
damage. For example, fileless malware is difficult for detection tools to identify. It’s a form of
malware that uses sophisticated evasion techniques such as hiding in memory instead of using files
or applications, allowing it to bypass traditional methods of detection like signature analysis. With
threat hunting, the combination of active human analysis and technology is used to identify threats
like fileless malware.
Note: Threat hunting specialists are known as threat hunters. Threat hunters perform research on
emerging threats and attacks and then determine the probability of an organization being vulnerable
to a particular attack. Threat hunters use a combination of threat intelligence, indicators of
compromise, indicators of attack, and machine learning to search for threats in an organization.
Threat intelligence
Organizations can improve their detection capabilities by staying updated on the evolving threat
landscape and understanding the relationship between their environment and malicious actors. One
way to understand threats is by using threat intelligence, which is evidence-based threat information
that provides context about existing or emerging threats.
Threat intelligence can come from private or public sources like:
 Industry reports: These often include details about attacker's tactics, techniques, and
procedures (TTP).
 Government advisories: Similar to industry reports, government advisories include details

about attackers' TTP.
 Threat data feeds: Threat data feeds provide a stream of threat-related data that can be used
to help protect against sophisticated attackers like advanced persistent threats (APTs). APTs
are instances when a threat actor maintains unauthorized access to a system for an
extended period of time. The data is usually a list of indicators like IP addresses, domains,
and file hashes.
It can be difficult for organizations to efficiently manage large volumes of threat intelligence.
Organizations can leverage a threat intelligence platform (TIP) which is an application that collects,
centralizes, and analyzes threat intelligence from different sources. TIPs provide a centralized
platform for organizations to identify and prioritize relevant threats and improve their security
posture.
Note: Threat intelligence data feeds are best used to add context to detections. They should not
drive detections completely and should be assessed before applied to an organization.
Cyber deception
Cyber deception involves techniques that deliberately deceive malicious actors with the goal of
increasing detection and improving defensive strategies.
Honeypots are an example of an active cyber defense mechanism that uses deception technology.
Honeypots are systems or resources that are created as decoys vulnerable to attacks with the
purpose of attracting potential intruders. For example, having a fake file labeled Client Credit Card
Information - 2022 can be used to capture the activity of malicious actors by tricking them into
accessing the file because it appears to be legitimate. Once a malicious actor tries to access this file,
security teams are alerted.
Key takeaways
Various detection methods can be implemented to identify and locate security events in an
environment. It’s essential for organizations to use a variety of detection methods, tools, and
technologies to adapt to the ever evolving threat landscape and better protect assets.
Indicators of compromise
In this reading, you’ll be introduced to the concept of the Pyramid of Pain and you'll explore
examples of the different types of indicators of compromise. Understanding and applying this
concept helps organizations improve their defense and reduces the damage an incident can cause.
Indicators of compromise
Indicators of compromise (IoCs) are observable evidence that suggests signs of a potential security
incident. IoCs chart specific pieces of evidence that are associated with an attack, like a file name
associated with a type of malware. You can think of an IoC as evidence that points to something
that's already happened, like noticing that a valuable has been stolen from inside of a car.
Indicators of attack (IoA) are the series of observed events that indicate a real-time incident. IoAs
focus on identifying the behavioral evidence of an attacker, including their methods and intentions.
Essentially, IoCs help to identify the who and what of an attack after it's taken place, while IoAs
focus on finding the why and how of an ongoing or unknown attack. For example, observing a
process that makes a network connection is an example of an IoA. The filename of the process and
the IP address that the process contacted are examples of the related IoCs.
Note: Indicators of compromise are not always a confirmation that a security incident has happened.
IoCs may be the result of human error, system malfunctions, and other reasons not related to
security.
Pyramid of Pain
Not all indicators of compromise are equal in the value they provide to security teams. It’s important
for security professionals to understand the different types of indicators of compromise so that they
can quickly and effectively detect and respond to them. This is why security researcher David J.
Bianco created the concept of the Pyramid of Pain, with the goal of improving how indicators of
compromise are used in incident detection.
The Pyramid of Pain captures the relationship between indicators of compromise and the level of
difficulty that malicious actors experience when indicators of compromise are blocked by security
teams. It lists the different types of indicators of compromise that security professionals use to
identify malicious activity.
Each type of indicator of compromise is separated into levels of difficulty. These levels represent the
“pain” levels that an attacker faces when security teams block the activity associated with the
indicator of compromise. For example, blocking an IP address associated with a malicious actor is
labeled as easy because malicious actors can easily use different IP addresses to work around this
and continue with their malicious efforts. If security teams are able to block the IoCs located at the
top of the pyramid, the more difficult it becomes for attackers to continue their attacks. Here’s a
breakdown of the different types of indicators of compromise found in the Pyramid of Pain.
1. Hash values: Hashes that correspond to known malicious files. These are often used to
provide unique references to specific samples of malware or to files involved in an intrusion.
2. IP addresses: An internet protocol address like 192.168.1.1
3. Domain names: A web address such as www.google.com
4. Network artifacts: Observable evidence created by malicious actors on a network. For

example, information found in network protocols such as User-Agent strings.
5. Host artifacts: Observable evidence created by malicious actors on a host. A host is any
device that’s connected on a network. For example, the name of a file created by malware.
6. Tools: Software that’s used by a malicious actor to achieve their goal. For example, attackers
can use password cracking tools like John the Ripper to perform password attacks to gain
access into an account.
7. Tactics, techniques, and procedures (TTPs): This is the behavior of a malicious actor. Tactics
refer to the high-level overview of the behavior. Techniques provide detailed descriptions of
the behavior relating to the tactic. Procedures are highly detailed descriptions of the
technique. TTPs are the hardest to detect.
Key takeaways
Indicators of compromise and indicators of attack are valuable sources of information for security
professionals when it comes to detecting incidents. The Pyramid of Pain is a concept that can be
used to understand the different types of indicators of compromise and the value they have in
detecting and stopping malicious activity.
Analyze indicators of compromise with investigative

tools
So far, you've learned about the different types of detection methods that can be used to detect
security incidents. This reading explores how investigative tools can be used during investigations to
analyze suspicious indicators of compromise (IoCs) and build context around alerts. Remember, an
IoC is observable evidence that suggests signs of a potential security incident.
Adding context to investigations

You've learned about the Pyramid of Pain which describes the relationship between indicators of
compromise and the level of difficulty that malicious actors experience when indicators of
compromise are blocked by security teams. You also learned about different types of IoCs, but as
you know, not all IoCs are equal. Malicious actors can manage to evade detection and continue
compromising systems despite having their IoC-related activity blocked or limited.
For example, identifying and blocking a single IP address associated with malicious activity does not
provide a broader insight on an attack, nor does it stop a malicious actor from continuing their
activity. Focusing on a single piece of evidence is like fixating on a single section of a painting: You
miss out on the bigger picture.
Security analysts need a way to expand the use of IoCs so that they can add context to alerts.
Threat intelligence is evidence-based threat information that provides context about existing or
emerging threats. By accessing additional information related to IoCs, security analysts can expand
their viewpoint to observe the bigger picture and construct a narrative that helps inform their
response actions.
By adding context to an IoC—for instance, identifying other artifacts related to the suspicious IP
address, such as suspicious network communications or unusual processes—security teams can
start to develop a detailed picture of a security incident. This context can help security teams detect
security incidents faster and take a more informed approach in their response.
The power of crowdsourcing

Crowdsourcing is the practice of gathering information using public input and collaboration. Threat
intelligence platforms use crowdsourcing to collect information from the global cybersecurity
community. Traditionally, an organization's response to incidents was performed in isolation. A
security team would receive and analyze an alert, and then work to remediate it without additional
insights on how to approach it. Without crowdsourcing, attackers can perform the same attacks
against multiple organizations.
With crowdsourcing, organizations harness the knowledge of millions of other cybersecurity

professionals, including cybersecurity product vendors, government agencies, cloud providers, and
more. Crowdsourcing allows people and organizations from the global cybersecurity community to
openly share and access a collection of threat intelligence data, which helps to continuously improve
detection technologies and methodologies.
Examples of information-sharing organizations include Information Sharing and Analysis Centers

(ISACs), which focus on collecting and sharing sector-specific threat intelligence to companies within
specific industries like energy, healthcare, and others. Open-source intelligence (OSINT) is the
collection and analysis of information from publicly available sources to generate usable intelligence.
OSINT can also be used as a method to gather information related to threat actors, threats,
vulnerabilities, and more.
This threat intelligence data is used to improve the detection methods and techniques of security
products, like detection tools or anti-virus software. For example, attackers often perform the same
attacks on multiple targets with the hope that one of them will be successful. Once an organization
detects an attack, they can immediately publish the attack details, such as malicious files, IP
addresses, or URLs, to tools like VirusTotal. This threat intelligence can then help other
organizations defend against the same attack.
VirusTotal
VirusTotal is a service that allows anyone to analyze suspicious files, domains, URLs, and IP
addresses for malicious content. VirusTotal also offers additional services and tools for enterprise
use. This reading focuses on the VirusTotal website, which is available for free and non-commercial
use.
It can be used to analyze suspicious files, IP addresses, domains, and URLs to detect cybersecurity
threats such as malware. Users can submit and check artifacts, like file hashes or IP addresses, to
get VirusTotal reports, which provide additional information on whether an IoC is considered
malicious or not, how that IoC is connected or related to other IoCs in the dataset, and more.
Here is a breakdown of the reports summary:
1. Detection: The Detection tab provides a list of third-party security vendors and their detection
verdicts on an IoC. For example, vendors can list their detection verdict as malicious,
suspicious, unsafe, and more.
2. Details: The Details tab provides additional information extracted from a static analysis of the
IoC. Information such as different hashes, file types, file sizes, headers, creation time, and
first and last submission information can all be found in this tab.
3. Relations: The Relations tab provides related IoCs that are somehow connected to an
artifact, such as contacted URLs, domains, IP addresses, and dropped files if the artifact is
an executable.
4. Behavior: The Behavior tab contains information related to the observed activity and
behaviors of an artifact after executing it in a controlled or sandboxed environment. This
information includes tactics and techniques detected, network communications, registry and
file systems actions, processes, and more.
5. Community: The Community tab is where members of the VirusTotal community, such as
security professionals or researchers, can leave comments and insights about the IoC.
6. Vendors’ ratio and community score: The score displayed at the top of the report is the
vendors’ ratio. The vendors’ ratio shows how many security vendors have flagged the IoC as
malicious overall. Below this score, there is also the community score, based on the inputs of
the VirusTotal community. The more detections a file has and the higher its community score
is, the more likely that the file is malicious.
Note: Data uploaded to VirusTotal will be publicly shared with the entire VirusTotal community. Be
careful of what you submit, and make sure you do not upload personal information.
Other tools
There are other investigative tools that can be used to analyze IoCs. These tools can also share the
data that's uploaded to them to the security community.
Jotti malware scan

Jotti's malware scan is a free service that lets you scan suspicious files with several antivirus
programs. There are some limitations to the number of files that you can submit.
Urlscan.io
Urlscan.io is a free service that scans and analyzes URLs and provides a detailed report
summarizing the URL information.
MalwareBazaar
MalwareBazaar is a free repository for malware samples. Malware samples are a great source of
threat intelligence that can be used for research purposes.
Key takeaways
As a security analyst, you'll analyze IoCs. It's important to understand how adding context to
investigations can help improve detection capabilities and make informed and effective decisions.
Best practices for effective documentation
Documentation is any form of recorded content that is used for a specific purpose, and it is essential
in the field of security. Security teams use documentation to support investigations, complete tasks,
and communicate findings. This reading explores the benefits of documentation and provides you
with a list of common practices to help you create effective documentation in your security career.
Documentation benefits
You’ve already learned about many types of security documentation, including playbooks, final
reports, and more. As you’ve also learned, effective documentation has three benefits:
1. Transparency
2. Standardization
3. Clarity
Transparency
In security, transparency is critical for demonstrating compliance with regulations and internal
processes, meeting insurance requirements, and for legal proceedings. Chain of custody is the
process of documenting evidence possession and control during an incident lifecycle. Chain of
custody is an example of how documentation produces transparency and an audit trail.
Standardization
Standardization through repeatable processes and procedures supports continuous improvement
efforts, helps with knowledge transfer, and facilitates the onboarding of new team members.
Standards are references that inform how to set policies.
You have learned how NIST provides various security frameworks that are used to improve security
measures. Likewise, organizations set up their own standards to meet their business needs. An
example of documentation that establishes standardization is an incident response plan, which is
a document that outlines the procedures to take in each step of incident response. Incident response
plans standardize an organization’s response process by outlining procedures in advance of an
incident. By documenting an organization’s incident response plan, you create a standard that
people follow, maintaining consistency with repeatable processes and procedures.
Clarity
Ideally, all documentation provides clarity to its audience. Clear documentation helps people quickly
access the information they need so they can take necessary action. Security analysts are required
to document the reasoning behind any action they take so that it’s clear to their team why an alert
was escalated or closed.
Best practices
As a security professional, you’ll need to apply documentation best practices in your career. Here
are some general guidelines to remember:
Know your audience

Before you start creating documentation, consider your audience and their needs. For instance, an
incident summary written for a security operations center (SOC) manager will be written differently
than one that's drafted for a chief executive officer (CEO). The SOC manager can understand
technical security language but a CEO might not. Tailor your document to meet your audience’s
needs.
Be concise
You might be tasked with creating long documentation, such as a report. But when documentation is
too long, people can be discouraged from using it. To ensure that your documentation is useful,
establish the purpose immediately. This helps people quickly identify the objective of the document.
For example, executive summaries outline the major facts of an incident at the beginning of a final
report. This summary should be brief so that it can be easily skimmed to identify the key findings.
Update regularly
In security, new vulnerabilities are discovered and exploited constantly. Documentation must be
regularly reviewed and updated to keep up with the evolving threat landscape. For example, after an
incident has been resolved, a comprehensive review of the incident can identify gaps in processes
and procedures that require changes and updates. By regularly updating documentation, security
teams stay well informed and incident response plans stay updated.
Key takeaways
Effective documentation produces benefits for everyone in an organization. Knowing how to create
documentation is an essential skill to have as a security analyst. As you continue in your journey to
become a security professional, be sure to consider these practices for creating effective
documentation.
The triage process

Previously, you learned that triaging is used to assess alerts and assign priority to incidents. In this
reading, you'll explore the triage process and its benefits. As a security analyst, you'll be responsible
for analyzing security alerts. Having the skills to effectively triage is important because it allows you
to address and resolve security alerts efficiently.
Triage process
Incidents can have the potential to cause significant damage to an organization. Security teams
must respond quickly and efficiently to prevent or limit the impact of an incident before it becomes
too late. Triage is the prioritizing of incidents according to their level of importance or urgency. The
triage process helps security teams evaluate and prioritize security alerts and allocate resources
effectively so that the most critical issues are addressed first.
The triage process consists of three steps:
1. Receive and assess
2. Assign priority
3. Collect and analyze
Receive and assess

During this first step of the triage process, a security analyst receives an alert from an alerting
system like an intrusion detection system (IDS). You might recall that an IDS is an application that
monitors system activity and alerts on possible intrusions. The analyst then reviews the alert to verify
its validity and ensure they have a complete understanding of the alert.
This involves gathering as much information as possible about the alert, including details about the
activity that triggered the alert, the systems and assets involved, and more. Here are some
questions to consider when verifying the validity of an alert:
 Is the alert a false positive? Security analysts must determine whether the alert is a genuine
security concern or a false positive, or an alert that incorrectly detects the presence of a
threat.
 Was this alert triggered in the past? If so, how was it resolved? The history of an alert can
help determine whether the alert is a new or recurring issue.
 Is the alert triggered by a known vulnerability? If an alert is triggered by a known vulnerability,

security analysts can leverage existing knowledge to determine an appropriate response and
minimize the impact of the vulnerability.
 What is the severity of the alert? The severity of an alert can help determine the priority of the
response so that critical issues are quickly escalated.
Assign priority
Once the alert has been properly assessed and verified as a genuine security issue, it needs to be
prioritized accordingly. Incidents differ in their impact, size, and scope, which affects the response
efforts. To manage time and resources, security teams must prioritize how they respond to various
incidents because not all incidents are equal. Here are some factors to consider when determining
the priority of an incident:
 Functional impact: Security incidents that target information technology systems impact the
service that these systems provide to its users. For example, a ransomware incident can
severely impact the confidentiality, availability, and integrity of systems. Data can be
encrypted or deleted, making it completely inaccessible to users. Consider how an incident
impacts the existing business functionality of the affected system.
 Information impact: Incidents can affect the confidentiality, integrity, and availability of an
organization’s data and information. In a data exfiltration attack, malicious actors can steal
sensitive data. This data can belong to third party users or organizations. Consider the
effects that information compromise can have beyond the organization.
 Recoverability: How an organization recovers from an incident depends on the size and
scope of the incident and the amount of resources available. In some cases, recovery might
not be possible, like when a malicious actor successfully steals proprietary data and shares it
publicly. Spending time, effort, and resources on an incident with no recoverability can be
wasteful. It’s important to consider whether recovery is possible and consider whether it’s
worth the time and cost.
Note: Security alerts often come with an assigned priority or severity level that classifies the urgency
of the alert based on a level of prioritization.
Collect and analyze

The final step of the triage process involves the security analyst performing a comprehensive
analysis of the incident. Analysis involves gathering evidence from different sources, conducting
external research, and documenting the investigative process. The goal of this step is to gather
enough information to make an informed decision to address it. Depending on the severity of the
incident, escalation to a level two analyst or a manager might be required. Level two analysts and
managers might have more knowledge on using advanced techniques to address the incident.
Benefits of triage
By prioritizing incidents based on their potential impact, you can reduce the scope of impact to the
organization by ensuring a timely response. Here are some benefits that triage has for security
teams:
 Resource management: Triaging alerts allows security teams to focus their resources on
threats that require urgent attention. This helps team members avoid dedicating time and
resources to lower priority tasks and might also reduce response time.
 Standardized approach: Triage provides a standardized approach to incident handling.

Process documentation, like playbooks, help to move alerts through an iterative process to
ensure that alerts are properly assessed and validated. This ensures that only valid alerts
are moved up to investigate.
Key takeaways
Triage allows security teams to prioritize incidents according to their level of importance or urgency.
The triage process is important in ensuring that an organization meets their incident response goals.
As a security professional, you will likely utilize triage to effectively respond to and resolve security
incidents.
Business continuity considerations
Previously, you learned about how security teams develop incident response plans to help ensure
that there is a prepared and consistent process to quickly respond to security incidents. In this
reading, you'll explore the importance that business continuity planning has in recovering from
incidents.
Business continuity planning

Security teams must be prepared to minimize the impact that security incidents can have on their
normal business operations. When an incident occurs, organizations might experience significant
disruptions to the functionality of their systems and services. Prolonged disruption to systems and
services can have serious effects, causing legal, financial, and reputational damages. Organizations
can use business continuity planning so that they can remain operational during any major
disruptions.
Similar to an incident response plan, a business continuity plan (BCP) is a document that outlines the
procedures to sustain business operations during and after a significant disruption. A BCP helps
organizations ensure that critical business functions can resume or can be quickly restored when an
incident occurs.
Entry level security analysts aren't typically responsible for the development and testing of a BCP.
However, it's important that you understand how BCPs provide organizations with a structured way
to respond and recover from security incidents.
Note: Business continuity plans are not the same as disaster recovery plans. Disaster recovery plans
are used to recover information systems in response to a major disaster. These disasters can range
from hardware failure to the destruction of facilities from a natural disaster, like a flood.
Consider the impacts of ransomware to business continuity

Impacts of a security incident such as ransomware can be devastating for business operations.
Ransomware attacks targeting critical infrastructure such as healthcare can have the potential to
cause significant disruption. Depending on the severity of a ransomware attack, the accessibility,
availability, and delivery of essential healthcare services can be impacted. For example,
ransomware can encrypt data, resulting in disabled access to medical records, which prevents
healthcare providers from accessing patient records. At a larger scale, security incidents that target
the assets, systems, and networks of critical infrastructure can also undermine national security,
economic security, and the health and safety of the public. For this reason, BCPs help to minimize
interruptions to operations so that essential services can be accessed.
Recovery strategies
When an outage occurs due to a security incident, organizations must have some sort of a functional
recovery plan set to resolve the issue and get systems fully operational. BCPs can include strategies
for recovery that focus on returning to normal operations. Site resilience is one example of a
recovery strategy.
Site resilience
Resilience is the ability to prepare for, respond to, and recover from disruptions. Organizations can
design their systems to be resilient so that they can continue delivering services despite facing
disruptions. An example is site resilience, which is used to ensure the availability of networks, data
centers, or other infrastructure when a disruption happens. There are three types of recovery sites
used for site resilience:
 Hot sites: A fully operational facility that is a duplicate of an organization's primary

environment. Hot sites can be activated immediately when an organization's primary site
experiences failure or disruption.
 Warm sites: A facility that contains a fully updated and configured version of the hot site.
Unlike hot sites, warm sites are not fully operational and available for immediate use but can
quickly be made operational when a failure or disruption occurs.
 Cold sites: A backup facility equipped with some of the necessary infrastructure required to
operate an organization's site. When a disruption or failure occurs, cold sites might not be
ready for immediate use and might need additional work to be operational.
Key takeaways
Security incidents have the potential to seriously disrupt business operations. Having the right plans
in place is essential so that organizations can continue to function. Business continuity plans help
organizations understand the impact that serious security incidents can have on their operations and
work to mitigate these impacts so that regular operations can resume.
Post-incident review
Previously, you explored the Containment, Eradication and Recovery phase of the NIST Incident
Response Lifecycle. This reading explores the activities involved in the final phase of the lifecycle:
Post-incident activity. As a security analyst, it's important to familiarize yourself with the activities
involved in this phase because each security incident will provide you with an opportunity to learn
and improve your responses to future incidents.
Post-incident activity
The Post-incident activity phase of the NIST Incident Response Lifecycle is the process of reviewing
an incident to identify areas for improvement during incident handling.
Lessons learned
After an organization has successfully contained, eradicated, and recovered from an incident, the
incident comes to a close. However, this doesn’t mean that the work of security professionals is
complete. Incidents provide organizations and their security teams with an opportunity to learn from
what happened and prioritize ways to improve the incident handling process.
This is typically done through a lessons learned meeting, also known as a post-mortem. A lessons
learned meeting includes all involved parties after a major incident. Depending on the scope of an
incident, multiple meetings can be scheduled to gather sufficient data. The purpose of this meeting is
to evaluate the incident in its entirety, assess the response actions, and identify any areas of
improvement. It provides an opportunity for an organization and its people to learn and improve, not
to assign blame. This meeting should be scheduled no later than two weeks after an incident has
been successfully remediated.
Not all incidents require their own lessons learned meeting; the size and severity of an incident will
dictate whether the meeting is necessary. However, major incidents, such as ransomware attacks,
should be reviewed in a dedicated lessons learned meeting. This meeting consists of all parties who
participated in any aspect of the incident response process. Here are some examples of questions
that are addressed in this meeting:
 What happened?
 What time did it happen?
 Who discovered it?
 How did it get contained?
 What were the actions taken for recovery?
 What could have been done differently?
Besides having the opportunity to learn from the incident, there are additional benefits to conducting
a lessons learned meeting. For large organizations, lessons learned meetings offer a platform for
team members across departments to share information and recommendations for future
prevention.
Pro tip: Before a team hosts a lessons learned meeting, organizers should make sure all attendees
come prepared. The meeting hosts typically develop and distribute a meeting agenda beforehand,
which contains the topics of discussion and ensures that attendees are informed and prepared.
Additionally, meeting roles should be assigned in advance, including a moderator to lead and
facilitate discussion and a scribe to take meeting notes.
Recommendations
Lessons learned meetings provide opportunities for growth and improvement. For example, security
teams can identify errors in response actions, gaps in processes and procedures, or ineffective
security controls. A lessons learned meeting should result in a list of prioritized actions or actionable
recommendations meant to improve an organization’s incident handling processes and overall
security posture. This ensures that organizations are implementing the lessons they’ve learned after
an incident so that they are not vulnerable to experiencing the same incident in the future. Examples
of changes that can be implemented include updating and improving playbook instructions or
implementing new security tools and technologies.
Final report
Throughout this course, you explored the importance that documentation has in recording details
during the incident response lifecycle. At a minimum, incident response documentation should
describe the incident by covering the 5 W's of incident investigation: who, what, where, why, and
when. The details that are captured during incident response are important for developing additional
documents during the end of the lifecycle.
One of the most essential forms of documentation that gets created during the end of an incident is
the final report. The final report provides a comprehensive review of an incident. Final reports are
not standardized, and their formats can vary across organizations. Additionally, multiple final reports
can be created depending on the audience it’s written for. Here are some examples of common
elements found in a final report:
 Executive summary: A high-level summary of the report including the key findings and
essential facts related to the incident
 Timeline: A detailed chronological timeline of the incident that includes timestamps dating
the sequence of events that led to the incident
 Investigation: A compilation of the actions taken during the detection and analysis of the
incident. For example, analysis of a network artifact such as a packet capture reveals
information about what activities happen on a network.
 Recommendations: A list of suggested actions for future prevention
Pro tip: When writing the final report, consider the audience that you’re writing the report for.
Oftentimes, business executives and other non-security professionals who don’t have the expertise
to understand technical details will read post-incident final reports. Considering the audience when
writing a final report will help you effectively communicate the most important details.
Key takeaways
Post-incident actions represent the end of the incident response lifecycle. This phase provides the
opportunity for security teams to meet, evaluate the response actions, make recommendations for
improvement, and develop the final report.

Analysis: The investigation and validation of alerts
Broken chain of custody: Inconsistencies in the collection and logging of evidence in the chain of
custody
Business continuity plan (BCP): A document that outlines the procedures to sustain business
operations during and after a significant disruption
Chain of custody: The process of documenting evidence possession and control during an incident
lifecycle
Containment: The act of limiting and preventing additional damage caused by an incident
Crowdsourcing: The practice of gathering information using public input and collaboration
Detection: The prompt discovery of security events
Documentation: Any form of recorded content that is used for a specific purpose
Eradication: The complete removal of the incident elements from all affected systems
Final report: Documentation that provides a comprehensive review of an incident
Honeypot: A system or resource created as a decoy vulnerable to attacks with the purpose of
attracting potential intruders
Incident response plan: A document that outlines the procedures to take in each step of incident
response
Indicators of attack (IoA): The series of observed events that indicate a real-time incident
Indicators of compromise (IoC): Observable evidence that suggests signs of a potential security
incident
intrusions
Lessons learned meeting: A meeting that includes all involved parties after a major incident
Open-source intelligence (OSINT): The collection and analysis of information from publicly available
sources to generate usable intelligence
Post-incident activity: The process of reviewing an incident to identify areas for improvement during
incident handling
Recovery: The process of returning affected systems back to normal operations
Resilience: The ability to prepare for, respond to, and recover from disruptions
Standards: References that inform how to set policies
Threat hunting: The proactive search for threats on a network
Threat intelligence: Evidence-based threat information that provides context about existing or
emerging threats
Triage: The prioritizing of incidents according to their level of importance or urgency
VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs, and IP
addresses for malicious content
Best practices for log collection and management

In this reading, you’ll examine some best practices related to log management, storage, and
protection. Understanding the best practices related to log collection and management will help
improve log searches and better support your efforts in identifying and resolving security incidents.
Logs
Data sources such as devices generate data in the form of events. A log is a record of events that
occur within an organization's systems. Logs contain log entries and each entry details information
corresponding to a single event that happened on a device or system. Originally, logs served the
sole purpose of troubleshooting common technology issues. For example, error logs provide
information about why an unexpected error occurred and help to identify the root cause of the error
so that it can be fixed. Today, virtually all computing devices produce some form of logs that provide
valuable insights beyond troubleshooting.
Security teams access logs from logging receivers like SIEM tools which consolidate logs to provide
a central repository for log data. Security professionals use logs to perform log analysis, which is the
process of examining logs to identify events of interest. Logs help uncover the details surrounding
the 5 W's of incident investigation: who triggered the incident, what happened, when the incident
took place, where the incident took place, and why the incident occurred.
Types of logs
Depending on the data source, different log types can be produced. Here’s a list of some common
log types that organizations should record:
 Network: Network logs are generated by network devices like firewalls, routers, or switches.
 System: System logs are generated by operating systems like Chrome OS™, Windows,
Linux, or macOS®.
 Application: Application logs are generated by software applications and contain information
relating to the events occurring within the application such as a smartphone app.
 Security: Security logs are generated by various devices or systems such as antivirus
software and intrusion detection systems. Security logs contain security-related information
such as file deletion.
 Authentication: Authentication logs are generated whenever authentication occurs such as a

successful login attempt into a computer.
Log details
Generally, logs contain a date, time, location, action, and author of the action. Here is an example of
an authentication log:
Login Event [05:45:15] User1 Authenticated successfully
Logs contain information and can be adjusted to contain even more information. Verbose logging
records additional, detailed information beyond the default log recording. Here is an example of the
same log above but logged as verbose.
Login Event [2022/11/16 05:45:15.892673] auth_performer.cc:470 User1 Authenticated successfully from

device1 (192.168.1.2)
Log management
Because all devices produce logs, it can quickly become overwhelming for organizations to keep
track of all the logs that are generated. To get the most value from your logs, you need to choose
exactly what to log, how to access it easily, and keep it secure using log management. Log
management is the process of collecting, storing, analyzing, and disposing of log data.
What to log
The most important aspect of log management is choosing what to log. Organizations are different,
and their logging requirements can differ too. It's important to consider which log sources are most
likely to contain the most useful information depending on your event of interest. This might be
configuring log sources to reduce the amount of data they record, such as excluding excessive
verbosity. Some information, including but not limited to phone numbers, email addresses, and
names, form personally identifiable information (PII), which requires special handling and in some
jurisdictions might not be possible to be logged.
The issue with overlogging

From a security perspective, it can be tempting to log everything. This is the most common mistake
organizations make. Just because it can be logged, doesn't mean it needs to be logged. Storing
excessive amounts of logs can have many disadvantages with some SIEM tools. For example,
overlogging can increase storage and maintenance costs. Additionally, overlogging can increase the
load on systems, which can cause performance issues and affect usability, making it difficult to
search for and identify important events.
Log retention
Organizations might operate in industries with regulatory requirements. For example, some
regulations require organizations to retain logs for set periods of time and organizations can
implement log retention practices in their log management policy.
Organizations that operate in the following industries might need to modify their log management
policy to meet regulatory requirements:
 Public sector industries, like the Federal Information Security Modernization Act (FISMA)
 Healthcare industries, like the Health Insurance Portability and Accountability Act of 1996
(HIPAA)
 Financial services industries, such as the Payment Card Industry Data Security Standard
(PCI DSS), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act of 2002 (SOX)
Log protection
Along with management and retention, the protection of logs is vital in maintaining log integrity. It’s
not unusual for malicious actors to modify logs in attempts to mislead security teams and to even
hide their activity.
Storing logs in a centralized log server is a way to maintain log integrity. When logs are generated,
they get sent to a dedicated server instead of getting stored on a local machine. This makes it more
difficult for attackers to access logs because there is a barrier between the attacker and the log
location.
Key takeaways
It's important to understand how to properly collect, store, and protect logs because they are integral
to incident investigations. Having a detailed plan for log management helps improve the usefulness
of logs and resource efficiency.
Overview of log file formats
You’ve learned about how logs record events that happen on a network, or system. In security, logs
provide key details about activities that occurred across an organization, like who signed into an
application at a specific point in time. As a security analyst, you’ll use log analysis, which is the
process of examining logs to identify events of interest. It’s important to know how to read and
interpret different log formats so that you can uncover the key details surrounding an event and
identify unusual or malicious activity. In this reading, you’ll review the following log formats:
 JSON
 Syslog
 XML
 CSV
 CEF
JavaScript Object Notation (JSON)

JavaScript Object Notation (JSON) is a file format that is used to store and transmit data. JSON is
known for being lightweight and easy to read and write. It is used for transmitting data in web
technologies and is also commonly used in cloud environments. JSON syntax is derived from
JavaScript syntax. If you are familiar with JavaScript, you might recognize that JSON contains
components from JavaScript including:
 Key-value pairs
 Commas
 Double quotes
 Curly brackets
 Square brackets
Key-value pairs
A key-value pair is a set of data that represents two linked items: a key and its corresponding value.
A key-value pair consists of a key followed by a colon, and then followed by a value. An example of
a key-value pair is "Alert": "Malware".
Note: For readability, it is recommended that key-value pairs contain a space before or after the
colon that separates the key and value.
Commas
Commas are used to separate data. For example: "Alert": "Malware", "Alert code": 1090, "severity":
10.
Double quotes
Double quotes are used to enclose text data, which is also known as a string, for example: "Alert":
"Malware". Data that contains numbers is not enclosed in quotes, like this: "Alert code": 1090.
Curly brackets
Curly brackets enclose an object, which is a data type that stores data in a comma-separated list of
key-value pairs. Objects are often used to describe multiple properties for a given key. JSON log
entries start and end with a curly bracket. In this example, User is the object that contains multiple
properties:
"User": { "id": "1234", "name": "user", "role": "engineer" }
Square brackets
Square brackets are used to enclose an array, which is a data type that stores data in a comma-
separated ordered list. Arrays are useful when you want to store data as an ordered collection, for
example: ["Administrators", "Users", "Engineering"].
Syslog
Syslog is a standard for logging and transmitting data. It can be used to refer to any of its three
different capabilities:
1. Protocol: The syslog protocol is used to transport logs to a centralized log server for log
management. It uses port 514 for plaintext logs and port 6514 for encrypted logs.
2. Service: The syslog service acts as a log forwarding service that consolidates logs from
multiple sources into a single location. The service works by receiving and then forwarding
any syslog log entries to a remote server.
3. Log format: The syslog log format is one of the most commonly used log formats that you
will be focusing on. It is the native logging format used in Unix® systems. It consists of three
components: a header, structured-data, and a message.
Syslog log example

Here is an example of a syslog entry that contains all three components: a header, followed by
structured-data, and a message:
<236>1 2022-03-21T01:11:11.003Z virtual.machine.com evntslog - ID01 [user@32473 iut="1"

eventSource="Application" eventID="9999"] This is a log entry!
Header
The header contains details like the timestamp; the hostname, which is the name of the machine
that sends the log; the application name; and the message ID.
 Timestamp: The timestamp in this example is 2022-03-21T01:11:11.003Z, where 2022-03-21 is

the date in YYYY-MM-DD format. T is used to separate the date and the time. 01:11:11.003 is
the 24-hour format of the time and includes the number of milliseconds 003. Z indicates the
timezone, which is Coordinated Universal Time (UTC).
 Hostname: virtual.machine.com
 Application: evntslog
 Message ID: ID01
Structured-data
The structured-data portion of the log entry contains additional logging information. This information
is enclosed in square brackets and structured in key-value pairs. Here, there are three keys with
corresponding values: [user@32473 iut="1" eventSource="Application" eventID="9999"].
Message
The message contains a detailed log message about the event. Here, the message is This is a log
entry!.
Priority (PRI)
The priority (PRI) field indicates the urgency of the logged event and is contained with angle
brackets. In this example, the priority value is <236> . Generally, the lower the priority level, the more
urgent the event is.
Note: Syslog headers can be combined with JSON, and XML formats. Custom log formats also exist.
XML (eXtensible Markup Language)

XML (eXtensible Markup Language) is a language and a format used for storing and transmitting
data. XML is a native file format used in Windows systems. XML syntax uses the following:
 Tags
 Elements
 Attributes
Tags
XML uses tags to store and identify data. Tags are pairs that must contain a start tag and an end
tag. The start tag encloses data with angle brackets, for example <tag>, whereas the end of a tag
encloses data with angle brackets and a forward slash like this: </tag>.
Elements
XML elements include both the data contained inside of a tag and the tags itself. All XML entries
must contain at least one root element. Root elements contain other elements that sit underneath
them, known as child elements.
Here is an example:
<Event> <EventID>4688</EventID> <Version>5</Version> </Event>
In this example, <Event> is the root element and contains two child elements <EventID> and
<Version>. There is data contained in each respective child element.
Attributes
XML elements can also contain attributes. Attributes are used to provide additional information about
elements. Attributes are included as the second part of the tag itself and must always be quoted
using either single or double quotes.
For example:
<EventData> <Data Name='SubjectUserSid'>S-2-3-11-160321</Data> <Data

Name='SubjectUserName'>JSMITH</Data> <Data Name='SubjectDomainName'>ADCOMP</Data> <Data
Name='SubjectLogonId'>0x1cf1c12</Data> <Data Name='NewProcessId'>0x1404</Data> </EventData>
In the first line for this example, the tag is <Data> and it uses the attribute Name='SubjectUserSid' to
describe the data enclosed in the tag S-2-3-11-160321.
CSV (Comma Separated Value)

CSV (Comma Separated Value) uses commas to separate data values. In CSV logs, the position of
the data corresponds to its field name, but the field names themselves might not be included in the
log. It’s critical to understand what fields the source device (like an IPS, firewall, scanner, etc.) is
including in the log.
Here is an example:
2009-11-24T21:27:09.534255,ALERT,192.168.2.7, 1041,x.x.250.50,80,TCP,ALLOWED,1:2001999:9,"ET
MALWARE BTGrab.com Spyware Downloading Ads",1
CEF (Common Event Format)

Common Event Format (CEF) is a log format that uses key-value pairs to structure data and identify
fields and their corresponding values. The CEF syntax is defined as containing the following fields:
CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
Fields are all separated with a pipe character |. However, anything in the Extension part of the CEF
log entry must be written in a key-value format. Syslog is a common method used to transport logs
like CEF. When Syslog is used a timestamp and hostname will be prepended to the CEF message.
Here is an example of a CEF log entry that details malicious activity relating to a worm infection:
Sep 29 08:26:10 host CEF:1|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.2
dst=2.1.2.2 spt=1232
Here is a breakdown of the fields:
 Syslog Timestamp: Sep 29 08:26:10
 Syslog Hostname: host
 Version: CEF:1
 Device Vendor: Security
 Device Product: threatmanager
 Device Version: 1.0
 Signature ID: 100
 Name: worm successfully stopped
 Severity: 10
 Extension: This field contains data written as key-value pairs. There are two IP addresses,
src=10.0.0.2 and dst=2.1.2.2, and a source port number spt=1232. Extensions are not required
and are optional to add.
This log entry contains details about a Security application called threatmanager that successfully
stopped a worm from spreading from the internal network at 10.0.0.2 to the external network 2.1.2.2
through the port 1232. A high severity level of 10 is reported.
Note: Extensions and syslog prefix are optional to add to a CEF log.
Key takeaways
There is no standard format used in logging, and many different log formats exist. As a security
analyst, you will analyze logs that originate from different sources. Knowing how to interpret different
log formats will help you determine key information that you can use to support your investigations.
Detection tools and techniques
In this reading, you’ll examine the different types of intrusion detection system (IDS) technologies
and the alerts they produce. You’ll also explore the two common detection techniques used by
detection systems. Understanding the capabilities and limitations of IDS technologies and their
detection techniques will help you interpret security information to identify, analyze, and respond to
security events.
As you’ve learned, an intrusion detection system (IDS) is an application that monitors system activity
and alerts on possible intrusions. IDS technologies help organizations monitor the activity that
happens on their systems and networks to identify indications of malicious activity. Depending on
the location you choose to set up an IDS, it can be either host-based or network-based.
Host-based intrusion detection system

A host-based intrusion detection system (HIDS) is an application that monitors the activity of the host
on which it's installed. A HIDS is installed as an agent on a host. A host is also known as an
endpoint, which is any device connected to a network like a computer or a server.
Typically, HIDS agents are installed on all endpoints and used to monitor and detect security threats.
A HIDS monitors internal activity happening on the host to identify any unauthorized or abnormal
behavior. If anything unusual is detected, such as the installation of an unauthorized application, the
HIDS logs it and sends out an alert.
In addition to monitoring inbound and outbound traffic flows, HIDS can have additional capabilities,
such as monitoring file systems, system resource usage, user activity, and more.
This diagram shows a HIDS tool installed on a computer. The dotted circle around the host indicates
that it is only monitoring the local activity on the single computer on which it’s installed.
Network-based intrusion detection system
A network-based intrusion detection system (NIDS) is an application that collects and monitors
network traffic and network data. NIDS software is installed on devices located at specific parts of
the network that you want to monitor. The NIDS application inspects network traffic from different
devices on the network. If any malicious network traffic is detected, the NIDS logs it and generates
an alert.
This diagram shows a NIDS that is installed on a network. The highlighted circle around the server
and computers indicates that the NIDS is installed on the server and is monitoring the activity of the
computers.
Using a combination of HIDS and NIDS to monitor an environment can provide a multi-layered
approach to intrusion detection and response. HIDS and NIDS tools provide a different perspective
on the activity occurring on a network and the individual hosts that are connected to it. This helps
provide a comprehensive view of the activity happening in an environment.
Detection techniques
Detection systems can use different techniques to detect threats and attacks. The two types of
detection techniques that are commonly used by IDS technologies are signature-based analysis and
anomaly-based analysis.
Signature-based analysis
Signature analysis, or signature-based analysis, is a detection method that is used to find events of
interest. A signature is a pattern that is associated with malicious activity. Signatures can contain
specific patterns like a sequence of binary numbers, bytes, or even specific data like an IP address.
Previously, you explored the Pyramid of Pain, which is a concept that prioritizes the different types of
indicators of compromise (IoCs) associated with an attack or threat, such as IP addresses, tools,
tactics, techniques, and more. IoCs and other indicators of attack can be useful for creating targeted
signatures to detect and block attacks.
Different types of signatures can be used depending on which type of threat or attack you want to
detect. For example, an anti-malware signature contains patterns associated with malware. This can
include malicious scripts that are used by the malware. IDS tools will monitor an environment for
events that match the patterns defined in this malware signature. If an event matches the signature,
the event gets logged and an alert is generated.
Advantages
 Low rate of false positives: Signature-based analysis is very efficient at detecting known
threats because it is simply comparing activity to signatures. This leads to fewer false
positives. Remember that a false positive is an alert that incorrectly detects the presence of a
threat.
Disadvantages
 Signatures can be evaded: Signatures are unique, and attackers can modify their attack
behaviors to bypass the signatures. For example, attackers can make slight modifications to
malware code to alter its signature and avoid detection.
 Signatures require updates: Signature-based analysis relies on a database of signatures to

detect threats. Each time a new exploit or attack is discovered, new signatures must be
created and added to the signature database.
 Inability to detect unknown threats: Signature-based analysis relies on detecting known

threats through signatures. Unknown threats can't be detected, such as new malware
families or zero-day attacks, which are exploits that were previously unknown.
Anomaly-based analysis
Anomaly-based analysis is a detection method that identifies abnormal behavior. There are two
phases to anomaly-based analysis: a training phase and a detection phase. In the training phase, a
baseline of normal or expected behavior must be established. Baselines are developed by collecting
data that corresponds to normal system behavior. In the detection phase, the current system activity
is compared against this baseline. Activity that happens outside of the baseline gets logged, and an
alert is generated.
Advantages
 Ability to detect new and evolving threats: Unlike signature-based analysis, which uses known
patterns to detect threats, anomaly-based analysis can detect unknown threats.
Disadvantages
 High rate of false positives: Any behavior that deviates from the baseline can be flagged as
abnormal, including non-malicious behaviors. This leads to a high rate of false positives.
 Pre-existing compromise: The existence of an attacker during the training phase will include
malicious behavior in the baseline. This can lead to missing a pre-existing attacker.
Key takeaways
IDS technologies are an essential security tool that you will encounter in your security journey. To
recap, a NIDS monitors an entire network, whereas a HIDS monitors individual endpoints. IDS
technologies generate different types of alerts. Lastly, IDS technologies use different detection
techniques like signature-based or anomaly-based analysis to identify malicious activity.
Overview of Suricata
So far, you've learned about detection signatures and you were introduced to Suricata, an intrusion
detection system (IDS).
In this reading, you’ll explore more about Suricata. You'll also learn about the value of writing
customized signatures and configuration. This is an important skill to build in your cybersecurity
career because you might be tasked with deploying and maintaining IDS tools.
Introduction to Suricata
Suricata is an open-source intrusion detection system, intrusion prevention system, and network
analysis tool.
Suricata features
There are three main ways Suricata can be used:
 Intrusion detection system (IDS): As a network-based IDS, Suricata can monitor network
traffic and alert on suspicious activities and intrusions. Suricata can also be set up as a host-
based IDS to monitor the system and network activities of a single host like a computer.
 Intrusion prevention system (IPS): Suricata can also function as an intrusion prevention
system (IPS) to detect and block malicious activity and traffic. Running Suricata in IPS mode
requires additional configuration such as enabling IPS mode.
 Network security monitoring (NSM): In this mode, Suricata helps keep networks safe by
producing and saving relevant network logs. Suricata can analyze live network traffic,
existing packet capture files, and create and save full or conditional packet captures. This
can be useful for forensics, incident response, and for testing signatures. For example, you
can trigger an alert and capture the live network traffic to generate traffic logs, which you can
then analyze to refine detection signatures.
Rules
Rules or signatures are used to identify specific patterns, behavior, and conditions of network traffic
that might indicate malicious activity. The terms rule and signature are often used interchangeably in
Suricata. Security analysts use signatures, or patterns associated with malicious activity, to detect
and alert on specific malicious activity. Rules can also be used to provide additional context and
visibility into systems and networks, helping to identify potential security threats or vulnerabilities.
Suricata uses signatures analysis, which is a detection method used to find events of interest.
Signatures consist of three components:
 Action: The first component of a signature. It describes the action to take if network or
system activity matches the signature. Examples include: alert, pass, drop, or reject.
 Header: The header includes network traffic information like source and destination IP
addresses, source and destination ports, protocol, and traffic direction.
 Rule options: The rule options provide you with different options to customize signatures.
Here's an example of a Suricata signature:
Rule options have a specific ordering and changing their order would change the meaning of the
rule.
Note: The terms rule and signature are synonymous.
Note: Rule order refers to the order in which rules are evaluated by Suricata. Rules are processed in
the order in which they are defined in the configuration file. However, Suricata processes rules in a
different default order: pass, drop, reject, and alert. Rule order affects the final verdict of a packet
especially when conflicting actions such as a drop rule and an alert rule both match on the same
packet.
Custom rules
Although Suricata comes with pre-written rules, it is highly recommended that you modify or
customize the existing rules to meet your specific security requirements.
There is no one-size-fits-all approach to creating and modifying rules. This is because each
organization's IT infrastructure differs. Security teams must extensively test and modify detection
signatures according to their needs.
Creating custom rules helps to tailor detection and monitoring. Custom rules help to minimize the
amount of false positive alerts that security teams receive. It's important to develop the ability to write
effective and customized signatures so that you can fully leverage the power of detection
technologies.
Configuration file
Before detection tools are deployed and can begin monitoring systems and networks, you must
properly configure their settings so that they know what to do. A configuration file is a file used to
configure the settings of an application. Configuration files let you customize exactly how you want
your IDS to interact with the rest of your environment.
Suricata's configuration file is suricata.yaml, which uses the YAML file format for syntax and
structure.
Log files
There are two log files that Suricata generates when alerts are triggered:
 eve.json: The eve.json file is the standard Suricata log file. This file contains detailed
information and metadata about the events and alerts generated by Suricata stored in JSON
format. For example, events in this file contain a unique identifier called flow_id which is
used to correlate related logs or alerts to a single network flow, making it easier to analyze
network traffic. The eve.json file is used for more detailed analysis and is considered to be a
better file format for log parsing and SIEM log ingestion.
 fast.log: The fast.log file is used to record minimal alert information including basic IP
address and port details about the network traffic. The fast.log file is used for basic logging
and alerting and is considered a legacy file format and is not suitable for incident response or
threat hunting tasks.
The main difference between the eve.json file and the fast.log file is the level of detail that is
recorded in each. The fast.log file records basic information, whereas the eve.json file contains
additional verbose information.
Key takeaways
In this reading, you explored some of Suricata's features, rules syntax, and the importance of
configuration. Understanding how to configure detection technologies and write effective rules will
provide you with clear insight into the activity happening in an environment so that you can improve
detection capability and network visibility. Go ahead and start practicing using Suricata in the
upcoming activity!
Log sources and log ingestion

In this reading, you’ll explore more on the importance of log ingestion. You may recall that security
information and event management (SIEM) tools collect and analyze log data to monitor critical
activities in an organization. You also learned about log analysis, which is the process of examining
logs to identify events of interest. Understanding how log sources are ingested into SIEM tools is
important because it helps security analysts understand the types of data that are being collected,
and can help analysts identify and prioritize security incidents.
SIEM process overview

Previously, you covered the SIEM process. As a refresher, the process consists of three steps:
1. Collect and aggregate data: SIEM tools collect event data from various data sources.
2. Normalize data: Event data that's been collected becomes normalized. Normalization
converts data into a standard format so that data is structured in a consistent way and
becomes easier to read and search. While data normalization is a common feature in many
SIEM tools, it's important to note that SIEM tools vary in their data normalization capabilities.
3. Analyze data: After the data is collected and normalized, SIEM tools analyze and correlate
the data to identify common patterns that indicate unusual activity.
This reading focuses on the first step of this process, the collection and aggregation of data.
Log ingestion
Data is required for SIEM tools to work effectively. SIEM tools must first collect data using log
ingestion. Log ingestion is the process of collecting and importing data from log sources into a SIEM
tool. Data comes from any source that generates log data, like a server.
In log ingestion, the SIEM creates a copy of the event data it receives and retains it within its own
storage. This copy allows the SIEM to analyze and process the data without directly modifying the
original source logs. The collection of event data provides a centralized platform for security analysts
to analyze the data and respond to incidents. This event data includes authentication attempts,
network activity, and more.
Log forwarders
There are many ways SIEM tools can ingest log data. For instance, you can manually upload data or
use software to help collect data for log ingestion. Manually uploading data may be inefficient and
time-consuming because networks can contain thousands of systems and devices. Hence, it's easier
to use software that helps collect data.
A common way that organizations collect log data is to use log forwarders. Log forwarders are
software that automate the process of collecting and sending log data. Some operating systems
have native log forwarders. If you are using an operating system that does not have a native log
forwarder, you would need to install a third-party log forwarding software on a device. After installing
it, you'd configure the software to specify which logs to forward and where to send them. For
example, you can configure the logs to be sent to a SIEM tool. The SIEM tool would then process
and normalize the data. This allows the data to be easily searched, explored, correlated, and
analyzed.
Note: Many SIEM tools utilize their own proprietary log forwarders. SIEM tools can also integrate
with open-source log forwarders. Choosing the right log forwarder depends on many factors such as
the specific requirements of your system or organization, compatibility with your existing
infrastructure, and more.
Key takeaways
SIEM tools require data to be effective. As a security analyst, you will utilize SIEM tools to access
events and analyze logs when you're investigating an incident. In your security career, you may even
be tasked with configuring a SIEM to collect log data. It's important that you understand how data is
ingested into SIEM tools because this enables you to understand where log sources come from
which can help you identify the source of a security incident.
Search methods with SIEM tools

So far, you’ve learned about how you can use security information and event management (SIEM)
tools to search for security events such as failed login attempts. Remember, SIEM is an application
that collects and analyzes log data to monitor critical activities in an organization. In this reading,
you’ll examine how SIEM tools like Splunk and Chronicle use different search methods to find, filter,
and transform search results.
Not all organizations use the same SIEM tool to gather and centralize their security data. As a
security analyst, you’ll need to be ready to learn how to use different SIEM tools. It’s important to
understand the different types of searches you can perform using SIEM tools so that you can find
relevant event data to support your security investigations.
Splunk searches
As you’ve learned, Splunk has its own querying language called Search Processing Language (SPL).
SPL is used to search and retrieve events from indexes using Splunk’s Search & Reporting app. An
SPL search can contain many different commands and arguments. For example, you can use
commands to transform your search results into a chart format or filter results for specific
information.
Here is an example of a basic SPL search that is querying an index for a failed event:
index=main fail
 index=main: This is the beginning of the search command that tells Splunk to retrieve events
from an index named main. An index stores event data that's been collected and processed
by Splunk.
 fail: This is the search term. This tells Splunk to return any event that contains the term fail.
Knowing how to effectively use SPL has many benefits. It helps shorten the time it takes to return
search results. It also helps you obtain the exact results you need from various data sources. SPL
supports many different types of searches that are beyond the scope of this reading. If you would
like to learn more about SPL, explore Splunk's Search Reference.
Pipes
Previously, you might have learned about how piping is used in the Linux bash shell. As a refresher,
piping sends the output of one command as the input to another command.
SPL also uses the pipe character | to separate the individual commands in the search. It's also used
to chain commands together so that the output of one command combines into the next command.
This is useful because you can refine data in various ways to get the results you need using a single
command.
Here is an example of two commands that are piped together:
index=main fail| chart count by host
 index=main fail: This is the beginning of the search command that tells Splunk to retrieve
events from an index named main for events containing the search term fail.
 |: The pipe character separates and chains the two commands index=main and chart count by
host. This means that the output of the first command index=main is used as the input of the
second command chart count by host.
 chart count by host: This command tells Splunk to transform the search results by creating a
chart according to the count or number of events. The argument by host tells Splunk to list
the events by host, which are the names of the devices the events come from. This
command can be helpful in identifying hosts with excessive failure counts in an environment.
Wildcard
A wildcard is a special character that can be substituted with any other character. A wildcard is
usually symbolized by an asterisk character *. Wildcards match characters in string values. In
Splunk, the wildcard that you use depends on the command that you are using the wildcard with.
Wildcards are useful because they can help find events that contain data that is similar but not
entirely identical. Here is an example of using a wildcard to expand the search results for a search
term:
index=main fail*
 index=main: This command retrieves events from an index named main.
 fail*: The wildcard after fail represents any character. This tells Splunk to search for all
possible endings that contain the term fail. This expands the search results to return any
event that contains the term fail such as “failed” or “failure”.
Pro tip: Double quotations are used to specify a search for an exact phrase or string. For example, if
you want to only search for events that contain the exact phrase login failure, you can enclose the
phrase in double quotations "login failure". This search will match only events that contain the exact
phrase login failure and not other events that contain the words failure or login separately.
Chronicle searches
In Chronicle, you can search for events using the Search field. You can also use Procedural Filtering
to apply filters to a search to further refine the search results. For example, you can use Procedural
Filtering to include or exclude search results that contain specific information relating to an event
type or log source. There are two types of searches you can perform to find events in Chronicle, a
Unified Data Mode (UDM) Search or a Raw Log Search.
Unified Data Model (UDM) Search

The UDM Search is the default search type used in Chronicle. You can perform a UDM search by
typing your search, clicking on “Search,” and selecting “UDM Search.” Through a UDM Search,
Chronicle searches security data that has been ingested, parsed, and normalized. A UDM Search
retrieves search results faster than a Raw Log Search because it searches through indexed and
structured data that’s normalized in UDM.
A UDM Search retrieves events formatted in UDM and these events contain UDM fields. There are
many different types of UDM fields that can be used to query for specific information from an event.
Discussing all of these UDM fields is beyond the scope of this reading, but you can learn more about
UDM fields by exploring Chronicle's UDM field list. Know that all UDM events contain a set of
common fields including:
 Entities: Entities are also known as nouns. All UDM events must contain at least one entity.
This field provides additional context about a device, user, or process that’s involved in an
event. For example, a UDM event that contains entity information includes the details of the
origin of an event such as the hostname, the username, and IP address of the event.
 Event metadata: This field provides a basic description of an event, including what type of
event it is, timestamps, and more.
 Network metadata: This field provides information about network-related events and protocol
details.
 Security results: This field provides the security-related outcome of events. An example of a
security result can be an antivirus software detecting and quarantining a malicious file by
reporting "virus detected and quarantined."
Here’s an example of a simple UDM search that uses the event metadata field to locate events
relating to user logins:
metadata.event_type = “USER_LOGIN”
 metadata.event_type = “USER_LOGIN”: This UDM field metadata.event_type contains

information about the event type. This includes information like timestamp, network
connection, user authentication, and more. Here, the event type specifies USER_LOGIN,
which searches for events relating to authentication.
Using just the metadata fields, you can quickly start searching for events. As you continue practicing
searching in Chronicle using UDM Search, you will encounter more fields. Try using these fields to
form specific searches to locate different events.
Raw Log Search

If you can't find the information you are searching for through the normalized data, using a Raw Log
Search will search through the raw, unparsed logs. You can perform a Raw Log Search by typing
your search, clicking on “Search,” and selecting “Raw Log Search.” Because it is searching through
raw logs, it takes longer than a structured search. In the Search field, you can perform a Raw Log
Search by specifying information like usernames, filenames, hashes, and more. Chronicle will
retrieve events that are associated with the search.
Pro tip: Raw Log Search supports the use of regular expressions, which can help you narrow down
a search to match on specific patterns.
Key takeaways
SIEM tools like Splunk and Chronicle have their own methods for searching and retrieving event
data. As a security analyst, it's important to understand how to leverage these tools to quickly and
efficiently find the information you need. This will allow you to explore data in ways that support
detecting threats, as well as rapidly responding to security incidents.
Follow-along guide for Splunk sign-up

Note: The following reading is an optional supplement to the following course item, Activity: Perform
a query with Splunk. Both this reading and the following activity are optional and will not affect your
completion of the course. You may choose to skip this reading and/or the activity for any reason, and
continue progressing through the remainder of the course.
This reading includes detailed instructions for getting started with the following course item, Activity:
Perform a query with Splunk. Use this reading for step-by-step instructions on how to create a Splunk
Cloud account, activate a Splunk Cloud free trial, and upload data to a Splunk Cloud instance.
The following guide identifies parts of the video that may require adjustment. This reference guide
can also serve as a usability reminder when using Splunk Cloud in the future.
Instructions
Part 1 - Create a Splunk Cloud account
1. Go to the Splunk Cloud Platform Trial page.
2. Fill in the fields in the Start Your Cloud Platform Trial sign-up form.
3. Click Create Your Account.

Part 2 - Verify your email
1. Check the inbox for the email address that you used to sign up for the Splunk account. Find the
verification email from Splunk with the subject line Confirm your email address.
2. Open the email and click the Verify Your Email button.
Note: Check your spam folder if you didn't receive the verification email.
Part 3 - Activate a Splunk Cloud trial

After clicking the Verify Your Email button, you'll be redirected to the Splunk Cloud Trial page.
Note: You can activate one Splunk Cloud trial instance at a time, and you can use a maximum of
three trials per Splunk account. The Splunk Cloud free trial expires after 14 days, so you may want
to complete this activity before the free trial expires.
Note: Alternatively, you can also access the Splunk Cloud Trial page by visiting Splunk Cloud
Platform Trial and logging into your account, then clicking Start Trial.
1. Click the Start Trial button.

2. Check your inbox for an email from Team Splunk with the subject line Welcome to Splunk Cloud
Platform!
3. Open the email to access your Splunk Cloud login information.
4. Click the link beside URL to access the Splunk Cloud Platform.
5. Enter the username and password credentials that were included in the email.
6. You will be prompted to change the password of the Splunk Cloud Platform account. Enter a new
password and click Save Password.
7. Check the box next to I accept these terms and click Ok.
Part 4 - Download and upload Splunk data

After you've accepted the Terms of Service, you'll automatically be redirected to the Splunk Home
dashboard.
1. Go to Activity: Perform a query with Splunk.

2. Go to Step 1: Access supporting materials.
3. Beside Link to supporting materials click tutorialdata.zip.
4. Click the download icon to download the zip file.
5. Go to the Splunk Home dashboard.
6. On the Splunk bar, click Settings and then click Add Data.
7. Click Upload.
8. Click Select File to upload the tutorialdata.zip file. Alternatively, you can also drag and drop your
file in the Drop your data file here box.
9. Once the file is uploaded, click Next to continue to Input Settings.
10. By the Host section, select Segment in path and enter 1 as the segment number.
11. Click Review and check the details of the upload before you submit. The details should be as
follows:
 Input Type: Uploaded File
 File Name: tutorialdata.zip
 Source Type: Automatic
 Host: Source path segment number: 1
 Index: Default
12. After you've verified that the details are correct, click Submit.
13. Once Splunk has ingested the data, you will receive a confirmation message stating that the file
has been uploaded successfully.
14. Click the Splunk Cloud logo to return to the home page.
You're done! Once your Splunk Cloud account is set up, you can begin the next course item, Activity:
Perform a query with Splunk.
Anomaly-based analysis: A detection method that identifies abnormal behavior
Array: A data type that stores data in a comma-separated ordered list
Common Event Format (CEF): A log format that uses key-value pairs to structure data and
identify fields and their corresponding values
Configuration file: A file used to configure the settings of an application
Endpoint: Any device connected on a network
Endpoint detection and response (EDR): An application that monitors an endpoint for
malicious activity
False positive: An alert that incorrectly detects the presence of a threat
Host-based intrusion detection system (HIDS): An application that monitors the activity of the
host on which it’s installed
Intrusion detection systems (IDS): An application that monitors system activity and alerts on
possible intrusions
Key-value pair: A set of data that represents two linked items: a key, and its corresponding
value
Log analysis: The process of examining logs to identify events of interest
Log management: The process of collecting, storing, analyzing, and disposing of log data
Logging: The recording of events occurring on computer systems and networks

Network-based intrusion detection system (NIDS): An application that collects and monitors
network traffic and network data
Object: A data type that stores data in a comma-separated list of key-value pairs
Search Processing Language (SPL): Splunk’s query language
Security information and event management (SIEM): An application that collects and
analyzes log data to monitor critical activities in an organization
Signature: A pattern that is associated with malicious activity
Signature analysis: A detection method used to find events interest
Suricata: An open-source intrusion detection system, intrusion prevention system, and network
analysis tool
Telemetry: The collection and transmission of data for analysis
Wildcard: A special character that can be substituted with any other character
YARA-L: A computer language used to create rules for searching through ingested log data
Zero-day: An exploit that was previously unknown
Get to know Python

In this reading, you will explore how programming works, how a computer processes the Python
programming language, and how Python is used in cybersecurity.
How programming works

Programming is a process that can be used to create a specific set of instructions for a computer to
execute tasks. Computer programs exist everywhere. Computers, cell phones, and many other
electronic devices are all given instructions by computer programs.
There are multiple programming languages used to create computer programs. Python is one of
these. Programming languages are converted to binary numbers, which are a series of 0s and 1s
that represent the operations that the computer's central processing unit (CPU) should perform.
Each instruction corresponds to a specific operation, such as adding two numbers or loading a value
from memory.
It would be very time-consuming for humans to communicate this way. Programming languages like
Python make it easier to write code because you can use less syntax when instructing computers to
perform complex processes.
Using Python to program

Python is a general purpose programming language that can be used to solve a variety of problems.
For example, it can be used to build websites, perform data analysis, and automate tasks.
Python code must be converted through an interpreter before the computer can process it. An
interpreter is a computer program that translates Python code into runnable instructions line by line.
Python versions
There are multiple versions of Python. In this course, you are using Python 3. While using Python,
it's important to keep track of the version you're using. There are differences in the syntax of each
version. Syntax refers to the rules that determine what is correctly structured in a computing
language.
Python in cybersecurity
In cybersecurity, Python is used especially for automation. Automation is the use of technology to
reduce human and manual effort to perform common and repetitive tasks. These are some specific
areas of cybersecurity in which Python might be used to automate specific tasks:
 Log analysis
 Malware analysis
 Access control list management
 Intrusion detection
 Compliance checks
 Network scanning
Key takeaways
Python is a programming language, or in other words, a language used to create instructions for a
computer to complete tasks. Programming languages are converted to binary numbers that a
machine can understand. It's important to be aware that there are multiple versions of Python, and
they have differences in syntax. Python is especially useful in cybersecurity for automating repetitive
tasks.
Python environments
You can run Python through a variety of environments. These environments include notebooks,
integrated development environments (IDEs), and the command line. This reading will introduce you
to these environments. It will focus primarily on notebooks because this is how you'll interact with
Python in this course.
Notebooks
One way to write Python code is through a notebook. In this course, you'll interact with Python
through notebooks. A notebook is an online interface for writing, storing, and running code. They also
allow you to document information about the code. Notebook content either appears in a code cell or
markdown cell.
Code cells
Code cells are meant for writing and running code. A notebook provides a mechanism for running
these code cells. Often, this is a play button located within the cell. When you run the code, its
output appears after the code.
Markdown cells
Markdown cells are meant for describing the code. They allow you to format text in the markdown
language. Markdown language is used for formatting plain text in text editors and code editors. For
example, you might indicate that text should be in a certain header style.
Common notebook environments

Two common notebook environments are Jupyter Notebook and Google Colaboratory (or Google
Colab). They allow you to run several programming languages, including Python.
Integrated development environments (IDEs)

Another option for writing Python code is through an integrated development environment (IDE), or a
software application for writing code that provides editing assistance and error correction tools.
Integrated development environments include a graphical user interface (GUI) that provides
programmers with a variety of options to customize and build their programs.
Command line
The command line is another environment that allows you to run Python programs. Previously, you
learned that a command-line interface (CLI) is a text-based user interface that uses commands to
interact with the computer. By entering commands into the command line, you can access all files
and directories saved on your hard drive, including files containing Python code you want to run. You
can also use the command line to open a file editor and create a new Python file.
Key takeaways
Security analysts can access Python through a variety of environments, including notebooks,
integrated development environments, and the command line. In this course, you'll use notebooks,
which are online interfaces for interacting with code. Notebooks contain code cells for writing and
running code as well as markdown cells for plain text descriptions.
More about data types

Previously, you explored data types in Python. A data type is a category for a particular type of data
item. You focused on string, list, float, integer, and Boolean data. These are the data types you'll
work with in this course. This reading will expand on these data types. It will also introduce three
additional types.
String
In Python, string data is data consisting of an ordered sequence of characters. Characters in a string
may include letters, numbers, symbols, and spaces. These characters must be placed within
quotation marks. These are all valid strings:
 "updates needed"
 "20%"
 "5.0"
 "35"
 "**/**/**"
 ""
Note: The last item (""), which doesn't contain anything within the quotation marks, is called an
empty string.
You can use the print() function to display a string. You can explore this by running this code:
print("updates needed")
RunReset
The code prints "updates needed".
You can place strings in either double quotation marks ("") or single quotation marks (''). The
following code demonstrates that the same message prints when the string is in single quotation
marks:
print('updates needed')
RunReset
Note: Choosing one type of quotation marks and using it consistently makes it easier to read your
code. This course uses double quotation marks.
List
In Python, list data is a data structure that consists of a collection of data in sequential form. Lists
elements can be of any data type, such as strings, integers, Booleans, or even other lists. The
elements of a list are placed within square brackets, and each element is separated by a comma.
The following lists contains elements of various data types:
 [12, 36, 54, 1, 7]
 ["eraab", "arusso", "drosas"]
 [True, False, True, True]
 [15, "approved", True, 45.5, False]
 []
Note: The last item [], which doesn't contain anything within the brackets, is called an empty list.
You can also use the print() function to display a list:
print([12, 36, 54, 1, 7])

RunReset
This displays a list containing the integers 12, 36, 54, 1, and 7.
Integer
In Python, integer data is data consisting of a number that does not include a decimal point. These
are all examples of integer data:
 -100
 -12
 -1
 0
 1
 20
 500
Integers are not placed in quotation marks. You can use the print() function to display an integer.
When you run this code, it displays 5:
print(5)
RunReset
You can also use the print() function to perform mathematical operations with integers. For example,
this code adds two integers:
print(5 + 2)
RunReset
The result is 7. You can also subtract, multiply, or divide two integers.
Float
Float data is data consisting of a number with a decimal point. All of the following are examples of
float data:
 -2.2
 -1.34
 0.0
 0.34
Just like integer data, float data is not placed in quotation marks. In addition, you can also use the
print() function to display float data or to perform mathematical calculations with float data. You can
run the following code to review the result of this calculation:
print(1.2 + 2.8)
RunReset
The output is 4.0.
Note: Dividing two integer values or two float values results in float output when you use the symbol
/:
print(1/4)
print(1.0/4.0)
RunReset
The output of both calculations is the float value of .25.
If you want to return a whole number from a calculation, you must use the symbol // instead:
print(1//4)
print(1.0//4.0)
RunReset
It will round down to the nearest whole number. In the case of print(1//4), the output is the integer
value of 0 because using this symbol rounds down the calculation from .25 to the nearest whole
number. In the case of print(1.0//4.0), the output is the float value of 0.0 because it maintains the float
data type of the values in the calculation while also rounding down to the nearest whole number.
Boolean
Boolean data is data that can only be one of two values: either True or False.
You should not place Boolean values in quotation marks. When you run the following code, it
displays the Boolean value of True:
1
print(True)
RunReset
You can also return a Boolean value by comparing numbers. Because 9 is not greater than 10, this
code evaluates to False:
print(9 > 10)

RunReset
Additional data types

In this course, you will work with the string, list, integer, float and Boolean data types, but there are
other data types. These additional data types include tuple data, dictionary data, and set data.
Tuple
Tuple data is a data structure that consists of a collection of data that cannot be changed. Like lists,
tuples can contain elements of varying data types.
A difference between tuple data and list data is that it is possible to change the elements in a list, but
it is not possible to change the elements in a tuple. This could be useful in a cybersecurity context.
For example, if software identifiers are stored in a tuple to ensure that they will not be altered, this
can provide assurance that an access control list will only block the intended software.
The syntax of a tuple is also different from the syntax of a list. A tuple is placed in parentheses rather
than brackets. These are all examples of the tuple data type:
 ("wjaffrey", "arutley", "dkot")

 (46, 2, 13, 2, 8, 0, 0)
 (True, False, True, True)
 ("wjaffrey", 13, True)

Pro tip: Tuples are more memory efficient than lists, so they are useful when you are working with a
large quantity of data.
Dictionary
Dictionary data is data that consists of one or more key-value pairs. Each key is mapped to a value.
A colon (:) is placed between the key and value. Commas separate key-value pairs from other key-
value pairs, and the dictionary is placed within curly brackets ({}).
Dictionaries are useful when you want to store and retrieve data in a predictable way. For example,
the following dictionary maps a building name to a number. The building name is the value, and the
number is the key. A colon is placed after the key.
{ 1: "East",
2: "West",
3: "North",
4: "South" }
Set
In Python, set data is data that consists of an unordered collection of unique values. This means no
two values in a set can be the same.
Elements in a set are always placed within curly brackets and are separated by a comma. These
elements can be of any data type. This example of a set contains strings of usernames:
{"jlanksy", "drosas", "nmason"}
Key takeaways
It's important for security analysts who program in Python to be familiar with various Python data
types. The data types that you will work with in this course are string, list, integer, float and Boolean.
Additional data types include tuple, dictionary, and set. Each data type has its own purpose and own
syntax.
Assign and reassign variables in Python

Previously, you've explored variables and how to assign and reassign them in Python. In this
reading, you'll expand your understanding of these topics. You’ll also learn about the general
practice of naming variables so that you can avoid syntax errors and improve code readability.
What are variables?

In a programming language, a variable is a container that stores data. It's a named storage location
in a computer's memory that can hold a value. It stores the data in a particular data type, such as
integer, string, or Boolean. The value that is stored in a variable can change.
You can think of variables as boxes with labels on them. Even when you change the contents of a
box, the label on the box itself remains the same. Similarly, when you change the value stored in a
variable, the name of the variable remains the same.
Security analysts working in Python will use a variety of variables. Some examples include variables
for login attempts, allow lists, and addresses.
Working with variables
In Python, it's important to know both how to assign variables and how to reassign them.
Assigning and reassigning variables

If you want to create a variable called username and assign it a value of "nzhao", place the variable to
the left of the equals sign and its value to the right:
# Assign 'username'
username = "nzhao"
If you later reset this username to "zhao2", you still refer to that variable container as username.
# Reassign 'username'
username = "zhao2"
Although the contents have changed from "nzhao" to "zhao2", the variable username remains the
same.
Note: You must place "nzhao" and "zhao2" in quotation marks because they're strings. Python
automatically assigns a variable its data type when it runs. For example, when the username variable
contains the string "nzhao", it’s assigned a string data type.
Assigning variables to variables

Using a similar process, you can also assign variables to other variables. In the following example,
the variable username is assigned to a new variable old_username:
# Assign a variable to another variable
username = "nzhao"
old_username = username
Because username contains the string value of "nzhao" and old_username contains the value of
username, old_username now contains a value of "nzhao".
Putting it together
The following code demonstrates how a username can be updated. The username variable is
assigned an initial value, which is then stored in a second variable called old_username. After this, the
username variable is reassigned a new value. You can run this code to get a message about the
previous username and the current username:
3
4
username = "nzhao"
old_username = username
username = "zhao2"
print("Previous username:", old_username)
print("Current username:", username)

RunReset
Best practices for naming variables

You can name a variable almost anything you want, but there are a few guidelines you should follow
to ensure correct syntax and prevent errors:
 Use only letters, numbers, and underscores in variable names. Valid examples: date_3,
username, interval2
 Start a variable name with a letter or underscore. Do not start it with a number. Valid
examples: time, _login
 Remember that variable names in Python are case-sensitive. These are all different
variables: time, Time, TIME, timE.
 Don't use Python’s built-in keywords or functions for variable names. For example, variables
shouldn't be named True, False, or if.
Additionally, you should follow these stylistic guidelines to make your code easier for you and other
security analysts to read and understand:
 Separate two or more words with underscores. Valid examples: login_attempts, invalid_user,
status_update
 Avoid variables with similar names. These variables could be easily confused with one
another: start_time, starting_time, time_starting.
 Avoid unnecessarily long names for variables. For instance, don't give variables names like
variable_that_equals_3.
 Names should describe the data and not be random words. Valid examples:
num_login_attempts, device_id, invalid_usernames
Note: Using underscores to separate multiple words in variables is recommended, but another
convention that you might encounter is capitalizing the first letter of each word except the first word.
Example: loginAttempt
Key takeaways
It's important for security analysts to have a fundamental understanding of variables. Variables are
containers of data. They are assigned values and can also be reassigned other values or variables.
It's helpful to remember the best practices for naming variables in order to create more functional,
readable code.
More on conditionals in Python

Previously, you explored conditional statements and how they’re useful in automating tasks in
Python. So far, you’ve focused on the if and else keywords. In this reading, you’ll review these and
learn another keyword, elif. You’ll also learn how you can apply the and, or, and not operators to your
conditions.
How conditional statements work

A conditional statement is a statement that evaluates code to determine whether it meets a specific
set of conditions. When a condition is met, it evaluates to a Boolean value of True and performs
specified actions. When the condition isn’t met, it evaluates a Boolean value of False and doesn’t
perform the specified actions.
In conditional statements, the condition is often based on a comparison of two values. This table
summarizes common comparison operators used to compare numerical values.
operator use
> greater than
< less than
>= greater than or equal to
<= less than or equal to
== equal to
!= not equal to
Note: The equal to (==) and not equal to (!=) operators are also commonly used to compare string
data.
if statements
The keyword if starts a conditional statement. It’s a necessary component of any conditional
statement. In the following example, if begins a statement that tells Python to print an "OK"
message when the HTTP response status code equals 200:
if status == 200:
print("OK")
This code consists of a header and a body.
The header of an if statement

The first line of this code is the header. In the header of an if statement, the keyword if is followed by
the condition. Here, the condition is that the status variable is equal to a value of 200. The condition
can be placed in parentheses:
if (status == 200):
print("OK")
In cases like this one, placing parentheses around conditions in Python is optional. You might want
to include them if it helps you with code readability. However, this condition will be processed the
same way if written without parentheses.
In other situations, because Python evaluates the conditions in parentheses first, parentheses can
affect how Python processes conditions. You will read more about one of these in the section of this
reading on not.
Note: You must always place a colon (:) at the end of the header. Without this syntax, the code will
produce an error.
The body of an if statement
After the header of an if statement comes the body of the if statement. This tells Python what action
or actions to perform when the condition evaluates to True. In this example, there is just one action,
printing "OK" to the screen. In other cases, there might be more lines of code with additional
actions.
Note: For the body of the if statement to execute as intended, it must be indented further than the
header. Additionally, if there are multiple lines of code within the body, they must all be indented
consistently.
Continuing conditionals with else and elif

In the previous example, if the HTTP status response code was not equal to 200, the condition would
evaluate to False and Python would continue with the rest of the program. However, it’s also possible
to specify alternative actions with else and elif.
else statements
The keyword else precedes a code section that only evaluates when all conditions that precede it
within the conditional statement evaluate to False.
In the following example, when the HTTP response status code is not equal to 200, it prints an
alternative message of "check other status":
if status == 200:
print("OK")
else:
print("check other status")
Note: Like with if, a colon (:) is required after else, and the body that follows the else header is
indented.
elif statements
In some cases, you might have multiple alternative actions that depend on new conditions. In that
case, you can use elif. The elif keyword precedes a condition that is only evaluated when previous
conditions evaluate to False. Unlike with else, there can be multiple elif statements following if.
For example, you might want to print one message if the HTTP response status code is 200, one
message if it is 400, and one if it is 500. The following code demonstrates how you can use elif for
this:
if status == 200:
print("OK")
elif status == 400:
print("Bad Request")
elif status == 500:
print("Internal Server Error")
Python will first check if the value of status is 200, and if this evaluates to False, it will go onto the first
elif statement. There, it will check whether the value of status is 400. If that evaluates to True, it will
print "Bad Request", but if it evaluates to False, it will go on to the next elif statement.
If you want the code to print another message when all conditions evaluate to False, then you can
incorporate else after the last elif. In this example, if it reaches the else statement, it prints a message
to check the status:
if status == 200:
print("OK")
elif status == 400:
print("Bad Request")
elif status == 500:
print("Internal Server Error")

else:
print("check other status")
Just like with if and else, it’s important to place a colon (:) after the elif header and indent the code
that follows this header.
Note: Python processes multiple elif statements differently than multiple if statements. When it
reaches an elif statement that evaluates to True, it won’t check the following elif statements. On the
other hand, Python will run all if statements.
Logical operators for multiple conditions

In some cases, you might want Python to perform an action based on a more complex condition.
You might require two conditions to evaluate to True. Or, you might require only one of two
conditions to evaluate to True. Or, you might want Python to perform an action when a condition
evaluates to False. The operators and, or, and not can be used in these cases.
and
The and operator requires both conditions on either side of the operator to evaluate to True. For
example, all HTTP status response codes between 200 and 226 relate to successful responses. You
can use and to join a condition of being greater than or equal to 200 with another condition of being
less than or equal to 226:
if status >= 200 and status <= 226:
print("successful response")
When both conditions are True, then the "successful response" message will print.
or
The or operator requires only one of the conditions on either side of the operator to evaluate to True.
For example, both a status code of 100 and a status code of 102 are informational responses. Using
or, you could ask Python to print an "informational response" message when the code is either 100 or
102:
if status == 100 or status == 102:
print("informational response")
Only one of these conditions needs to be met for Python to print the message.
not
The not operator negates a given condition so that it evaluates to False if the condition is True and to
True if it is False. For example, if you want to indicate that Python should check the status code when
it’s something outside of the successful range, you can use not:
if not(status >= 200 and status <= 226):

print("check status")
Python first checks whether the value of status is greater than or equal to 200 and less than or equal
to 226, and then because of the operator not, it inverts this. This means it will print the message if
status is less than 200 or greater than 226.
Note: In this case, the parentheses are necessary for the code to apply not to both conditions.
Python will evaluate the conditions within the parentheses first. This means it will first evaluate the
conditions on either side of the and operator and then apply not to both of them.
Key takeaways
It’s important for security analysts to be familiar with conditional statements. Conditional statements
require the if keyword. You can also use else and elif when working with conditionals to specify
additional actions to take. The logical operators and, or, and not are also useful when writing
conditionals.
More on loops in Python

Previously, you explored iterative statements. An iterative statement is code that repeatedly
executes a set of instructions. Depending on the criteria, iterative statements execute zero or
more times. We iterated through code using both for loops and while loops. In this reading,
you’ll recap the syntax of loops. Then, you'll learn how to use the break and continue keywords
to control the execution of loops.
for loops
If you need to iterate through a specified sequence, you should use a for loop.
The following for loop iterates through a sequence of usernames. You can run it to observe the
output:
for i in ["elarson", "bmoreno", "tshah", "sgilmore"]:
print(i)
RunReset
The first line of this code is the loop header. In the loop header, the keyword for signals the
beginning of a for loop. Directly after for, the loop variable appears. The loop variable is a
variable that is used to control the iterations of a loop. In for loops, the loop variable is part of
the header. In this example, the loop variable is i.
The rest of the loop header indicates the sequence to iterate through. The in operator appears
before the sequence to tell Python to run the loop for every item in the sequence. In this example,
the sequence is the list of usernames. The loop header must end with a colon (:).
The second line of this example for loop is the loop body. The body of the for loop might consist
of multiple lines of code. In the body, you indicate what the loop should do with each iteration.
In this case, it's to print(i), or in other words, to display the current value of the loop variable
during that iteration of the loop. For Python to execute the code properly, the loop body must be
indented further than the loop header.
Note: When used in a for loop, the in operator precedes the sequence that the for loop will
iterate through. When used in a conditional statement, the in operator is used to evaluate whether
an object is part of a sequence. The example if "elarson" in ["tshah", "bmoreno", "elarson"]
evaluates to True because "elarson" is part of the sequence following in.
Looping through a list

Using for loops in Python allows you to easily iterate through lists, such as a list of computer
assets. In the following for loop, asset is the loop variable and another variable,
computer_assets, is the sequence. The computer_assets variable stores a list. This means that on
the first iteration the value of asset will be the first element in that list, and on the second
iteration, the value of asset will be the second element in that list. You can run the code to
observe what it outputs:
computer_assets = ["laptop1", "desktop20", "smartphone03"]
for asset in computer_assets:
print(asset)
RunReset
Note: It is also possible to loop through a string. This will return every character one by one.
You can observe this by running the following code block that iterates through the string
"security":
2
3
string = "security"
for character in string:
print(character)
RunReset
Using range()
Another way to iterate through a for loop is based on a sequence of numbers, and this can be
done with range(). The range() function generates a sequence of numbers. It accepts inputs for
the start point, stop point, and increment in parentheses. For example, the following code
indicates to start the sequence of numbers at 0, stop at 5, and increment each time by 1:
range(0, 5, 1)
Note: The start point is inclusive, meaning that 0 will be included in the sequence of numbers,
but the stop point is exclusive, meaning that 5 will be excluded from the sequence. It will
conclude one integer before the stopping point.
When you run this code, you can observe how 5 is excluded from the sequence:
for i in range(0, 5, 1):
print(i)
RunReset
You should be aware that it's always necessary to include the stop point, but if the start point is
the default value of 0 and the increment is the default value of 1, they don't have to be specified
in the code. If you run this code, you will get the same results:
for i in range(5):
print(i)
RunReset
Note: If the start point is anything other than 0 or the increment is anything other than 1, they
should be specified.
while loops
If you want a loop to iterate based on a condition, you should use a while loop. As long as the
condition is True, the loop continues, but when it evaluates to False, the while loop exits. The
following while loop continues as long as the condition that i < 5 is True:
i = 1
while i < 5:
print(i)
i = i + 1
RunReset
In this while loop, the loop header is the line while i < 5:. Unlike with for loops, the value of a
loop variable used to control the iterations is not assigned within the loop header in a while loop.
Instead, it is assigned outside of the loop. In this example, i is assigned a starting value of 1 in a
line preceding the loop.
The keyword while signals the beginning of a while loop. After this, the loop header indicates the
condition that determines when the loop terminates. This condition uses the same comparison
operators as conditional statements. Like in a for loop, the header of a while loop must end with
a colon (:).
The body of a while loop indicates the actions to take with each iteration. In this example, it is to
display the value of i and to increment the value of i by 1. In order for the value of i to change
with each iteration, it's necessary to indicate this in the body of the while loop. In this example,
the loop iterates four times until it reaches a value of 5.
Integers in the loop condition

Often, as just demonstrated, the loop condition is based on integer values. For example, you
might want to allow a user to log in as long as they've logged in less than five times. Then, your
loop variable, login_attempts, can be initialized to 0, incremented by 1 in the loop, and the loop
condition can specify to iterate only when the variable is less than 5. You can run the code below
and review the count of each login attempt:
2
3
login_attempts = 0
while login_attempts < 5:
print("Login attempts:", login_attempts)
login_attempts = login_attempts + 1
RunReset
The value of login_attempts went from 0 to 4 before the loop condition evaluated to False.
Therefore, the values of 0 through 4 print, and the value 5 does not print.
Boolean values in the loop condition

Conditions in while loops can also depend on other data types, including comparisons of Boolean
data. In Boolean data comparisons, your loop condition can check whether a loop variable equals
a value like True or False. The loop iterates an indeterminate number of times until the Boolean
condition is no longer True.
In the example below, a Boolean value is used to exit a loop when a user has made five login
attempts. A variable called count keeps track of each login attempt and changes the login_status
variable to False when the count equals 4. (Incrementing count from 0 to 4 represents five login
attempts.) Because the while condition only iterates when login_status is True, it will exit the
loop. You can run this to explore this output:
count = 0
login_status = True
while login_status == True:
print("Try again.")
count = count + 1
if count == 4:
login_status = False
RunReset
The code prints a message to try again four times, but exits the loop once login_status is set to
False.
Managing loops
You can use the break and continue keywords to further control your loop iterations. Both are
incorporated into a conditional statement within the body of the loop. They can be inserted to
execute when the condition in an if statement is True. The break keyword is used to break out of
a loop. The continue keyword is used to skip an iteration and continue with the next one.
break
When you want to exit a for or while loop based on a particular condition in an if statement
being True, you can write a conditional statement in the body of the loop and write the keyword
break in the body of the conditional.
The following example demonstrates this. The conditional statement with break instructs Python
to exit the for loop if the value of the loop variable asset is equal to "desktop20". On the second
iteration, this condition evaluates to True. You can run this code to observe this in the output:
if asset == "desktop20":
break
print(asset)
RunReset
As expected, the values of "desktop20" and "smartphone03" don't print because the loop breaks
on the second iteration.
continue
When you want to skip an iteration based on a certain condition in an if statement being True,
you can add the keyword continue in the body of a conditional statement within the loop. In this
example, continue will execute when the loop variable of asset is equal to "desktop20". You can
run this code to observe how this output differs from the previous example with break:
if asset == "desktop20":
continue
print(asset)
RunReset
The value "desktop20" in the second iteration doesn't print. However, in this case, the loop
continues to the next iteration, and "smartphone03" is printed.
Infinite loops
If you create a loop that doesn't exit, this is called an infinite loop. In these cases, you should
press CTRL-C or CTRL-Z on your keyboard to stop the infinite loop. You might need to do this
when running a service that constantly processes data, such as a web server.
Key takeaways
Security analysts need to be familiar with iterative statements. They can use for loops to perform
tasks that involve iterating through lists a predetermined number of times. They can also use
while loops to perform tasks based on certain conditions evaluating to True. The break and
continue keywords are used in iterative statements to control the flow of loops based on
additional conditions.
Automation: The use of technology to reduce human and manual effort to perform common and
repetitive tasks
Boolean data: Data that can only be one of two values: either True or False
Command-line interface: A text-based user interface that uses commands to interact with the
computer
Comment: A note programmers make about the intention behind their code
Conditional statement: A statement that evaluates code to determine if it meets a specified set
of conditions
Data type: A category for a particular type of data item
Dictionary data: Data that consists of one or more key-value pairs
Float data: Data consisting of a number with a decimal point
Integer data: Data consisting of a number that does not include a decimal point
Integrated development environment (IDE): A software application for writing code that
provides editing assistance and error correction tools
Interpreter: A computer program that translates Python code into runnable instructions line by
line
Iterative statement: Code that repeatedly executes a set of instructions
List data: Data structure that consists of a collection of data in sequential form
Loop variable: A variable that is used to control the iterations of a loop
Notebook: An online interface for writing, storing, and running code
Programming: A process that can be used to create a specific set of instructions for a computer
to execute tasks
Set data: Data that consists of an unordered collection of unique values
Syntax: The rules that determine what is correctly structured in a computing language
Tuple data: Data structure that consists of a collection of data that cannot be changed
Type error: An error that results from using the wrong data type
Variable: A container that stores data
Python functions in cybersecurity

Previously, you explored how to define and call your own functions. In this reading, you’ll revisit what
you learned about functions and examine how functions can improve efficiency in a cybersecurity
setting.
Functions in cybersecurity
A function is a section of code that can be reused in a program. Functions are important in Python
because they allow you to automate repetitive parts of your code. In cybersecurity, you will likely
adopt some processes that you will often repeat.
When working with security logs, you will often encounter tasks that need to be repeated. For
example, if you were responsible for finding malicious login activity based on failed login attempts,
you might have to repeat the process for multiple logs.
To work around that, you could define a function that takes a log as its input and returns all
potentially malicious logins. It would be easy to apply this function to different logs.
Defining a function
In Python, you'll work with built-in functions and user-defined functions. Built-in functions are
functions that exist within Python and can be called directly. The print() function is an example of a
built-in function.
User-defined functions are functions that programmers design for their specific needs. To define a
function, you need to include a function header and the body of your function.
Function header
The function header is what tells Python that you are starting to define a function. For example, if
you want to define a function that displays an "investigate activity" message, you can include this
function header:
def display_investigation_message():
The def keyword is placed before a function name to define a function. In this case, the name of that
function is display_investigation_message.
The parentheses that follow the name of the function and the colon ( :) at the end of the function
header are also essential parts of the syntax.
Pro tip: When naming a function, give it a name that indicates what it does. This will make it easier
to remember when calling it later.
Function body
The body of the function is an indented block of code after the function header that defines what the
function does. The indentation is very important when writing a function because it separates the
definition of a function from the rest of the code.
To add a body to your definition of the display_investigation_message() function, add an indented line
with the print() function. Your function definition becomes the following:
print("investigate activity")
Calling a function
After defining a function, you can use it as many times as needed in your code. Using a function
after defining it is referred to as calling a function. To call a function, write its name followed by
parentheses. So, for the function you previously defined, you can use the following code to call it:
display_investigation_message()
Although you'll use functions in more complex ways as you expand your understanding, the following
code provides an introduction to how the display_investigation_message() function might be part of a
larger section of code. You can run it and analyze its output:
9
10
print("investigate activity")
application_status = "potential concern"
email_status = "okay"
if application_status == "potential concern":
print("application_log:")
if email_status == "potential concern":
print("email log:")
RunReset
The display_investigation_message() function is used twice within the code. It will print "investigate
activity" messages about two different logs when the specified conditions evaluate to True. In this
example, only the first conditional statement evaluates to True, so the message prints once.
This code calls the function from within conditionals, but you might call a function from a variety of
locations within the code.
Note: Calling a function inside of the body of its function definition can create an infinite loop. This
happens when it is not combined with logic that stops the function call when certain conditions are
met. For example, in the following function definition, after you first call func1(), it will continue to call
itself and create an infinite loop:
def func1():
func1()
Key takeaways
Python’s functions are important when writing code. To define your own functions, you need the two
essential components of the function header and the function body. After defining a function, you
can call it when needed.
Functions and variables
Previously, you focused on working with multiple parameters and arguments in functions and
returning information from functions. In this reading, you’ll review these concepts. You'll also be
introduced to a new concept: global and local variables.
Working with variables in functions

Working with variables in functions requires an understanding of both parameters and arguments.
The terms parameters and arguments have distinct uses when referring to variables in a function.
Additionally, if you want the function to return output, you should be familiar with return statements.
Parameters
A parameter is an object that is included in a function definition for use in that function. When you
define a function, you create variables in the function header. They can then be used in the body of
the function. In this context, these variables are called parameters. For example, consider the
following function:
def remaining_login_attempts(maximum_attempts, total_attempts):
print(maximum_attempts - total_attempts)
This function takes in two variables, maximum_attempts and total_attempts and uses them to perform
a calculation. In this example, maximum_attempts and total_attempts are parameters.
Arguments
In Python, an argument is the data brought into a function when it is called. When calling
remaining_login_attempts in the following example, the integers 3 and 2 are considered arguments:
remaining_login_attempts(3, 2)
These integers pass into the function through the parameters that were identified when defining the
function. In this case, those parameters would be maximum_attempts and total_attempts. 3 is in the
first position, so it passes into maximum_attempts. Similarly, 2 is in the second position and passes
into total_attempts.
Return statements
When defining functions in Python, you use return statements if you want the function to return
output. The return keyword is used to return information from a function.
The return keyword appears in front of the information that you want to return. In the following
example, it is before the calculation of how many login attempts remain:

return maximum_attempts - total_attempts
Note: The return keyword is not a function, so you should not place parentheses after it.
Return statements are useful when you want to store what a function returns inside of a variable to
use elsewhere in the code. For example, you might use this variable for calculations or within
conditional statements. In the following example, the information returned from the call to
remaining_login_attempts is stored in a variable called remaining_attempts. Then, this variable is used
in a conditional that prints a "Your account is locked" message when remaining_attempts is less than
or equal to 0. You can run this code to explore its output:
remaining_attempts = remaining_login_attempts(3, 3)
if remaining_attempts <= 0:
print("Your account is locked")

RunReset
In this example, the message prints because the calculation in the function results in 0.
Note: When Python encounters a return statement, it executes this statement and then exits the
function. If there are lines of code that follow the return statement within the function, they will not be
run. The previous example didn't contain any lines of code after the return statement, but this might
apply in other functions, such as one containing a conditional statement.
Global and local variables

To better understand how functions interact with variables, you should know the difference between
global and local variables.
When defining and calling functions, you're working with local variables, which are different from the
variables you define outside the scope of a function.
Global variables
A global variable is a variable that is available through the entire program. Global variables are
assigned outside of a function definition. Whenever that variable is called, whether inside or outside
a function, it will return the value it is assigned.
For example, you might assign the following variable at the beginning of your code:
device_id = "7ad2130bd"
Throughout the rest of your code, you will be able to access and modify the device_id variable in
conditionals, loops, functions, and other syntax.
Local variables
A local variable is a variable assigned within a function. These variables cannot be called or
accessed outside of the body of a function. Local variables include parameters as well as other
variables assigned within a function definition.
In the following function definition, total_string and name are local variables:
def greet_employee(name):
total_string = "Welcome" + name
return total_string
The variable total_string is a local variable because it's assigned inside of the function. The
parameter name is a local variable because it is also created when the function is defined.
Whenever you call a function, Python creates these variables temporarily while the function is
running and deletes them from memory after the function stops running.
This means that if you call the greet_employee() function with an argument and then use the
total_string variable outside of this function, you'll get an error.
Best practices for global and local variables

When working with variables and functions, it is very important to make sure that you only use a
certain variable name once, even if one is defined globally and the other is defined locally.
When using global variables inside functions, functions can access the values of a global variable.
You can run the following example to explore this:
username = "elarson"
def identify_user():
print(username)
identify_user()
RunReset
The code block returns "elarson" even though that name isn't defined locally. The function accesses
the global variable. If you wanted the identify_user() function to accommodate other usernames, you
would have to reassign the global username variable outside of the function. This isn't good practice.
A better way to pass different values into a function is to use a parameter instead of a global
variable.
There's something else to consider too. If you reuse the name of a global variable within a function, it
will create a new local variable with that name. In other words, there will be both a global variable
with that name and a local variable with that name, and they'll have different values. You can
consider the following code block:
print("1:" + username)
def greet():
username = "bmoreno"
greet()
RunReset
The first print statement occurs before the function, and Python returns the value of the global
username variable, "elarson". The second print statement is within the function, and it returns the
value of the local username variable, which is "bmoreno". But this doesn't change the value of the
global variable, and when username is printed a third time after the function call, it's still "elarson".
Due to this complexity, it's best to avoid combining global and local variables within functions.
Key takeaways
Working with variables in functions requires understanding various concepts. A parameter is an
object that is included in a function definition for use in that function, an argument is the data brought
into a function when it is called, and the return keyword is used to return information from a function.
Additionally, global variables are variables accessible throughout the program, and local variables
are parameters and variables assigned within a function that aren't usable outside of a function. It's
important to make sure your variables all have distinct names, even if one is a local variable and the
other is a global variable.
Work with built-in functions

Previously, you explored built-in functions in Python, including print(), type(), max(), and sorted().
Built-in functions are functions that exist within Python and can be called directly. In this reading,
you’ll explore these further and also learn about the min() function. In addition, you'll review how to
pass the output of one function into another function.
print()
The print() function outputs a specified object to the screen. The print() function is one of the most
commonly used functions in Python because it allows you to output any detail from your code.
To use the print() function, you pass the object you want to print as an argument to the function. The
print() function takes in any number of arguments, separated by a comma, and prints all of them. For
example, you can run the following code that prints a string, a variable, another string, and an
integer together:
month = "September"
print("Investigate failed login attempts during", month, "if more than", 100)
RunReset
type()
The type() function returns the data type of its argument. The type() function helps you keep track of
the data types of variables to avoid errors throughout your code.
To use it, you pass the object as an argument, and it returns its data type. It only accepts one
argument. For example, you could specify type("security") or type(7).
Passing one function into another

When working with functions, you often need to pass them through print() if you want to output the
data type to the screen. This is the case when using a function like type(). Consider the following
code:
1
print(type("This is a string"))
RunReset
It displays str, which means that the argument passed to the type() function is a string. This happens
because the type() function is processed first and its output is passed as an argument to the print()
function.
max() and min()

The max() function returns the largest numeric input passed into it. The min() function returns the
smallest numeric input passed into it.
The max() and min() functions accept arguments of either multiple numeric values or of an iterable
like a list, and they return the largest or smallest value respectively.
In a cybersecurity context, you could use these functions to identify the longest or shortest session
that a user logged in for. If a specific user logged in seven times during a week, and you stored their
access times in minutes in a list, you can use the max() and min() functions to find and print their
longest and shortest sessions:
time_list = [12, 2, 32, 19, 57, 22, 14]
print(min(time_list))
print(max(time_list))
RunReset
sorted()
The sorted() function sorts the components of a list. The sorted() function also works on any iterable,
like a string, and returns the sorted elements in a list. By default, it sorts them in ascending order.
When given an iterable that contains numbers, it sorts them from smallest to largest; this includes
iterables that contain numeric data as well as iterables that contain string data beginning with
numbers. An iterable that contains strings that begin with alphabetic characters will be sorted
alphabetically.
The sorted() function takes an iterable, like a list or a string, as an input. So, for example, you can
use the following code to sort the list of login sessions from shortest to longest:
time_list = [12, 2, 32, 19, 57, 22, 14]

print(sorted(time_list))
RunReset
This displays the sorted list.
The sorted() function does not change the iterable that it sorts. The following code illustrates this:
time_list = [12, 2, 32, 19, 57, 22, 14]
print(sorted(time_list))
print(time_list)
RunReset
The first print() function displays the sorted list. However, the second print() function, which does not
include the sorted() function, displays the list as assigned to time_list in the first line of code.
One more important detail about the sorted() function is that it cannot take lists or strings that have
elements of more than one data type. For example, you can’t use the list [1, 2, "hello"].
Key takeaways
Built-in functions are powerful tools in Python that allow you to perform tasks with one simple
command. The print() function prints its arguments to the screen, the type() function returns the data
type of its argument, the min() and max() functions return the smallest and largest values of an
iterable respectively, and sorted() organizes its argument.
Import modules and libraries in Python

Previously, you explored libraries and modules. You learned that a module is a Python file that
contains additional functions, variables, classes, and any kind of runnable code. You also learned
that a library is a collection of modules that provide code users can access in their programs.
You were introduced to a few modules in the Python Standard Library and a couple of external
libraries. In this reading, you'll learn how to import a module that exists in the Python Standard
Library and use its functions. You'll also expand your understanding of external libraries.
The Python Standard Library

The Python Standard Library is an extensive collection of Python code that often comes
packaged with Python. It includes a variety of modules, each with pre-built code centered around
a particular type of task.
For example, you were previously introduced to the following modules in the Python Standard
Library:
 The re module, which provides functions used for searching for patterns in log files
 The csv module, which provides functions used when working with .csv files
 The glob and os modules, which provide functions used when interacting with the
command line
 The time and datetime modules, which provide functions used when working with
timestamps
Another Python Standard Library module is statistics. The statistics module includes functions
used when calculating statistics related to numeric data. For example, mean() is a function in the
statistics module that takes numeric data as input and calculates its mean (or average).
Additionally, median() is a function in the statistics module that takes numeric data as input and
calculates its median (or middle value).
How to import modules from the Python Standard Library

To access modules from the Python Standard Library, you need to import them. You can choose
to either import a full module or to only import specific functions from a module.
Importing an entire module

To import an entire Python Standard Library module, you use the import keyword. The import
keyword searches for a module or library in a system and adds it to the local Python
environment. After import, specify the name of the module to import. For example, you can
specify import statistics to import the statistics module. This will import all the functions inside
of the statistics module for use later in your code.
As an example, you might want to use the mean() function from the statistics module to
calculate the average number of failed login attempts per month for a particular user. In the
following code block, the total number of failed login attempts for each of the twelve months is
stored in a list called monthly_failed_attempts. Run this code and analyze how mean() can be
used to calculate the average of these monthly failed login totals and store it in
mean_failed_attempts:
1
import statistics
monthly_failed_attempts = [20, 17, 178, 33, 15, 21, 19, 29, 32, 15, 25, 19]
mean_failed_attempts = statistics.mean(monthly_failed_attempts)
print("mean:", mean_failed_attempts)
RunReset
The output returns a mean of 35.25. You might notice the outlying value of 178 and want to find
the middle value as well. To do this through the median() function, you can use the following
code:
import statistics
median_failed_attempts = statistics.median(monthly_failed_attempts)
print("median:", median_failed_attempts)
RunReset
This gives you the value of 20.5, which might also be useful for analyzing the user's failed login
attempt statistics.
Note: When importing an entire Python Standard Library module, you need to identify the name
of the module with the function when you call it. You can do this by placing the module name
followed by a period (.) before the function name. For example, the previous code blocks use
statistics.mean() and statistics.median() to call those functions.
Importing specific functions from a module

To import a specific function from the Python Standard Library, you can use the from keyword.
For example, if you want to import just the median() function from the statistics module, you
can write from statistics import median.
To import multiple functions from a module, you can separate the functions you want to import
with a comma. For instance, from statistics import mean, median imports both the mean() and
the median() functions from the statistics module.
An important detail to note is that if you import specific functions from a module, you no longer
have to specify the name of the module before those functions. You can examine this in the
following code, which specifically imports only the median() and the mean() functions from the
statistics module and performs the same calculations as the previous examples:
from statistics import mean, median
mean_failed_attempts = mean(monthly_failed_attempts)
print("mean:", mean_failed_attempts)
median_failed_attempts = median(monthly_failed_attempts)
print("median:", median_failed_attempts)
RunReset
It is no longer necessary to specify statistics.mean() or statistics.median() and instead the code

incorporates these functions as mean() and median().
External libraries
In addition to the Python Standard Library, you can also download external libraries and
incorporate them into your Python code. For example, previously you were introduced to
Beautiful Soup (bs4) for parsing HTML files and NumPy (numpy) for arrays and mathematical
computations. Before using them in a Jupyter Notebook or a Google Colab environment, you
need to install them first.
To install a library, such as numpy, in either environment, you can run the following line prior to
importing the library:
%pip install numpy
This installs the library so you can use it in your notebook.

After a library is installed, you can import it directly into Python using the import keyword in a
similar way to how you used it to import modules from the Python Standard Library. For
example, after the numpy install, you can use this code to import it:
import numpy
Key takeaways
The Python Standard Library contains many modules that you can import, including re, csv, os,
glob, time, datetime, and statistics. To import these modules, you must use the import keyword.
Syntax varies depending on whether or not you want to import the entire module or just specific
functions from it. External libraries can also be imported into Python, but they need to be
installed first.
Ensure proper syntax and readability in Python

Previously, you were introduced to the PEP 8 style guide and its stylistic guidelines for programmers
working in Python. You also learned about how adding comments and using correct indentation
makes your code more readable. Additionally, correct indentation ensures your code is executed
properly. This reading explores these ideas further and also focuses on common items to check in
the syntax of your code to ensure it runs.
Comments
A comment is a note programmers make about the intentions behind their code. Comments make it
easier for you and other programmers to read and understand your code.
It’s important to start your code with a comment that explains what the program does. Then,
throughout the code, you should add additional comments about your intentions behind specific
sections.
When adding comments, you can add both single-line comments and multi-line comments.
Single-line comments
Single-line comments in Python begin with the (#) symbol. According to the PEP 8 style guide, it’s
best practice to keep all lines in Python under 79 characters to maintain readability, and this includes
comments.
Single-line comments are often used throughout your program to explain the intention behind
specific sections of code. For example, this might be when you're explaining simpler components of
your program, such as the following for loop:
# Print elements of 'computer_assets' list
print(asset)
Note: Comments are important when writing more complex code, like functions, or multiple loops or
conditional statements. However, they're optional when writing less complex code like reassigning a
variable.
Multi-line comments
Multi-line comments are used when you need more than 79 characters in a single comment. For
example, this might occur when defining a function if the comment describes its inputs and their data
types as well as its output.
There are two commonly used ways of writing multi-line comments in Python. The first is by using
the hashtag (#) symbol over multiple lines:
# remaining_login_attempts() function takes two integer parameters,
# the maximum login attempts allowed and the total attempts made,
# and it returns an integer representing remaining login attempts
Another way of writing multi-line comments is by using documentation strings and not assigning
them to a variable. Documentation strings, also called docstrings, are strings that are written over
multiple lines and are used to document code. To create a documentation string, use triple quotation
marks (""" """).
You could add the comment to the function in the previous example in this way too:
"""
remaining_login_attempts() function takes two integer parameters,

the maximum login attempts allowed and the total attempts made,
and it returns an integer representing remaining login attempts
"""
Correct indentation
Indentation is space added at the beginning of a line of code. In Python, you should indent the body
of conditional statements, iterative statements, and function definitions. Indentation is not only
necessary for Python to interpret this syntax properly, but it can also make it easier for you and other
programmers to read your code.
The PEP 8 style guide recommends that indentations should be four spaces long. For example, if
you had a conditional statement inside of a while loop, the body of the loop would be indented four
spaces and the body of the conditional would be indented four spaces beyond that. This means the
conditional would be indented eight spaces in total.
count = 0
login_status = True
while login_status == True:
print("Try again.")
count = count + 1
if count == 4:
login_status = False
Maintaining correct syntax

Syntax errors involve invalid usage of the Python language. They are incredibly common with
Python, so focusing on correct syntax is essential in ensuring that your code runs. Awareness of
common errors will help you more easily fix them.
Syntax errors often occur because of mistakes with data types or in the headers of conditional or
iterative statements or of function definitions.
Data types
Correct syntax varies depending on data type:
 Place string data in quotation marks.
o Example: username = "bmoreno"
 Do not add quotation marks around integer, float, or Boolean data types.
o Examples: login_attempts = 5, percentage_successful = .8, login_status = True
 Place lists in brackets and separate the elements of a list with commas.
o Example: username_list = ["bmoreno", "tshah"]
Colons in headers
The header of a conditional or iterative statement or of a function definition must end with a colon.
For example, a colon appears at the end of the header in the following function definition:
Key takeaways
The PEP 8 style guide provides recommendations for writing code that can be easily understood and
read by other Python programmers. In order to make your intentions clear, you should incorporate
comments into your code. Depending on the length of the comment, you can follow conventions for
single-line or multi-line comments. It's also important to use correct indentation; this ensures your
code will run as intended and also makes it easier to read. Finally, you should also be aware of
common syntax issues so that you can more easily fix them.

Argument (Python): The data brought into a function when it is called
Built-in function: A function that exists within Python and can be called directly
Comment: A note programmers make about the intention behind their code
Function: A section of code that can be reused in a program
Global variable: A variable that is available through the entire program
Indentation: Space added at the beginning of a line of code

Library: A collection of modules that provide code users can access in their programs
Local variable: A variable assigned within a function
Module: A Python file that contains additional functions, variables, classes, and any kind of
runnable code
Parameter (Python): An object that is included in a function definition for use in that function
PEP 8 style guide: A resource that provides stylistic guidelines for programmers working in
Python
Python Standard Library: An extensive collection of Python code that often comes packaged
with Python
Return statement: A Python statement that executes inside a function and sends information
back to the function call
Style guide: A manual that informs the writing, formatting, and design of documents
User-defined function: A function that programmers design for their specific needs
Strings and the security analyst

The ability to work with strings is important in the cybersecurity profession. Previously, you were
introduced to several ways to work with strings, including functions and methods. You also learned
how to extract elements in strings using bracket notation and indices. This reading reviews these
concepts and explains more about using the .index() method. It also highlights examples of string
data you might encounter in a security setting.
String data in a security setting

As an analyst, string data is one of the most common data types you will encounter in Python. String
data is data consisting of an ordered sequence of characters. It's used to store any type of
information you don't need to manipulate mathematically (such as through division or subtraction). In
a cybersecurity context, this includes IP addresses, usernames, URLs, and employee IDs.
You'll need to work with these strings in a variety of ways. For example, you might extract certain
parts of an IP address, or you might verify whether usernames meet required criteria.
Working with indices in strings
Indices
An index is a number assigned to every element in a sequence that indicates its position. With
strings, this means each character in the string has its own index.
Indices start at 0. For example, you might be working with this string containing a device ID:
"h32rb17". The following table indicates the index for each character in this string:
character index
h 0
3 1
2 2
r 3
b 4
1 5
7 6
You can also use negative numbers as indices. This is based on their position relative to the last
character in the string:
character index
h -7
3 -6
2 -5
r -4
b -3
1 -2
7 -1
Bracket notation
Bracket notation refers to the indices placed in square brackets. You can use bracket notation to
extract a part of a string. For example, the first character of the device ID might represent a certain
characteristic of the device. If you want to extract it, you can use bracket notation for this:
"h32rb17"[0]
This device ID might also be stored within a variable called device_id. You can apply the same
bracket notation to the variable:
device_id = "h32rb17"
device_id[0]
In both cases, bracket notation outputs the character h when this bracket notation is placed inside a
print() function. You can observe this by running the following code:
1
2
device_id = "h32rb17"
print("h32rb17"[0])
print(device_id[0])
RunReset
You can also take a slice from a string. When you take a slice from a string, you extract more than
one character from it. It's often done in cybersecurity contexts when you’re only interested in a
specific part of a string. For example, this might be certain numbers in an IP address or certain parts
of a URL.
In the device ID example, you might need the first three characters to determine a particular quality
of the device. To do this, you can take a slice of the string using bracket notation. You can run this
line of code to observe that it outputs "h32":
print("h32rb17"[0:3])
RunReset
Note: The slice starts at the 0 index, but the second index specified after the colon is excluded. This
means the slice ends one position before index 3, which is at index 2.
String functions and methods

The str() and len() functions are useful for working with strings. You can also apply methods to
strings, including the .upper(), .lower(), and .index() methods. A method is a function that belongs to a
specific data type.
str() and len()

The str() function converts its input object into a string. As an analyst, you might use this in security
logs when working with numerical IDs that aren't going to be used with mathematical processes.
Converting an integer to a string gives you the ability to search through it and extract slices from it.
Consider the example of an employee ID 19329302 that you need to convert into a string. You can
use the following line of code to convert it into a string and store it in a variable:
string_id = str(19329302)
The second function you learned for strings is the len() function, which returns the number of
elements in an object.
As an example, if you want to verify that a certain device ID conforms to a standard of containing
seven characters, you can use the len() function and a conditional. When you run the following code,
it will print a message if "h32rb17" has seven characters:
1
device_id_length = len("h32rb17")
if device_id_length == 7:
print("The device ID has 7 characters.")

RunReset
.upper() and .lower()

The .upper() method returns a copy of the string with all of its characters in uppercase. For example,
you can change this department name to all uppercase by running the code "Information
Technology".upper(). It would return the string "INFORMATION TECHNOLOGY".
Meanwhile, the .lower() method returns a copy of the string in all lowercase characters. "Information
Technology".lower() would return the string "information technology".
.index()
The .index() method finds the first occurrence of the input in a string and returns its location. For
example, this code uses the .index() method to find the first occurrence of the character "r" in the
device ID "h32rb17":
print("h32rb17".index("r"))
RunReset
The .index() method returns 3 because the first occurrence of the character "r" is at index 3.
In other cases, the input may not be found. When this happens, Python returns an error. For
instance, the code print("h32rb17".index("a")) returns an error because "a" is not in the string
"h32rb17".
Also note that if a string contains more than one instance of a character, only the first one will be
returned. For instance, the device ID "r45rt46" contains two instances of "r". You can run the
following code to explore its output:
print("r45rt46".index("r"))
RunReset
The output is 0 because .index() returns only the first instance of "r", which is at index 0. The
instance of "r" at index 3 is not returned.
Finding substrings with .index()
A substring is a continuous sequence of characters within a string. For example, "llo" is a substring
of "hello".
The .index() method can also be used to find the index of the first occurrence of a substring. It returns
the index of the first character in that substring. Consider this example that finds the first instance of
the user "tshah" in a string:
tshah_index = "tsnow, tshah, bmoreno - updated".index("tshah")
print(tshah_index)
RunReset
The .index() method returns the index 7, which is where the substring "tshah" starts.
Note: When using the .index() method to search for substrings, you need to be careful. In the
previous example, you want to locate the instance of "tshah". If you search for just "ts", Python will
return 0 instead of 7 because "ts" is also a substring of "tsnow".
Key takeaways
As a security analyst, you will work with strings in a variety of ways. First, you might need to use
bracket notation to work with string indices. Two functions you will likely use are str(), which converts
an input into a string, and len(), which finds the length of a string. You can also use string methods,
functions that only work on strings. These include .upper(), which converts all letters in a string into
uppercase letters, .lower(), which converts all letters in a string into lowercase letters, and .index(),
which returns the index of the first occurrence of its input within a string.
Lists and the security analyst
Previously, you examined how to use bracket notation to access and change elements in a list and
some fundamental methods for working with lists. This reading will review these concepts with new
examples, introduce the .index() method as it applies to lists, and highlight how lists are used in a
cybersecurity context.
List data in a security setting

As a security analyst, you'll frequently work with lists in Python. List data is a data structure that
consists of a collection of data in sequential form. You can use lists to store multiple elements in a
single variable. A single list can contain multiple data types.
In a cybersecurity context, lists might be used to store usernames, IP addresses, URLs, device IDs,
and data.
Placing data within a list allows you to work with it in a variety of ways. For example, you might
iterate through a list of device IDs using a for loop to perform the same actions for all items in the
list. You could incorporate a conditional statement to only perform these actions if the device IDs
meet certain conditions.
Working with indices in lists

Indices
Like strings, you can work with lists through their indices, and indices start at 0. In a list, an index is
assigned to every element in the list.
This table contains the index for each element in the list ["elarson", "fgarcia", "tshah", "sgilmore"]:
element index
"elarson" 0
"fgarcia" 1
"tshah" 2
"sgilmore" 3
Bracket notation
Similar to strings, you can use bracket notation to extract elements or slices in a list. To extract an
element from a list, after the list or the variable that contains a list, add square brackets that contain
the index of the element. The following example extracts the element with an index of 2 from the
variable username_list and prints it. You can run this code to examine what it outputs:
username_list = ["elarson", "fgarcia", "tshah", "sgilmore"]
print(username_list[2])
RunReset
This example extracts the element at index 2 directly from the list:
print(["elarson", "fgarcia", "tshah", "sgilmore"][2])

RunReset
Extracting a slice from a list

Just like with strings, it's also possible to use bracket notation to take a slice from a list. With lists,
this means extracting more than one element from the list.
When you extract a slice from a list, the result is another list. This extracted list is called a sublist
because it is part of the original, larger list.
To extract a sublist using bracket notation, you need to include two indices. You can run the
following code that takes a slice from a list and explore the sublist it returns:
print(username_list[0:2])
RunReset
The code returns a sublist of ["elarson", "fgarcia"]. This is because the element at index 0, "elarson",
is included in the slice, but the element at index 2, "tshah", is excluded. The slice ends one element
before this index.
Changing the elements in a list

Unlike strings, you can also use bracket notation to change elements in a list. This is because a
string is immutable and cannot be changed after it is created and assigned a value, but lists are not
immutable.
To change a list element, use similar syntax as you would use when reassigning a variable, but
place the specific element to change in bracket notation after the variable name. For example, the
following code changes the element at index 1 of the username_list variable to "bmoreno".
print("Before changing an element:", username_list)

username_list[1] = "bmoreno"
print("After changing an element:", username_list)

RunReset
This code has updated the element at index 1 from "fgarcia" to "bmoreno".
List methods
List methods are functions that are specific to the list data type. These include the .insert() , .remove(),
.append() and .index().
.insert()
The .insert() method adds an element in a specific position inside a list. It has two parameters. The
first is the index where you will insert the new element, and the second is the element you want to
insert.
You can run the following code to explore how this method can be used to insert a new username
into a username list:
username_list = ["elarson", "bmoreno", "tshah", "sgilmore"]
print("Before inserting an element:", username_list)
username_list.insert(2,"wjaffrey")
print("After inserting an element:", username_list)

RunReset
Because the first parameter is 2 and the second parameter is "wjaffrey", "wjaffrey" is inserted at
index 2, which is the third position. The other list elements are shifted one position in the list. For
example, "tshah" was originally located at index 2 and now is located at index 3.
.remove()
The .remove() method removes the first occurrence of a specific element in a list. It has only one
parameter, the element you want to remove.
The following code removes "elarson" from the username_list:
2
3
username_list = ["elarson", "bmoreno", "wjaffrey", "tshah", "sgilmore"]
print("Before removing an element:", username_list)
username_list.remove("elarson")
print("After removing an element:", username_list)

RunReset
This code removes "elarson" from the list. The elements that follow "elarson" are all shifted one
position closer to the beginning of the list.
Note: If there are two of the same element in a list, the .remove() method only removes the first
instance of that element and not all occurrences.
.append()
The .append() method adds input to the end of a list. Its one parameter is the element you want to
add to the end of the list.
For example, you could use .append() to add "btang" to the end of the username_list:
username_list = ["bmoreno", "wjaffrey", "tshah", "sgilmore"]
print("Before appending an element:", username_list)
username_list.append("btang")
print("After appending an element:", username_list)

RunReset
This code places "btang" at the end of the username_list, and all other elements remain in their
original positions.
The .append() method is often used with for loops to populate an empty list with elements. You can
explore how this works with the following code:
2
3
numbers_list = []
print("Before appending a sequence of numbers:", numbers_list)
for i in range(10):
numbers_list.append(i)
print("After appending a sequence of numbers:", numbers_list)

RunReset
Before the for loop, the numbers_list variable does not contain any elements. When it is printed, the
empty list is displayed. Then, the for loop iterates through a sequence of numbers and uses the
.append() method to add each of these numbers to numbers_list. After the loop, when the numbers_list
variable is printed, it displays these numbers.
.index()
Similar to the .index() method used for strings, the .index() method used for lists finds the first
occurrence of an element in a list and returns its index. It takes the element you're searching for as
an input.
Note: Although it has the same name and use as the .index() method used for strings, the .index()
method used for lists is not the same method. Methods are defined when defining a data type, and
because strings and lists are defined differently, the methods are also different.
Using the username_list variable, you can use the .index() method to find the index of the username
"tshah":
username_list = ["bmoreno", "wjaffrey", "tshah", "sgilmore", "btang"]
username_index = username_list.index("tshah")
print(username_index)
RunReset
Because the index of "tshah" is 2, it outputs this number.
Similar to the .index() method used for strings, it only returns the index of the first occurrence of a list
item. So if the username "tshah" were repeated twice, it would return the index of the first instance,
and not the second.
Key takeaways
Python offers a lot of ways to work with lists. Bracket notation allows you to extract elements and
slices from lists and also to alter them. List methods allow you to alter lists in a variety of ways. The
.insert() and .append() methods add elements to lists while the .remove() method allows you to remove
them. The .index() method allows you to find the index of an element in a list.
More about regular expressions

You were previously introduced to regular expressions and a couple of symbols that you can use to
construct regular expression patterns. In this reading, you'll explore additional regular expression
symbols that can be used in a cybersecurity context. You'll also learn more about the re module and
its re.findall() function.
Basics of regular expressions

A regular expression (regex) is a sequence of characters that forms a pattern. You can use these in
Python to search for a variety of patterns. This could include IP addresses, emails, or device IDs.
To access regular expressions and related functions in Python, you need to import the re module
first. You should use the following line of code to import the re module:
import re
Regular expressions are stored in Python as strings. Then, these strings are used in re module
functions to search through other strings. There are many functions in the re module, but you will
explore how regular expressions work through re.findall(). The re.findall() function returns a list of
matches to a regular expression. It requires two parameters. The first is the string containing the
regular expression pattern, and the second is the string you want to search through.
The patterns that comprise a regular expression consist of alphanumeric characters and special
symbols. If a regular expression pattern consists only of alphanumeric characters, Python will review
the specified string for matches to this pattern and return them. In the following example, the first
parameter is a regular expression pattern consisting only of the alphanumeric characters "ts". The
second parameter, "tsnow, tshah, bmoreno", is the string it will search through. You can run the
following code to explore what it returns:
1
2
import re
re.findall("ts", "tsnow, tshah, bmoreno")

RunReset
The output is a list of only two elements, the two matches to "ts": ['ts', 'ts'].
If you want to do more than search for specific strings, you must incorporate special symbols into
your regular expressions.
Regular expression symbols

Symbols for character types
You can use a variety of symbols to form a pattern for your regular expression. Some of these
symbols identify a particular type of character. For example, \w matches with any alphanumeric
character.
Note: The \w symbol also matches with the underscore ( _ ).
You can run this code to explore what re.findall() returns when applying the regular expression of "\
w" to the device ID of "h32rb17".
import re
re.findall("\w", "h32rb17")
RunReset
Because every character within this device ID is an alphanumeric character, Python returns a list
with seven elements. Each element represents one of the characters in the device ID.
You can use these additional symbols to match to specific kinds of characters:
 . matches to all characters, including symbols
 \d matches to all single digits [0-9]
 \s matches to all single spaces
 \. matches to the period character
The following code searches through the same device ID as the previous example but changes the
regular expression pattern to "\d". When you run it, it will return a different list:
1
2
import re
re.findall("\d", "h32rb17")
RunReset
This time, the list contains only four elements. Each element is one of the numeric digits in the string.
Symbols to quantify occurrences

Other symbols quantify the number of occurrences of a specific character in the pattern. In a regular
expression pattern, you can add them after a character or a symbol identifying a character type to
specify the number of repetitions that match to the pattern.
For example, the + symbol represents one or more occurrences of a specific character. In the
following example, the pattern places it after the "\d" symbol to find matches to one or more
occurrences of a single digit:
import re
re.findall("\d+", "h32rb17")
RunReset
With the regular expression "\d+", the list contains the two matches of "32" and "17".
Another symbol used to quantify the number of occurrences is the * symbol. The * symbol
represents zero, one, or more occurrences of a specific character. The following code substitutes
the * symbol for the + used in the previous example. You can run it to examine the difference:
import re
re.findall("\d*", "h32rb17")
RunReset
Because it also matches to zero occurrences, the list now contains empty strings for the characters
that were not single digits.
If you want to indicate a specific number of repetitions to allow, you can place this number in curly
brackets ({ }) after the character or symbol. In the following example, the regular expression pattern
"\d{2}" instructs Python to return all matches of exactly two single digits in a row from a string of
multiple device IDs:
1
2
import re
re.findall("\d{2}", "h32rb17 k825t0m c2994eh")

RunReset
Because it is matching to two repetitions, when Python encounters a single digit, it checks whether
there is another one following it. If there is, Python adds the two digits to the list and goes on to the
next digit. If there isn't, it proceeds to the next digit without adding the first digit to the list.
Note: Python scans strings left-to-right when matching against a regular expression. When Python
finds a part of the string that matches the first expected character defined in the regular expression,
it continues to compare the subsequent characters to the expected pattern. When the pattern is
complete, it starts this process again. So in cases in which three digits appear in a row, it handles
the third digit as a new starting digit.
You can also specify a range within the curly brackets by separating two numbers with a comma.
The first number is the minimum number of repetitions and the second number is the maximum
number of repetitions. The following example returns all matches that have between one and three
repetitions of a single digit:
import re
re.findall("\d{1,3}", "h32rb17 k825t0m c2994eh")

RunReset
The returned list contains elements of one digit like "0", two digits like "32" and three digits like
"825".
Constructing a pattern
Constructing a regular expression requires you to break down the pattern you're searching for into
smaller chunks and represent those chunks using the symbols you've learned. Consider an example
of a string that contains multiple pieces of information about employees at an organization. For each
employee, the following string contains their employee ID, their username followed by a colon ( :),
their attempted logins for the day, and their department:
employee_logins_string = "1001 bmoreno: 12 Marketing 1002 tshah: 7 Human Resources 1003 sgilmore: 5
Finance"
Your task is to extract the username and the login attempts, without the employee's ID number or
department.
To complete this task with regular expressions, you need to break down what you're searching for
into smaller components. In this case, those components are the varying number of characters in a
username, a colon, a space, and a varying number of single digits. The corresponding regular
expression symbols are \w+, :, \s, and \d+ respectively. Using these symbols as your regular
expression, you can run the following code to extract the strings:
import re
pattern = "\w+:\s\d+"
employee_logins_string = "1001 bmoreno: 12 Marketing 1002 tshah: 7 Human Resourc

es 1003 sgilmore: 5 Finance"
print(re.findall(pattern, employee_logins_string))
RunReset
Note: Working with regular expressions can carry the risk of returning unneeded information or
excluding strings that you want to return. Therefore, it's useful to test your regular expressions.
Key takeaways
Regular expressions allow you to search through strings to find matches to specific patterns. You
can use regular expressions by importing the re module. This module contains multiple functions,
including re.findall(), which returns all matches to a pattern in the form of a list. To form a pattern,
you use characters and symbols. Symbols allow you to specify types of characters and to quantify
how many repetitions of a character or type of character can occur in the pattern.

Algorithm: A set of rules that solve a problem
Bracket notation: The indices placed in square brackets
Debugging: The practice of identifying and fixing errors in code

Immutable: An object that cannot be changed after it is created and assigned a value
Index: A number assigned to every element in a sequence that indicates its position
List concatenation: The concept of combining two lists into one by placing the elements of the
second list directly after the elements of the first list
List data: Data structure that consists of a collection of data in sequential form
Method: A function that belongs to a specific data type
Regular expression (regex): A sequence of characters that forms a pattern
String concatenation: The process of joining two strings together
Substring: A continuous sequence of characters within a string
Essential Python components for automation

Throughout this course, you explored coding in Python. You've focused on variables, conditional
statements, iterative statements, functions, and a variety of ways to work with strings and lists. In
this reading, you will explore why these are all essential components when automating tasks
through Python, and you'll be introduced to another necessary component: working with files.
Automating tasks in Python

Automation is the use of technology to reduce human and manual effort to perform common
and repetitive tasks. As a security analyst, you will primarily use Python to automate tasks.
You have encountered multiple examples of how to use Python for automation in this course,
including investigating logins, managing access, and updating devices.
Automating cybersecurity-related tasks requires understanding the following Python components

that you've worked with in this course:
Variables
A variable is a container that stores data. Variables are essential for automation. Without them,
you would have to individually rewrite values for each action you took in Python.
Conditional statements
A conditional statement is a statement that evaluates code to determine if it meets a specified
set of conditions. Conditional statements allow you to check for conditions before performing
actions. This is much more efficient than manually evaluating whether to apply an action to each
separate piece of data.
Iterative statements
An iterative statement is code that repeatedly executes a set of instructions. You explored two
kinds of iterative statements: for loops and while loops. In both cases, they allow you to perform
the same actions a certain number of times without the need to retype the same code each time.
Using a for loop allows you to automate repetition of that code based on a sequence, and using a
while loop allows you to automate the repetition based on a condition.
Functions
A function is a section of code that can be reused in a program. Functions help you automate
your tasks by reducing the need to incorporate the same code multiple places in a program.
Instead, you can define the function once and call it wherever you need it.
You can develop your own functions based on your particular needs. You can also incorporate
the built-in functions that exist directly in Python without needing to manually code them.
Techniques for working with strings

String data is one of the most common data types that you'll encounter when automating
cybersecurity tasks through Python, and there are a lot of techniques that make working with
strings efficient. You can use bracket notation to access characters in a string through their
indices. You can also use a variety of functions and methods when working with strings,
including str(), len(), and .index().
Techniques for working with lists

List data is another common data type. Like with strings, you can use bracket notation to access
a list element through its index. Several methods also help you with automation when working
with lists. These include .insert(), .remove(), .append(), and .index().
Example: Counting logins made by a flagged user

As one example, you may find that you need to investigate the logins of a specific user who has
been flagged for unusual activity. Specifically, you are responsible for counting how many times
this user has logged in for the day. If you are given a list identifying the username associated
with each login attempt made that day, you can automate this investigation in Python.
To automate the investigation, you'll need to incorporate the following Python components:
 A for loop will allow you to iterate through all the usernames in the list.
 Within the for loop, you should incorporate a conditional statement to examine whether
each username in the list matches the username of the flagged user.
 When the condition evaluates to True, you also need to increment a counter variable that
keeps track of the number of times the flagged user appears in the list.
Additionally, if you want to reuse this code multiple times, you can incorporate it into a function.
The function can include parameters that accept the username of the flagged user and the list to
iterate through. (The list would contain the usernames associated with all login attempts made
that day.) The function can use the counter variable to return the number of logins for that
flagged user.
Working with files in Python

One additional component of automating cybersecurity-related tasks in Python is understanding
how to work with files. Security-related data will often be initially found in log files. A log is a
record of events that occur within an organization's systems. In logs, lines are often appended to
the record as time progresses.
Two common file formats for security logs are .txt files and .csv files. Both .txt and .csv files are
types of text files, meaning they contain only plain text. They do not contain images and do not
specify graphical properties of the text, including font, color, or spacing. In a .csv file, or a
"comma-separated values" file, the values are separated by commas. In a .txt file, there is not a
specific format for separating values, and they may be separated in a variety of ways, including
spaces.
You can easily extract data from .txt and .csv files. You can also convert both into other file
formats.
Coming up, you'll learn how to import, read from, and write to files. You will also explore how
to structure the information contained in files.
Key takeaways
It is important for security analysts to be able to automate tasks in Python. This requires
knowledge of fundamental Python concepts, including variables, conditional statements, iterative
statements, and techniques for working with strings and lists. In addition, the ability to work with
files is also essential for automation in Python.
Import files into Python
Previously, you explored how to open files in Python, convert them into strings, and read them. In
this reading, you'll review the syntax needed for this. You'll also focus on why the ability to work with
files is important for security analysts using Python, and you will learn about writing files.
Working with files in cybersecurity

Security analysts may need to access a variety of files when working in Python. Many of these files
will be logs. A log is a record of events that occur within an organization's systems.
For instance, there may be a log containing information on login attempts. This might be used to
identify unusual activity that signals attempts made by a malicious actor to access the system.
As another example, malicious actors that have breached the system might be capable of attacking
software applications. An analyst might need to access a log that contains information on software
applications that are experiencing issues.
Opening files in Python

To open a file called "update_log.txt" in Python for purposes of reading it, you can incorporate the
following line of code:
with open("update_log.txt", "r") as file:
This line consists of the with keyword, the open() function with its two parameters, and the as
keyword followed by a variable name. You must place a colon (:) at the end of the line.
with
The keyword with handles errors and manages external resources when used with other functions.
In this case, it's used with the open() function in order to open a file. It will then manage the resources
by closing the file after exiting the with statement.
Note: You can also use the open() function without the with keyword. However, you should close the
file you opened to ensure proper handling of the file.
open()
The open() function opens a file in Python.
The first parameter identifies the file you want to open. In the following file structure, "update_log.txt"
is located in the same directory as the Python file that will access it, "log_parser.ipynb":
Because they're in the same directory, only the name of the file is required. The code can be written
as with open("update_log.txt", "r") as file:.
However, "access_log.txt" is not in the same directory as the Python file "log_parser.ipynb".
Therefore, it's necessary to specify its absolute file path. A file path is the location of a file or
directory. An absolute file path starts from the highest-level directory, the root. In the following code,
the first parameter of the open() function includes the absolute file path to "access_log.txt":
with open("/home/analyst/logs/access_log.txt", "r") as file:
Note: In Python, the names of files or their file paths can be handled as string data, and like all string
data, you must place them in quotation marks.
The second parameter of the open() function indicates what you want to do with the file. In both of
these examples, the second parameter is "r", which indicates that you want to read the file.
Alternatively, you can use "w" if you want to write to a file or "a" if you want to append to a file.
as
When you open a file using with open(), you must provide a variable that can store the file while you
are within the with statement. You can do this through the keyword as followed by this variable name.
The keyword as assigns a variable that references another object. The code with
open("update_log.txt", "r") as file: assigns file to reference the output of the open() function within the
indented code block that follows it.
Reading files in Python

After you use the code with open("update_log.txt", "r") as file: to import "update_log.txt" into the file
variable, you should indicate what to do with the file on the indented lines that follow it. For example,
this code uses the .read() method to read the contents of the file:
updates = file.read()
print(updates)
The .read() method converts files into strings. This is necessary in order to use and display the
contents of the file that was read.
In this example, the file variable is used to generate a string of the file contents through .read(). This
string is then stored in another variable called updates. After this, print(updates) displays the string.
Once the file is read into the updates string, you can perform the same operations on it that you might
perform with any other string. For example, you could use the .index() method to return the index
where a certain character or substring appears. Or, you could use len() to return the length of this
string.
Writing files in Python

Security analysts may also need to write to files. This could happen for a variety of reasons. For
example, they might need to create a file containing the approved usernames on a new allow list. Or,
they might need to edit existing files to add data or to adhere to policies for standardization.
To write to a file, you will need to open the file with "w" or "a" as the second argument of open().
You should use the "w" argument when you want to replace the contents of an existing file. When
working with the existing file update_log.txt, the code with open("update_log.txt", "w") as file: opens it
so that its contents can be replaced.
Additionally, you can use the "w" argument to create a new file. For example, with
open("update_log2.txt", "w") as file: creates and opens a new file called "update_log2.txt".
You should use the "a" argument if you want to append new information to the end of an existing file
rather than writing over it. The code with open("update_log.txt", "a") as file: opens "update_log.txt" so
that new information can be appended to the end. Its existing information will not be deleted.
Like when opening a file to read from it, you should indicate what to do with the file on the indented
lines that follow when you open a file to write to it. With both "w" and "a", you can use the .write()
method. The .write() method writes string data to a specified file.
The following example uses the .write() method to append the content of the line variable to the file
"access_log.txt".
line = "jrafael,192.168.243.140,4:56:27,True"
with open("access_log.txt", "a") as file:
file.write(line)
Note: Calling the .write() method without using the with keyword when importing the file might result
in its arguments not being completely written to the file if the file is not properly closed in another
way.
Key takeaways
It's important for security analysts to be able to import files into Python and then read from or write to
them. Importing Python files involves using the with keyword, the open() function, and the as
keyword. Reading from and writing to files requires knowledge of the .read() and .write() methods
and the arguments to the open() function of "r", "w", and "a".
Work with files in Python

You previously explored how to open files in Python as well as how to read them and write to
them. You also examined how to adjust the structure of file contents through the .split() method.
In this reading, you'll review the .split() method, and you'll also learn an additional method that
can help you work with file contents.
Parsing
Part of working with files involves structuring its contents to meet your needs. Parsing is the
process of converting data into a more readable format. Data may need to become more readable
in a couple of different ways. First, certain parts of your Python code may require modification
into a specific format. By converting data into this format, you enable Python to process it in a
specific way. Second, programmers need to read and interpret the results of their code, and
parsing can also make the data more readable for them.
Methods that can help you parse your data include .split() and .join().
.split()
The basics of .split()
The .split() method converts a string into a list. It separates the string based on a specified
character that's passed into .split() as an argument.
In the following example, the usernames in the approved_users string are separated by a comma.
For this reason, a string containing the comma (",") is passed into .split() in order to parse it into
a list. Run this code and analyze the different contents of approved_users before and after the
.split() method is applied to it:
approved_users = "elarson,bmoreno,tshah,sgilmore,eraab"
print("before .split():", approved_users)
approved_users = approved_users.split(",")
print("after .split():", approved_users)

RunReset
Before the .split() method is applied to approved_users, it contains a string, but after it is
applied, this string is converted to a list.
If you do not pass an argument into .split(), it will separate the string every time it encounters a
whitespace.
Note: A variety of characters are considered whitespaces by Python. These characters include
spaces between characters, returns for new lines, and others.
The following example demonstrates how a string of usernames that are separated by space can
be split into a list through the .split() method:
removed_users = "wjaffrey jsoto abernard jhill awilliam"
print("before .split():", removed_users)
removed_users = removed_users.split()
print("after .split():", removed_users)

RunReset
Because an argument isn't passed into .split(), Python splits the removed_users string at each
space when separating it into a list.
Applying .split() to files

The .split() method allows you to work with file content as a list after you've converted it to a
string through the .read() method. This is useful in a variety of ways. For example, if you want to
iterate through the file contents in a for loop, this can be easily done when it's converted into a
list.
The following code opens the "update_log.txt" file. It then reads all of the file contents into the
updates variable as a string and splits the string in the updates variable into a list by creating a
new element at each whitespace:
updates = updates.split()
After this, through the updates variable, you can work with the contents of the "update_log.txt"
file in parts of your code that require it to be structured as a list.
Note: Because the line that contains .split() is not indented as part of the with statement, the file
closes first. Closing a file as soon as it is no longer needed helps maintain code readability. Once
a file is read into the updates variable, it is not needed and can be closed.
.join()
The basics of .join()
If you need to convert a list into a string, there is also a method for that. The .join() method
concatenates the elements of an iterable into a string. The syntax used with .join() is distinct from
the syntax used with .split() and other methods that you've worked with, such as .index().
In methods like .split() or .index(), you append the method to the string or list that you're
working with and then pass in other arguments. For example, the code usernames.index(2),
appends the .index() method to the variable usernames, which contains a list. It passes in 2 as the
argument to indicate which element to return.
However, with .join(), you must pass the list that you want to concatenate into a string in as an
argument. You append .join() to a character that you want to separate each element with once
they are joined into a string.
For example, in the following code, the approved_users variable contains a list. If you want to
join that list into a string and separate each element with a comma, you can use
",".join(approved_users). Run the code and examine what it returns:
approved_users = ["elarson", "bmoreno", "tshah", "sgilmore", "eraab"]
print("before .join():", approved_users)
approved_users = ",".join(approved_users)
print("after .join():", approved_users)

RunReset
Before .join() is applied, approved_users is a list of five elements. After it is applied, it is a

string with each username separated by a comma.
Note: Another way to separate elements when using the .join() method is to use "\n", which is
the newline character. The "\n" character indicates to separate the elements by placing them on
new lines.
Applying .join() to files

When working with files, it may also be necessary to convert its contents back into a string. For
example, you may want to use the .write() method. The .write() method writes string data to a
file. This means that if you have converted a file's contents into a list while working with it,
you'll need to convert it back into a string before using .write(). You can use the .join() method
for this.
You already examined how .split() could be applied to the contents of the "update_log.txt" file
once it is converted into a string through .read() and stored as updates:
updates = updates.split()
After you're through performing operations using the list in the updates variable, you might want
to replace "update_log.txt" with the new contents. To do so, you need to first convert updates
back into a string using .join(). Then, you can open the file using a with statement and use the
.write() method to write the updates string to the file:
updates = " ".join(updates)
with open("update_log.txt", "w") as file:
file.write(updates)
The code " ".join(updates) indicates to separate each of the list elements in updates with a space
once joined back into a string. And because "w" is specified as the second argument of open(),
Python will overwrite the contents of "update_log.txt" with the string currently in the updates
variable.
Key takeaways
An important element of working with files is being able to parse the data it contains. Parsing
means converting the data into a readable format. The .split() and .join() methods are both useful
for parsing data. The .split() method allows you to convert a string into a list, and the .join()
method allows you to convert a list into a string.
Explore debugging techniques

Previously, you examined three types of errors you may encounter while working in Python and
explored strategies for debugging these errors. This reading further explores these concepts with
additional strategies and examples for debugging Python code.
Types of errors
It's a normal part of developing code in Python to get error messages or find that the code you're
running isn't working as you intended. The important thing is that you can figure out how to fix
errors when they occur. Understanding the three main types of errors can help. These types
include syntax errors, logic errors, and exceptions.
Syntax errors
A syntax error is an error that involves invalid usage of a programming language. Syntax errors
occur when there is a mistake with the Python syntax itself. Common examples of syntax errors
include forgetting a punctuation mark, such as a closing bracket for a list or a colon after a
function header.
When you run code with syntax errors, the output will identify the location of the error with the
line number and a portion of the affected code. It also describes the error. Syntax errors often
begin with the label "SyntaxError:" . Then, this is followed by a description of the error. The
description might simply be "invalid syntax" . Or if you forget a closing parentheses on a
function, the description might be "unexpected EOF while parsing". "EOF" stands for "end of
file."
The following code contains a syntax error. Run it and examine its output:
message = "You are debugging a syntax error
print(message)
RunReset
This outputs the message "SyntaxError: EOL while scanning string literal". "EOL" stands for
"end of line". The error message also indicates that the error happens on the first line. The error
occurred because a quotation mark was missing at the end of the string on the first line. You can
fix it by adding that quotation mark.
Note: You will sometimes encounter the error label "IndentationError" instead of
"SyntaxError". "IndentationError" is a subclass of "SyntaxError" that occurs when the
indentation used with a line of code is not syntactically correct.
Logic errors
A logic error is an error that results when the logic used in code produces unintended results.
Logic errors may not produce error messages. In other words, the code will not do what you
expect it to do, but it is still valid to the interpreter.
For example, using the wrong logical operator, such as a greater than or equal to sign (>=)
instead of greater than sign (>) can result in a logic error. Python will not evaluate a condition as
you intended. However, the code is valid, so it will run without an error message.
The following example outputs a message related to whether or not a user has reached a
maximum number of five login attempts. The condition in the if statement should be
login_attempts < 5, but it is written as login_attempts >= 5. A value of 5 has been assigned to
login_attempts so that you can explore what it outputs in that instance:
1
login_attempts = 5
if login_attempts >= 5:
print("User has not reached maximum number of login attempts.")
else:
print("User has reached maximum number of login attempts.")

RunReset
The output displays the message "User has not reached maximum number of login attempts."
However, this is not true since the maximum number of login attempts is five. This is a logic
error.
Logic errors can also result when you assign the wrong value in a condition or when a mistake
with indentation means that a line of code executes in a way that was not planned.
Exceptions
An exception is an error that involves code that cannot be executed even though it is
syntactically correct. This happens for a variety of reasons.
One common cause of an exception is when the code includes a variable that hasn't been
assigned or a function that hasn't been defined. In this case, your output will include
"NameError" to indicate that this is a name error. After you run the following code, use the
error message to determine which variable was not assigned:
8
month = "March"
total_logins = 75
failed_logins = 18
print("Login report for", username, "in", month)
print("Total logins:", total_logins)
print("Failed logins:", failed_logins)
print("Unusual logins:", unusual_logins)

RunReset
The output indicates there is a "NameError" involving the unusual_logins variable. You can fix
this by assigning this variable a value.
In addition to name errors, the following messages are output for other types of exceptions:
 "IndexError": An index error occurs when you place an index in bracket notation that
does not exist in the sequence being referenced. For example, in the list usernames =
["bmoreno", "tshah", "elarson"], the indices are 0, 1, and 2. If you referenced this list
with the statement print(usernames[3]), this would result in an index error.
 "TypeError": A type error results from using the wrong data type. For example, if you
tried to perform a mathematical calculation by adding a string value to an integer, you
would get a type error.
 "FileNotFound": A file not found error occurs when you try to open a file that does not
exist in the specified location.
Debugging strategies
Keep in mind that if you have multiple errors, the Python interpreter will output error messages
one at a time, starting with the first error it encounters. After you fix that error and run the code
again, the interpreter will output another message for the next syntax error or exception it
encounters.
When dealing with syntax errors, the error messages you receive in the output will generally help
you fix the error. However, with logic errors and exceptions, additional strategies may be
needed.
Debuggers
In this course, you have been running code in a notebook environment. However, you may write
Python code in an Integrated Development Environment (IDE). An Integrated Development
Environment (IDE) is a software application for writing code that provides editing assistance
and error correction tools. Many IDEs offer error detection tools in the form of a debugger. A
debugger is a software tool that helps to locate the source of an error and assess its causes.
In cases when you can't find the line of code that is causing the issue, debuggers help you narrow
down the source of the error in your program. They do this by working with breakpoints.
Breakpoints are markers placed on certain lines of executable code that indicate which sections
of code should run when debugging.
Some debuggers also have a feature that allows you to check the values stored in variables as
they change throughout your code. This is especially helpful for logic errors so that you can
locate where variable values have unintentionally changed.
Use print statements

Another debugging strategy is to incorporate temporary print statements that are designed to
identify the source of the error. You should strategically incorporate these print statements to
print at various locations in the code. You can specify line numbers as well as descriptive text
about the location.
For example, you may have code that is intended to add new users to an approved list and then
display the approved list. The code should not add users that are already on the approved list. If
you analyze the output of this code after you run it, you will realize that there is a logic error:
new_users = ["sgilmore", "bmoreno"]
approved_users = ["bmoreno", "tshah", "elarson"]
def add_users():
for user in new_users:
if user in approved_users:
print(user,"already in list")
approved_users.append(user)
add_users()
print(approved_users)
RunReset
Even though you get the message "bmoreno already in list", a second instance of "bmoreno" is
added to the list. In the following code, print statements have been added to the code. When you
run it, you can examine what prints:
10
11
12
new_users = ["sgilmore", "bmoreno"]
approved_users = ["bmoreno", "tshah", "elarson"]
def add_users():
for user in new_users:
print("line 5 - inside for loop")
if user in approved_users:
print("line 7 - inside if statement")
print(user,"already in list")
print("line 9 - before .append method")
approved_users.append(user)
add_users()
print(approved_users)
RunReset
The print statement "line 5 - inside for loop" outputs twice, indicating that Python has entered
the for loop for each username in new_users. This is as expected. Additionally, the print
statement "line 7 - inside if statement" only outputs once, and this is also as expected because
only one of these usernames was already in approved_users.
However, the print statement "line 9 - before .append method" outputs twice. This means the
code calls the .append() method for both usernames even though one is already in
approved_users. This helps isolate the logic error to this area. This can help you realize that the
line of code approved_users.append(user) should be the body of an else statement so that it only
executes when user is not in approved_users.
Key takeaways
There are three main types of errors you'll encounter while coding in Python. Syntax errors
involve invalid usage of the programming language. Logic errors occur when the logic produced
in the code produces unintended results. Exceptions involve code that cannot be executed even
though it is syntactically correct. You will receive error messages for syntax errors and
exceptions that can help you fix these mistakes. Additionally, using debuggers and inserting print
statements can help you identify logic errors and further debug exceptions.

Automation: The use of technology to reduce human and manual effort to perform common and
repetitive tasks
Conditional statement: A statement that evaluates code to determine if it meets a specified set
of conditions
Debugger: A software tool that helps to locate the source of an error and assess its causes
Debugging: The practice of identifying and fixing errors in code
Exception: An error that involves code that cannot be executed even though it is syntactically
correct
Function: A section of code that can be reused in a program
Integrated development environment (IDE): A software application for writing code that
provides editing assistance and error correction tools
Iterative statement: Code that repeatedly executes a set of instructions
Log: A record of events that occur within an organization's systems
Logic error: An error that results when the logic used in code produces unintended results
Parsing: The process of converting data into a more readable format
Syntax error: An error that involves invalid usage of a programming language
Variable: A container that stores data
Data and asset classification

Protecting an organization’s business operations and assets from security threats, risks, and
vulnerabilities is important. You previously learned what it means to have a security mindset. That
mindset can help you identify and reduce security risks and potential incidents.
In this reading, you will learn about key data classification types and the difference between the low-
level and high-level assets of an organization.
Classifying for safety

Security professionals classify data types to help them properly protect an organization from cyber
attacks that negatively impact business operations. Here is a review of the most common data types:
 Public data
 Private data
 Sensitive data
 Confidential data
Public data
This data classification does not need extra security protections. Public data is already accessible to
the public and poses a minimal risk to the organization if viewed or shared by others. Although this
data is open to the public, it still needs to be protected from security attacks. Examples of public data
include press releases, job descriptions, and marketing materials.
Private data
This data classification type has a higher security level. Private data is information that should be
kept from the public. If an individual gains unauthorized access to private data, that event has the
potential to pose a serious risk to an organization.
Examples of private data can include company email addresses, employee identification numbers,
and an organization’s research data.
Sensitive data
This information must be protected from everyone who does not have authorized access.
Unauthorized access to sensitive data can cause significant damage to an organization’s finances
and reputation.
Sensitive data includes personally identifiable information (PII), sensitive personally identifiable
information (SPII), and protected health information (PHI). Examples of these types of sensitive data
are banking account numbers, usernames and passwords, social security numbers (which U.S.
citizens use to report their wages to the government), passwords, passport numbers, and medical
information.
Confidential data
This data classification type is important for an organization’s ongoing business
operations. Confidential data often has limits on the number of people who have access to it. Access
to confidential data sometimes involves the signing of non-disclosure agreements (NDAs)— legal
contracts that bind two or more parties to protect information—to further protect the confidentiality of
the data.
Examples of confidential data include proprietary information such as trade secrets, financial
records, and sensitive government data.
Asset classification
Asset classification means labeling assets based on sensitivity and importance to an organization.
The classification of an organization's assets ranges from low- to high-level.
Public data is a low-level asset. It is readily available to the public and will not have a negative
impact on an organization if compromised. Sensitive data and confidential data are high-level
assets. They can have a significantly negative impact on an organization if leaked publicly. That
negative impact can lead to the loss of a company’s competitive edge, reputation, and customer
trust. A company’s website address is an example of a low-level asset. An internal email from that
company discussing trade secrets is an example of a high-level asset.
Key takeaways
Every company has their own data classification policy that identifies what type of data is in each
category. It will be important to your success as a security professional to familiarize yourself with
that policy. Understanding different data and asset classification types is important. It helps you
prioritize what data needs to be protected most. It also helps you recognize what assets need higher
levels of security and what assets need minimal security.
Disaster recovery and business continuity

The role of a security professional is to ensure a company’s data and assets are protected from
threats, risks, and vulnerabilities. However, sometimes things don’t go as planned. There are times
when security incidents happen. You’ve already learned that security breaches can lead to financial
consequences and the loss of credibility with customers or other businesses in the industry.
This reading will discuss the need to create business continuity and disaster recovery plans to
minimize the impact of a security incident on an organization’s business operations. Analysts need
to consider the sequence of steps to be taken by the security team before business continuity and
disaster recovery plans are implemented.
Identify and protect

Creating business continuity and disaster recovery plans are the final steps of a four-part process
that most security teams go through to help ensure the security of an organization.
First, the security team identifies the assets that must be protected in the organization. Next, they
determine what potential threats could negatively impact those assets. After the threats have been
determined, the security team implements tools and processes to detect potential threats to assets.
Lastly, the IT or appropriate business function creates the business continuity and disaster recovery
plans. These plans are created in conjunction with one another. The plans help to minimize the
impact of a security incident involving one of the organization’s assets.
Business continuity plan

The impact of successful security attacks on an organization can be significant. Loss of profits and
customers are two possible outcomes that organizations never want to happen. A business continuity
plan is a document that outlines the procedures to sustain business operations during and after a
significant disruption. It is created alongside a disaster recovery plan to minimize the damage of a
successful security attack. Here are four essential steps for business continuity plans:
 Conduct a business impact analysis. The business impact analysis step focuses on the
possible effects a disruption of business functions can have on an organization.
 Identify, document, and implement steps to recover critical business functions and processes.
This step helps the business continuity team create actionable steps toward responding to a
security event.
 Organize a business continuity team. This step brings various members of the organization
together to help execute the business continuity plan, if it is needed. The members of this
team are typically from the cybersecurity, IT, HR, communications, and operations
departments.
 Conduct training for the business continuity team. The team considers different risk scenarios
and prepares for security threats during these training exercises.
Disaster recovery plan

A disaster recovery plan allows an organization’s security team to outline the steps needed to
minimize the impact of a security incident, such as a successful ransomware attack that has stopped
the manufacturing team from retrieving certain data. It also helps the security team resolve the
security threat. A disaster recovery plan is typically created alongside a business continuity plan.
Steps to create a disaster recovery plan should include:
 Implementing recovery strategies to restore software
 Implementing recovery strategies to restore hardware functionality
 Identifying applications and data that might be impacted after a security incident has taken
place
Key takeaways
Disaster recovery and business continuity plans are important for an organization’s security posture.
It’s essential that the security team has plans in place to keep the organization’s business operations
moving forward in case a security incident does occur.
Meet Juliana Soto, who recently completed an online cybersecurity certificate program and was
hired as a cybersecurity analyst for Right-On-Time Payment Solutions, a fictional payment
processing company allowing individuals to transfer money to friends and family. Right-On-
Time also allows companies to accept payments from customers or organizations.
In this reading, you will begin a three-part journey that follows Juliana as she takes on new roles
and responsibilities within the cybersecurity team of her new company.
Juliana decides that one of her first objectives is to gain a better understanding of the most
important assets to the company by reviewing various company reading materials that will help
her learn what is most valuable to them. On her first day, she is given reading materials to help
her familiarize herself with the company. She learns that customers must create unique
usernames and passwords and provide their full name or company name to sign up for the
service as an individual. Business customers can also sign up for the service if they provide their
employee identification number (EIN). Finally, customers must enter their bank account
information or debit card number for payments to be accepted.
Juliana discovers that this company handles a lot of personally identifiable information (PII)
from its customers. This kind of information is considered sensitive data. Unauthorized access to
it can lead to significant damage to the organization’s finances, its customers, and its reputation.
Juliana realizes that the most important asset to this company is customer data.
After finishing the required onboarding materials, she decides to put together an information
lifecycle strategy. She learned about this when completing her online cybersecurity certificate
program.
Information lifecycle strategy

Juliana recalls the following steps of the information lifecycle:
 The first step in the information lifecycle is to identify the important assets to the
company, including sensitive customer information such as PII, financial information,
social security numbers, and EINs.
 The second step is to assess the security measures in place to protect the identified assets
and review the company’s information security policies. There are different components
to this step, ranging from vulnerability scanning to reviewing processes and procedures
that are already in place. Juliana is new to the company and might not be ready to
conduct vulnerability scans.
 The third step of the information lifecycle is to protect the identified assets of the
organization. Once again, this is only Juliana’s first day on the job. She asks her
supervisor if she can observe a more senior security analyst for a day. This will give her
the opportunity to learn how the security team monitors the company’s systems and
network.
 The last step of the security lifecycle is to monitor the security processes that have been
implemented to protect the organization’s assets. She contacts her supervisor and gives
them a detailed report of what she has learned on her first day. She requests to finish her
day by monitoring a few of the systems that are in place. Her supervisor is impressed
with her initiative and prepares Juliana to monitor the security systems. What a great first
day for Juliana!
Key takeaways
Identifying the important assets of a company is a key security analyst responsibility. Once you
identify the assets, it can be helpful to follow the information lifecycle strategy to help ensure
those assets are being protected effectively. Reviewing a company’s security policies will also
help an analyst understand what is important to the company and how the analyst should be
protecting that data.

Business continuity plan (BCP): A document that outlines the procedures to sustain business
operations during and after a significant disruption
Confidential data: Data that often has limits on the number of people who have access to it
Disaster recovery plan: A plan that allows an organization’s security team to outline the steps
needed to minimize the impact of a security incident
Private data: Information that should be kept from the public

Public data: Data that is already accessible to the public and poses a minimal risk to the
organization if viewed or shared by others
Security mindset: The ability to evaluate risk and constantly seek out and identify the potential
or actual breach of a system, application, or data
Sensitive data: A type of data that includes personally identifiable information (PII), sensitive
personally identifiable information (SPII), and protected health information (PHI)
Escalate with a purpose

You previously learned about security incident escalation and the skills needed to help you
escalate incidents. In this reading, you’ll learn the importance of escalating security issues and
the potential impact of failing to escalate an issue.
Incident escalation
Security incident escalation is the process of identifying a potential security incident. During this
process, potential incidents are transferred to a more experienced department or team member.
As a security analyst, you’ll be expected to recognize potential issues, such as when an employee
excessively enters the wrong credentials to their account, and report it to the appropriate person.
When you join a new organization, you’ll learn about the specific processes and procedures for
escalating incidents.
Notification of breaches
Many countries have breach notification laws, so it's important to familiarize yourself with the
laws applicable in the area your company is operating in. Breach notification laws require
companies and government entities to notify individuals of security breaches involving
personally identifiable information (PII). PII includes personal identification numbers (e.g.,
Social Security numbers, driver’s license numbers, etc.), medical records, addresses, and other
sensitive customer information. As an entry-level security analyst, you’ll need to be aware of
various security laws, especially because they are regularly updated.
Low-level security issues
Low-level security issues are security risks that do not result in the exposure of PII. These issues
can include the following and other risks:
 An employee having one failed login attempt on their account
 An employee downloading unapproved software onto their work laptop
These issues are not significant security challenges, but they must be investigated further in case
they need to be escalated. An employee typing in a password two to three times might not be of
concern. But if that employee types in a password 15 times within 30 minutes, there might be an
issue that needs to be escalated. What if the multiple failed login attempts were a malicious actor
attempting to compromise an employee’s account? What if an employee downloads an internet
game or software on their work laptop that is infected with malware? You previously learned
that malware is software designed to harm devices or networks. If malware is downloaded onto
an organization’s network, it can lead to financial loss and even loss of reputation with the
organization’s customers. While low-level security issues are not considered significant security
threats, they should still be investigated to ensure they result in minimal impact to the
organization.
The escalation process

Every company has different protocols and procedures, including unique escalation policies.
These policies detail who should be notified when a security alert is received and who should be
contacted if the first responder is not available. The policy will also determine how someone
should specifically escalate an incident, whether it’s via the IT desk, an incident management
tool, or direct communication between security team members.
Key takeaways
Incident escalation is essential for protecting an organization’s data. Every organization might
have a different way of escalating security incidents. A security analyst should be aware of the
escalation protocols that are in place at their organization. Both small and large security issues
should be escalated to the appropriate team or team member.
Escalation timing
You previously learned about the potential impact even the smallest incident can have on an
organization if the incident is not escalated properly. You also discovered just how important your
role as an entry-level analyst will be to the effectiveness of an organization’s escalation process.
This reading will go into more detail about the role you’ll play in protecting an organization’s data and
assets when it comes to escalating incidents.
Your decisions matter

Security is a fast-paced environment with bad actors constantly trying to compromise an
organization’s systems and data. This means security analysts must be prepared to make daily
decisions to help keep a company’s data and systems safe. Entry-level security analysts help the
security team escalate potential security incidents to the right team members. A big part of your role
as a security analyst will be making decisions about which security events to escalate before they
become major security incidents.
Trust your instincts and ask questions

Confidence is an important attribute for a security analyst to have, especially when it comes to the
escalation process. The security team will depend on you to be confident in your decision-making.
You should be intentional about learning the organization’s escalation policy. This will help you gain
confidence in making the right decisions when it comes to escalating security events. But remember
to ask questions when necessary. It shows that you’re committed to constantly learning the right way
to do your job.
All security events are not equal

An important part of escalation is recognizing which assets and data are the most important for your
organization. You can determine this information by reading through your onboarding materials,
asking your supervisor directly about which assets and data are most important, and reviewing your
company’s security policies. When you have that type of understanding, it allows you to recognize
when one incident should be given a higher priority over others. You previously learned about the
following incident classification types:
 Malware infections: Occur when malicious software designed to disrupt a system infiltrates
an organization’s computers or network
 Unauthorized access: Occurs when an individual gains digital or physical access to a system,
data, or application without permission
 Improper usage: Occurs when an employee of an organization violates the organization’s

acceptable use policies
Identifying a specific incident type allows you to properly prioritize and quickly escalate those
incidents. Remember, an incident which directly impacts assets that are essential to business
operations should always take priority over incidents that do not directly impact business operations.
For example, an incident where unauthorized access has been gained to a manufacturing
application should take priority over an incident where malware has infected a legacy system that
does not impact business operations. As you gain experience in the cybersecurity field, you will learn
how to quickly assess the priority levels of incident types.
Quick escalation tips
A big part of your role in cybersecurity will be determining when to escalate a security event. Here
are a few tips to help with this:
 Familiarize yourself with the escalation policy of the organization you work for.
 Follow the policy at all times.
 Ask questions.
Key takeaways
Incident escalation will be an important part of your role within a security team. Entry-level analysts
are expected to identify and escalate incidents related to their daily work. Reading and
understanding your organization’s escalation policy will be helpful in this responsibility. The
escalation policy will describe how and to whom you should escalate incidents. When in doubt,
never be afraid to ask a supervisor about the escalation process. This will help you stay
knowledgeable about your job and make informed decisions.
-----------=======
Data controller: A person that determines the procedure and purpose for processing data
Data processor: A person that is responsible for processing data on behalf of the data controller
Data protection officer (DPO): An individual that is responsible for monitoring the compliance
of an organization's data protection procedures
Escalation policy: A set of actions that outlines who should be notified when an incident alert
occurs and how that incident should be handled
Improper usage: An incident type that occurs when an employee of an organization violates the
organization’s acceptable use policies
Incident escalation: The process of identifying a potential security incident, triaging it, and
handing it off to a more experienced team member
Malware infection: An incident type that occurs when malicious software designed to disrupt a
system infiltrates an organization’s computers or network
Unauthorized access: An incident type that occurs when an individual gains digital or physical
access to a system or an application without permission
The purpose and impact of stakeholders

You previously learned about incident escalation and the various security incident classification
types. You also learned about the impact these incidents can have on an organization’s business
operations.
This reading will explore the individuals who have a significant interest in those business operations:
stakeholders.
Who are stakeholders?

A stakeholder is defined as an individual or group that has an interest in any decision or activity of an
organization. A big part of what you’ll do as a security analyst is report your findings to various
security stakeholders.
Levels of stakeholders
There are many levels of stakeholders within larger organizations. As an entry-level analyst, you
might only communicate directly with a few of them. Although you might not communicate with all of
the security stakeholders in an organization, it’s important to have an understanding of who key
stakeholders are:
 A cybersecurity risk manager is a professional responsible for leading efforts to identify,

assess, and mitigate security risks within an organization.
 A Chief Executive Officer, also known as the CEO, is the highest ranking person in an
organization. You are unlikely to communicate directly with this stakeholder as an entry-level
analyst.
 A Chief Financial Officer, also known as the CFO, is another high-level stakeholder that
you’re unlikely to communicate with directly.
 A Chief Information Security Officer, also known as the CISO, is the highest level of security
stakeholder. You are also unlikely to communicate directly with this stakeholder as an entry-
level analyst.
 An operations manager oversees the day-to-day security operations. These individuals lead
teams related to the development and implementation of security strategies that protect an
organization from cyber threats.
CFOs and CISOs are focused on the big picture, like the potential financial burden of a security
incident, whereas other roles like operations managers are more focused on the impact on day-to-
day operations. Although you will rarely interact directly with high-level security stakeholders, it’s still
important to recognize their relevance.
Stakeholder communications for entry-level analysts

Two examples of security stakeholders with whom you might regularly communicate are operations
managers and risk managers. When you report to these stakeholders, you'll need to clearly
communicate the current security issue and its possible causes. The operations managers will then
determine next steps and coordinate other team members to remediate or resolve the issue.
For example, you might report multiple failed login attempts by an employee to your operations
manager. This stakeholder might contact the employee’s supervisor to ensure the occurrence is a
genuine issue of entering the wrong password or determine if the account has been compromised.
The stakeholder and supervisor might also need to discuss the consequences for day-to-day
operations if genuine failed login attempts can lead to account lockouts that might impact business
operations. As an entry-level security analyst, you might play a role in implementing preventative
measures once next steps have been determined.
From one stakeholder to the next

Operations managers and risk managers are stakeholders who rely on entry-level analysts and other
team members to keep them informed of security events in day-to-day operations. These
stakeholders commonly report back to the CISOs and CFOs to give a broader narrative of the
organization's overall security picture. Although you won't regularly communicate with high-level
stakeholders, it's important to recognize that your efforts still reach the highest levels of security
stakeholders in the organization. These other members of your team keep those top-level
stakeholders informed on the security measures and protocols in place that are continuously helping
to protect the organization.
Key takeaways
Stakeholders play a major role in ensuring the security of an organization. Entry-level analysts
should have a foundational understanding of the different levels of security stakeholders within an
organization. Entry-level analysts will not communicate with every security stakeholder in a
company, but there are certain stakeholders that the analyst will need to provide updates to. Those
updates will eventually be reported up to the more senior-level stakeholders, such as the CISO and
the CFO.
Communicate effectively with stakeholders

You previously learned about security stakeholders and their significance in an organization. In this
reading, you’ll learn the importance of clearly communicating to stakeholders to ensure they have a
thorough understanding of the information you’re sharing and why it’s meaningful to the
organization.
Get to the point

Security stakeholders have roles and responsibilities that are time sensitive and impact the
business. It’s important that any communications they receive, and the actions they need to take, are
clear. To get to the point in your communications, ask yourself:
 What do I want this person to know?
 Why is it important for them to know it?
 When do they need to take action?
 How do I explain the situation in a nontechnical manner?
Follow the protocols

When you first join a security team, you’ll want to learn about the different protocols and procedures
in place for communicating with stakeholders and other members of the organization. It’s important
to make sure you know what applications and forms of communications are acceptable before you
begin communicating with stakeholders, such as in-person meetings, video-conferencing, emails, or
company chat applications.
Communicate with impact

You previously learned about the different stakeholders within an organization and what specific
areas they’re focused on. When you first begin your career in the cybersecurity field, you're more
likely to interact with lower-level stakeholders, like operations managers or security risk managers,
who are interested in the day-to-day operations, such as logging. Senior-level stakeholders might be
more interested in the underlying risks, such as the potential financial burden of a security incident—
as opposed to the details around logs.
When you communicate with an operations manager, make sure you address relevant information
that relates to their daily responsibilities, such as anomalies in data logs that you are escalating.
Concentrating on a manager’s daily responsibilities will help you communicate the need-to-know
information to that individual.
Communication methods
Your method of communication will vary, depending on the type of information you’re sharing.
Knowing which communication channels are appropriate for different scenarios is a great skill to help
you communicate effectively with stakeholders. Here are a few ways you might choose to
communicate:
 Instant messaging
 Emailing
 Video calling
 Phone calls
 Sharing a spreadsheet of data
 Sharing a slideshow presentation
If your message is straightforward, an instant message or phone call might be the route to take. If
you have to describe a complex situation with multiple layers, an email or in-person meeting might
be the better option. If you’re providing a lot of data and numbers, sharing a graph might be the best
solution. Each situation helps you determine the best means of communication.
Key takeaways
Stakeholders are busy people who have very specific interests within the organization. Therefore, it’s
important to only communicate information that is specific to their interests and impacts their role in
the company.
Be mindful of the kind of information you’re communicating because that will help determine what
method of communication you should use.
Create visual dashboards for impactful cybersecurity
communications
You previously learned about security stakeholders, the people responsible for protecting the
data and systems of various departments of an organization. An entry-level analyst might
communicate directly or indirectly with these individuals. If you do end up communicating with
a stakeholder, it’s important to use the right method of communication. This reading will further
elaborate on the significance of using visual dashboards to communicate information to
stakeholders. Dashboards can include charts, graphs, and even infographics. You’ll learn more
about when to use visual communication strategies in this reading.
Using visuals to communicate effectively

Security is about protecting a company from threats that can affect its reputation and finances.
Oftentimes, responding to threats quickly and effectively depends on clear communications
between the stakeholders who are involved.
In the cybersecurity field, the stakeholders you'll deal with will often be busy with other
responsibilities. Showing them important information visually is a great way to gain their input
and support to address security challenges that arise. Visuals help provide these decision-makers
with actionable information that can help them identify potential risks to the organization's
security posture.
Visual dashboards
A visual dashboard is a way of displaying various types of data quickly in one place. Visual
dashboards are useful tools that can be used to communicate stories to stakeholders about
security events—especially when they involve numbers and data.
Dashboards can be simple or complex depending on the information you're communicating. A

simple dashboard might contain a single chart, while a complex one can include multiple
detailed charts, graphs, and tables. Deciding which type to use will depend on the situation and
story you are telling. However, attention to detail and accurately representing information is
important anytime you're communicating data to stakeholders.
Pro tip: Programs like Google Sheets and Apache OpenOffice are tools that can be used to
create visual dashboards.
When to use visual communication

Security is often a team effort. Everyone must work together to ensure an organization is
properly protected from bad actors. Knowing how to communicate with your colleagues is a big
part of the team-focused aspect.
Sometimes it’s enough to send a simple email update. Other times you might want to include a
document attachment that further elaborates on a specific topic. A simple phone call can also be
valuable because it allows you to quickly communicate the necessary information without having
to wait for a response to an email or message. Other times, the best way to communicate is
through visuals.
For example, consider a situation where your supervisor has asked you to provide them with
results from a recent internal audit of five different departments within the organization. The
audit gathered data showing how many phishing emails each department clicked over the last
five months. This is an ideal opportunity to tell this story using visualization tools. Instead of
sending an email that simply describes what the findings are, a graph or chart will clearly
illustrate those findings, making them easier for the stakeholder to understand quickly and
easily.
Key takeaways
Stakeholders, like the rest of the security team, are busy. With that in mind, be clear and concise
any time you communicate with them. This makes everyone’s job easier! It’s important to
recognize when visual dashboards are the most effective communication method. A visual
dashboard is often best to use when you’re communicating information that involves numbers
and data.
Strategies for engaging with the cybersecurity community
You have learned a lot about the security field, from the origins of security and its importance to
organizations around the world to recognizing security incidents and communicating with
stakeholders.
Security is a rapidly evolving industry, so it’s important to stay up-to-date on the latest news and
trends. This reading will focus on how to stay engaged with the cybersecurity community after
completing this program.
Security organizations and conferences

Attending security conferences and joining organizations gives you the opportunity to gain
knowledge from seasoned professionals who are constantly seeking out new ways to improve on
their security strategies and techniques.
Find the right organization
What security organization should you join? This question depends on your specific interest in
security. Are you someone who wants to focus on reacting to security incidents or preventing
them from happening? Are you interested in forensic security or data logging? Do you have
aspirations of being a CISO one day? It’s important to have a clear understanding of what your
interests are before you narrow down your search for a cybersecurity organization or
conference.
Begin the search
Once you understand what your interests are, do a web search for organizations or conferences in
your area. For example, you can type in “incident response cybersecurity conferences in my
area.” This search will give you a list of cybersecurity conferences focused on incident response.
If you’re interested in forensic security, you can type “forensic security organizations in my
area” or a similar phrase into your web search engine. No matter what your interests are, you can
do a web search online to find a cybersecurity organization or conference focused on that area.
Use social media

Social media is another great way to find cybersecurity organizations or conferences. LinkedIn®,
for example, is a social media platform that connects business professionals with one another.
You can use LinkedIn® to find security groups or organizations to join. In the LinkedIn® search
bar, you can try search queries such as:
 “Incident response cybersecurity groups”
 “Organizations for cybersecurity analysts”
Be aware of social engineering

While social media is a good way to connect with other professionals in the security industry, it’s
also important to be mindful that hackers use social media to trick users into giving up private
information. You've previously learned that social engineering is a manipulation technique that
exploits human error to gain private information, access, or valuables. To protect yourself from
social engineering when using social media to find resources, always remember not to click on
unexpected links or attachments sent from unfamiliar users on social media.
Mailing lists for security

Another great way to stay connected with the security industry is to sign up for different
cybersecurity mailing lists. These mailing lists send out information periodically on various
security topics. The Cybersecurity & Infrastructure Security Agency (CISA) offers two
cybersecurity mailing lists for you to join:
 A list focused on security threat information, best practices for cybersecurity, and
analysis from CISA’s domestic and international security partners
 A list providing weekly summaries of new vulnerabilities that might pose a risk to an
organization’s network
Key takeaways
Attackers are always developing new ways to compromise corporate and personal data from
users. Cybersecurity organizations and conferences are a great way for security professionals to
stay up-to-date on the latest news, tools, and trends in the industry. Be sure to find organizations
that align with your security interests.
Connect with other cybersecurity professionals
You’ve learned the importance of staying engaged with the cybersecurity community after
completing this certificate program. The security industry is always evolving, so it’s important
that security professionals continue to learn about the field.
This reading will focus on providing more tips to help you stay engaged with the security
community and advance your career by engaging with the cybersecurity community.
LinkedIn® with CISOs

Earlier in the program, you learned about Chief Information Security Officers, also known as
CISOs. It’s their job to be up-to-date on every aspect of security, including all of the latest
trends and news in the security world. With this in mind, it’s a great idea to follow CISOs on
LinkedIn® professional networking services. When you follow a CISO on social media, you’ll
have an opportunity to discover the kinds of information they share with their audience. That
information might provide you with useful tips and relevant news. Staying informed about
security news and trends can help progress your cybersecurity career because it helps sharpen
your security mindset.
Finding other security professionals on LinkedIn®

Whether you’d like to connect with other entry-level analysts or more seasoned professionals,
LinkedIn® is a great way to connect with others. When connecting with others, it’s important to
send a well-written message. This message can help the person understand your intentions. It
also helps people determine that you’re not a scammer looking to exploit them. Here are a few
tips to help you write your first message in a way that engages and interests the recipient:
 Use a conversational tone.
 Provide a clear reason for wanting to connect.
 Avoid spelling and grammatical errors.
Here is an example of an effective LinkedIn® message to send to a security professional:
“Hi, Tim. I recently completed the Google Cybersecurity Certificate program, and I’d like to
connect with other security professionals. It seems like you have a lot of experience in the
security industry that I can learn from. Let’s keep in touch!”
This example provides a clear reason for why you want to connect with this person and is
presented in a conversational tone. You also did not give the impression that you are a scammer
by asking the person to do something suspicious to connect with you, like downloading an
unusual file attachment.
Key takeaways
Attackers are always developing new ways to compromise corporate and personal data.
Connecting with other cybersecurity professionals on social media is a great way to stay ahead of
the latest trends in security. CISOs are great professionals to connect with because they are
responsible for all aspects of an organization's security. Because of that, CISOs tend to share
important security tips, news, and trends on their social media pages that could be valuable to
you as a newcomer to industry.
Tips for finding and applying for a job

As you learned previously, connecting with security professionals on social media and joining
different cybersecurity conferences and organizations are two ways to use your network to find
job opportunities. You were also introduced to a few online resources to help you find jobs in the
security field. In this reading, you’ll learn about specific sites and resources you can use to apply
for jobs.
ZipRecruiter
ZipRecruiter is a popular website for job seekers and employers worldwide; the website helps
connect job seekers with available roles in their industry. When you enter the site, you’re asked
to fill out specific geographical and work preference questions to help ZipRecruiter match you
with opportunities in your field. Then you can upload your resume on the platform and search for
jobs in your industry. Employers can reach out to you directly, too, based on your profile and
responses.
Indeed
Indeed is another popular website that helps connect job seekers with available roles in their
industry. When you first enter the site, search for jobs using the job title, a keyword, or a
company that you’re interested in working at. Then, specify your preferred job location. You can
also upload your resume on Indeed, which allows recruiters to reach out to you if your resume is
a match for a job opportunity.
Monster®
Monster is a frequently used website in both the United States and internationally that helps
connect job seekers with available roles in their industry. Similar to the other job search sites,
search for a role using the job title, keyword, or company you’re interested in working at, as well
as your preferred working location. If you upload your resume to Monster, recruiters might reach
out to you if your resume is a match for a job opportunity.
LinkedIn®
LinkedIn® professional services is a social networking site where you can also find jobs in the
cybersecurity field. When you first enter LinkedIn®, click on the “jobs” tab. From here, enter the
location where you’d want to work and the particular job title that you’d be interested in.
LinkedIn is also a great way to learn about a company's culture, values, and even community
initiatives. This can help you determine if the company is the right fit for you.
Key takeaways
Building a network of security professionals, viewing and applying for jobs on various sites, and
using professional networking applications like LinkedIn are great ways to find a job in the
cybersecurity profession. So, use all of these resources to your advantage
The interview process

You previously learned how to create a resume and cover letter to apply for security jobs. In this
reading, you’ll concentrate on how to prepare for the interview process. Although the interview
process can vary widely from one company to another, most companies follow the steps described
in this reading.
Getting contacted by a recruiter

After you apply for a job, you might receive a call, an email, or a message from a recruiter
expressing interest in your application and asking to schedule a call or meeting. Reply as soon as
possible to show that you’re responsive and interested in the position.
Preliminary interview or phone screening

In most cases, the first step in the interview process is a preliminary interview, sometimes referred to
as a phone screening. This usually involves a conversation with a recruiter over the phone, in
person, or on a video call.
The preliminary interview is typically shorter than a regular interview. The recruiter will share
information about the company and the job opening. Then they’ll ask you questions to get to know
you and your work experience better. The recruiter will also provide time for you to ask questions
about the role and the company, so be sure to prepare a few questions before the interview. For
example, you might ask: “What is the work culture like at the company?” or “What will my average
day be like in this role?” Asking questions helps demonstrate your interest and will help you
determine whether the job will be a good fit for you.
After the interview, send a thank-you email to the recruiter within 24 hours. Express your gratitude
for their time and briefly restate why you would be a good fit for the position.
Additional interviews
Once you’ve passed the preliminary interview, you might be invited for multiple additional interviews.
These interviews are typically with the hiring manager. You might also meet with other individuals on
the team and be required to go through a technical interview. You’ll learn more about technical
interviews in a later reading.
This interview is often longer than the preliminary interview. It could be in person, over the phone, or
on a video call.
The interview usually opens with introductions and a brief description of the company and job
position. Then, the interviewer will ask you questions about your background, skills, and experience.
Next, you’ll have an opportunity to ask questions about the company, the role, and job expectations.
Finally, you’ll learn about next steps in the hiring process.
There might be multiple rounds of interviews, depending on how the company’s interview process
works. These additional interviews could be longer, include future teammates or other employees at
the company, and feature questions that take more time and thought to answer.
As with the preliminary interview, send a thank-you note to the people you interviewed with after
each round of interviews.
Final offer
Now comes the exciting part: Receiving a job offer. The company might reach out to you by phone
or email. After the company extends their initial offer, you’ll need to decide whether or not to accept it
or negotiate for a higher salary or other benefits. Feel free to ask for a day or two to make your
decision.
Building perseverance
If the company lets you know that you didn’t get the job, take a moment to process your emotions. If
you’d like, you can let the company know that you appreciate the opportunity to be considered and
that you’d be interested in any future roles that might be a good fit. You can also ask for feedback on
what you could do better next time.
Key takeaways
Interviews are a great opportunity to learn more about a job and the company you’d be working for.
By preparing for the interview process and continuing to persevere in your job search, you’ll be well
on your way to building a career in cybersecurity.
Apply the STAR method during interviews
You’ve been learning about different techniques and strategies to use during future interviews for
jobs in the cybersecurity field. In this reading, you’ll learn more details about the STAR method for
answering interview questions. Implementing this strategy will help you answer interview questions
with confidence and clarity.
The STAR method
When interviewing for a job, it can be challenging to convey the right details about your professional
history and skills to your interviewers. Using the STAR method can help you share your success
stories effectively and strategically. STAR stands for Situation, Task, Action, and Result. Using this
method enables you to describe potential challenges you faced in previous roles and gives you the
opportunity to show how you thoughtfully approached solving those problems from start to finish.
Situation
The situation is the project you worked on or a challenge that you had to overcome. For example,
perhaps you had to manage a disgruntled customer’s negative feedback about your company, a
system error on your work device that slowed down a customer transaction, or being left alone in the
office for an extended period of time. Fully describing the situation allows the interviewer to gain a
clear understanding of the challenge you had to overcome.
Task
The task outlines the key responsibilities or role you played in solving the challenge described in the
situation phase of the STAR method. Specifying what the task is provides clarity about what your
objectives were in this scenario.
Action
The action describes the exact steps you took to resolve the challenging situation you described in
the beginning of the STAR method. The action is crucial to the STAR method because it allows the
employer to understand what choices you made to achieve your desired outcome during a real
conflict or challenge. Employers want employees who can think fast and make decisions that help
solve problems.
Result
Finally, sharing the result of your challenge or example shows the employers how the situation was
resolved as a direct result of the actions you took. When participating in an interview, you want to
make sure that any example you give with the STAR method ends in a positive result. Positive
results show an employer that you are someone who has demonstrated an ability to successfully
resolve issues and may lead an employer to offer you a job. Of course, not all situations have
completely positive outcomes; if an employer asks you about a situation that didn’t have a positive
outcome, try to focus on what you learned from the situation and how that experience helped you
become a better employee.
Key takeaways
The STAR method stands for Situation, Task, Action, and Result. Following this method helps you
communicate to an employer an example of a challenge you faced in the workplace. Remember to
use one of your success stories when using the STAR method on an interview. Challenges arise all
the time in the security world, so being able to demonstrate an ability to overcome any type of
challenge is a great trait to show off during an interview. Plus, since cybersecurity is such a team-
driven industry, being able to communicate effectively to an interviewer will help you be a
competitive applicant.
ss

Google Cybersecurity Coursera Study Materials Notes

Uploaded by

Copyright:

Available Formats

Google Cybersecurity Coursera Study Materials Notes

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Google Cybersecurity Coursera Study Materials Notes

Uploaded by

Copyright:

Available Formats

Determine the type of attack

Social engineering attack

 Malicious USB cable

Physical attacks fall under the asset security domain.

Adversarial artificial intelligence

Threat actor types

New and unskilled threat actors have various goals, including:

 To learn and enhance their hacking skills

Glossary terms from module 2

Malware: Software designed to harm devices or networks

Physical social engineering: An attack in which a threat actor impersonates an employee,

Virus: refer to “computer virus”

Vishing: The exploitation of electronic voice communication to obtain sensitive information or

How controls, frameworks, and compliance are related

1. Identifying and documenting security goals

Specific controls, frameworks, and compliance

The Federal Energy Regulatory Commission - North American Electric

The Federal Risk and Authorization Management Program (FedRAMP®)

Center for Internet Security (CIS®)

General Data Protection Regulation (GDPR)

The Health Insurance Portability and Accountability Act (HIPAA)

International Organization for Standardization (ISO)

System and Organizations Controls (SOC type 1, SOC type 2)

Ethical concepts that guide

Ethical concerns and laws related to counterattacks

International standpoint on counterattacks

Ethical principles and methodologies

Glossary terms from module 3

Hacktivist: A person who uses hacking to achieve a political goal

Security controls: Safeguards designed to reduce specific security risks

Security ethics: Guidelines for making appropriate decisions as a security professional

Use tools to protect business operations

Tools and their purposes

Intrusion detection system

Glossary terms from module 4

Database: An organized collection of information or data

Data point: A specific piece of information

Linux: An open-source operating system

Log: A record of events that occur within an organization’s systems

Manage common threats, risks, and

 Social Security Numbers (SSNs), or unique national identification numbers assigned to

Examples of physical assets include:

Some common strategies used to manage risks include:

 Acceptance: Accepting a risk to avoid disrupting business continuity

Additionally, organizations implement risk management processes based on widely accepted

Today’s most common threats, risks, and

 ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server.

The relationship between frameworks

Frameworks and controls

Cyber Threat Framework (CTF)

International Organization for Standardization/International Electrotechnical

Examples of physical controls:

 Gates, fences, and locks

Examples of technical controls:

Examples of administrative controls:

Use the CIA triad to protect

The CIA triad for analysts

Additional OWASP security principles

Establish secure defaults

Avoid security by obscurity