Introduction to the Security Field

Name: Cybersecurity Assets, Network Threats & Vulnerabilities | Google Cybersecurity Certificate
Uploaded: 2026-02-23T13:35:22.243001+00:00
Channel: Google Career Certificates
Description: Summary and key takeaways on Introduction to the Security Field, covering to the Security Field Introduction to the Security Field Da’Queshia opens the course

Google Career Certificates

Feb 23, 2026

•

10 min read

YouTube video ID: Rgl7C0P6NsE

Source: YouTube video by Google Career Certificates — Watch original video

PDF

Introduction to the Security Field

Da’Queshia opens the course by challenging common images of security—dark rooms of analysts, lab technicians, or guards at doors. All of those roles belong to the wide world of security, a field that protects people, processes, and technology.

She introduces herself as a security engineer at Google, working on Gmail security: developing new features, fixing vulnerabilities, and collaborating with a diverse team that brings many backgrounds to the table.

1. The Building Blocks of Security

Security programs are built on three inter‑related pillars:

People – the individuals who design, implement, and operate security controls.
Processes – the policies, standards, and procedures that guide actions.
Technology (Tools) – the software and hardware that enforce protection.

Understanding how these pillars interact is the foundation of the entire course.

2. Asset Security

2.1 What Is an Asset?

An asset is anything of value to an organization. Examples include:

Physical items: buildings, doors, windows, equipment.
Digital items: data, applications, intellectual property.
People: employees, customers, partners.

2.2 Asset Inventory & Classification

Asset inventory – a catalog of every asset that must be protected.
Asset classification – labeling assets by sensitivity:

Classification	Typical Use
Public	Shareable with anyone.
Internal‑only	Shared within the organization only.
Confidential	Limited to specific projects or teams.
Restricted	Highly sensitive, need‑to‑know (e.g., health or payment data).

Classification determines whether an asset can be disclosed, altered, or destroyed.

2.3 Prioritizing Protection

Because resources are limited, security teams prioritize assets based on risk (the likelihood that a threat will exploit a vulnerability) and the asset’s importance to the organization.

3. Understanding Threats, Vulnerabilities, and Risk

Threat – any circumstance or event that can negatively impact an asset (e.g., burglars, storms, accidental damage).
Vulnerability – a weakness that can be exploited by a threat (e.g., a weak lock, cracked wood).
Risk – the potential impact on confidentiality, integrity, or availability (the CIA triad) when a threat exploits a vulnerability.

Security planning always starts with analyzing assets, threats, and vulnerabilities—the “what, why, and how” of security.

4. Data as a Critical Asset

4.1 The Three States of Data

State	Description	Example
Data in Use	Actively accessed by users or processes.	Reading email on a laptop.
Data in Transit	Moving between two points.	Sending a reply email.
Data at Rest	Stored but not currently accessed.	Email saved on a laptop’s hard drive.

4.2 Information Security (InfoSec)

Protecting data in all three states is essential to prevent identity theft, financial loss, and reputational damage.

5. Security Plans: Policies, Standards, and Procedures

Element	Role
Policy	High‑level rules that define what must be protected and why (e.g., Acceptable Use Policy).
Standard	Tactical references that specify how protection is measured (e.g., password length requirements).
Procedure	Step‑by‑step instructions for specific tasks (e.g., how to reset a password).

These three elements together communicate the security plan across the organization.

6. Compliance and the NIST Cybersecurity Framework (CSF)

Compliance – adhering to internal standards and external regulations (e.g., health, finance, energy).
NIST CSF – a voluntary framework consisting of:
Core Functions – Identify, Protect, Detect, Respond, Recover.
Tiers – Levels 1‑4 (Passive → Adaptive) that gauge performance of each function.
Profiles – Snapshots of an organization’s current and target states.

The CSF helps organizations manage cybersecurity risk and demonstrate a commitment to protecting customers and brand reputation.

7. Security Controls

7.1 Types of Controls

Category	Description	Examples
Technical	Technology that enforces protection.	Encryption, authentication systems.
Operational	Day‑to‑day activities.	Security awareness training, incident response.
Managerial	Governance and oversight.	Policies, standards, procedures.

7.2 Privacy Controls & the Principle of Least Privilege

Limit access to data based on need‑to‑know.
Distinguish data owners (decide who can access) from data custodians (handle storage and transport).

7.3 Cryptography Basics

Encryption – transforms plaintext into unreadable ciphertext; requires a cipher and a key.
Caesar Cipher – historic shift cipher; vulnerable to brute‑force attacks and single‑key compromise.
Modern Encryption – uses asymmetric (public/private key pair) and symmetric (single secret key) methods.

7.4 Public Key Infrastructure (PKI)

Asymmetric encryption establishes a secure channel (public key for encryption, private key for decryption).
Digital certificates issued by a trusted Certificate Authority (CA) bind a public key to an entity’s identity, solving the trust problem.

7.5 Hash Functions

One‑way algorithms (e.g., SHA‑256) generate a unique hash value for a file.
Used to verify integrity: any change to the file produces a different hash.

7.6 Access Controls (AAA Framework)

Component	Purpose
Authentication	Verifies who you are (knowledge, ownership, characteristic).
Authorization	Determines what you are allowed to do (least privilege, separation of duties).
Accounting	Logs what you did (session IDs, cookies, audit trails).

Single Sign‑On (SSO) reduces login friction but must be combined with Multi‑Factor Authentication (MFA) for security.
Session hijacking occurs when an attacker steals a valid session token; monitoring logs helps detect it.

8. Defense in Depth

A layered security model that mirrors a medieval castle:

Perimeter – authentication (usernames/passwords).
Network – firewalls, segmentation.
Endpoint – antivirus, host‑based protections.
Application – MFA, secure coding.
Data – classification, encryption, access controls.

If one layer fails, the next layer still protects the asset.

9. Vulnerability Management

9.1 The Process (Four Steps)

Identify – discover vulnerabilities.
Consider Exploits – analyze how threats could use them.
Prepare Defenses – design mitigations.
Evaluate – test and refine defenses.

The cycle repeats continuously because new vulnerabilities (including zero‑day exploits) appear regularly.

9.2 Defense‑in‑Depth Applied to Vulnerabilities

Layers of controls reduce the chance that a single flaw leads to compromise.

9.3 Public Vulnerability Libraries

CVE (Common Vulnerabilities and Exposures) – standardized IDs for known flaws.
CVE Numbering Authority (CNA) reviews submissions against four criteria before assigning an ID.
NIST National Vulnerability Database provides CVSS (Common Vulnerability Scoring System) scores (0‑10) to prioritize patching.

9.4 Vulnerability Assessment Steps

Identification – scanning tools & manual testing.
Analysis – confirm and understand each finding.
Risk Assessment – assign severity based on impact and likelihood.
Remediation – apply patches, change configurations, or implement new controls.

10. Attack Surfaces & Vectors

10.1 Physical vs. Digital Attack Surface

Physical – devices, people, facilities (e.g., an unattended laptop in a coffee shop).
Digital – everything beyond the corporate firewall, especially cloud services.

Security hardening reduces the attack surface by limiting entry points.

10.2 Common Attack Vectors

Vector	Typical Use
Social Media	Accidental data leaks or intentional sabotage.
Removable Media (USB)	Malware delivery.
Phishing (email, smishing, vishing)	Credential theft, malware distribution.
Web‑based exploits	Injection attacks (XSS, SQLi).

11. Social Engineering & Phishing

social engineering manipulates human trust to bypass technical controls.
Stages: Preparation → Pretexting (building trust) → Persuasion → Disconnection.

Phishing kits contain:

Malicious attachments.
Fake data‑collection forms.
Fraudulent web links.

Defenses: anti‑phishing policies, employee training, email filtering, allow/block lists, intrusion‑prevention systems.

12. Malware Overview

Type	Key Characteristic
Virus	Requires user action to execute; replicates within files.
Worm	Self‑propagates across networks without user interaction.
Trojan	Disguised as legitimate software; often a delivery mechanism for other malware.
Ransomware	Encrypts data and demands payment for decryption.
Spyware	Stealthily collects sensitive information.
Cryptojacking	Uses victim’s CPU/GPU to mine cryptocurrency.

Indicators of infection: system slowdown, high CPU usage, unexpected crashes, rapid battery drain, increased electricity costs.

13. Web‑Based Exploits

13.1 Injection Attacks

Cross‑Site Scripting (XSS) – injects malicious scripts into web pages. Types: Reflected, Stored, DOM‑based.
SQL Injection – inserts malicious SQL code into database queries, often via unsanitized input fields.

Mitigations: input sanitization, prepared statements, secure coding practices, regular code reviews.

14. Threat Modeling

A structured way to anticipate and mitigate threats.

14.1 General Steps

Define Scope – inventory and classify assets.
Identify Threat Actors – internal (e.g., disgruntled employee) and external (e.g., hacker).
Create Attack Tree – map how threats could reach assets.
Characterize Environment – consider users, partners, vendors.
Analyze Threats – evaluate existing controls, assign risk scores.
Mitigate Risks – decide to avoid, transfer, reduce, or accept each risk.
Evaluate Findings – document fixes, lessons learned, and update future models.

14.2 PASTA Framework (Example)

Process for Attack Simulation and Threat Analysis.
Seven stages: Business & security objectives → Technical scope → Decomposition → Threat analysis → Vulnerability analysis → Attack modeling → Risk & impact analysis.

The example follows a fitness‑app launch, showing how each stage guides the security team to protect customer data.

15. Recap of the Course Journey

Topic	Core Takeaway
Asset Security	Identify, inventory, and classify assets; prioritize protection.
Data States	Protect data in use, in transit, and at rest.
Security Plans	Use policies, standards, and procedures to guide actions.
Compliance & NIST CSF	Align with industry frameworks to manage risk.
Controls	Apply privacy, encryption, hashing, and access controls (AAA).
Cryptography & PKI	Secure communication with asymmetric/symmetric encryption and digital certificates.
Vulnerability Management	Continuous cycle of identification, analysis, mitigation, and evaluation.
Attack Surfaces & Vectors	Understand physical and digital exposure points.
Social Engineering & Phishing	Recognize human‑focused attacks and implement awareness & technical defenses.
Malware	Identify types, signs, and basic prevention measures.
Web Exploits	Guard against XSS and SQL injection through secure coding.
Threat Modeling	Systematically anticipate attacks and design mitigations.

16. What to Do Now – Action Steps

Create an Asset Inventory – list every physical, digital, and human asset your organization relies on.
Classify Each Asset – assign Public, Internal‑only, Confidential, or Restricted labels.
Map Your Attack Surface – document both physical entry points (devices, facilities) and digital entry points (cloud services, external APIs).
Adopt the AAA Framework:
Implement MFA for all privileged accounts.
Review and tighten authorization rules (least privilege, separation of duties).
Enable audit logging for critical systems and set up alerts for anomalous activity.
Establish a Vulnerability Management Cycle – schedule regular scans, prioritize CVEs using CVSS scores, and track remediation progress.
Deploy Defense‑in‑Depth Controls – ensure you have at least one protective layer at perimeter, network, endpoint, application, and data levels.
Develop a Phishing Awareness Program – conduct simulated phishing campaigns and provide clear reporting mechanisms.
Start a Threat Modeling Initiative – pick a high‑risk system, follow the six‑step process, and document findings in an attack tree.
Align with NIST CSF – map your current security activities to Identify, Protect, Detect, Respond, and Recover; identify gaps and set improvement targets.

By completing these steps, you’ll have a concrete foundation for protecting assets, managing risk, and staying ahead of evolving threats.

Congratulations on completing the course material! Your next steps are to apply these concepts in real‑world projects, continue learning about emerging threats, and contribute your unique perspective to any security team you join.

The article emphasizes that security is a multidisciplinary effort built on people, processes, and technology, requiring a clear understanding of assets and their classification. It underscores the importance of a layered defense strategy—combining policies, standards, procedures, and technical controls—to manage risk across data states, threat vectors, and vulnerabilities. Aligning with frameworks such as NIST CSF and implementing continuous vulnerability management ensures systematic risk mitigation. Finally, proactive measures like threat modeling, phishing awareness, and a robust AAA framework empower organizations to stay ahead of evolving attacks.

Takeaways

Effective security programs rely on the integrated pillars of people, processes, and technology to protect assets.
Classifying assets by sensitivity and prioritizing them based on risk enables focused protection efforts.
A defense-in-depth approach, supported by policies, standards, procedures, and technical controls, mitigates the impact of threats and vulnerabilities.
Adopting industry frameworks such as NIST CSF and maintaining a continuous vulnerability management cycle are essential for systematic risk reduction.
Implementing the AAA framework, threat modeling, and phishing awareness programs strengthens an organization’s overall security posture.

Frequently Asked Questions

Who is Google Career Certificates on YouTube?

Google Career Certificates is a YouTube channel that publishes videos on a range of topics. Browse more summaries from this channel below.

Does this page include the full transcript of the video?

Yes, the full transcript for this video is available on this page. Click 'Show transcript' in the sidebar to read it.

2.1 What Is an Asset?

An **asset** is anything of value to an organization. Examples include: - Physical items: buildings, doors, windows, equipment. - Digital items: data, applications, intellectual property. - People: employees, customers, partners.

Helpful resources related to this video

If you want to practice or explore the concepts discussed in the video, these commonly used tools may help.

Nist Cybersecurity Framework Guide Book Recommended

Provides detailed guidance on implementing NIST CSF to manage risk, helping organizations align security practices with current standards

Amazon →

Comptia Security+ Study Guide (Physical Book)

Covers foundational security concepts, including asset management and defense in depth, supporting learners in building a solid security knowledge base

Amazon →

Kali Linux Revealed: Mastering The Penetration Testing Distribution

Offers hands‑on techniques for vulnerability assessment and penetration testing, enabling practitioners to apply practical security testing skills today

Amazon →

Links may be affiliate links. We only include resources that are genuinely relevant to the topic.

Summarize another video

Full Transcript YouTube

DA'QUESHIA: What do
you picture when you
think about the security field?
This might make you think
of a dark room with people
hunched over their computers.
Maybe you picture a person
in a lab carefully analyzing
evidence.
Or maybe you imagine
a guard standing
watch in front of a building.
The truth is, no matter what
thoughts crossed your mind,
all of these examples are part
of the wide world of security.
Hi, my name is Da'Queshia.
I have worked as a security
engineer for four years.
I'm excited to be your
instructor for this course
and share some of my
experience with you.
At Google, I'm part of a diverse
team of security professionals
who all have
different backgrounds
and unique perspectives.
For example, in my role,
I work to secure Gmail.
Part of my daily
activities include
developing new security features
and fixing vulnerabilities
in the application to make
emails safer for our users.
Some members of my team
begin working in security
after graduating from college.
Many others found their
way into the field
after years of working
in another industry.
Security teams come in all
different shapes and sizes.
Each member of a team
has a role to play.
While our specific functions
within the group differ,
we all share the same
objective-- protecting
valuable assets from harm.
Accomplishing this mission
involves a combination
of people, processes, and tools.
In this course, you'll learn
about each of these in detail.
First, you'll be introduced to
the world of asset security.
You'll learn about
the variety of assets
that organizations
protect and how
these factor into a company's
overall approach to security.
Then you'll begin exploring
the security systems
and controls that teams
use to proactively protect
people and their information.
All systems have weaknesses
that can be improved upon.
When those weaknesses
are neglected or ignored,
they can lead to
serious problems.
In this section
of the course, you
focus on common
vulnerabilities and systems
and the way security teams stay
ahead of potential problems.
Finally, you'll learn about
the threats to asset security.
You'll also be introduced to
the threat modeling process
that security teams use
to stay one step ahead
of potential attacks.
In this field, we
try to do everything
possible to avoid being put
in a compromised position.
By the end of this
course, you'll
have a clearer picture
of the ways people,
processes, and
technology work together
to protect all that's important.
Throughout the
course, you'll also
get an idea of the site
and career opportunities
available to you.
Security truly is an
interdisciplinary field.
Your background and
perspective is an asset.
Whether you're a recent
college graduate or starting
a new career path,
the security field
presents a wide range
of possibilities.
So what do you say?
Are you ready to go on
this journey with me?
We all depend on technology
so much nowadays.
Examples of this
are all around us.
Personal devices
like smartphones
help keep us in touch
with friends and families
across the globe.
Wearable technologies help
us achieve personal goals
and be more productive.
Businesses have also come
to embrace technology
in everyday life.
From streamlining operations
to automating processes,
our world is more connected
because of technology.
The more we rely on technology,
the more information we share.
As a result, an enormous amount
of data is created every day.
This huge surge in data creation
presents unique challenges.
As businesses become more
reliant on technology,
cybercriminals become
more sophisticated in how
they affect organizations.
Data breaches are
becoming increasingly
serious due to all the sensitive
data businesses are storing.
One positive aspect
of these challenges
is a growing need for
individuals like you.
Security is a team effort.
Unique perspectives
like yours are
an asset to any organization.
A team filled with diverse
backgrounds, cultures,
and experiences is more likely
to solve problems and be
innovative.
As breach after breach
hits the headlines,
it's clear that organizations
need more professionals focused
on security.
Companies around the
globe are working hard
to keep up with the
demands of a rapidly
changing digital landscape.
As the environment
continues to transform,
the more your personal
experience is valuable.
In this section, we'll
start by exploring
how assets, threats, and
vulnerabilities factor
into security plans.
After that, we'll discuss
the use of asset inventories
and protecting the wide range
of assets that companies have.
Then we'll consider
the challenges
in this rapidly
changing digital world.
And finally, you'll gain an
understanding of the building
blocks of a security plan,
its policies, standards,
and procedures.
We'll examine the NIST
cybersecurity framework
that companies use to
create security plans that
protects their customers
and their brands.
I hope you're as excited
to go on this journey
into this world of
security as I am.
Now, let's get started.
Painting a portrait, perfecting
a new basketball move,
playing a solo on guitar.
They all share
something in common.
Can you guess what it is?
If you thought practice,
you're absolutely correct.
It takes time, dedication, and
focus to improve these skills.
The security profession
is no different.
Planning for the
future is a core skill
that you'll need to practice
all the time in security.
We all deal with uncertainty
by trying to solve problems
before they arise.
For example, if you're
going on a trip,
you might think about
the length of the trip
and how much to pack.
Maybe you're traveling
somewhere cold.
You might bring coats and
sweaters to help keep you warm.
We all want to feel the
security of knowing that there's
a plan if something goes wrong.
Businesses are no different.
Just like you, organizations
try their best to plan
ahead by analyzing risks.
Security teams help companies
by focusing on risks.
In security, a risk
is anything that
can impact the
confidentiality, integrity,
or availability of an asset.
Our primary focus as
security practitioners
is to maintain confidentiality,
integrity, and availability,
which are the three
components of the CIA triad.
The process of
security risk planning
is the first step towards
protecting these cornerstones.
Each organization has their
own unique security plan
based on the risks they face.
Thankfully, you don't
need to be familiar
with every possible
security plan
to be a good security
practitioner.
All you really need
to know are the basis
of how these plans
are put together.
Security plans are
based on the analysis
of three elements-- assets,
threats, and vulnerabilities.
Organizations
measure security risk
by analyzing how each can have
an effect on confidentiality,
integrity, and availability of
their information and systems.
Basically, they each
represent the what, why,
and how of security.
Let's spend a little
time exploring
each of these in more detail.
As you might
imagine, an asset is
an item perceived as having
value to an organization.
This often includes a
wide range of things.
Buildings, equipment,
data, and people
are all examples of assets that
businesses want to protect.
Let's examine this idea more by
analyzing the assets of a home.
Inside a home, there's a wide
range of assets, like people
and personal belongings.
The outside structure of a
home is made of assets too,
like the walls, roof,
windows, and doors.
All of these assets have
value, but they differ
in how they might be protected.
Someone might place
a lower priority
on protecting the outside
walls than on the front door,
for example.
This is because
a burglar is more
likely to enter through
the front door than a wall.
That's why we have locks.
With so many types of
assets to think of,
security plans need to
prioritize resources.
After all, no matter how
large a security team is,
it would be impossible to
monitor every single asset
at all hours of the day.
Security teams can prioritize
their efforts based on threats.
In security, a thread is any
circumstance or event that
can negatively impact assets.
Much like assets, threats
include a wide range of things.
Going back to the
example of a home,
a threat can be a burglar
who's trying to gain access.
Burglars aren't the
only type of threats
that affect the security
of windows and doors.
What if either
broke by accident?
Strong winds can blow the
door open during a bad storm,
or kids playing with a ball
nearby can accidentally
damage a window.
If any of these thoughts
crossed your mind, great job.
You're already demonstrating
a security mindset.
The final element of a security
plan that we're going to cover
are vulnerabilities.
In security, a vulnerability
is a weakness that
can be exploited by a threat.
A weak lock on a front
door, for example,
is a vulnerability that can
be exploited by a burglar.
And old, cracked wood is
a different vulnerability
on that same front
door that can increase
the chances of storm damage.
In other words, think
of vulnerabilities
as flaws within an asset.
Assets can have
many different types
of vulnerabilities that are
an easy target for attackers.
We'll explore different types
of threats and vulnerabilities
in greater detail later.
For now, just understand
that security teams
need to account for a wide
range of assets, threats,
and vulnerabilities
to effectively plan
for the future.
It can be really stressful
when you have trouble
finding something important.
You're late to an appointment
and can't find your keys.
We all find ourselves
in situations like these
at one time or another.
Believe it or not,
organizations deal
with the same kind of trouble.
Take a few seconds to think of
the number of important assets
you have nearby.
I'm thinking of my phone,
wallet, and keys, for example.
Next, imagine that you're
just joining the security team
for a small online retailer.
The company has been growing
over the past few years,
adding more and more customers.
As a result, they're expanding
their security department
to protect the increasing
numbers of assets they have.
Let's say each of you are
responsible for 10 assets.
That's a lot of assets.
Even in the small
business setting,
that's an incredible amount of
things that needs protecting.
A fundamental truth
of security is
you can only protect the
things you account for.
Asset management is the
process of tracking assets
and the risk that affects them.
All security plans revolve
around asset management.
Recall that assets include any
item perceived as having value
to our organization.
Equipment, data, and
intellectual property
are just a few of the
wide range of assets
businesses want to protect.
A critical part of every
organization's security plan
is keeping track of its assets.
Asset management
starts with having
an asset inventory,
a catalog of assets
that need to be protected.
This is an essential
part of protecting
organizational assets.
Without this record,
organizations
run the risk of losing track of
all that's important to them.
A good way to think of asset
inventories is as a shepherd
protecting sheep.
Having an accurate count
of the number of sheep
helped in a lot of ways.
For example, it would be easier
to allocate resources like food
to take care of them.
Another benefit
of asset inventory
might be that you get an alert
if one of them goes missing.
Once more, think of
the important assets
you have nearby.
Just like me, you're probably
able to rate them according
to the level of importance.
I would rank my wallet ahead
of my shoes, for example.
In security, this practice is
known as asset classification.
In general, asset
classification is the practice
of labeling assets based on
the sensitivity and importance
to an organization.
Organizations label
assets differently.
Many of them follow a basic
classification scheme--
public, internal-only,
confidential, and restricted.
Public assets can be
shared with anyone.
Internal-only can be shared
with anyone in the organization,
but should not be
shared outside of it.
And confidential
assets should only
be accessed by those working
on a specific project.
Assets classified as restricted
are typically highly sensitive
and must be protected.
Assets with this label are
considered need-to-know.
Examples include intellectual
property and health or payment
information.
For example, a growing
online retailer
might mark internal emails about
a new product as confidential
because those working on the new
product should know about it.
They might also label the
doors at their offices
with a restricted
sign to keep everyone
out who doesn't have a
specific reason to be in there.
These are just a couple
of everyday examples
that you may be familiar with
from your prior experience.
For the most part,
classification
determines whether an asset
can be disclosed, altered,
or destroyed.
Asset management is
a continuous process,
one that helps uncover
unexpected gaps in security
for potential risks.
Keeping track of all that's
important to an organization
is an essential part
of security planning.
Welcome back.
We've covered a lot
of information so far.
I hope you're having as much fun
exploring the world of security
as I am.
We have explored what
organization assets are
and why they need protection.
You've also gotten a sense of
the tremendous amount of assets
security teams protect.
Previously, we begin examining
security asset management
and the importance of keeping
track of everything that's
important to an organization.
Security teams classify
assets based on value.
Next, let's suspend
our security mindset
and think about this question.
What exactly is
valuable about an asset?
These days, the answer
is often information.
Most information is
in a digital form.
We call this data.
Data is information that
is translated, processed,
or stored by a computer.
We live in a connected world.
Billions of devices
around the world
are linked to the internet
and are exchanging data
with each other all the time.
In fact, millions
of pieces of data
are being passed to
your device right now.
When compared to
physical assets,
digital assets have
additional challenges.
What you will need to understand
is that protecting data
depends on where that data
is and what it's doing.
Security teams protect data
in three different states--
in use, in transit, and at rest.
Let's investigate this
idea in greater detail.
Data in use is data being
accessed by one or more users.
Imagine being at a
park with your laptop.
It's a nice, sunny
day, and you stop
at a bench to check your email.
This is an example
of data in use.
As soon as you
log in, your inbox
is considered to be in use.
Next is data in transit.
Data in transit is data
traveling from one point
to another.
While you're signed
into your account,
a message from one of
your friends appear.
They sent you an interesting
article about the growing
security industry.
You decide to reply, thanking
them for sending this to you.
When you click Send, this is now
an example of data in transit.
Finally, there's data at rest.
Data at rest is data not
currently being accessed.
In this state, data is typically
stored on a physical device.
An example of data
at rest would be
when you finish checking your
email and close your laptop.
You then decide
to pack up and go
to a nearby cafe for breakfast.
As you make your way from
the park towards the cafe,
the data in your
laptop is at rest.
So now that we understand
these states of data,
let's connect this back
to asset management.
Earlier, I mentioned
that information
is one of the most valuable
assets that companies can have.
Information
security, or InfoSec,
is the practice of
keeping data in all states
away from unauthorized users.
Weak information security
is a serious problem.
It can lead to things like
identity theft, financial loss,
and reputational damage.
These events have
potential to harm
organizations, their
partners, and their customers.
And there's more to
consider in your work
as a security analyst.
As our digital world
continually changes,
we are adapting our
understanding of data at rest.
Physical devices,
like our smartphones,
more commonly stored
data in the cloud,
meaning that our information
isn't necessarily at rest
just because our phone
is resting on a table.
We should always be mindful
of new vulnerabilities
as our world becomes
increasingly connected.
Remember, protecting data
depends on where the data is
and what it's doing.
Keeping track of information
is part of the puzzle
that companies solve when
considering their security
plan.
Understanding the
three states of data
enables security teams to
analyze risks and determine
an asset management plan
for different situations.
Security is all about people,
processes, and technology.
It's a team effort.
And I mean that literally.
Protecting assets extends well
beyond one person or a group
of people in an IT department.
The truth of the matter is
that security is a culture.
It's a shared set
of values that spans
all levels of an organization.
These values touch everyone,
from employees to vendors
to customers.
Protecting digital
and physical assets
requires everyone
to participate,
which can be a challenge.
That's what security
plans are for.
Plans come in many shapes
and sizes, but they all share
a common goal--
to be prepared for
risks when they happen.
Placing the focus
on people is what
leads to the most
effective security plans.
Considering the diverse
backgrounds and perspectives
of everyone involved ensure
that no one is left out
when something goes wrong.
We talked earlier
about the risks
as being anything that can
impact the confidentiality,
integrity, or
availability of an asset.
Most security
plans address risks
by breaking them down according
to categories and factors.
Some common risk
categories might
include the damage, disclosure,
or loss of information.
Any of these can
be due to factors
like the physical damage or
malfunctions of a device.
There are also factors like
attacks and human error.
For example, a
new school teacher
may be asked to sign a
contract before their first day
of class.
The agreement may warn against
some common risks associated
with human error, like
using a personal email
to send sensitive information.
A security plan may require
that all new hires sign off
on this agreement,
effectively spreading
the values that ensure
everyone's in alignment.
This is just one example of
the types and causes of risk
that a plan might address.
These things vary widely
depending on the company,
but how these plans
are communicated
is similar across industries.
Security plans consist
of three basic elements--
policies, standards,
and procedures.
These three elements are how
companies share their security
plans.
These words tend to be
used interchangeably
outside of security,
but you'll soon
discover that they each
have a very specific meaning
and function in this context.
A policy in security
is a set of rules
that reduce risks and
protects information.
Policies are the foundation
of every security plan.
They give everyone in and out
of an organization guidance
by addressing questions like,
what are we protecting and why?
Policies focus on the
strategic side of things
by identifying the scope,
objectives, and limitations
of a security plan.
For instance, newly hired
employees at many companies
are required to sign off on an
acceptable use policy, or AUP.
These provisions
outline secure ways
that an employee may
access corporate systems.
Standards are the next part.
These have a tactical function,
as they concern how well we're
protecting assets.
In security, standards
are references that
inform how to set policies.
A good way to think of
standards is that they
create a point of reference.
For example, many companies
use the password management
standard identified in this
special publication, 800-63B,
to improve their security
policies by specifying
that employees'
passwords must be
at least eight characters long.
The last part of a
plan is its procedures.
Procedures are
step-by-step instructions
to perform a specific
security task.
Organizations usually keep
multiple procedure documents
that are used
throughout the company,
like how employees can
choose secure passwords,
or how they can securely reset
a password if it's been locked.
Sharing clear and actionable
procedures with everyone
creates accountability,
consistency, and efficiency
across an organization.
Policies, standards,
and procedures
vary widely from one
company to another
because they are tailored to
each organization's goals.
Simply understanding the
structure of security plans
is a great start.
For now, I hope you
have a clearer picture
of what policies, standards,
and procedures are
and how they are essential to
making security a team effort.
Having a plan is just one
part of securing assets.
Once the plan is in
action, the other part
is making sure everyone's
following along.
In security, we call
this compliance.
Compliance is the process of
adhering to internal standards
and external regulations.
Small companies and large
organizations around the world
place security
compliance at the top
of their list of priorities.
At a high level, maintaining
trust, reputation, safety,
and the integrity of your
data are just a few reasons
to be concerned
about compliance.
Fines, penalties, and
lawsuits are other reasons.
This is particularly true for
companies in highly regulated
industries, like health
care, energy, and finance.
Being out of compliance
with the regulation
can cause long-lasting financial
and reputational effects
that can seriously
impact a business.
Regulations are rules set by a
government or other authority
to control the way
something is done.
Like policies, regulations
exist to protect
people and their information,
but on a larger scale.
Compliance can be
a complex process
because of the many
regulations that
exist all around the world.
For our purpose,
we're going to focus
on a framework of security
compliance, the US-based NIST
Cybersecurity Framework.
Earlier in the program, you
learned the National Institute
of Standards and
Technology, or NIST.
One of the primary
roles of NIST is
to openly provide companies
with a set of frameworks
and security
standards that reflect
key security-related
regulations.
The NIST cybersecurity framework
is a voluntary framework
that consists of standards,
guidelines, and best practices
to manage cybersecurity risks.
Commonly known as the
CSF, this framework
was developed to help businesses
secure one of their most
important assets--
information.
The CSF consists of three
main components, the core,
its tiers, and its profiles.
Let's explore each
of these together
to build a better understanding
of how NIST CSF is used.
The core is basically
a simplified version
of the functions, or
duties, of a security plan.
The CSF core identifies
five broad functions--
identify, protect, detect,
respond, and recover.
Think of these categories of the
core as a security checklist.
After the core, the next
NIST component we'll discuss
is its tiers.
These provide security
teams with a way
to measure performance
across each of the five
functions of the core.
Tiers range from
level 1 to level 4.
Level 1, or passive, indicates
a function is reaching
bare minimum standards.
Level 4, or adaptive,
is an indication
that a function
is being performed
at an exemplary standard.
You may have noticed that
CSF tiers aren't a yes
or no proposition.
Instead, there's
a range of values.
That's because
tiers are designed
as a way of showing
an organization what
is and isn't working with
their security plans.
Lastly, profiles are the
final component of CSF.
These provide insight
into the current state
of a security plan.
One way to think of
profiles is like photos
capturing a moment in time.
Comparing photos
of the same subject
taken at different times
can provide useful insights.
For example, without
these photos,
you might not notice how
this tree has changed.
It's the same with
NIST profiles.
Good security practice is
about more than avoiding fines
and attacks.
It demonstrates that
you care about people
and their information.
Before we go, let's visit
the core's functions one more
time to look at where we've
been and where we're going.
The first function is identify.
Our previous discussions
on asset management
and risk assessment
relate to that function.
Coming up, we're
going to focus on many
of the categories of the second
function, the protect function.
Meet you there.
Well done.
You made it to the
end of this section.
Being a security practitioner
takes commitment and a desire
to learn.
A big part of the
job involves keeping
current with best practices
and emerging trends.
Thinking back on my own journey
into the world of security,
I'm so proud of you for
your continued commitment.
We've covered a lot
of material this week,
and this is a good time
to reflect and look back
on the key concepts
we explored together.
We covered the building
blocks of organizational risk
management, assets, threats,
and vulnerabilities.
We also spent some time
demonstrating the importance
of asset inventories.
It's much easier to
protect companies' assets
if you know where they are and
who's responsible for them.
After that, we moved on
to explore the challenges
in a rapidly changing
digital world.
Part of protecting
data in this world
is understanding if it's in
use, in transit, or at rest.
Finally, in our
high-level exploration
of policies, standards,
and procedures,
we talked about how
each of them factor
into achieving security goals.
There is no one-size-fits-all
approach to achieving security.
While exploring the NIST
Cybersecurity Framework,
you gained an appreciation of
how it supports good security
practices.
Attackers are also constantly
building their skills
and finding new ways to break
through the defenses we put up.
Remember, the landscape
is always changing.
There's always more to learn.
If you want to be a good
security practitioner.
Next up, we're going to
expand our security mindset
by learning more about the
different systems security
teams use to protect
organizational assets.
I'm looking forward to it.
I was fascinated by
a worldwide malware
event that happened in 2017.
I started watching videos and
preparing to take certification
tests just like you.
I felt overwhelmed at first,
but my curiosity and passion
has driven me to continue
learning in this field.
I always remind myself that no
one is born knowing everything,
and everyone is on
a learning journey.
Even now, I still
remember what it
was like to start out
in this profession.
So believe me when I
tell you that you're
making great progress, and
I am proud of your effort.
Now, before looking
ahead to where
we're headed on our journey
into the world of security,
let's take a moment to look
back on where we've been.
Previously, we focused mostly on
the concept of assets and risk
in security.
We covered topics like the
importance of managing assets
and keeping them safe.
We discussed how the digital
world presents new challenges
and opportunities in
the field of security.
We also spent some time
exploring security plans.
With this solid
foundation, we're
ready to keep expanding
our security mindset.
In this section, we'll
cover the security controls
that are used to proactively
keep assets safe.
I use the word "proactively"
there on purpose.
As you will soon
discover, these controls
are the protections that we
put in place to stop problems
before they happen.
We're going to begin by taking
an in-depth look at privacy.
Here, you'll learn about
the effective data handling
processes that keep
information safe.
Next, you'll explore the role
of encryption and hashing
in safeguarding information.
Finally, you will learn about
the standard access controls
that companies use to authorize
and authenticate users.
Are you ready to
keep moving ahead?
I know I am.
These days, information is
in so many places at once.
As a result, organizations
are under a lot of pressure
to implement effective
security controls that
protects everyone's information
from being stolen or exposed.
Security controls are
safeguards designed
to reduce specific
security risks.
They include a
wide range of tools
that protect assets before,
during, and after an event.
Security controls can be
organized into three types--
technical, operational,
and managerial.
Technical control types
include the many technologies
used to protect assets.
This includes encryption,
authentication systems,
and others.
Operational controls
relate to maintaining
the day-to-day
security environment.
Generally, people perform
these controls, like awareness
training and incident response.
Managerial controls
are centered around how
the other two reduce risks.
Examples of management controls
include policies, standards,
and procedures.
Typically, an organization's
security policy
outlines of controls needed
to achieve their goals.
Information privacy plays a
key role in these decisions.
Information privacy
is the protection
of unauthorized access
and distribution of data.
Information privacy is
about the right to choose.
People and organizations
alike deserve
the right to decide when,
how, and to what extent
private information
about them is shared.
Security controls
are the technologies
used to regulate
information privacy.
For example, imagine using a
travel app to book a flight.
You might browse through
a list of flights
and find one at a good price.
To reserve a seat, you enter
some personal information,
like your name, email, and
credit card number for payment.
The transaction goes
through successfully,
and you've booked your flight.
Now, your reasonably
expect the airline company
to access this information
you enter when signing up
to complete the reservation.
However, should
everyone at the company
have access to your information?
A person working in the
marketing department
shouldn't need access to
your credit card information.
It makes sense to share that
information with a customer
support agent, except
they should only
need to access it while
helping with your reservation.
To maintain privacy,
security controls
are intended to
limit access based
on the user and situation.
This is known as the
principle of least privilege.
Security controls should be
designed with the principle
of least privilege in mind.
When they are, they rely on
differentiating between data
owners and data custodians.
A data owner is a
person who decides
who can access, edit, use,
or destroy their information.
The idea is very
straightforward,
except in cases where
there are multiple owners.
For example, the intellectual
property of an organization
can have multiple data owners.
A data custodian is
anyone or anything
that's responsible for the
safe handling, transport,
and storage of information.
Did you notice that
I mentioned anything?
That's because,
aside from people,
organizations in their
systems are also custodians
of people's information.
There are other considerations
besides these when
implementing security controls.
Remember that data is an asset.
Like any other asset,
information privacy
requires proper
classification and handling.
As we progress in
this section, we'll
continue exploring other
security controls that
make this possible.
The internet is an
open, public system
with a lot of data
flowing through it.
Even though we all send and
store information online,
there's some information that
we choose to keep private.
In security, this
type of data is
known as personally
identifiable information.
Personally identifiable
information, or PII,
is any information that can be
used to infer an individual's
identity.
This can include things
like someone's name,
medical and financial
information, photos, emails,
or fingerprints.
Maintaining the privacy of
PII online is difficult.
It takes the right
security controls to do so.
One of the main
security controls
used to protect information
online is cryptography.
Cryptography is the process
of transforming information
into a form that unintended
readers can't understand.
Data of any kind is kept secret
using a two-step process--
encryption to hide
the information
and decryption to unhide it.
Imagine sending an
email to a friend.
The process starts
by taking data
in its original and readable
form, known as plaintext.
Encryption takes
that information
and scrambles it into
an unreadable form
known as ciphertext.
We then use decryption to
unscramble the ciphertext back
into plaintext form,
making it readable again.
Hiding and unhiding
private information
is a practice that's been
around for a long time, way
before computers.
One of the earliest
cryptographic methods
is known as Caesar's cipher.
This method is named after a
Roman general, Julius Caesar,
who ruled the Roman Empire near
the end of the first century
BCE.
He used it to keep
messages between him
and his military
generals private.
Caesar's cipher is a
pretty simple algorithm
that works by shifting
letters in the Roman alphabet
forward by a fixed
number of spaces.
An algorithm is a set of
rules that solve a problem.
Specifically, in
cryptography, a cipher
is an algorithm that
encrypts information.
For example, a message
encoded with Caesar's cipher
using a shift of three
would encode an A as a D,
a a B as an E, a C
as an F, and so on.
In this example, you could send
a friend a message that said
"hello" using a shift of three
and it would read "K-H-O-O-R."
Now, you might be
wondering, how would
you know the shift a message
encrypted with Caesar's cipher
is using?
The answer to that
is, you need the key.
A cryptographic
key is a mechanism
that decrypts ciphertext.
In our example, the
key would tell you
that message is encrypted
by three shifts.
With that information, you
can unlock the hidden message.
Every form of encryption
relies on both a cipher and key
to secure the exchange
of information.
Caesar's cipher is not
widely used today because
of a couple of major flaws.
One concerns the cipher itself.
The other relates to the key.
This particular
cipher relies entirely
on the characters of the Roman
alphabet to hide information.
For example, consider
a message written
using the English alphabet,
which is only 26 characters.
Even without the key,
it's pretty simple
to crack a message secured
with Caesar's cipher
by shifting letters
26 different ways.
In information
security, this tactic
is known as brute force
attack, a trial and error
process of discovering
private information.
The other major flaw
of Caesar's cipher
is that it relies
on a single key.
If that key was lost
or stolen, there's
nothing stopping someone from
accessing private information.
Properly keeping track
of cryptographic keys
is an important
part of security.
To start, it's important to
ensure that these keys are not
stored in public places,
and to share them separately
from the information
they will decrypt.
Caesar's cipher is just
one of many algorithms used
to protect people's privacy.
Due to its limitations, we
rely on more complex algorithms
to secure information online.
Our next focus is exploring
how modern algorithms work
to keep information private.
Computers use a lot of
encryption algorithms
to send and store
information online.
They're all helpful
when it comes
to hiding private
information, but only as long
as their keys are protected.
Can you imagine having to keep
track of the encryption keys
protecting all of your
personal information online?
Neither can I. And we don't
have to, thanks to something
known as public
key infrastructure.
Public key
infrastructure, or PKI,
is an encryption framework
that secures the exchange
of information online.
It's a broad system that makes
access and information fast,
easy, and secure.
So how does it all work?
PKI is a two-step process.
It all starts with the change
of encrypted information.
This involves either
asymmetric encryption,
symmetric encryption, or both.
Asymmetric encryption
involves the use
of a public and private key pair
for encryption and decryption
of data.
Let's imagine this as a box that
can be opened with two keys.
One key, the public key, can
only be used to access the slot
and add items to the box.
Since the public key can't
be used to remove items,
it can be copied and shared
with people all around the world
to add items.
On the other hand, the
second key, the private key,
opens the box fully so that the
items inside can be removed.
Only the owner of the box
has access to the private key
that unlocks it.
Using a public key allows
the people and servers
you're communicating
with to see and send
you encrypted information
that only you can
decrypt with your private key.
This two-key system makes
asymmetric encryption
a secure way to exchange
information online.
However, it also slows
down the process.
Symmetric encryption,
on the other hand,
is a faster and simpler
approach to key management.
Symmetric encryption involves
the use of a single secret key
to exchange information.
Let's imagine the lockbox again.
Instead of two keys, symmetric
encryption uses the same key.
The owner can use
it to open the box,
add items, and close it again.
When they want to share access,
they can give the secret key
to anyone else to do the same.
Exchanging a single secret key
may make web communications
faster, but it also
makes it less secure.
PKI uses both asymmetric
and symmetric encryption,
sometimes, in conjunction
with one another.
It all depends on whether speed
or security is the priority.
For example, mobile
chat applications
use asymmetric
encryption to establish
a connection between people at
the start of a conversation,
when security is the priority.
Afterwards, when the
speed of communications
back and forth is the
priority, symmetric encryption
takes over.
While both have their own
strengths and weaknesses,
they share a common
vulnerability--
establishing trust between
the sender and receiver.
Both processes rely on sharing
keys that can be misused, lost,
or stolen.
This isn't a problem when we
exchange information in person,
because we can use
our senses to tell
the difference between those we
trust and those we don't trust.
Computers, on the other hand,
aren't naturally equipped
to make this distinction.
That's where the second
step of PKI applies.
PKI addresses the
vulnerability of key sharing
by establishing trust using a
system of digital certificates
between computers and networks.
A digital certificate
is a file that
verifies the identity
of a public key holder.
Most online information
is exchanged
using digital certificates.
Users, companies, and networks
hold one and exchange them
when communicating
information online
as a way of signaling trust.
Let's look at an example of
how digital certificates are
created.
Let's say an online business is
about to launch their website
and they want to obtain
a digital certificate.
When they register their
domain, the hosting company
sends certain information
over to a trusted certificate
authority, or CA.
The information provided
is usually basic things,
like the company name
and the country where
its headquarters are located.
A public key for the
site is also provided.
The certificate
authority then uses
this data to verify
the company's identity.
When it's confirmed,
the CA encrypts the data
with its own private key.
Finally, they create
a digital certificate
that contains the
encrypted company data.
It also contains CA
digital signature
to prove that it's authentic.
Digital certificates are
a lot like a digital ID
badge that's used online
to restrict or grant access
to information.
This is how PKI solves
the trust issue.
Combined with asymmetric
and symmetric encryption,
this two-step approach to
exchanging secure information
between trusted sources
is what makes PKI
such a useful security control.
Security professionals
are always
thinking about vulnerabilities.
It's how we stay
ahead of threats.
We spent some time
together exploring
a couple forms of encryption.
The two types we've
discussed produce
keys that are shared when
communicating information.
Encryption keys are vulnerable
to being lost or stolen,
which can lead to sensitive
information at risk.
Let's explore another security
control that helps companies
address this weakness.
A hash function is an
algorithm that produces
a code that can't be decrypted.
Unlike asymmetric and
symmetric algorithms,
hash functions are one-way
processes that do not
generate decryption keys.
Instead, these algorithms
produce a unique identifier,
known as a hash value or digest.
Here's an example
to demonstrate this.
Imagine a company has an
internal application that
is used by employees and is
stored in a shared drive.
After passing through
a hashing function,
the program receives
is hash value.
For example purposes, we created
this relatively short hash
value with the MD5
hashing function.
Generally, standard
hash functions
that produce longer
hashes are preferred
for being more secure.
Next, let's imagine an
attacker replaces the program
with a modified version that
performs malicious actions.
The malicious program may
work like the original.
However, if so much
as one line of code
is different from
the original, it
will produce a
different hash value.
By comparing the
hash values, we can
validate that the
programs are different.
Attackers use tricks like this
often because they're easily
overlooked.
Fortunately, hash values help
us identify when something
like this is happening.
In security, hashes are
primarily used as a way
to determine the integrity
of files and applications.
Data integrity relates to
the accuracy and consistency
of information.
This is known as
non-repudiation, the concept
that authenticity of
information can be denied.
Hash functions are
important security controls
that make proving data
integrity possible.
Analysts use them frequently.
One way to do this is by
finding the hash value of files
or applications
and comparing them
against known malicious files.
For example, we can
use the Linux command
line to generate the hash value
for any file on your computer.
We just launch a shell
and type the name
of the hashing algorithm
we want to use.
In this case, we're using a
common one known as SHA-256.
Next, we need to
enter the file name
of any file we want to hash.
Let's hash the contents
of newfile.txt.
Now, we'll press Enter.
The terminal generates this
unique hash value for the file.
These tools can be compared
with the hash values
of known online viruses.
One such database is VirusTotal.
This is a popular tool
among security practitioners
that's useful for analyzing
suspicious files, domains, IPs,
and URLs.
As we've explored, even the
slightest change in input
results in a totally
different hash value.
Hash functions are
intentionally designed this way
to assist with matters
of non-repudiation.
They equip computers
with a quick and easy way
to compare input
and output values
and validate data integrity.
Pretty cool, right?
Protecting data is a fundamental
feature of security controls.
When it comes to keeping
information safe and secure,
hashing and encryption are
powerful yet limited tools.
Managing who or what has
access to information
is also key to
safeguarding information.
The next series of controls
that we'll be exploring
are access controls,
the security
controls that manage
access, authorization,
and accountability
of information.
When done well, access controls
maintain data confidentiality,
integrity, and availability.
They also get users the
information they need quickly.
These systems are
commonly broken down
into three separate yet
related functions known
as the authentication,
authorization,
and accounting framework.
Each control has its
own protocol and systems
that make them work.
In this video, let's get
comfortable with the basics
of the first one on the
list, authentication.
Authentication systems
are access controls that
serve a very basic purpose.
They ask anything attempting
to access information
this simple question--
who are you?
Organizations go about
collecting answers
to these questions differently
depending on the objectives
of their security policy.
Some are more
thorough than others.
But in general, responses
to this question
can be based on three
factors of authentication.
The first is knowledge.
Authentication by
knowledge refers
to something the user knows,
like a password or the answer
to a security question
they provided previously.
Another factor is ownership,
referring to something
the user possesses.
A commonly used type of
authentication by ownership
is a one-time passcode, or OTP.
You probably experienced
these at one time or another.
They're a random number sequence
that an application or website
will send you via text or
email and ask you to provide.
Last is characteristic.
Authentication by this factor
is something the user is.
Biometrics, like fingerprint
scans on your smartphone,
are an example of this
type of authentication.
While not used everywhere,
this form of authentication
is becoming more common, because
it's much tougher for criminals
to impersonate
someone if they have
to mimic a fingerprint or facial
scan as opposed to a password.
The information provided
during authentication
needs to match the
information on file
for these access
controls to work.
When the credentials
don't match,
authentication fails
and access is denied.
When they match,
access is granted.
Incorrectly denying access
can be frustrating to anyone.
To make access systems
more convenient,
many organizations these
days rely on single sign-on.
Single sign-on, or
SSO, is a technology
that combines several
different logins into one.
Can you imagine having to
reintroduce yourself every time
you meet up with a friend?
That's exactly the sort
of problem SSO solves.
Instead of requiring users
to authenticate over and over
again, SSO establishes
their identity once,
allowing them to gain access
to company resources faster.
While SSO systems
are helpful when
it comes to speeding up
the authentication process,
they present a significant
vulnerability when used alone.
Denying access to authorized
users can be frustrating,
but you know what's even worse?
Incorrectly granting
access to the wrong user.
SSO technology is
great, but not if it
relies on just a single
factor of authentication.
Adding more
authentication factors
strengthen these systems.
Multifactor
authentication, or MFA,
is a security measure
which requires a user
to verify their identity
in two or more ways
to access a system or network.
MFA combines two or more
independent credentials,
like knowledge and ownership,
to prove that someone
is who they claim to be.
SSO and MFA are often used in
conjunction with one another
to layer the defense
capabilities of authentication
systems.
When both are
used, organizations
can ensure convenient
access that is also secure.
Now that we covered
authentication,
we're ready to explore the
second part of the framework.
Next, we'll learn
about authorization.
Access is as much
about authorization
as it is about authentication.
One of the most important
functions of access controls
is how they assign
responsibility
for certain systems
and processes.
Next up in our exploration
of access control systems
are the mechanisms
of authorization.
These protocols actually
work closely together
with authentication
technologies.
While one validates
who the user is,
the other determines what
they're allowed to do.
Let's take a look at the
next part of authentication,
authorization, and
accounting framework
that protects
private information.
Earlier, we learned about the
principle of least privilege.
Authorization is linked to the
idea that access to information
only lasts as long as needed.
Authorization systems are
also heavily influenced
by this idea, in addition to
another important security
principle-- the
separation of duties.
Separation of duties
is the principle
that users should not be given
levels of authorization that
will allow them to
misuse a system.
Separating duties reduces
the risk of system failures
and inappropriate
behavior from users.
For example, a person
responsible for providing
customer service shouldn't
also be authorized
to rate their own performance.
In this position, they could
easily neglect their duties
while continuing
to give themselves
high marks with no oversight.
Similarly, if one person was
authorized to develop and test
a security system,
they're much more
likely to be unaware
of its weaknesses.
Both the principle
of least privilege
and the concept of
separating duties
apply to more than just people.
They apply to all systems,
including networks, databases,
processes, and any other
aspect of an organization.
Ultimately,
authorization depends
on a system or user's role.
When it comes to securing
data over a network,
there are a couple of
frequently used access controls
that you should
be familiar with,
HTTP Basic Auth and OAuth.
Have you ever wondered what
the HTTP in web addresses
stood for?
It stands for hypertext
transfer protocol,
which is how communications
are established over a network.
HTTP uses what is
known as basic auth,
the technology used to
establish a user's request
to access a server.
Basic auth works by
sending an identifier
every time a user
communicates with a web page.
Some websites still
use basic auth
to tell whether or not someone
is authorized to access
information on that site.
However, the protocol
is considered
to be vulnerable to
attacks because it
transmits usernames
and passwords openly
over the network.
Most websites today
use HTTPS instead,
which stands for hypertext
transfer protocol secure.
This protocol doesn't expose
sensitive information,
like access credentials, when
communicating over the network.
Another secure authentication
technology used today is OAuth.
OAuth is an open-standard
authorization protocol
that shares designated
access between applications.
For example, you can
tell Google that it's
OK for another website
to access your profile
to create an account.
Instead of requesting and
sending sensitive usernames
and passwords over
the network, OAuth
uses API tokens to verify
access between you and a service
provider.
An API token is a small
block of encrypted code
that contains
information about a user.
These tokens contain
things like your identity,
site permissions, and more.
OAuth sends and
receives access requests
using API tokens by
passing them from a server
to a user's device.
Let's explore what's going
on behind the scenes.
When you authorize a site
to create an account using
your Google profile, all of
Google's usual login protocols
are still active.
If you have multifactor
authentication
enabled on your account--
and you should-- you'll still
have the security benefits
that it provides.
API tokens minimize
risk in a major way.
These APIs tokens serve as an
additional layer of encryption
that helps to keep
your Google password
safe in the event of a
breach on another platform.
Basic auth and OAuth are
just a couple examples
of authorization tools
that are designed
with the principles
of least privilege
and separation of duty in mind.
There are many
other controls that
help limit the risk
of unauthorized access
to information.
In addition to
controlling access,
it's also important
to monitor it.
In our next video, we'll focus
on the third and final part
of the authentication,
authorization, and accounting
framework.
Have you ever wondered
if your employer
is keeping a record when you
log into company systems?
Well, they are if
they're implementing
the third and final function
of the authentication,
authorization, and
accounting framework.
Accounting is the
practice of monitoring
the access logs of a system.
These logs contain information
like who accessed the system,
and when they accessed it,
and what resources they used.
Security analysts use
access logs a lot.
The data they contain
is a helpful way
to identify trends, like
failed login attempts.
They're also used to uncover
hackers who have gained access
to a system, and for
detecting an incident,
like a data breach.
In this field, access
logs are essential.
Oftentimes, analyzing them
is the first procedure
you'll follow when
investigating a security event.
So how do access logs compile
all this useful information?
Let's examine this more closely.
Any time a user
accesses a system,
they initiate what's
called a session.
A session is a
sequence of network
HTTP basic auth requests
and responses associated
with the same user, like
when you visit a website.
SS logs are essentially
records of sessions
that captured the moment
a user enters a system
and to the moment they leave it.
Two actions are triggered
when the session begins.
The first is the
creation of a session ID.
A session ID is a
unique token that
identifies a user
and their device
while accessing the system.
Session IDs are
attached to the user
until they either close their
browser or the session times
out.
The second action that takes
place at the start of a session
is an exchange of session
cookies between the server
and a user's device.
A session cookie is
a token that websites
use to validate a
session and determine how
long that session should last.
When cookies are exchanged
between your computer
and a server, your
session ID is read
to determine what information
the website should show you.
Cookies make web sessions
safer and more efficient.
The exchange of tokens mean
that no sensitive information,
like usernames and
passwords, are shared.
Session cookies
prevent attackers
from obtaining sensitive data.
However, there's other
damage that they can do.
With a stolen
cookie, an attacker
can impersonate a user
using their session token.
This kind of attack is
known as session hijacking.
Session hijacking is an
event when attackers obtain
a legitimate user's session ID.
During these kinds of
attacks, cybercriminals
impersonate the user,
causing all sorts of harm.
Money or private
data can be stolen.
If, for example,
hijackers obtain
a single sign-on credential
from stolen cookies,
they can even gain access
to additional systems
that otherwise seem secure.
This is one reason why
accounting and monitoring
session logs is so important.
Unusual activity on access
logs can be an indication
that information has been
improperly accessed or stolen.
At the end of the
day, accounting
is how we gain valuable insight
that makes information safer.
Our focus in this section was
on a major theme of security,
protecting assets.
A large part of this
relates to privacy.
We should all enjoy
the right to decide
who can access our information.
As we learned, there are
several controls in place
that help secure assets.
We begin this section by
exploring effective data
handling processes
that are founded
on the principle
of least privilege.
We then explored the role
of encryption and hashing
in safeguarding information.
We explored how asymmetric and
asymmetric encryption works
and how hashes further
safeguard data from harm.
We then turned our attention
to standard access controls.
Properly authenticating
and authorizing users
is what maintaining the
CIA triad of information
is all about.
We use the AAA
framework of security
to take a detailed tour of
identity and access management
systems and the access controls
that validate whether or not
someone is who they claim to be.
Well done making it through
the first half of the course.
You're making great progress so
far, and I hope you keep it up.
Remember, your background
and experiences
are valuable in this field.
This, combined with the
concepts we're covering,
will make you a valuable
contributor to any security
team.
Up until this point,
we've been exploring
the defensive side of security.
But security isn't all about
planning ahead and waiting
for something to happen.
In the next part of
our journey, we're
going to continue developing
a security mindset by taking
a more proactive
look at security,
from the perspective
of attackers.
I'll meet you there.
Wow.
We've covered a lot together.
It's hard to believe
we've reached
the midpoint of this course.
I hope you're getting
a clearer picture
of this exciting field
and all the opportunities
it has to offer.
And most importantly, I hope
you're having fun doing it.
We've come a long ways
from where we started.
When we began our
journey together,
we were introduced
to the three building
blocks of every security
program, assets, threats,
and vulnerabilities.
We focused a lot
on assets early on,
and the wide range of things
security professionals
work to protect.
We then turned our attention
to a core component of asset
security, protecting assets.
You learned about the
importance of guarding
sensitive information.
You also learned about
some security controls
that protect information
from being lost or stolen.
On the next part of
our journey, we're
going to turn our focus
to vulnerabilities.
Every asset we
protect has a series
of vulnerabilities, or flaws,
that we need to be aware of.
Staying informed of these
things is a critical part
of protecting people and
organizations from harm.
In this next part
of the course, you
will gain an understanding of
the vulnerability management
process.
First, you will explore
a common approach
to vulnerability management,
the defense in depth model.
Then you'll learn about
how vulnerabilities
are documented in online
libraries like the CVE list.
We'll discuss the
attack surfaces
security teams protect.
And lastly, you will expand
your attacker mindset
by exploring the common attack
vectors cybercriminals try
to exploit.
Security analysts
play an important role
in identifying and correcting
vulnerabilities in systems.
I know I'm excited
to keep exploring.
Are you?
Then let's go.
For every asset that
needs protecting,
there are dozens
of vulnerabilities.
Finding those vulnerabilities
and fixing them
before they become a problem is
the key to keeping assets safe.
We've already covered
what a vulnerability is.
Recall that a vulnerability
is a weakness that
can be exploited by a threat.
That word "can" is an important
part of this description.
Why is that?
Let's explore that
together to find out more.
Imagine I handed you
an important document
and asked you to keep it safe.
How would you do that?
Some of you might first
think about locking it up
in a safe place.
Behind this is the understanding
that because documents
can be easily moved, they
are vulnerable to theft.
When other vulnerabilities
come to mind,
like how paper burns easily
or doesn't resist water,
you might add other protections.
Similar to this
example, security teams
plan to protect assets according
to their vulnerabilities
and how they can be exploited.
In security, an exploit
is a way of taking
advantage of a vulnerability.
Besides finding vulnerabilities,
security planning
relies a lot on
thinking of exploits.
For example, there
are burglars out there
who want to cause harm.
Homes have vulnerable
systems that
can be exploited by a burglar.
An example are the windows.
Glass is vulnerable
to being broken.
A burglar can exploit
this vulnerability
by using a rock to
break the window.
Thinking of this vulnerability
and exploit ahead of time
allows us to plan ahead.
We can have an alarm
system in place
to scare the burglar away
and alert the police.
Security teams
spend a lot of time
finding vulnerabilities
and thinking
of how they can be exploited.
They do this with
a process known
as vulnerability management.
Vulnerability management is the
process of finding and patching
vulnerabilities.
Vulnerability management
helps keep assets safe.
It's a method of stopping
threats before they
can become a problem.
Vulnerability management
is a four-step process.
The first step is to
identify vulnerabilities.
The next step is to
consider potential exploits
of those vulnerabilities.
Third is to prepare
defenses against threats.
And finally, the fourth step
is to evaluate those defenses.
When the last step ends,
the process starts again.
Vulnerability management
happens in a cycle.
It's a regular part of
what security teams do,
because there are always
new vulnerabilities
to be concerned about.
This is exactly why a diverse
set of perspectives is useful.
Having a wide range of
backgrounds and experiences
only strengthens security
teams and their ability
to find exploits.
However, even large and
diverse security teams
can't keep track of everything.
New vulnerabilities are
constantly being discovered.
These are known as
zero-day exploits.
A zero day is an exploit
that was previously unknown.
The term "zero day"
refers to the fact
that the exploit is happening
in real time with zero days
to fix it.
These kind of exploits
are dangerous.
They represent threats that
haven't been planned for yet.
For example, we can anticipate
the possibility of a burglar
breaking into our home.
We can plan for
this type of threat
by having defenses
in place, like locks
on the doors and windows.
A zero-day exploit would be
something totally unexpected,
like the lock on the door
falling off from intense heat.
Zero-day exploits are
things that don't normally
come to mind.
For example, this might
be a new form of spyware
infecting a popular website.
When zero-day
exploits happen, they
can leave assets even
more vulnerable to threats
than they already are.
Vulnerability management
is the process
of finding vulnerabilities
and fixing their exploits.
That's why the process
is performed regularly
at most organizations.
Perhaps the most important
step of the process
is identifying vulnerabilities.
We'll explore this step
in more details next time
we get together.
I'll meet you again then.
A layered defense is
difficult to penetrate.
When one barrier fails,
another takes its place
to stop an attack.
Defense in depth
is a security model
that makes use of this concept.
It's a layered approach to
vulnerability management
that reduces risks.
Defense in depth is commonly
referred to as the castle
approach because it resembles
the layered defenses
of a castle.
In the Middle Ages,
these structures
were very difficult
to penetrate.
They featured
different defenses,
each unique in its design,
that posed different challenges
for attackers.
For example, a
water-filled barrier
called a moat usually formed
a circle around the castle,
preventing threats like
large groups of attackers
from reaching the castle walls.
The few soldiers that made it
past the first layer of defense
were then faced with a new
challenge, giant stone walls.
A vulnerability of
these structures
were that they could be climbed.
If attackers tried exploiting
that weakness, guess what?
They were met with another layer
of defense, watchtowers filled
with defenders ready to
shoot arrows and keep them
from climbing.
Each level of defense of these
medieval structures minimized
the risk of attacks by
identifying vulnerabilities
and implementing a security
control should one system fail.
Defense in depth works
in a similar way.
The defense in depth concept can
be used to protect any asset.
It's mainly used
in cybersecurity
to protect information
using a five-layer design.
Each layer features a
number of security controls
that protect information
as it travels
in and out of the model.
The first layer of defense in
depth is the perimeter layer.
This layer includes
some technologies
that we've already explored,
like usernames and passwords.
Mainly, this is a user
authentication layer
that filters external access.
Its function is to
only allow access
to trusted partners to reach
the next layer of defense.
Second, the network
layer is more closely
aligned with authorization.
The network layer is made
up of other technologies,
like network
firewalls and others.
Next is the endpoint layer.
Endpoints refer to the devices
that have access on a network.
They could be devices like a
laptop, desktop, or a server.
Some examples of technologies
that protect these devices
are antivirus software.
After that, we get to
the application layer.
This includes all
the interfaces that
are used to interact
with technology.
At this layer, security
measures are programmed
as part of an application.
One common example is
multi-factor authentication.
You may be familiar with having
to enter both your password
and a code sent by SMS.
This is part of the
application layer of defense.
And finally, the fifth layer
of defense is the data layer.
At this layer, we've
arrived at the critical data
that must be protected,
like personally
identifiable information.
One security control
that is important here
in this final layer of defense
is assets classification.
Like I mentioned earlier,
information passes in and out
of each of these
five layers whenever
it's exchanged over a network.
There are many more security
controls, aside from the few
that I mentioned, that are part
of the defense in depth model.
A lot of businesses design
their security systems
using the defense
in depth model.
Understanding this framework
hopefully gives you
a better sense of how an
organization's security
controls work together to
protect important assets.
We've discussed before that
security is a team effort.
Did you know the
group extends well
beyond a single security team?
Protecting information
is a global effort.
When it comes to
vulnerabilities,
there are actually
online public libraries.
Individuals and
organizations use
them to share and document
common vulnerabilities
and exposures.
We've been focusing a
lot on vulnerabilities.
Exposures are similar, but
they have a key difference.
While a vulnerability is
a weakness of a system,
an exposure is a mistake that
can be exploited by a threat.
For example, imagine
you're asked to protect
an important document.
Documents are vulnerable
to being misplaced.
If you laid the document
down near an open window,
it could be exposed
to being blown away.
One of the most popular
libraries of vulnerabilities
and exposures is the CVE list.
The Common Vulnerabilities and
Exposures list, or CVE list,
is an openly
accessible dictionary
of known vulnerabilities
and exposures.
It is a popular resource.
Many organizations
use the CVE list
to find ways to
improve their defenses.
The CVE list was
originally created
by MITRE Corporation in 1999.
MITRE is a collection
of nonprofit research
and development centers.
They're sponsored by
the US government.
Their focus is on improving
security technologies
around the world.
The main purpose
of the CVE list is
to offer a standard way of
identifying and categorizing
known vulnerabilities
and exposures.
Most CVEs in the
list are reported
by independent researchers,
technology vendors,
and ethical hackers.
But anyone can report one.
Before a CVE can make
it onto the CVE list,
it first goes through
a strict review process
by a CVE numbering
authority, or CNA.
A CNA is an organization
that volunteers
to analyze and distribute
information on eligible CVEs.
All of these groups have
an established record
of researching vulnerabilities
and demonstrating
security advisory capabilities.
When a vulnerability or
exposure is reported to them,
a rigorous testing
process takes place.
The CVE list tests four criteria
that a vulnerability must have
before it's assigned an ID.
First, it must be
independent of other issues.
In other words,
the vulnerability
should be able to be
fixed without having
to fix something else.
Second, it must be recognized
as a potential security risk
by whoever reports it.
Third, the vulnerability
must be submitted
with supporting evidence.
And finally, the
reported vulnerability
can only affect one code
base, or in other words, only
one program source code.
For instance, the
desktop version of Chrome
may be vulnerable, but the
Android application may not be.
If the reported flaw
passes all of these tests,
it is assigned a CVE ID.
Vulnerabilities
added to the CVE list
are often reviewed by other
online vulnerability databases.
These organizations put them
through additional tests
to reveal how
significant the flaws are
and to determine what
kind of threat they pose.
One of the most popular is the
NIST National Vulnerability
Database.
The NIST National
Vulnerability Database
uses what's known as the Common
Vulnerability Scoring System,
or CVSS, which is a
measurement system that
scores the severity
of a vulnerability.
Security teams use CVSS
as a way of calculating
the impact a vulnerability
could have on a system.
They also use them to determine
how quickly a vulnerability
should be patched.
The NIST National
Vulnerability Database
provide a base score of
CVEs on a scale of 0 to 10.
Base scores reflect the moment
a vulnerability is evaluated,
so they don't change over time.
In general, a CVSS
that scores below a 4.0
is considered to be
low-risk and doesn't
require immediate attention.
However, anything above
a 9.0 is considered
to be a critical risk
to company assets
that should be
addressed right away.
Security teams commonly use
the CVE list and CVSS scores
as part of their vulnerability
management strategy.
These references
provide recommendations
for prioritizing security
fixes, like installing software
updates before patches.
Libraries like the CVE list help
organizations answer questions.
Is a vulnerability
dangerous to our business?
If so, how soon
should we address it?
These online libraries bring
together diverse perspectives
from across the world.
Contributing to this effort
is one of my favorite parts
of working in this field.
Keep gaining experience, and I
hope you will participate too.
Our exploration of the
vulnerability management
process so far has been
focused on a couple of topics.
We've discussed how
vulnerabilities influence
the design of defenses.
We've also talked about how
common vulnerabilities are
shared.
A topic we've yet to cover
is how vulnerabilities
are found in the first place.
Weaknesses and
flaws are generally
found during a
vulnerability assessment.
A vulnerability assessment
is an internal review process
of an organization's
security systems.
These assessments work
similar to the process
of identifying and
categorizing vulnerabilities
on the CVE list.
The main difference is an
organization's security team
performs, evaluates, scores,
and fixes them on their own.
Security analysts play a key
role throughout this process.
Overall, the goal of a
vulnerability assessment
is to identify weak points
and prevent attacks.
They're are also how
security teams determine
whether their security controls
meet regulatory standards.
Organizations perform
vulnerability assessments
a lot.
Because companies have so
many assets to protect,
security teams
sometimes need to select
which areas to focus on through
vulnerability assessments.
Once they decide
what to focus on,
vulnerability
assessments typically
follow a four-step process.
The first step is
identification.
Here, scanning tools
and manual testing
are used to find
vulnerabilities.
During the identification
step, the goal
is to understand the current
state of a security system,
like taking a picture of it.
A large number of
findings usually
appear after identification.
The next step of the process
is vulnerability analysis.
During this step, each of
the vulnerabilities that
were identified are tested.
Like being a digital
detective, the goal
of vulnerability analysis is to
find the source of the problem.
The third step of the
process is risk assessment.
During this step of
the process, a score
is assigned to
each vulnerability.
This score is assigned
based on two factors--
how severe the impact would
be if the vulnerability were
to be exploited and the
likelihood of this happening.
Vulnerabilities uncovered
during the first two
steps of this process
often outnumber the people
available to fix them.
Risk assessments are a way
of prioritizing resources
to handle the vulnerabilities
that need to be addressed based
on their score.
The fourth and final step
of vulnerability assessment
is remediation.
It's during this step that the
vulnerabilities that can impact
the organization are addressed.
Remediation occurs depending
on the severity score assigned
during the risk assessment step.
This part of the process
is normally a joint effort
between the security
staff and IT teams
to come up with
the best approach
to fixing the vulnerabilities
that were uncovered earlier.
Examples of remediation
steps might include things
like enforcing new
security procedures,
updating operating systems, or
implementing system patches.
Vulnerability assessments
are great for identifying
the flaws of a system.
Most organizations use
them to search for problems
before they happen.
But how do we know
where to search?
When we get together
again, we'll
explore how companies
figure this out.
There's a wide range of
vulnerabilities and systems
that need to be found.
Assessing those weaknesses
is a time-consuming process.
To position themselves
ahead of threats
and make the most of
their limited resources,
companies start by understanding
the environment surrounding
their operations.
An important part of this is
getting a sense of their attack
surface.
An attack surface is all the
potential vulnerabilities
that a threat actor
could exploit.
Analyzing the attack surface
is usually the first thing
security teams do.
For example, imagine
being part of a security
team of an old castle.
Your team would need to decide
how to allocate resources
to defenses.
Giant walls, stone
towers, and wooden gates
are a few common security
controls of these structures.
While these are all designed
to protect the assets inside
from attacks, they
don't exactly account
for all the possibilities.
What if the castle
were near the ocean?
If it were, these
defenses would be
vulnerable to long-range
attacks by ships.
A proper understanding
of the attack surface
would mean your security
team equipped the castle
with catapults that could deal
with these kinds of threats.
Modern organizations need
to concern themselves
with both a physical and
digital attack surface.
The physical attack
surface is made up
of people and their devices.
This surface can be
attacked from both inside
and outside the organization,
which makes it unique.
For example, let's consider
an unattended laptop
in a public space,
like a coffee shop.
The person responsible
for it walked away
while sensitive
company information
was visible on the screen.
This information is vulnerable
to external threats,
like a business competitor
who can easily record
the information and exploit it.
An internal threat of
this attack surface,
on the other hand, is
often angry employees.
These employees might
share an organization's
private information on purpose.
In general, the
physical attack surface
should be filled
with obstacles that
deter attacks from happening.
We call this process
security hardening.
Security hardening
is the process
of strengthening a system to
reduce its vulnerabilities
and attack surface.
In other words,
hardening is the act
of minimizing the attack
surface by limiting
its points of entry.
We do this a lot in security,
because the smaller the attack
surface, the easier
it is to protect.
In fact, some security controls
that we've explored previously,
like organization policies
and access controls,
are common ways that
organizations harden
their physical attack surface.
The digital attack surface
is a bit tougher to harden.
The digital attack
surface includes
everything that's beyond
our organization's firewall.
In other words, it
includes anything
that connects to an
organization online.
In the past, organizations
stored their data
in a single location.
This mainly consists of servers
that were managed on-site.
Accessing the information
stored on those servers
require connecting to the
network the workplace managed.
These days, information
is accessed outside
of an organization's
network because it's
stored in the cloud.
Information can be accessed
from anywhere in the world.
A person can be in
one part of the world,
fly to another
place, and continue
working, all while outside of
their organization's network.
Cloud computing has essentially
expanded the digital attack
surface.
Quicker access to information is
something we all benefit from,
but it comes with a cost.
Organizations of all sizes
are under more pressure
to defend against threats coming
from different entry points.
When we get together
next time, we'll
explore why this is
such a challenge.
To defend against
attacks, organizations
need to have more than
just the understanding
of the growing digital
landscape around them.
Positioning themselves
ahead of a cyber threat
also takes understanding
the type of attacks
that can be used against them.
Last time, we
began exploring how
the cloud has expanded
the digital attack surface
that organizations protect.
As a result, cloud
computing has led
to an increase in the number
of attack vectors available.
Attack vectors refer to
the pathways attackers use
to penetrate security defenses.
Like the doors and
windows of a home,
these pathways are the
exploitable features
of an attack surface.
One example of an attack
vector would be social media.
Another would be removable
media, like a USB drive.
Most people outside
of security assume
that cybercriminals are the
only ones out there exploiting
attack vectors.
While attack vectors are
used by malicious hackers
to steal information,
other groups use them too.
For example,
employees occasionally
exploit attack vectors
unintentionally.
This happens a lot with
social media platforms.
Sometimes, employees post
sensitive company news that
shouldn't have been shared.
At times, this same kind of
thing happens on purpose.
Social media platforms
are also vectors
that disgruntled employees
use to intentionally share
confidential information
that can harm the company.
We all treat attack
vectors as critical risks
to asset security.
Attackers typically put
forward a lot of effort
planning their attacks
before carrying them out.
It's up to us as
security professionals
to put an even greater amount
of effort into stopping them.
Security teams do this by
thinking of each vector
with an attacker mindset.
This starts with
a simple question.
How would we
exploit this vector?
We then go through a
step-by-step process
to answer our question.
First, when practicing
the attacker mindset,
we identify a target.
This could be specific
information, a system,
a person, a group, or
the organization itself.
Next, we determine how the
target can be accessed.
What information is available
that an attacker might
take advantage of
to reach the target?
Based on that information,
the third step
is to evaluate the
attack vectors that
can be exploited to gain entry.
And finally, we find the
tools and methods of attack.
What will the attackers
use to carry this out?
Along the way, practicing
an attacker mindset
provides valuable insight
into the best security
controls to implement
and the vulnerabilities
that need to be monitored.
Every organization has a
long list of attack vectors
to defend.
And while there are a lot
of ways to protect them,
there are a few common
rules for doing this.
One key to defending
attack vectors
is educating users about
security vulnerabilities.
These efforts are usually
tied to an event--
for example, advising
them about a new phishing
exploit that is targeting
users and the organization.
Another rule is applying the
principle of least privilege.
We've explored at
least privilege earlier
in this section.
It's the idea that access rights
should be limited to what's
required to perform a task.
Like we previously
explored, this practice
closes multiple security holes
inside our organization's
attack surface.
Next, using the right
security controls and tools
can go a long way towards
defending attack vectors.
Even the most
knowledgeable employees
make security mistakes,
like accidentally
clicking on a malicious
link in an email.
Having the right
security tools in place,
like antivirus software,
helps to defend attack vectors
more efficiently and reduce
the risk of human error.
Last but not least is building
a diverse security team.
This is one of the
best ways to reduce
the risk of attack vectors
and prevent future attacks.
Your own unique
perspective can greatly
improve a security
team's ability
to apply an attacker's mindset
and stay one step ahead
of potential threats.
Keeping yourself informed is
always important in this field.
You're already off
to a great start,
so keep up the good work.
Here we are, at the
end of this section.
Can you believe it?
I had so much fun exploring
the world of vulnerabilities.
I hope you felt the same.
And more importantly,
I hope you got
a better sense of how complex a
landscape the digital world is.
This environment
is filled with gaps
that attackers can use to gain
unauthorized access to assets,
making it a challenge to defend.
We've explored a
lot of information
this time around,
so let's quickly
recap what we've covered.
You've learned about the
vulnerability management
process, starting with the
defense in depth model.
You learned about the layers
of this security framework
and how each of
them work together
to build a stronger defense.
You then learned
about the CVE list
that's used to find
cataloged vulnerabilities.
This is a great addition to
your growing security toolbox.
After that, you learned
of the attack surfaces
that businesses protect.
We discussed physical
and digital surfaces
and the challenges of
defending the cloud.
We finished up by exploring
common attack vectors,
where you learned how
security teams use an attacker
mindset to identify the security
gaps that cybercriminals
try to exploit.
Every one of the vulnerabilities
that we've discussed so far
is faced with a
number of threats.
When we get back
together, we're going
to expand our attacker
mindset even further
by exploring specific
types of attacks
that cyber criminals
commonly use.
We'll look at
things like malware
and the techniques attackers use
to compromise defense systems.
By exploring how these
tools and tactics work,
you'll gain a
clearer understanding
of the threats they pose.
Well then wrap up
by investigating
how security teams stop
these threats from damaging
our organization's operations,
their reputation, and most
importantly, their
customers and employees.
You've done a fantastic
job getting to this point.
When you're ready, let's
finish the journey together.
I'm looking forward to
being back with you again.
Here we are, the final
section of the course.
What an amazing job
you've done so far.
Putting in the time,
dedication, and hard work
to get to this
point is definitely
something to celebrate.
But we're not through yet.
As we near the end
of this course,
now's the time to focus
and finish strong.
Let's turn our
attention to threats.
We've already explored
assets, vulnerabilities,
and the controls
used to protect both.
A common theme between
those two topics
has been the wide range of
assets and vulnerabilities
out there.
The world of threats
is no different.
If you recall, threats are
any circumstance or event that
can negatively impact assets.
In this part of
the course, you're
going to expand your
security mindset
by getting a high-level view
of the most dangerous threats
facing organizations today.
First, we're going to begin by
exploring social engineering
tactics, psychological tricks
that attackers use to gain
unauthorized access to assets.
Next, we'll explore a
common type of threat
that's been around since the
start of personal computers--
malware.
We're going to spend
some time investigating
the major types of malware.
After that, we'll
turn our attention
to web-based exploits.
Most organizations these days
operate in a digital space,
and many of them are new to it.
In this section of
the course, you're
going to learn about some
of the most common threats
that organizations face online.
Finally, after
exploring common threats
that organizations
deal with, we're
going to wrap up by exploring
the threat modeling process.
Understanding threats is
essential for security
analysts, and there's a lot to
cover, so let's get started.
When you hear the word "cyber
criminal," what comes to mind?
You may imagine a hacker hunched
over a computer in a dark room.
If this is what came to
mind, you're not alone.
In fact, this is what most
people outside of security
think of.
But online criminals
aren't always
that different from those
operating in the real world.
Malicious hackers are just
one type of online criminal.
They are a specific
kind that relies
on sophisticated computer
programming skills
to pull off their attacks.
There are other ways to
commit crimes that don't
require programming skills.
Sometimes, criminals rely on
a more traditional approach--
manipulation.
Social engineering is a
manipulation technique
that exploits human error
to gain private information,
access, or valuables.
These tactics trick people
into breaking normal security
procedures on the
attacker's behalf.
This can lead to data exposures,
widespread malware infections,
or unauthorized access
to restricted systems.
Social engineering attacks
can happen anywhere.
They happen online, in person,
and through other interactions.
Threat actors use
many different tactics
to carry out their attacks.
Some attacks can take a
matter of seconds to perform.
For example, someone
impersonating tech support
asks an employee for their
password to fix their computer.
Other attacks can
take months or longer,
such as threat actors monitoring
an employee's social media.
The employee might
post a comment
saying they've gotten
a temporary position
in a new role at the company.
An attacker might use
an opportunity like this
to target the
temporary worker, who
is likely to be less
knowledgeable about security
procedures.
Regardless of the time frame,
knowing what to look for
can help you quickly
identify and stop
an attack in its tracks.
There are multiple stages of
social engineering attacks.
The first is usually to prepare.
At this stage, attackers gather
information about their target.
Using the intel, they'll
determine the best way
to exploit them.
In the next, stage
attackers establish trust.
This is often referred
to as pretexting.
Here, attackers
use the information
they gather earlier to open
a line of communication.
They'll typically
disguise themselves
to trick their target into
a false sense of trust.
After that, attackers
used persuasion tactics.
This stage is where the earlier
preparation really matters.
This is when the attacker
manipulates their target
into volunteering information.
Sometimes, they do this by
using specific vocabulary that
makes them sound like a
member of the organization.
The final stage
of the process is
to disconnect from the target.
After they collect the
information they want,
attackers break communication
with their target.
They disappear to
cover their tracks.
Criminals who use social
engineering are stealthy.
The digital world has
expanded their capabilities.
It's also created more ways
for them to go unnoticed.
Still, there are ways that
we can prevent their attacks.
Implementing
managerial controls,
like policies, standards,
and procedures,
are one of the first
lines of defense.
For example, businesses often
follow the patch management
standard defined in this
special publication 800-40.
These standards are used
to create procedures
for updating operating systems,
applications, and firmware
that can be exploited.
Staying informed of trends
is also a major priority
for any security professional.
An even better defense against
social engineering attacks
is sharing what you
know with others.
Attackers play on our
natural curiosity and desire
to help one another.
Their hope is that
targets won't think
too hard about what's going on.
Teaching the signs
of attack to others
goes a long way towards
preventing threats.
Social engineering is
a threat to the assets
and privacy of both
individuals and organizations.
Malicious attackers use
a variety of tactics
to confuse and
manipulate their targets.
When we get back
together next time,
we're going to explore
one of the most commonly
used techniques that's a major
problem for organizations
of all sizes.
Cyber criminals
prefer attacks that
do the most amount of
damage with the least
amount of effort.
One of the most popular forms
of social engineering that meets
this description is phishing.
Phishing is the use of
digital communications
to trick people into
revealing sensitive data
or deploying malicious software.
Phishing leverages many
communication technologies,
but the term is mainly
used to describe
attacks that arrive by email.
Phishing attacks don't
just affect individuals.
They are also harmful
to organizations.
A single employee that falls
for one of these tricks
can give malicious
attackers access to systems.
Once inside, attackers can
exploit sensitive data,
like customer names
and product secrets.
Attackers who carry
out these attacks
commonly use phishing kits.
A phishing kit is a collection
of software tools needed
to launch a phishing campaign.
People with little
technical background
can use one of these kits.
Each of the tools inside are
designed to avoid detection.
As a security
professional, you should
be aware of the three main
tools inside a phishing kit
so that you can quickly
identify when they're being used
and put a stop to it.
The first is
malicious attachments.
These are files that are
infected and can cause harm
to the organization's systems.
Phishing kits also include
fake data collection forms.
These forms look like
legitimate forms, like a survey.
Unlike a real survey, they
ask for sensitive information
that isn't normally
asked for in an email.
The third resource they include
are fraudulent web links.
These open to
malicious web pages
that are designed to
look like trusted brands.
Unlike actual websites,
these fraudulent sites
are built to steal information,
like login credentials.
Cybercriminals can use these
tools to launch a phishing
attack in many forms.
The most common is
through malicious emails.
However, they can use them in
other forms of communication
too.
Most recently,
cybercriminals are
using smishing and vishing to
trick people into revealing
private information.
Smishing is the use
of text messages
to obtain sensitive information
or to impersonate a known
source.
You probably received these
type of messages before.
Not only are smishing
messages annoying to receive,
they're also
difficult to prevent.
That's why some
attackers send them.
Some smishing messages
are easy to detect.
They might show signs
of being malicious,
like promising a cash reward for
clicking a attached link that
shouldn't be clicked.
Other times, smishing
is hard to spot.
Attackers sometimes
use local area codes
to appear legitimate.
Some hackers can even
send messages disguised
as friends and families
of their target
to fool them into disclosing
sensitive information.
Vishing is the exploitation of
electronic voice communication
to obtain sensitive information
or impersonate a known source.
During vishing
attacks, criminals
pretend to be
someone they're not.
For example, attackers
might call pretending
to be a company representative.
They might claim that there's
a problem with your account,
and they can offer to fix
it if you provide them
with sensitive information.
Most organizations use a
few basic security measures
to prevent these and any other
types of phishing attacks
from becoming a problem.
For example,
anti-phishing policies
spread awareness
and encourage users
to follow data security
procedures correctly.
Employee training
resources also help
inform employees about
things to look for when
an email looks suspicious.
Another line of defense
against phishing
is securing email inboxes.
Email filters are commonly
used to keep harmful messages
from reaching users.
For example, specific
email addresses
can be blocked
using a block list.
Organizations often use other
filters, like allow lists,
to specify IP addresses that
are approved to send mail
within the company.
Organizations also use
intrusion prevention systems
to look for unusual
patterns in email traffic.
Security analysts use
monitoring tools like this
to spot suspicious
emails, quarantine them,
and produce a log of events.
Phishing campaigns are
popular and dangerous forms
of social engineering that
organizations of all sizes
need to deal with.
Just a single
compromised password
that an attacker can
get their hands on
can lead to a
costly data breach.
Now that you're familiar with
the tools these attackers use,
you're better equipped to
spot phishing and prevent it.
People and computers are very
different from one another.
There is one way
that we're alike.
You know how?
We're both vulnerable
to getting an infection.
While humans can be
infected by a virus that
causes a cold or flu, computers
can be infected by malware.
Malware is software designed
to harm devices or networks.
Malware, which is short
for malicious software,
can be spread in many ways.
For example, it could be spread
through an infected USB drive,
or also commonly spread
between computers online.
Devices and systems that are
connected to the internet
are especially
vulnerable to infection.
When a device becomes
infected, malware
interferes with its
normal operations.
Attackers use malware to take
control of the infected system
without the user's
knowledge or permission.
Malware has been a threat
to people and organizations
for a long time.
Attackers have created many
different strains of malware.
They all vary in
how they're spread.
Five of the most
common types of malware
are a virus, worm, Trojan,
ransomware, and spyware.
Let's take a look at
how each of them work.
A virus is malicious
code written
to interfere with
computer operations
and cause damage to
data and software.
Viruses typically hide inside
of trusted applications.
When the infected
program is launched,
the virus clones
itself and spreads
to other files on the device.
An important
characteristic of viruses
is that they have to be
activated by the user
to start the infection.
The next kind of malware
doesn't have this limitation.
A worm is malware that can
duplicate and spread itself
across systems on its own.
While viruses require
users to perform an action,
like opening a
file to duplicate,
worms using infected
device as a host.
They scan the connected
network for other devices.
Worms then infect
everything on the network
without requiring an action
to trigger the spread.
Viruses and worms are delivered
through phishing emails
and other methods before
they infect a device.
Making sure you click links
only from trusted sources
is one way to avoid
these types of infection.
However, attackers have designed
another form of malware that
can get past this precaution.
A Trojan, or Trojan
horse, is malware
that looks like a
legitimate file or program.
The name is a reference
to an ancient Greek legend
that's set in the city of Troy.
In Troy, a group of soldiers
hid inside a giant wooden horse
that was presented as a
gift to their enemies.
It was accepted and brought
inside the city walls.
Later that evening, the
soldiers inside of the horse
climbed out and
attacked the city.
Like this ancient
tale, attackers design
Trojans to appear harmless.
This type of malware
is typically disguised
as files or useful applications
to trick their target
into installing them.
Attackers often use Trojans
to gain access and install
another kind of malware
called ransomware.
Ransomware is a type
of malicious attack
where attackers encrypt an
organization's data and demand
payment to restore access.
These kind of attacks have
become very common these days.
A unique feature of
ransomware attacks
is that they make themselves
known to their targets.
Without doing
this, they couldn't
collect the money they demand.
Normally, they decrypt
the hidden data
as soon as the sum
of money is paid.
Unfortunately,
there's no guarantee
they won't return
to demand more.
The last type of malware I
want to mention is spyware.
Spyware is malware that's used
to gather and sell information
without consent.
"Consent" is a key
word in this case.
Organizations also
collect information
about their customers,
like their browsing habits
and purchase history.
However, they always
give their customers
the ability to opt out.
Cybercriminals,
on the other hand,
use spyware to
steal information.
They use spyware
attacks to collect data
like login credentials,
account PINs,
and other types of
sensitive information
for their own personal gain.
There are many other types
of malware besides these,
and new forms are
always evolving.
They all pose a serious risk to
individuals and organizations.
Next time, we'll explore
how security teams detect
and remove these
kinds of threats.
Malware has been around
nearly as long as computers.
In its earliest forms, it
was used by troublemakers
as a form of digital vandalism.
In today's digital
world, malware
has become a profitable
crime that attackers use
for their own financial gain.
As a security professional,
it's important
that you remain aware of
the latest evolutions.
Let's take a closer look at
one way malware has evolved.
We'll then use this
example to consider
how malware can be spotted
and how you can proactively
protect against malware,.
Ransomware is one of the
types of malware attackers
use to steal money.
Another and more recent type
of malware is cryptojacking.
Cryptojacking is
a form of malware
that installs software
to illegally mine
cryptocurrencies.
You may be familiar with
cryptocurrency from the news.
If you're new to the
topic, cryptocurrencies
are a form of digital money
that have real-world value.
Like physical forms of currency,
there are many different types.
For the most part, they're
referred to as coins or tokens.
In simple terms, crypto
mining is a process
used to obtain new coins.
Crypto mining is similar
to the process for mining
for other resources, like gold.
Mining for something
like gold involves
machinery, such as
trucks and bulldozers
that can dig through the Earth.
Crypto coins, on the other
hand, use computers instead.
Rather than digging
through the Earth,
the computers run software
that dig through billions
of lines of encrypted code.
When enough code is processed,
a crypto coin can be found.
Generally, more computers
mining for coins
meaning more cryptocurrency
can be discovered.
Criminals unfortunately
figured this out.
Beginning in 2017,
cryptojacking malware
started being used to
gain unauthorized control
of personal computers
to mine cryptocurrency.
Since that time,
cryptojacking techniques
have become more sophisticated.
Criminals now regularly
target vulnerable servers
to spread their mining software.
Devices that communicate with
the infected server become
infected themselves.
The malicious code then runs
in the background, mining
for coins unknown to anyone.
Cryptojacking software
is hard to detect.
Luckily, security professionals
have sophisticated tools
that can help.
An intrusion detection
system, or IDS,
is an application that
monitors system activity
and alerts some
possible intrusions.
When abnormal
activity is detected,
like malware mining
for coins, the IDS
alerts security personnel.
Despite their usefulness,
detection systems
have a major drawback.
New forms of malware
can remain undetected.
Fortunately, there
are subtle signs
that indicate a
device is infected
with cryptojacking software
or other forms of malware.
By far the most telling sign
of a cryptojacking infection
is slowdown.
Other signs include increased
CPU usage, sudden system
crashes, and
fast-draining batteries.
Another side is unusually
high electricity costs
related to the
resource-intensive process
of crypto mining.
It's also good to know that
there are certain measures you
can take to reduce the
likelihood of experiencing
a malware attack
like cryptojacking.
These defenses include things
like using browser extensions
designed to block malware,
using ad blockers, disabling
JavaScript, and staying
alert on the latest trends.
Security analysts
can also educate
others in their organizations
on malware attacks.
While cryptojacking is
still relatively new,
attacks are becoming
more common.
The type of malicious
code cybercriminals spread
is continually evolving.
It takes many
years of experience
to analyze new forms of malware.
Nevertheless, you're
well on your way
towards helping defend
against these threats.
Previously, we explored
a few types of malware.
Whether it's installed
on an individual computer
or a network server,
all malicious software
needs to be delivered to the
target before it can work.
Phishing and other social
engineering techniques
are common ways for
malware to be delivered.
Another way it's spread is
using a broad class of threats
known as web-based exploits.
Web-based exploits are
malicious code or behavior
that's used to take advantage
of coding flaws in a web
application.
Cybercriminals target
web-based exploits
to obtain sensitive
personal information.
Attacks occur because
web applications
interact with multiple users
across multiple networks.
Malicious hackers
commonly exploit
this high level of interaction
using injection attacks.
An injection attack is
malicious code inserted
into a vulnerable application.
The infected application often
appears to work normally.
That's because the injected
code runs in the background,
unknown to the user.
Applications are vulnerable
to injection attacks
because they are programmed
to receive data inputs.
This could be something the user
types, clicks, or something one
program is sharing with another.
When coded correctly,
applications
should be able to interpret
and handle user inputs.
For example, let's
say an application
is expecting the user
to enter a phone number.
This application should
validate the input
from the user to make sure the
data is all numbers and not
more than 10 digits.
If the input from
the user doesn't
meet these requirements,
the application
should know how to handle it.
In programming, this is
known as input sanitization.
Input sanitization
is programming
that validates inputs from
users in other programs.
Injection attacks mainly
affect applications
that fail to sanitize inputs.
Because of this,
web applications
are one of the most vulnerable
targets for injection attacks.
Web apps interact with multiple
users across many platforms.
They also have a lot
of interactive objects,
like images and buttons.
This makes it challenging
for developers
to think of all the ways they
should sanitize their input.
A common and dangerous
type of injection attack
that's a threat to web apps
is cross-site scripting.
Cross-site scripting, or
XSS, is an injection attack
that inserts code into a
vulnerable website or web
application.
These attacks are
often delivered
by exploiting the two languages
used by most websites, HTML
and JavaScript.
Both can give cybercriminals
access to everything
that loads on the
infected web page.
This can include session
cookies, geolocation, and even
webcams and microphones.
There are three main types of
cross-site scripting attacks,
reflected, stored,
and DOM-based.
A reflected XSS
attack is an instance
where a malicious script
is sent to the server
and activated during
the server's response.
A common example of this is
the search bar of a website.
In a reflected XSS attack,
criminals send their target
a web link that appears
to go to a trusted site.
When they click the link,
it sends the HTTP request
to the vulnerable site server.
The attacker's script is then
returned, or reflected, back
to the innocent user's browser.
Here, the browser loads
the malicious script
because it trusts the
server's response.
With the script
loaded, information
like session cookies are
sent back to the attacker.
In a stored XSS attack,
the malicious script
isn't hidden in a link that
needs to be sent to the server.
Instead, a stored XSS
attack is an instance
where malicious script
is injected directly
on the server.
Here, attackers target
elements of a site
that are served to the user.
This could be things
like images and buttons
that load when the
site is visited.
Infected elements activate
the malicious code
when a user simply
visits the site.
Stored XSS attacks
can be damaging
because the user has no way of
knowing the site is infected
beforehand.
Finally, there's DOM-based XSS.
D-O-M stands for document
object model, which is basically
the source code of a website.
A DOM-based XSS
attack is an instance
where malicious script exists
in the web page a browser loads.
Unlike reflected
XSS, these attacks
don't need to be sent to
the server to activate.
In a DOM-based attack,
a malicious script
can be seen in the URL.
In this example, the website's
URL contains parameter values.
The parameter values
reflect input from the user.
Here, the site allows users
to select color themes.
When the user makes a selection,
it appears as part of the URL.
In a DOM-based attack,
criminals change the parameter
that's expecting an input.
For example, they could
hide malicious JavaScript
in the HTML tags.
The browser would
process the HTML
and execute the JavaScript.
Hackers use these methods
of cross-site scripting
to steal sensitive information.
Security analysts should
be familiar with this group
of injection attacks.
However, they're
not the only ones,
as we'll discover next time.
Let's keep exploring
injection attacks
by investigating another common
type of web-based exploit.
The next one we're going
to discuss exploits the way
websites access
information from databases.
Earlier in the program, you
may have learned about SQL.
You may recall, SQL is
a programming language
used to create, interact
with, and request information
from a database.
SQL is used by most
web applications.
For example, shopping
websites use it a lot.
Imagine the databases of
an online clothing store.
It likely contains
a full inventory
of all the items
the company sells.
Websites don't normally make
users enter the SQL queries
manually.
Instead, they use things like
menus, images, and buttons
to show users information
in a meaningful way.
For example, when
an online shopper
clicks a button to add
a sweater to their cart,
it triggers a SQL query.
The query runs in
the background,
where no one can see it.
You would never know from
using the menus and buttons
of a website, but sometimes,
those backend queries
are vulnerable to
injection attacks.
A SQL injection
is an attack that
executes unexpected
queries on a database.
Like cross-site
scripting, SQL injection
occurs due to the lack
of sanitized input.
The injections take
place in an area
of the website that are
designed to accept user input.
A common example is the
login form to access a site.
One of these forms might
trigger a backend SQL statement
like this when a user
enters their credentials.
Web forms like this
one are designed
to copy user input
into the statement
exactly as they're written.
The statement then
sends a request
to the server, which
runs the query.
Websites that are
vulnerable to SQL injection
inserts the user input
exactly as it's entered
before running the code.
Unfortunately, this is
a serious design flaw.
It commonly happens because
web developers expect people
to use their inputs correctly.
They don't anticipate
attackers exploiting them.
For example, an attacker might
insert additional SQL code.
This could cause the server
to run a harmful query of code
that it wasn't expecting.
Malicious hackers can
target these attack vectors
to obtain sensitive information,
modify tables, and even gain
administrative writes
to the database.
The best way to defend
against SQL injections
is code that will
sanitize the input.
Developers can
write code to search
for specific SQL characters.
This gives the server a clearer
idea of what inputs to expect.
One way this is done is
with prepared statements.
A prepared statement
is a coding technique
that executes SQL statements
before passing them
into the database.
When the user input is
unknown, the best practice
is to use these
prepared statements.
With just a few
extra lines of code,
a prepared statement
executes the code
before passing it
on to the server.
This means the code
can be validated
before performing the query.
Having well-written
code is one of the keys
to preventing SQL injection.
Security teams work
with program developers
to test applications for
these sort of vulnerabilities.
Like a lot of security
tasks, it's a team effort.
Injection attacks are
just one of many types
of web-based exploits that
security teams deal with.
We're going to explore
how security teams prepare
for injection attacks and
other kinds of threats.
Preparing for attacks
is an important job
that the entire security
team is responsible for.
Threat actors have many
tools they can use,
depending on their target.
For example, attacking
a small business
can be different from
attacking a public utility.
Each have different assets
and specific defenses
to keep them safe.
In all cases,
anticipating attacks
is the key to
preparing for them.
In security, we do that by
performing an activity known
as threat modeling.
Threat modeling is a
process of identifying
assets, their
vulnerabilities, and how
each is exposed to threats.
We apply threat modeling
to everything we protect.
Entire systems,
applications, or business
processes all get examined
from this security-related
perspective.
Creating threat models is a
lengthy and detailed activity.
They're normally performed by
a collection of individuals
with years of
experience in the field.
Because of that,
it's considered to be
an advanced skill in security.
However, that doesn't mean
you won't be involved.
There are several threat
modeling frameworks
used in the field.
Some are better suited
for network security.
Others are better for things
like information security
or application development.
In general, there are six
steps of a threat model.
The first is to define
the scope of the model.
At this stage, the
team determines
what they're building by
creating an inventory of assets
and classifying them.
The second step is
to identify threats.
Here, the team defines all
potential threat actors.
A threat actor is
any person or group
who presents a security risk.
Threat actors are characterized
as being internal or external.
For example, an
internal threat actor
could be an employee who
intentionally exposed an asset
to harm.
An example of an
external threat actor
could be a malicious hacker
or a competing business.
After threat actors
have been identified,
the team puts together what's
known as an attack tree.
An attack tree is a diagram
that maps threats to assets.
The team tries to be
as detailed as possible
when constructing this
diagram before moving on.
Step three of the
threat modeling process
is to characterize
the environment.
Here, the team applies
an attacker mindset
to the business.
They consider how the
customers and employees
interact with the environment.
Other factors they consider
are external partners
and third-party vendors.
At step four, their objective
is to analyze threats.
Here, the team works together
to examine existing protections
and identify gaps.
They then rank threats
according to their risk score
that they assign.
During step five, the team
decides how to mitigate risk.
At this point, the
group creates their plan
for defending against threats.
The choices here are to avoid
risk, transfer it, reduce it,
or accept it.
The sixth and final step
is to evaluate findings.
At this stage, everything that
was done during the exercise
is documented,
fixes are applied,
and the team makes note
of any successes they had.
They also record
any lessons learned
so they can inform how they
approach future threat models.
That's an overview of the
general threat modeling
process.
What we explored was just one
of many methods that exist.
Let's finish exploring
threat modeling
by taking a look at
real-world scenarios.
This time, we'll use a
standard threat modeling
process called PASTA.
Imagine that a
fitness company is
getting ready to launch
their first mobile app.
Before we can go
live, the company
asks their security team
to ensure the app will
protect customer data.
The team decides to
perform a threat model
using the PASTA framework.
PASTA is a popular threat
modeling framework that's
used across many industries.
PASTA is short for process for
attack simulation and threat
analysis.
There are seven stages
of the PASTA framework.
Let's go through each of
them to help this fitness
company get their app ready.
Stage one of the PASTA
threat model framework
is to define business
and security objectives.
Before starting
the threat model,
the team needs to decide
what their goals are.
The main objective
in our example
with the fitness company app
is protecting customer data.
The team starts by asking a
lot of questions at this stage.
They'll need to
understand things
like how personally identifiable
information is handled.
Answering these
questions is a key
to evaluating the
impact of threats
that they'll find along the way.
Stage two of the
pasta framework is
to define the technical scope.
Here, the team's focus is
to identify the application
components that
must be evaluated.
This is what we discussed
earlier as the attack surface.
For a mobile app,
this will include
technology that's involved while
data is at rest and in use.
This includes network
protocols, security controls,
and other data interactions.
At stage three of
PASTA, the team's job
is to decompose the application.
In other words, we
need to identify
the existing controls that will
protect user data from threats.
This normally means working
with the application developers
to produce a data flow diagram.
A diagram like
this would show how
data gets from a user's device
to the company's database.
It would also identify
the controls in place
to protect this
data along the way.
Stage four of PASTA is next.
The focus here is to
perform a threat analysis.
This is where the team gets
into their attacker mindset.
Here, research is
done to collect
the most up-to-date information
on the type of attacks
being used.
Like other technologies, mobile
apps have many attack vectors.
These changed
regularly, so the team
would reference resources
to stay up to date.
Stage five of pasta is
performing a vulnerability
analysis.
In this stage, the
team more deeply
investigates potential
vulnerabilities
by considering the
root of the problem.
Next is stage six of PASTA,
where the team conducts
attack modeling.
This is where the team tests
the vulnerabilities that
were analyzed in stage
five by simulating attacks.
The team does this by
creating an attack tree, which
looks like a flow chart.
For example, an attack
tree for our mobile app
might look like this.
Customer information, like
usernames and passwords,
is a target.
This data is normally
stored in a database.
We've learned that databases
are vulnerable to attacks
like SQL injection.
So we will add this attack
vector to our attack tree.
A threat actor might
exploit vulnerabilities
caused by unsanitized inputs
to attack this vector.
The security team uses
attack trees like this
to identify attack
vectors that need to be
tested to validate threats.
This is just one branch
of this attack tree.
An application
like a fitness app
typically has lots of branches
with a number of other attack
vectors.
Stage seven of pasta is to
analyze risk and impact.
Here, the team assembles
all the information
they've collected in
stages one through six.
By this stage, the
team is in position
to make informed risk
management recommendations
to business stakeholders
that align with their goals.
And with that, we
made it all the way
through a threat
modeling exercise
based on the PASTA framework.
Managing threats is
a major part of what
security professionals do.
In this part of
the course, we've
explored some common
types of cyber threats
that you will likely
encounter in the field.
Let's review.
We started off discussing
social engineering.
You learned that
attackers have a variety
of ways to trick their
targets into sharing
private information.
Social engineering
techniques rely
on exploiting people's trust
and willingness to help.
Phishing attacks are one
of the most common ways
that attackers go about
manipulating their targets.
Next, we explored malware.
Here, we discussed the
major classes of malware,
like viruses,
Trojans, and worms.
You learned how to spot
signs of infection.
You also learned how malware
has evolved and become more
sophisticated over the years.
After that, we
turned our attention
to web-based exploits,
specifically,
injection attacks.
You learned about cross-site
scripting and SQL injection,
two of the most common
types of attacks
facing organizations online.
We discussed how each of
these attacks are carried out.
You also learned about how
web applications can be
protected from malicious code.
Finally, we explored the
threat modeling process.
You learned the process
that security teams
use to perform these exercises.
Unfortunately, cyber attacks
and security breaches
are a reality that
we're challenged
with on a regular basis.
However, being aware of the
type of threats that exist
and the threat modeling
process provides
an important foundation for
your work as a security analyst.
Congratulations on making it
through the end of this course.
I can hardly believe our
time together is over.
Before moving on in the
certificate program,
I'd like to reflect on all the
amazing progress you've made.
When we started, were introduced
to a wide range of assets
organizations protect.
Our primary focus was
information security,
specifically,
digital information.
Here, you learned how
asset classification
helps security teams
focus their efforts
and prioritize resources.
We explored digital assets
and the three states of data.
We also learned how policies,
standards, and procedures can
mitigate organizational risks.
Our focus on the NIST
cybersecurity framework
introduced you to a
commonly used framework
for managing risks.
Afterwards, you learned about
fundamental security systems
and controls.
You got to explore
technology like encryption
that's used to protect
data in all its states.
You also learned
how technologies,
like public key infrastructure
and digital certificates,
are used to maintain the
confidentiality, integrity,
and availability of
information online.
And you also explored
access controls
that make up the
authentication, authorization,
and accounting framework.
Next, we explored common
vulnerabilities in systems.
During this part of the
course, you got an inside look
into how security teams position
themselves ahead of attacks.
We explored the defense
in depth strategy
that's applied to protect
information as it's exchanged
between parties online.
You also learned about
the Common Vulnerability
and Exposures list, the
vulnerability assessment
process, and attack
surfaces and attack vectors.
We then explored the major
threats to asset security,
like social
engineering, malware,
and web-based exploits.
Together, we discussed how
these attacks are carried out
and the way security teams
prevent them from doing damage.
We then finished up by exploring
the process of threat modeling.
We covered so much.
I really appreciate your
efforts through it all.
When I first started
my career in security,
my goal was to learn, network,
and embrace any opportunity.
I was able to attend security
conferences, received job tips,
earned references, and
volunteered to gain experience.
At that time, I would
have never imagined
that I'd be here teaching
what I've learned to others.
That just goes to show
you, your security journey
is only just beginning.
While our time
together is over, we
covered a lot of complex
topics, many of which
are areas of
specialization in security.
With the foundation
you built here,
you have a wide range of
possibilities to continue
growing in the field.
I'm so glad to
have played a part
in this step along your journey
into the world of security,
and I wish you all the best
as you continue forward
along your path.
[MUSIC PLAYING]

Help & FAQ

331. Working To Win

Transformed By Grace

Mar 28, 2026

Watch Read Summary

Why Some Goals Feel Effortless (and others hurt) - Chris Bailey

Chris Williamson

Mar 28, 2026

Watch Read Summary

Bulgaria's Forgotten Origins: What DNA Actually Proves About Their Ancestry

Viruses and Gods

Mar 28, 2026

Watch Read Summary

(more) cool websites to surf the web and stop doomscrolling

Ikoxun's Corner

Mar 28, 2026

Watch Read Summary

Nicholas Carlini - Black-hat LLMs | [un]prompted 2026

unprompted

GHL Wizard

Apr 04, 2026

Watch Read Summary

PDF

Introduction to the Security Field

1. The Building Blocks of Security

2. Asset Security

2.1 What Is an Asset?

2.2 Asset Inventory & Classification

2.3 Prioritizing Protection

3. Understanding Threats, Vulnerabilities, and Risk

4. Data as a Critical Asset

4.1 The Three States of Data

4.2 Information Security (InfoSec)

5. Security Plans: Policies, Standards, and Procedures

6. Compliance and the NIST Cybersecurity Framework (CSF)

7. Security Controls

7.1 Types of Controls

7.2 Privacy Controls & the Principle of Least Privilege

7.3 Cryptography Basics

7.4 Public Key Infrastructure (PKI)

7.5 Hash Functions

7.6 Access Controls (AAA Framework)

8. Defense in Depth

9. Vulnerability Management

9.1 The Process (Four Steps)

9.2 Defense‑in‑Depth Applied to Vulnerabilities

9.3 Public Vulnerability Libraries

9.4 Vulnerability Assessment Steps

10. Attack Surfaces & Vectors

10.1 Physical vs. Digital Attack Surface

10.2 Common Attack Vectors

11. Social Engineering & Phishing

12. Malware Overview

13. Web‑Based Exploits

13.1 Injection Attacks

14. Threat Modeling

14.1 General Steps

14.2 PASTA Framework (Example)

15. Recap of the Course Journey

16. What to Do Now – Action Steps

Takeaways

Frequently Asked Questions

Who is Google Career Certificates on YouTube?

Does this page include the full transcript of the video?

2.1 What Is an Asset?

Helpful resources related to this video

Share This Summary

Embed This Summary