
Module 4: Threats to asset security

You will explore common types of threats to digital asset security. You’ll also examine the tools and techniques used by cybercriminals to target assets. In addition, you’ll be introduced to the threat modeling process and learn ways security professionals stay ahead of security breaches.

Learning Objectives

  • Identify forms of social engineering.
  • Identify different types of malware.
  • Identify forms of web-based exploits.
  • Summarize the threat modeling process.

Social engineering


Video: Welcome to module 4

In the final section of the course, the focus is on threats, building upon the knowledge gained about assets, vulnerabilities, and controls. The instructor acknowledges the hard work of the learners and encourages them to finish strong. The section covers various aspects of threats, starting with an exploration of social engineering tactics, which involve psychological tricks used by attackers to gain unauthorized access to assets. The course then delves into malware, providing insights into major types.

Following that, the attention shifts to web-based exploits, recognizing the digital space in which many organizations operate today. The learners are introduced to common threats faced by organizations online. The section concludes by exploring the threat modeling process, emphasizing its importance for security analysts. Overall, the learners are guided through understanding and addressing the diverse and evolving landscape of threats organizations encounter.

Here we are! The final section of the course. What an amazing job you’ve done so far! Putting in the time, dedication, and hard work to get to this point is definitely something to celebrate. But we’re not through yet. As we near the end of this course, now’s the time to focus and finish strong.

Let’s turn our attention to threats. We’ve already explored assets, vulnerabilities, and the controls used to protect both. A common theme between those two topics has been the wide range of assets and vulnerabilities out there. The world of threats is no different. If you recall, threats are any circumstance or event that can negatively impact assets. In this part of the course, you’re going to expand your security mindset by getting a high-level view of the most dangerous threats facing organizations today.

First, we’re going to begin by exploring social engineering tactics, psychological tricks that attackers use to gain unauthorized access to assets. Next, we’ll explore a common type of threat that’s been around since the start of personal computers, malware. We’re going to spend some time investigating the major types of malware. After that, we’ll turn our attention to web-based exploits. Most organizations these days operate in a digital space, and many of them are new to it. In this section of the course, you’re going to learn about some of the most common threats that organizations face online. Finally, after exploring common threats that organizations deal with, we’re going to wrap up by exploring the threat modeling process. Understanding threats is essential for a security analyst, and there’s a lot to cover. So, let’s get started!

Video: The criminal art of persuasion

Key Points:

  • Cybercriminals aren’t just hackers; they also employ manipulation tactics like social engineering.
  • Social engineering exploits human error to gain access to information, systems, or valuables.
  • Attacks can be quick (e.g., impersonating tech support) or long-term (e.g., monitoring social media).
  • Stages of social engineering attacks:
    • Preparation: Gathering information and planning the exploit.
    • Establishing Trust: Using pretext and deception to build rapport.
    • Persuasion: Manipulating the target into divulging information or taking desired actions.
    • Disconnection: Breaking communication and covering tracks after achieving goals.
  • Defense against social engineering:
    • Implementing security policies and procedures.
    • Staying informed about attack trends.
    • Educating others about the signs of social engineering attacks.

Overall: Social engineering is a serious threat that organizations and individuals need to be aware of. By understanding their tactics and implementing appropriate defenses, we can mitigate the risk of falling victim to these attacks.

In the realm of cybersecurity, the battlefield often isn’t fought with brute force but with cunning persuasion. Cybercriminals, the digital Moriartys of our time, have mastered the art of manipulation, weaving webs of deceit to ensnare unsuspecting victims.

This tutorial delves into the dark underbelly of social engineering, the art of using psychological tricks and ploys to gain unauthorized access to information, systems, or resources. We’ll explore the tools of this criminal trade, dissect their tactics, and equip you with the knowledge to defend yourself and your organization from these persuasive predators.

The Weaponry of Persuasion:

Social engineers wield a diverse arsenal of weapons, each designed to exploit human vulnerabilities. Here are a few common tools in their kit:

  • Pretexting: Fabricating a believable scenario to gain trust and access. Imagine a “tech support” caller claiming your computer is infected, tricking you into revealing sensitive information.
  • Phishing: Sending emails or messages disguised as legitimate sources, like banks or government agencies, to lure you into clicking malicious links or divulging personal details.
  • Baiting: Offering seemingly irresistible deals or freebies laced with malware or hidden costs. Think tempting job offers or exclusive discounts too good to be true.
  • Scare tactics: Invoking fear or urgency to pressure victims into quick decisions, often bypassing security protocols. Imagine a fake ransomware alert demanding immediate payment.
  • Tailoring the approach: Skilled social engineers adapt their tactics to their target, exploiting specific interests, vulnerabilities, and knowledge gaps.

Dissecting the Persuasion Playbook:

Social engineering attacks typically follow a well-defined script:

  1. Reconnaissance: Gathering information about the target, their habits, and potential weaknesses.
  2. Building Rapport: Establishing trust and credibility through flattery, shared interests, or fabricated authority.
  3. Exploiting Vulnerabilities: Identifying and manipulating the target’s emotions, such as fear, curiosity, or greed, to elicit a desired response.
  4. Extracting the Prize: Obtaining the attacker’s desired information, access, or resources.
  5. Disappearing Act: Covering their tracks and evading detection.

Fortress Yourself Against Persuasion:

Knowing the enemy’s tactics is half the battle. Here are some ways to fortify your defenses against social engineering:

  • Critical Thinking: Approach every interaction with a healthy dose of skepticism. Question the sender, the urgency, and the legitimacy of any request.
  • Cyber Hygiene: Practice good password management, avoid suspicious links and attachments, and keep software updated to patch vulnerabilities.
  • Verify, Verify, Verify: Don’t hesitate to contact official sources directly to confirm the validity of any communication, especially those involving sensitive information.
  • Report and Share: If you suspect a social engineering attempt, report it to the relevant authorities and share your experience to raise awareness.

Remember: Social engineering is a continuous arms race. Cybercriminals constantly evolve their tactics, so staying vigilant and informed is crucial. By understanding their methods and implementing robust security practices, you can turn the tables on these digital con artists and keep your information and systems safe.

Further Exploration:

  • Kevin Mitnick, The Art of Deception: Learn from a reformed social engineer turned security expert.
  • Social-Engineer.org: A treasure trove of resources and case studies on social engineering tactics.
  • NIST Special Publication 800-53: the US federal catalog of security and privacy controls; its Awareness and Training (AT) control family covers training staff to recognize social engineering.

Let’s work together to build a more secure digital world, one where persuasion is used for good, not for criminal gain. Stay safe out there!

Bonus: Check out these TED Talks for deeper insights into the psychology of persuasion and social engineering:

  • Amy Cuddy: Your body language may shape who you are
  • Derren Brown: Secrets of persuasion
  • Pamela Meyer: How to spot a liar

By understanding the art of persuasion, both its positive and negative applications, we can become more discerning and resilient in the face of manipulation, both online and offline.

Which of the following may be stages of a social engineering attack? Select three answers.

Establish trust, Disconnect from the target, Use persuasion tactics

The stages of a social engineering attack may be to establish trust, use persuasion tactics, and disconnect from the target. An attack may also include preparing information about the target. The use of persuasion tactics is when the attacker manipulates their target into volunteering information.

When you hear the word “cybercriminal”, what comes to mind? You may imagine a hacker hunched over a computer in a dark room. If this is what came to mind, you’re not alone. In fact, this is what most people outside of security think of. But online criminals aren’t always that different from those operating in the real world. Malicious hackers are just one type of online criminal. They are a specific kind that relies on sophisticated computer programming skills to pull off their attacks. There are other ways to commit crimes that don’t require programming skills. Sometimes, criminals rely on a more traditional approach, manipulation.

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. These tactics trick people into breaking normal security procedures on the attacker’s behalf. This can lead to data exposures, widespread malware infections, or unauthorized access to restricted systems. Social engineering attacks can happen anywhere. They happen online, in person, and through other interactions. Threat actors use many different tactics to carry out their attacks. Some attacks can take a matter of seconds to perform. For example, someone impersonating tech support asks an employee for their password to fix their computer. Other attacks can take months or longer, such as threat actors monitoring an employee’s social media. The employee might post a comment saying they’ve gotten a temporary position in a new role at the company. An attacker might use an opportunity like this to target the temporary worker, who is likely to be less knowledgeable about security procedures. Regardless of the timeframe, knowing what to look for can help you quickly identify and stop an attack in its tracks.

There are multiple stages of social engineering attacks. The first is usually to prepare. At this stage, attackers gather information about their target. Using the intel, they’ll determine the best way to exploit them. In the next stage, attackers establish trust. This is often referred to as pretexting. Here, attackers use the information they gathered earlier to open a line of communication. They’ll typically disguise themselves to trick their target into a false sense of trust. After that, attackers use persuasion tactics. This stage is where the earlier preparation really matters. This is when the attacker manipulates their target into volunteering information. Sometimes they do this by using specific vocabulary that makes them sound like a member of the organization. The final stage of the process is to disconnect from the target. After they collect the information they want, attackers break communication with their target. They disappear to cover their tracks.

Criminals who use social engineering are stealthy. The digital world has expanded their capabilities. It’s also created more ways for them to go unnoticed. Still, there are ways that we can prevent their attacks. Implementing managerial controls like policies, standards, and procedures is one of the first lines of defense. For example, businesses often follow the patch management standard defined in NIST Special Publication 800-40. These standards are used to create procedures for updating operating systems, applications, and firmware that can be exploited. Staying informed of trends is also a major priority for any security professional. An even better defense against social engineering attacks is sharing what you know with others. Attackers play on our natural curiosity and desire to help one another. Their hope is that targets won’t think too hard about what’s going on. Teaching the signs of attack to others goes a long way towards preventing threats.

Social engineering is a threat to the assets and privacy of both individuals and organizations. Malicious attackers use a variety of tactics to confuse and manipulate their targets. When we get back together next time, we’re going to explore one of the most commonly used techniques that’s a major problem for organizations of all sizes.

Reading: Social engineering tactics


Video: Phishing for information

  • Phishing is a popular social engineering attack that uses fake emails, texts, or calls to trick victims into revealing sensitive information or deploying malware.
  • Phishing kits provide attackers with pre-built tools for launching phishing campaigns, including malicious attachments, fake data collection forms, and fraudulent web links.
  • Beyond email: Phishing tactics have evolved to include smishing (text messages) and vishing (voice calls) to target victims.
  • Defense strategies: Organizations can implement various security measures like anti-phishing policies, employee training, email filters, intrusion prevention systems, and monitoring tools to prevent phishing attacks.
  • Awareness is key: Understanding phishing tools and tactics empowers individuals and organizations to identify and stop these attacks before they cause harm.

Key takeaways:

  • Phishing is a widespread threat, adaptable to different communication channels.
  • Organizations need a multi-layered defense strategy to protect against phishing attacks.
  • Individual awareness and critical thinking are crucial for identifying and avoiding phishing attempts.

Bonus points:

  • The passage emphasizes the importance of employee training and security awareness programs.
  • It highlights the evolving nature of phishing tactics and the need for constant vigilance.

Phishing, the art of tricking people into divulging sensitive information or downloading malware, is a prevalent and evolving threat in today’s digital landscape. As a security professional or an individual concerned about online safety, understanding phishing tactics is crucial to staying vigilant and protecting yourself and your organization.

The Bait:

Phishers cast their nets wide, using various communication channels to reach their targets. The most common bait is the email, often disguised as legitimate messages from banks, government agencies, or even trusted friends and family. These emails may contain:

  • Urgent pleas: Warning of account closures, legal action, or missed opportunities to pressure immediate action.
  • Enticing offers: Promising free gifts, discounts, or exclusive access to lure victims into clicking malicious links.
  • Worrisome threats: Alerting of malware infections or security breaches to instill fear and encourage quick response.

The Hook:

Once the bait is taken, the message itself does the work. Look closely at:

  • Personalized details: Emails may reference specific account information or past interactions, often harvested from public sources, to appear more convincing.
  • Grammatical errors and typos: Not always present, but a red flag when they are, since legitimate organizations typically hold their customer communication to a high standard.
  • Suspicious attachments or links: Opening the attachment can install malware; following the link lands you on a look-alike site built to capture your credentials.

The Bite:

If successful, phishers extract sensitive information like:

  • Login credentials: usernames, passwords, and PINs for accessing bank accounts, social media profiles, or other online services.
  • Financial information: credit card numbers, bank account details, or Social Security numbers.
  • Personal data: home address, phone number, date of birth, or other personally identifiable information.

Beyond Email:

Phishing isn’t limited to emails. Phishers can also use:

  • Smishing: Sending deceptive text messages to trick victims into clicking malicious links or downloading malware.
  • Vishing: Making phone calls pretending to be representatives of legitimate organizations to extract information.
  • Social media: Creating fake profiles or hijacking existing ones to spread phishing messages or lure victims to malicious websites.

Protecting Yourself:

Here are some tips to avoid becoming a phishing victim:

  • Be skeptical: Don’t trust unsolicited emails, texts, or calls, even if they appear to come from a familiar source.
  • Hover over links: Before clicking, compare the link’s real destination (the address your mail client shows on hover) with the text it displays and with the organization’s genuine domain. The name in the From field is trivially spoofed, so the link target tells you more than the sender does.
  • Inspect attachments: Don’t open attachments from unknown senders, and be cautious even with trusted senders, whose accounts may themselves have been compromised.
  • Strengthen passwords: Use strong, unique passwords for all your online accounts and enable two-factor authentication where available, so a stolen password alone is not enough.
  • Keep software updated: Regularly update your operating system, web browser, and other software to patch vulnerabilities.
  • Report suspicious activity: If you suspect a phishing attempt, report it to your own organization’s security team and to the organization being impersonated; many publish an abuse mailbox for exactly this purpose.

Remember: Phishing is a continuous game of cat and mouse. New tactics and techniques emerge constantly. Staying informed about the latest phishing trends and practicing good cybersecurity hygiene are critical to staying safe in the digital world.

Additional Resources:

  • OpenPhish: A continuously updated feed of live phishing URLs.
  • Anti-Phishing Working Group (APWG): A non-profit organization dedicated to fighting phishing attacks.
  • Federal Trade Commission (FTC): Consumer information and resources on phishing scams.

By understanding the different aspects of “phishing for information,” you can equip yourself with the knowledge and tools to navigate the online world safely and securely. Remember, vigilance and awareness are your best defenses against these cybercriminals.

Which of the following is a form of phishing? Select two answers.

Vishing, Smishing

Smishing and vishing are types of phishing. Smishing is a type of phishing that uses text messages to deceive users into sharing sensitive information.

Cybercriminals prefer attacks that do the most amount of damage with the least amount of effort. One of the most popular forms of social engineering that meets this description is phishing. Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software. Phishing leverages many communication technologies, but the term is mainly used to describe attacks that arrive by email. Phishing attacks don’t just affect individuals. They are also harmful to organizations. A single employee that falls for one of these tricks can give malicious attackers access to systems. Once inside, attackers can exploit sensitive data like customer names and product secrets.

Attackers who carry out these attacks commonly use phishing kits. A phishing kit is a collection of software tools needed to launch a phishing campaign. People with little technical background can use one of these kits. Each of the tools inside is designed to avoid detection. As a security professional, you should be aware of the three main tools inside a phishing kit, so that you can quickly identify when they’re being used and put a stop to it. The first is malicious attachments. These are files that are infected and can cause harm to the organization’s systems. Phishing kits also include fake data collection forms. These forms look like legitimate forms, like a survey. Unlike a real survey, they ask for sensitive information that isn’t normally asked for in an email. The third resource they include is fraudulent web links. These open to malicious web pages that are designed to look like trusted brands. Unlike actual websites, these fraudulent sites are built to steal information, like login credentials.

Cybercriminals can use these tools to launch a phishing attack in many forms. The most common is through malicious emails. However, they can use them in other forms of communication too. Most recently, cybercriminals are using smishing and vishing to trick people into revealing private information. Smishing is the use of text messages to obtain sensitive information or to impersonate a known source. You’ve probably received these types of messages before. Not only are smishing messages annoying to receive, they’re also difficult to prevent. That’s why some attackers send them. Some smishing messages are easy to detect. They might show signs of being malicious like promising a cash reward for clicking an attached link that shouldn’t be clicked. Other times, smishing is hard to spot. Attackers sometimes use local area codes to appear legitimate. Some hackers can even send messages disguised as friends and families of their target to fool them into disclosing sensitive information. Vishing is the exploitation of electronic voice communication to obtain sensitive information or impersonate a known source. During vishing attacks, criminals pretend to be someone they’re not. For example, attackers might call pretending to be a company representative. They might claim that there’s a problem with your account. And they can offer to fix it if you provide them with sensitive information.

Most organizations use a few basic security measures to prevent these and any other types of phishing attacks from becoming a problem. For example, anti-phishing policies spread awareness and encourage users to follow data security procedures correctly. Employee training resources also help inform employees about things to look for when an email looks suspicious. Another line of defense against phishing is securing email inboxes. Email filters are commonly used to keep harmful messages from reaching users. For example, specific email addresses can be blocked using a blocklist. Organizations often use other filters, like allowlists, to specify IP addresses that are approved to send mail within the company. Organizations also use intrusion prevention systems to look for unusual patterns in email traffic. Security analysts use monitoring tools like this to spot suspicious emails, quarantine them, and produce a log of events.

Phishing campaigns are popular and dangerous forms of social engineering that organizations of all sizes need to deal with. Just a single compromised password that an attacker can get their hands on can lead to a costly data breach. Now that you’re familiar with the tools these attackers use, you’re better equipped to spot phishing and prevent it.
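The filters the video describes (a blocklist of sender addresses, an allowlist of relay IPs permitted to send mail as the company’s domain, and quarantine-plus-log for anything suspicious) can be sketched in a few dozen lines. What follows is an added example written for this page, not course material and not any vendor’s product. It parses a raw message, checks the header relationships an analyst looks at first (From versus Reply-To versus Return-Path, and which relay handed the message to the edge mail server), and compares each link’s visible text with its real destination, which is the “hover over links” check from the earlier reading done by machine. The domains, IP addresses, allowlist, blocklist and both sample messages are constructed for the example.

```python
"""Score a raw email for phishing indicators and decide whether to quarantine it.

Added example written for this page, not course material: the allowlist, blocklist, domains, IP addresses and both sample messages below are constructed.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed organisational filters (constructed values).
TRUSTED_DOMAINS = {"example.com"}                  # the organisation's own mail domain
ALLOWED_SENDER_IPS = {"203.0.113.5"}               # relays approved to send mail as that domain
BLOCKED_ADDRESSES = {"promo@free-prizes.example"}  # senders already known to be malicious
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # the "[ip]" in a Received header


def _domain(header_value: str) -> str:
    # Lower-cased domain of the first address in a header value, '' if there is none.
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw: str) -> list:
    """Return every indicator found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    found = []
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    path_dom = _domain(msg["Return-Path"]) if msg["Return-Path"] else from_dom
    if from_addr in BLOCKED_ADDRESSES:
        found.append("sender is on the blocklist")
    if reply_dom != from_dom:
        found.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if path_dom != from_dom:
        found.append(f"Return-Path domain {path_dom} differs from From domain {from_dom}")
    # The topmost Received header is the hop that delivered the mail to our edge MX.
    hop = RECEIVED_IP.search(msg.get_all("Received", [""])[0])
    if from_dom in TRUSTED_DOMAINS and (hop is None or hop.group(1) not in ALLOWED_SENDER_IPS):
        found.append("claims an internal sender but arrived from a relay not on the allowlist")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = re.sub(r"^https?://", "", text).split("/")[0].lower()
            target = (urlparse(href).hostname or "").lower()
            # Visible text that looks like a host name but leads elsewhere is the classic lure.
            if "." in shown and shown != target:
                found.append(f"link text shows {shown} but points to {target}")
    return found


def should_quarantine(raw: str, threshold: int = 2) -> bool:
    # Quarantine once enough independent indicators line up; a single one is often benign.
    return len(phishing_indicators(raw)) >= threshold


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay-77.example.net>
Received: from mail-relay-77.example.net (mail-relay-77.example.net [198.51.100.23]) by mx.example.com
From: "IT Help Desk" <helpdesk@example.com>
Reply-To: <helpdesk@examp1e-support.net>
Content-Type: text/html; charset="utf-8"

<html><body><p>Reset now: <a href="http://examp1e-support.net/reset">https://sso.example.com/reset</a></p></body></html>
"""
SAMPLE_CLEAN = """\
Return-Path: <security@example.com>
Received: from mail.example.com (mail.example.com [203.0.113.5]) by mx.example.com
From: "Security Team" <security@example.com>
Content-Type: text/html; charset="utf-8"

<html><body><p>This month's tips: <a href="https://intranet.example.com/tips">intranet.example.com</a></p></body></html>
"""
```

Running phishing_indicators(SAMPLE_PHISH) returns four findings (mismatched Reply-To, mismatched Return-Path, an unapproved relay for an internal-looking sender, and a link whose text says sso.example.com while its target is examp1e-support.net), so should_quarantine returns True; the clean message produces none. The exact-domain comparisons are deliberately strict, and a production gateway would take the relay and sender verdicts from SPF and DKIM results in its own authentication headers rather than from a Received-header regex; raising threshold trades fewer false quarantines for more missed phish.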

Reading: Types of phishing


Practice Quiz: Test your knowledge: Social engineering

Fill in the blank: _____ is the use of digital communications to trick people into revealing sensitive data or deploying malicious software.

What type of phishing uses electronic voice communications to obtain sensitive information or to impersonate a known source?

Fill in the blank: The stages of a social engineering attack include to prepare, establish trust, use persuasion tactics, and ____.

Phishing kits typically contain which of the following tools to help attackers avoid detection? Select three answers.

Practice Quiz: Activity: Filter malicious emails

Which two clues in the message header indicate to you that this is a phishing attempt? Select two answers.

What details make this message appear legitimate? Select three answers.

The download options open a webpage that contains a login form where someone can enter a username and password. Carefully review the webpage. What is the main clue that indicates this form is malicious?

After completing your investigation, should this email be quarantined?

Malware


Video: Malicious software

  • Vulnerability: Humans and computers share a susceptibility to “infections” – viruses in humans and malware in computers.
  • Malware Definition: Malicious software (malware) aims to harm devices or networks, spreading through infected drives, online connections, etc.
  • Infected Device Impact: Malware disrupts normal device operation, allowing attackers to control it unknowingly.
  • Five Common Types:
    • Virus: Spreads by hiding in applications, cloning itself, and requiring user activation.
    • Worm: Self-replicating malware infecting connected devices without user action, often spread through phishing.
    • Trojan: Disguised as legitimate files or programs to trick users into installation, often used to deliver ransomware.
    • Ransomware: Encrypts data and demands payment for access, making itself known to collect ransom.
    • Spyware: Gathers and sells information without consent, targeting login credentials, PINs, and other sensitive data.
  • Evolving Threat: Numerous malware types exist, continuously evolving and posing serious risks.
  • Next Steps: Exploring detection and removal strategies for these cyber threats.

Key Takeaways:

  • Different malware types have unique infection methods and target information.
  • Understanding them is crucial for individual and organizational cybersecurity.
  • We will delve deeper into security measures against these threats in the next session.


Welcome, aspiring cybersecurity warriors! Today, we delve into the dark side of the digital world – malicious software (malware). These digital villains lurk in the shadows, aiming to harm devices, steal data, and disrupt operations. But fear not, for knowledge is our ultimate weapon!

What is Malware?

Imagine a virus for your computer, not your body. Malware is malicious code designed to infiltrate and harm systems. It can be as simple as a pesky pop-up ad or as complex as a data-stealing Trojan horse.

Types of Malware:

  • Viruses: These self-replicating pests attach to legitimate programs, wait for a user to run the host, then copy themselves into other files and corrupt data. Think of them as digital hitchhikers.
  • Worms: These network-loving nasties exploit vulnerabilities to crawl and infect other computers without user interaction. Imagine them as digital chain reactions.
  • Trojans: Disguised as harmless files or programs, Trojans trick users into installing them, granting attackers backdoor access. Think of them as wolves in sheep’s clothing.
  • Ransomware: These digital kidnappers encrypt your data, holding it hostage until you pay a ransom. Imagine them as digital pirates demanding treasure.
  • Spyware: These sneaky snoopers steal your personal information and browsing habits, often without your knowledge. Think of them as digital peeping Toms.

How Does Malware Spread?

Malware can slither into your system through various sneaky ways:

  • Phishing emails: Emails with malicious attachments or links can trick you into downloading malware.
  • Infected websites: Visiting compromised websites can inject malware into your device without your notice.
  • Social engineering: Attackers may manipulate you into downloading malware through social media or phone calls.
  • USB drives: Infected USB drives can spread malware when plugged into your computer.
  • Software vulnerabilities: Outdated software with unpatched vulnerabilities acts as an open door for malware.

Protecting Yourself from Malware:

Don’t let malware be your digital downfall! Here are some tips to stay safe:

  • Be cautious with emails and attachments: Don’t open suspicious emails or click on unknown links.
  • Keep your software updated: Install the latest security patches and updates for your operating system and applications.
  • Use reputable antivirus and anti-malware software: These tools scan your system for threats and help prevent infections.
  • Back up your data regularly, and keep at least one copy offline or otherwise unreachable from the network: ransomware routinely encrypts or deletes any backup it can reach, so a permanently connected backup is not a recovery plan.
  • Be mindful of what you download: Only download software from trusted sources.
  • Be skeptical of unsolicited offers: Don’t fall for too-good-to-be-true deals or pressure tactics.
  • Educate yourself: Stay informed about the latest malware threats and best practices for cybersecurity.

Remember: By understanding malware and taking proper precautions, you can become a cybersecurity champion and keep your digital world safe.

Bonus Round:

  • Explore advanced malware detection and analysis techniques.
  • Learn about incident response procedures to handle malware infections effectively.
  • Discover ethical hacking techniques to stay ahead of the curve and understand attacker tactics.

The world of cybersecurity is constantly evolving, so stay vigilant and keep learning! Together, we can build a more secure digital future.

Fill in the blank: _____ is a type of malicious attack where attackers encrypt an organization's data and demand payment to restore access.

Ransomware

Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access.

People and computers are very different from one another. There’s one way that we’re alike. You know how? We’re both vulnerable to getting an infection. While humans can be infected by a virus that causes a cold or flu, computers can be infected by malware. Malware is software designed to harm devices or networks. Malware, which is short for malicious software, can be spread in many ways. For example, it can be spread through an infected USB drive, or, also commonly, between computers online. Devices and systems that are connected to the internet are especially vulnerable to infection. When a device becomes infected, malware interferes with its normal operations. Attackers use malware to take control of the infected system without the user’s knowledge or permission. Malware has been a threat to people and organizations for a long time. Attackers have created many different strains of malware. They all vary in how they’re spread. Five of the most common types of malware are a virus, worm, trojan, ransomware, and spyware. Let’s take a look at how each of them works.

A virus is malicious code written to interfere with computer operations and cause damage to data and software. Viruses typically hide inside of trusted applications. When the infected program is launched, the virus clones itself and spreads to other files on the device. An important characteristic of viruses is that they have to be activated by the user to start the infection. The next kind of malware doesn’t have this limitation. A worm is malware that can duplicate and spread itself across systems on its own. While viruses require users to perform an action like opening a file to duplicate, worms use an infected device as a host. They scan the connected network for other devices. Worms then infect everything on the network without requiring an action to trigger the spread. Viruses and worms are delivered through phishing emails and other methods before they infect a device. Making sure you click links only from trusted sources is one way to avoid these types of infection. However, attackers have designed another form of malware that can get past this precaution.

A trojan, or Trojan horse, is malware that looks like a legitimate file or program. The name is a reference to an ancient Greek legend that’s set in the city of Troy. In Troy, a group of soldiers hid inside a giant wooden horse that was presented as a gift to their enemies. It was accepted and brought inside the city walls. Later that evening, the soldiers inside of the horse climbed out and attacked the city. Like this ancient tale, attackers design trojans to appear harmless. This type of malware is typically disguised as files or useful applications to trick their target into installing them. Attackers often use trojans to gain access and install another kind of malware called ransomware. Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. These kinds of attacks have become very common these days. A unique feature of ransomware attacks is that they make themselves known to their targets. Without doing this, they couldn’t collect the money they demand. Normally, they decrypt the hidden data as soon as the sum of money is paid. Unfortunately, there’s no guarantee they won’t return to demand more.

The last type of malware I want to mention is spyware. Spyware is malware that’s used to gather and sell information without consent. Consent is a keyword in this case. Organizations also collect information about their customers, like their browsing habits and purchase history. However, they always give their customers the ability to opt out. Cybercriminals, on the other hand, use spyware to steal information. They use spyware attacks to collect data like login credentials, account PINs, and other types of sensitive information for their own personal gain. There are many other types of malware besides these and new forms are always evolving. They all pose a serious risk to individuals and organizations. Next time, we’ll explore how security teams detect and remove these kinds of threats.

Reading: An introduction to malware


Video: The rise of cryptojacking

Malware has gone from a digital prank to a sophisticated tool for financial gain. Let’s explore how cryptojacking, a recent form of malware, operates and how to protect yourself from it.

From Vandalism to Profit:

  • Early malware was used for digital vandalism, causing minor disruptions.
  • Today’s malware, like ransomware and cryptojacking, aims to steal money or resources.

Cryptojacking: Stealing Processing Power for Profit

  • What is cryptocurrency? A digital currency with real-world value, like Bitcoin or Ethereum.
  • Crypto mining: The process of creating new cryptocurrency coins using computers.
  • Cryptojacking: Malware that secretly installs software to mine cryptocurrency on someone else’s device.

How Cryptojacking Works:

  1. Infection: Malware infects a device, often through websites or phishing emails.
  2. Mining: The malware installs software that mines cryptocurrency in the background.
  3. Profit: The attacker collects the mined coins without the device owner’s knowledge.

Signs of Cryptojacking:

  • Slowdown: The infected device runs slower than usual due to the mining process.
  • Increased CPU usage: The computer’s processor is working harder than usual.
  • Sudden crashes: The device may crash unexpectedly due to the strain of mining.
  • Fast battery drain: The battery drains quickly as the device works harder.
  • High electricity costs: Mining uses a lot of electricity, potentially increasing your bill.

Protecting Yourself from Cryptojacking:

  • Browser extensions: Use extensions designed to block malware and scripts.
  • Ad blockers: Block ads that may contain malicious code.
  • Disable JavaScript: JavaScript can be used to deliver malware, so consider disabling it if not needed.
  • Stay informed: Keep up with the latest malware trends and security threats.
  • Educate others: Share your knowledge about malware with colleagues and friends.

Remember:

  • Cryptojacking is still relatively new, but attacks are becoming more common.
  • New malware variants emerge constantly, making it a continuous challenge for security professionals.
  • By staying informed and taking precautions, you can help protect yourself from these evolving threats.

Here are some additional tips for staying safe from malware:

  • Install and update antivirus software regularly.
  • Be careful about clicking on links or opening attachments in emails, even from people you know.
  • Only download software from trusted sources.
  • Use strong passwords and keep them safe.
  • Back up your data regularly.

By following these tips, you can help keep your devices and data safe from malware.

Welcome, cybersecurity adventurers! Today, we embark on a journey into the shadowy realm of cryptojacking, a growing threat in the digital landscape. Imagine pirates not after your gold, but your computer’s processing power, secretly using it to mine cryptocurrency for their own gain. Buckle up, and let’s uncover the secrets of this hidden digital heist!

What is Cryptojacking?

Cryptojacking refers to the unauthorized use of someone else’s computer resources (CPU, GPU) to mine cryptocurrency. Think of it as a digital piggybacking scheme, where attackers hitch a ride on your computing power to generate crypto coins for themselves.

Why is it Rising?

The allure of easy money and the increasing value of cryptocurrencies like Bitcoin and Ethereum have fueled the rise of cryptojacking. Compared to traditional malware that steals data or disrupts systems, cryptojacking can be more subtle and potentially more profitable for attackers.

How Does it Work?

Attackers employ various tactics to hijack your processing power:

  • Malicious scripts: These scripts can be injected into legitimate websites or embedded in ads, silently running in the background and mining cryptocurrency when you visit the website.
  • Drive-by downloads: Visiting compromised websites can automatically download cryptojacking malware onto your device without your knowledge.
  • Pirated software: Downloading cracked or illegal software often comes bundled with hidden cryptojacking code.
  • Browser extensions: Malicious browser extensions can hijack your CPU when you browse the web.

The Impact of Cryptojacking:

While cryptojacking might seem harmless at first glance, it can have significant consequences:

  • Reduced performance: Your computer slows down as its resources are siphoned off for mining.
  • Increased energy consumption: Mining cryptocurrencies is energy-intensive, leading to higher electricity bills.
  • Security risks: Malicious scripts can be gateways for other malware infections.
  • Ethical concerns: Cryptojacking exploits innocent users’ resources for personal gain without their consent.

Protecting Yourself from Cryptojacking:

Don’t let your computer become a crypto-mine without your knowledge! Here’s how to stay safe:

  • Install a reputable antivirus and anti-malware software: These tools can detect and block malicious scripts and malware.
  • Keep your software updated: Outdated software often contains vulnerabilities that attackers can exploit.
  • Be cautious with websites and downloads: Avoid suspicious websites and only download software from trusted sources.
  • Use ad blockers and script blockers: These tools can prevent malicious scripts from running on your browser.
  • Monitor your resource usage: If you notice a sudden spike in CPU or GPU usage, it could be a sign of cryptojacking.
  • Educate yourself: Stay informed about the latest cryptojacking threats and best practices for cybersecurity.

Remember: Cryptojacking is a real threat, but with awareness and proper precautions, you can protect your computer and keep your processing power where it belongs – in your hands!

Bonus Round:

  • Explore advanced cryptojacking detection and analysis techniques.
  • Learn about browser fingerprinting and how it can be used for cryptojacking.
  • Discover cloud-based security solutions for comprehensive protection against cyber threats.

Stay vigilant, stay informed, and keep your digital fortress strong! The fight against cryptojacking and other cybersecurity threats is an ongoing battle, but together, we can emerge victorious.

Which of the following actions can be taken to protect against cryptojacking?

Using malware blocking browser extensions

Some actions that can be taken to protect against cryptojacking include using malware blocking browser extensions and setting up monitoring processes for increased CPU usage.

Malware has been around nearly as long as computers. In its earliest forms, it was used by troublemakers as a form of digital vandalism. In today’s digital world, malware has become a profitable crime that attackers use for their own financial gain. As a security professional, it’s important that you remain aware of the latest evolutions. Let’s take a closer look at one way malware has evolved. We’ll then use this example to consider how malware can be spotted and how you can proactively protect against malware.

Ransomware is one of the types of malware attackers use to steal money. Another more recent type of malware is cryptojacking. Cryptojacking is a form of malware that installs software to illegally mine cryptocurrencies. You may be familiar with cryptocurrency from the news. If you’re new to the topic, cryptocurrencies are a form of digital money that have real-world value. Like physical forms of currency, there are many different types. For the most part, they’re referred to as coins or tokens.

In simple terms, crypto mining is a process used to obtain new coins. Crypto mining is similar to the process for mining for other resources, like gold. Mining for something like gold involves machinery, such as trucks and bulldozers, that can dig through the Earth. Crypto coins, on the other hand, use computers instead. Rather than digging through the Earth, the computers run software that digs through billions of lines of encrypted code. When enough code is processed, a crypto coin can be found. Generally, more computers mining for coins mean more cryptocurrency can be discovered.

Criminals unfortunately figured this out. Beginning in 2017, cryptojacking malware started being used to gain unauthorized control of personal computers to mine cryptocurrency. Since that time, cryptojacking techniques have become more sophisticated. Criminals now regularly target vulnerable servers to spread their mining software. Devices that communicate with the infected server become infected themselves. The malicious code then runs in the background, mining for coins unknown to anyone.

Cryptojacking software is hard to detect. Luckily, security professionals have sophisticated tools that can help. An intrusion detection system, or IDS, is an application that monitors system activity and alerts on possible intrusions. When abnormal activity is detected, like malware mining for coins, the IDS alerts security personnel. Despite their usefulness, detection systems have a major drawback. New forms of malware can remain undetected.

Fortunately, there are subtle signs that indicate a device is infected with cryptojacking software or other forms of malware. By far the most telling sign of a cryptojacking infection is slowdown. Other signs include increased CPU usage, sudden system crashes, and fast draining batteries. Another sign is unusually high electricity costs related to the resource-intensive process of crypto mining.

It’s also good to know that there are certain measures you can take to reduce the likelihood of experiencing a malware attack like cryptojacking. These defenses include things like using browser extensions designed to block malware, using ad blockers, disabling JavaScript, and staying alert on the latest trends. Security analysts can also educate others in their organizations on malware attacks.

While cryptojacking is still relatively new, attacks are becoming more common. The type of malicious code cybercriminals spread is continually evolving. It takes many years of experience to analyze new forms of malware. Nevertheless, you’re well on your way towards helping defend against these threats.
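As an added example (not part of the course material), here is a small Python heuristic for the "increased CPU usage" sign described above: it flags a process whose CPU readings stay above a threshold for several consecutive samples, which separates a background miner from the short bursts that normal software produces. The process names and readings are constructed; a real collector would gather them with a tool such as psutil.

```python
from statistics import median

# Constructed sample data: percent CPU for three processes, one reading per
# sampling interval (say every 10 seconds). The names are made up; the
# pattern of the third one is what a background miner typically looks like.
CONSTRUCTED_SAMPLES = {
    "browser": [12, 35, 8, 60, 15, 10, 22, 9, 14, 11, 30, 7],
    "updater": [5, 4, 6, 5, 90, 85, 4, 5, 6, 5, 4, 6],
    "unknown-helper": [3, 2, 4, 3, 92, 95, 97, 96, 94, 98, 95, 97],
}


def sustained_high_cpu(readings, threshold=80.0, min_consecutive=5):
    """True if at least `min_consecutive` consecutive readings are at or
    above `threshold` percent. A short burst (the updater) does not count;
    a miner keeps the CPU busy for as long as it runs."""
    run = 0
    for value in readings:
        run = run + 1 if value >= threshold else 0
        if run >= min_consecutive:
            return True
    return False


def baseline_ratio(readings, warmup=4):
    """Ratio of the median of the most recent `warmup` readings to the median
    of the first `warmup` readings. A large jump means the process started
    behaving differently part-way through the capture."""
    if len(readings) < 2 * warmup:
        raise ValueError("need at least 2 * warmup readings")
    before = median(readings[:warmup])
    after = median(readings[-warmup:])
    return after / before if before else float("inf")


def find_suspects(samples, threshold=80.0, min_consecutive=5, jump=10.0):
    """Return (name, reason) pairs for processes that show sustained high CPU,
    sorted by name. The baseline jump is reported as a secondary signal; on
    its own it is not enough to raise an alert."""
    suspects = []
    for name, readings in samples.items():
        if sustained_high_cpu(readings, threshold, min_consecutive):
            ratio = baseline_ratio(readings)
            note = "sustained high CPU"
            if ratio >= jump:
                note += f", {ratio:.0f}x above its own baseline"
            suspects.append((name, note))
    return sorted(suspects)


if __name__ == "__main__":
    for name, note in find_suspects(CONSTRUCTED_SAMPLES):
        print(f"ALERT {name}: {note}")
```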

Practice Quiz: Test your knowledge: Malware

Which of the following are types of malware? Select two answers.

Fill in the blank: ____ are malware that automatically duplicate and spread themselves across systems.

What is it called when someone’s computing resources are illegally hijacked to mine cryptocurrencies?

Which of the following are common signs of a malware infection? Select three answers.

Web-based exploits


Video: Cross-site scripting (XSS)

  • Web applications are vulnerable to malicious code called exploits, used to steal sensitive information through injection attacks.
  • Injection attacks inject malicious code into a seemingly normal application, often targeting user input.
  • Cross-site scripting (XSS) is a common injection attack, inserting malicious code into websites using HTML and JavaScript.
  • There are three main types of XSS attacks:
    • Reflected XSS: Malicious script sent to the server and reflected back to the user’s browser.
    • Stored XSS: Malicious script directly injected into the server, infecting elements like images and buttons.
    • DOM-based XSS: Malicious script already exists in the website’s source code, often hidden in parameter values.
  • Hackers use XSS to steal session cookies, geolocation data, and even access webcams and microphones.
  • Security professionals must be aware of these vulnerabilities and implement proper mitigation strategies.

Note: This summary highlights the key points about web-based exploits and XSS attacks, but for a more comprehensive understanding, it’s recommended to read the full text.

Welcome, security warriors! Today, we delve into the dark realm of cross-site scripting (XSS), a sneaky and powerful attack that exploits website vulnerabilities to inject malicious code. Imagine an invisible puppet master pulling the strings behind the scenes of seemingly harmless websites, potentially stealing your data, hijacking your session, or even messing with your device. Brrr, chills, right? Fear not, for knowledge is our ultimate weapon!

What is XSS?

Think of XSS as a digital Trojan horse. Attackers inject malicious code (the script) into a website, disguised as seemingly innocent user input. When you visit the infected website, your browser unknowingly executes the script, granting the attacker unauthorized access and control. It’s like unknowingly clicking a hidden “poison apple” link on a website, unleashing chaos in your digital world.

Types of XSS:

Like many villains, XSS comes in different flavors:

  • Reflected XSS: The most common, where malicious code injected into a search bar, comment box, or URL is reflected back to you in the server’s response.
  • Stored XSS: The script is permanently saved on the server, infecting every user who visits the page. Imagine a poisoned cookie jar for web visitors!
  • DOM-based XSS: Exploits vulnerabilities within the website’s Document Object Model (DOM), the internal structure of a web page. Think of manipulating the website’s puppet strings to make it dance to the attacker’s tune.

The Impact of XSS:

Don’t underestimate the danger of XSS! It can cause serious harm:

  • Data theft: Cookies, session IDs, and other sensitive information can be stolen, compromising your accounts and privacy.
  • Website defacement: Attackers can hijack the website, displaying unwanted content or even spreading malware to other visitors.
  • Phishing attacks: Fake login forms or misleading links can be injected to trick users into revealing their credentials.
  • Denial-of-service (DoS) attacks: Flooding the server with malicious requests can crash the website, disrupting legitimate users.

Protecting Yourself from XSS:

Stay vigilant and shield yourself from the XSS puppeteers:

  • Be cautious with user input: Don’t trust everything you see online. Watch out for suspicious links, forms, and comments.
  • Keep software updated: Outdated browsers and plugins often have vulnerabilities that attackers exploit.
  • Use a web application firewall (WAF): This security tool can filter out malicious code before it reaches your browser.
  • Choose secure websites: Stick to trustworthy sites with good security practices.
  • Educate yourself: Stay informed about the latest XSS threats and best practices for cybersecurity.

Bonus Round:

  • Explore advanced XSS detection and prevention techniques used by security professionals.
  • Learn about other injection attacks like SQL injection and code injection.
  • Discover ethical hacking techniques to understand how attackers exploit vulnerabilities and stay ahead of the curve.

Remember, XSS is a real threat, but by understanding its tactics and implementing proper precautions, you can become a cybersecurity champion and keep your digital life safe.

Join the fight against XSS! Share your knowledge and tips in the comments below, and let’s build a more secure web together!

Which of the following are types of cross-site scripting (XSS) attacks? Select three answers.

Reflected, DOM-based, Stored

Types of XSS attacks are: reflected, stored, and DOM-based. A DOM-based XSS attack is an instance when a malicious script exists in the webpage a browser loads.

Previously, we explored a few types of malware. Whether it’s installed on an individual computer or a network server, all malicious software needs to be delivered to the target before it can work. Phishing and other social engineering techniques are common ways for malware to be delivered. Another way it’s spread is using a broad class of threats known as web-based exploits. Web-based exploits are malicious code or behavior that’s used to take advantage of coding flaws in a web application. Cybercriminals target web-based exploits to obtain sensitive personal information. Attacks occur because web applications interact with multiple users across multiple networks. Malicious hackers commonly exploit this high level of interaction using injection attacks.

An injection attack is malicious code inserted into a vulnerable application. The infected application often appears to work normally. That’s because the injected code runs in the background, unknown to the user. Applications are vulnerable to injection attacks because they are programmed to receive data inputs. This could be something the user types, clicks, or something one program is sharing with another. When coded correctly, applications should be able to interpret and handle user inputs. For example, let’s say an application is expecting the user to enter a phone number. This application should validate the input from the user to make sure the data is all numbers and not more than ten digits. If the input from the user doesn’t meet these requirements, the application should know how to handle it. Web apps interact with multiple users across many platforms. They also have a lot of interactive objects like images and buttons. This makes it challenging for developers to think of all the ways they should sanitize their input.

A common and dangerous type of injection attack that’s a threat to web apps is cross-site scripting. Cross-site scripting, or XSS, is an injection attack that inserts code into a vulnerable website or web application. These attacks are often delivered by exploiting the two languages used by most websites, HTML and JavaScript. Both can give cybercriminals access to everything that loads on the infected web page. This can include session cookies, geolocation, and even webcams and microphones. There are three main types of cross-site scripting attacks: reflected, stored, and DOM-based.

A reflected XSS attack is an instance where a malicious script is sent to the server and activated during the server’s response. A common example of this is the search bar of a website. In a reflected XSS attack, criminals send their target a web link that appears to go to a trusted site. When they click the link, it sends an HTTP request to the vulnerable site server. The attacker script is then returned, or reflected, back to the innocent user’s browser. Here, the browser loads the malicious script because it trusts the server’s response. With the script loaded, information like session cookies is sent back to the attacker.

In a stored XSS attack, the malicious script isn’t hidden in a link that needs to be sent to the server. Instead, a stored XSS attack is an instance when malicious script is injected directly on the server. Here, attackers target elements of a site that are served to the user. This could be things like images and buttons that load when the site is visited. Infected elements activate the malicious code when a user simply visits the site. Stored XSS attacks can be damaging because the user has no way of knowing the site is infected beforehand.

Finally, there’s DOM-based XSS. DOM stands for Document Object Model, which is basically the source code of a website. A DOM-based XSS attack is an instance when malicious script exists in the web page a browser loads. Unlike reflected XSS, these attacks don’t need to be sent to the server to activate. In a DOM-based attack, a malicious script can be seen in the URL. In this example, the website’s URL contains parameter values. The parameter values reflect input from the user. Here, the site allows users to select color themes. When the user makes a selection, it appears as part of the URL. In a DOM-based attack, criminals change the parameter that’s expecting an input. For example, they could hide malicious JavaScript in the HTML tags. The browser would process the HTML and execute the JavaScript.

Hackers use these methods of cross-site scripting to steal sensitive information. Security analysts should be familiar with this group of injection attacks. However, they’re not the only ones, as we’ll discover next time.
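The search-bar and colour-theme cases above, as an added Python example that is not the course's code: a hypothetical search page rendered with and without output encoding, an allowlist for the theme parameter instead of trusting its value, and a defender's check that sends a harmless probe through a renderer to see whether markup comes back unescaped. All page and parameter names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit


def render_search_vulnerable(query: str) -> str:
    """Deliberately unsafe: the query is pasted into the markup as typed, so a
    query that contains tags becomes part of the page the browser parses.
    This is the reflected XSS flaw, not code to copy."""
    return f"<h1>Results for: {query}</h1>"


def render_search_safe(query: str) -> str:
    """Hardened: html.escape turns <, >, & and both quote characters into
    entities, so the browser renders the query as text, not as markup."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


# Hypothetical colour-theme parameter, as in the DOM-based example. The value
# is looked up in a fixed allowlist rather than copied into the page.
ALLOWED_THEMES = {"light", "dark", "high-contrast"}


def theme_from_url(url: str) -> str:
    """Return the requested theme if it is allowed, otherwise the default."""
    params = parse_qs(urlsplit(url).query)
    requested = params.get("theme", ["light"])[0]
    return requested if requested in ALLOWED_THEMES else "light"


def reflects_markup(render, probe: str = "<script>alert('probe')</script>") -> bool:
    """Defender's check: does a renderer echo a harmless probe containing
    tags back unchanged? True means reflected input is not being encoded."""
    return probe in render(probe)


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(render_search_vulnerable))
    print("safe reflects markup:", reflects_markup(render_search_safe))
    print(theme_from_url("https://shop.example/?theme=dark"))
```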

Video: Exploitable gaps in databases

  • SQL injection exploits vulnerabilities in website forms to execute malicious queries on the backend database.
  • Attackers inject malicious code through user input fields like login forms, manipulating the intended SQL statement.
  • This can lead to data theft, database modification, and even administrative access for attackers.
  • Websites are vulnerable due to lack of input sanitization, expecting users to provide valid data.
  • Prepared statements, which pre-validate user input before passing it to the database, are a key defense against SQL injection.
  • Developers and security teams work together to prevent injection attacks through secure coding practices and vulnerability testing.

Remember: SQL injection is a serious threat, and securing web applications requires constant vigilance and collaboration between developers and security teams.

Welcome, intrepid security explorers! Today, we delve into the hidden depths of databases, unearthing potential vulnerabilities that lurk within. Databases, the storehouses of our digital information, can become treasure troves for attackers if not adequately secured. Let’s equip ourselves with the knowledge to identify and fortify these exploitable gaps, safeguarding our valuable data from malicious incursions.

What are Databases and Why are They Vulnerable?

Imagine a vast library, not of books, but of digital records – that’s a database. It stores and organizes critical information, from customer accounts to financial transactions, powering countless applications and websites. However, like any complex system, databases have their weaknesses.

Here are some common vulnerabilities that attackers exploit:

  • Injection Attacks: Malicious code is injected through user input fields in web forms connected to the database. This code can manipulate queries, steal data, or even take control of the database.
  • Misconfigurations: Improper database settings or outdated software can create security loopholes. Weak authentication protocols, for example, can grant unauthorized access to sensitive data.
  • Access Control Issues: Inadequate access controls grant excessive privileges to users or applications, allowing them to view or modify data they shouldn’t. Think of a library giving everyone the master key!
  • Data Leakage: Sensitive information can leak through various channels, such as unsecured backups, unencrypted transmissions, or poorly designed queries. Imagine confidential documents left lying around the library.

Identifying and Addressing the Gaps:

To effectively protect your databases, you need to know where to look for vulnerabilities. Here are some strategies:

  • Vulnerability Scans: Regularly scan your databases for known vulnerabilities using specialized tools. Think of it as a security checkup for your digital library.
  • Penetration Testing: Simulate real-world attack scenarios to identify exploitable weaknesses in your database defenses. Consider it as ethical hacking to find and patch the cracks before malicious actors do.
  • Security Audits: Conduct thorough security audits to assess your overall database security posture, including access controls, encryption practices, and incident response procedures. Imagine a comprehensive inspection of your library’s security measures.

Fortifying Your Database Defenses:

Once you’ve identified the vulnerabilities, it’s time to take action:

  • Implement Secure Coding Practices: Developers should use secure coding practices to prevent injection attacks and other vulnerabilities. Think of building your library with strong, secure bricks.
  • Strengthen Access Controls: Implement granular access controls to ensure only authorized users have access to specific data. Imagine assigning individual keys to different sections of the library.
  • Encrypt Sensitive Data: Encrypt sensitive data both at rest (stored) and in transit (transmitted) to render it unreadable to unauthorized eyes. Think of putting valuable documents in a locked safe within the library.
  • Regularly Update Software: Keep your database software and related applications up-to-date with the latest security patches to address newly discovered vulnerabilities. Imagine patching up any holes in the library’s walls as soon as they appear.

Remember: Database security is an ongoing process, not a one-time fix. By continuously identifying and addressing vulnerabilities, implementing robust security practices, and staying vigilant, you can transform your databases from potential targets into secure fortresses, safeguarding your valuable data from the ever-evolving threats of the digital world.

Bonus Round:

  • Explore advanced database security techniques like intrusion detection systems and data loss prevention.
  • Learn about specific types of database attacks like SQL injection and zero-day exploits.
  • Discover ethical hacking resources to further understand attacker tactics and improve your defenses.

Fill in the blank: A(n) _____  is an attack that executes unexpected queries on a database.

SQL injection

A SQL injection is an attack that executes unexpected queries on a database. The injections take place in areas of the website that are designed to accept user input.

Let’s keep exploring injection attacks by investigating another common type of web-based exploit. The next one we’re going to discuss exploits the way websites access information from databases. Early in the program, you may have learned about SQL. You may recall, SQL is a programming language used to create, interact with, and request information from a database. SQL is used by most web applications. For example, shopping websites use it a lot. Imagine the database of an online clothing store. It likely contains a full inventory of all the items the company sells. Websites don’t normally make users enter the SQL queries manually. Instead, they use things like menus, images, and buttons to show users information in a meaningful way. For example, when an online shopper clicks a button to add a sweater to their cart, it triggers a SQL query. The query runs in the background where no one can see it. You’d never know from using the menus and buttons of a website, but sometimes those backend queries are vulnerable to injection attacks.

A SQL injection is an attack that executes unexpected queries on a database. Like cross-site scripting, SQL injection occurs due to a lack of sanitized input. The injections take place in the areas of the website that are designed to accept user input. A common example is the login form to access a site. One of these forms might trigger a backend SQL statement like this when a user enters their credentials. Web forms, like this one, are designed to copy user input into the statement exactly as they’re written. The statement then sends a request to the server, which runs the query. Websites that are vulnerable to SQL injection insert the user’s input exactly as it’s entered before running the code. Unfortunately, this is a serious design flaw. It commonly happens because web developers expect people to use these inputs correctly. They don’t anticipate attackers exploiting them. For example, an attacker might insert additional SQL code. This could cause the server to run a harmful query of code that it wasn’t expecting. Malicious hackers can target these attack vectors to obtain sensitive information, modify tables, and even gain administrative rights to the database.

The best way to defend against SQL injection is code that will sanitize the input. Developers can write code to search for specific SQL characters. This gives the server a clearer idea of what inputs to expect. One way this is done is with prepared statements. A prepared statement is a coding technique that executes SQL statements before passing them on to the database. When the user’s input is unknown, the best practice is to use these prepared statements. With just a few extra lines of code, a prepared statement executes the code before passing it on to the server. This means the code can be validated before performing the query. Having well-written code is one of the keys to preventing SQL injection. Security teams work with program developers to test applications for these sorts of vulnerabilities. Like a lot of security tasks, it’s a team effort.

Injection attacks are just one of many types of web-based exploits that security teams deal with. We’re going to explore how security teams prepare for injection attacks and other kinds of threats.
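The login-form case above, as an added Python example that is not the course's code: the same form input is run through a statement that copies the fields in as typed and through a prepared statement with placeholders, so the difference the video describes can be seen on a constructed in-memory SQLite table. Table, users and passwords are constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed user table. Passwords are stored in clear only to keep the
    demo short; a real application stores salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct-horse-battery", "admin"), ("alice", "alice-pass", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Copies the form fields into the statement exactly as typed: the flaw
    the video describes. The input can change the meaning of the query."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()


def login_prepared(conn, username, password):
    """Prepared statement with placeholders: the database compiles the query
    first and binds the values afterwards, so the input is only ever data."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def compare_logins(username, password):
    """Run the same form input through both versions and report what each
    returns, or the database error it raises."""
    conn = make_db()
    outcome = {}
    for label, login in (("vulnerable", login_vulnerable), ("prepared", login_prepared)):
        try:
            outcome[label] = login(conn, username, password)
        except sqlite3.Error as exc:
            outcome[label] = f"error: {exc}"
    return outcome


if __name__ == "__main__":
    # A legitimate user with an apostrophe in the name breaks the unsafe
    # version; extra SQL in the username bypasses its password check.
    print(compare_logins("alice", "alice-pass"))
    print(compare_logins("o'brien", "pw"))
    print(compare_logins("admin' --", "not the password"))
```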

Reading: Prevent injection attacks


Practice Quiz: Test your knowledge: Web-based exploits

Fill in the blank: _____ are malicious code or behaviors that are used to take advantage of coding flaws in a web application.

Cross-site scripting (XSS) attacks are often delivered by exploiting which of the following languages? Select two answers.

Fill in the blank: A _____ is a coding technique that executes SQL statements before passing them onto the database.

What are two examples of when SQL injections can take place?

In a SQL injection attack, malicious hackers attempt to obtain which of the following? Select two answers.

Threat modeling


Video: A proactive approach to security

Importance: Preparing for attacks is crucial for protecting assets. Threat modeling helps anticipate and prepare for attacks by identifying vulnerabilities and potential threats.

What it is: Threat modeling is the process of identifying assets, their vulnerabilities, and how each is exposed to threats. The video outlines six general steps:

  • Define the scope: Inventory and classify what needs protection (assets, systems, processes).
  • Identify threats: Define the potential threat actors (internal, such as an employee; external, such as a malicious hacker or a competitor), then build an attack tree that maps threats to assets.
  • Characterize the environment: Apply an attacker mindset to how customers, employees, external partners, and third-party vendors interact with the environment.
  • Analyze threats: Examine existing protections, identify gaps, and rank threats by an assigned risk score.
  • Mitigate risk: Decide how to treat each threat (avoid, transfer, reduce, or accept).
  • Evaluate findings: Document the exercise, apply fixes, and record successes and lessons learned.

Key points:

  • Threat modeling is complex and often done by experienced security professionals.
  • Various frameworks exist for different security areas (network, information, application).
  • The six-step process outlined here is a general overview, with specific methods varying.

Takeaway: Understanding threat modeling equips you to contribute to security efforts even if you don’t perform the entire process yourself.

In today’s digital world, where cyber threats lurk around every corner, a reactive approach to cybersecurity simply isn’t enough. Just like a medieval knight facing down a dragon, modern organizations need to proactively build their defenses to stay ahead of the ever-evolving landscape of cybercrime.

This tutorial will equip you with the knowledge and tools to adopt a proactive cybersecurity posture, transforming you from a passive defender to a vigilant guardian of your digital assets.

1. Know Your Enemy: Understanding Threats and Vulnerabilities

Before building your defenses, you need to understand what you’re up against. Start by identifying the threats most relevant to your organization. These could include:

  • Cyberattacks: Malware, phishing scams, ransomware, and data breaches are just a few examples.
  • Insider threats: Disgruntled employees, accidental leaks, and social engineering can all compromise your security.
  • System vulnerabilities: Outdated software, unpatched security holes, and misconfigurations create entry points for attackers.

Once you’ve identified the threats, it’s time to assess your vulnerabilities. These are the weaknesses in your systems and processes that attackers can exploit. Common vulnerabilities include:

  • Weak passwords
  • Unsecured Wi-Fi networks
  • Lack of access controls
  • Unprotected sensitive data

2. Building Your Defenses: Layering Your Security

Now that you know your enemy and their potential weapons, it’s time to build your defenses. Think of it like constructing a multi-layered castle, with each layer adding another barrier to potential attackers. Here are some key elements of a proactive approach:

  • Prevention: Use firewalls, intrusion prevention systems, and email filtering to block known threats at the perimeter.
  • Detection: Use security monitoring tools, such as intrusion detection systems and log analysis, to identify suspicious activity within your network and systems.
  • Response: Have a plan in place for how to respond to a security incident, including data recovery, communication, and remediation.
  • Protection: Encrypt sensitive data, implement strong authentication measures, and regularly update software and firmware to patch vulnerabilities.
  • Awareness: Educate your employees about cybersecurity best practices and train them to spot and report suspicious activity.

3. Continuous Vigilance: Monitoring and Adapting

Cybersecurity is not a one-time project; it’s an ongoing process that requires constant monitoring and adaptation. Regularly review your security posture, assess new threats and vulnerabilities, and update your defenses accordingly. Remember, attackers are constantly evolving their tactics, so your defenses need to evolve as well.

4. Tools and Resources for a Proactive Approach

Several tools and resources can help you implement a proactive security posture. Here are a few examples:

  • Security information and event management (SIEM) systems: These tools collect and analyze data from multiple security sources to provide a holistic view of your security posture.
  • Vulnerability scanners: These tools identify vulnerabilities in your systems and applications.
  • Penetration testing: This simulated attack exercise helps you identify and address security weaknesses before they can be exploited by real attackers.
  • Cybersecurity training: Train your employees to be aware of cybersecurity threats and best practices.

5. Conclusion: Building a Culture of Security

Ultimately, a proactive approach to cybersecurity is not just about implementing technology; it’s about building a culture of security within your organization. This means integrating security into every aspect of your operations and making everyone responsible for protecting your digital assets.

By following these steps and adopting a proactive mindset, you can build a robust and resilient cybersecurity posture that will keep your organization safe from even the most sophisticated threats. Remember, in the digital battlefield, a proactive approach is your best defense against the ever-present cyber dragons.

Additional Tips:

  • Stay informed: Keep up-to-date on the latest cybersecurity threats and trends.
  • Share information: Encourage open communication about cybersecurity within your organization.
  • Test and refine: Regularly test your defenses and update your security plans as needed.
  • Seek help: Don’t be afraid to seek help from cybersecurity professionals if you need it.

By taking these steps, you can build a proactive security posture that will protect your organization from the ever-evolving threats of the digital world.

Which of the following is a step of the threat modeling process? Select two answers.

Evaluate findings, Identify threats

There are six steps of the threat modeling process: define the scope, identify threats, characterize the environment, analyze threats, mitigate risks, and evaluate findings.

Preparing for attacks is an important job that the entire security team is responsible for. Threat actors have many tools they can use depending on their target. For example, attacking a small business can be different from attacking a public utility. Each has different assets and specific defenses to keep them safe. In all cases, anticipating attacks is the key to preparing for them. In security, we do that by performing an activity known as threat modeling. Threat modeling is a process of identifying assets, their vulnerabilities, and how each is exposed to threats. We apply threat modeling to everything we protect. Entire systems, applications, or business processes all get examined from this security-related perspective.

Creating threat models is a lengthy and detailed activity. They’re normally performed by a collection of individuals with years of experience in the field. Because of that, it’s considered to be an advanced skill in security. However, that doesn’t mean you won’t be involved. There are several threat modeling frameworks used in the field. Some are better suited for network security. Others are better for things like information security, or application development.

In general, there are six steps of a threat model. The first is to define the scope of the model. At this stage, the team determines what they’re building by creating an inventory of assets and classifying them.

The second step is to identify threats. Here, the team defines all potential threat actors. A threat actor is any person or group who presents a security risk. Threat actors are characterized as being internal or external. For example, an internal threat actor could be an employee who intentionally exposes an asset to harm. An example of an external threat actor could be a malicious hacker, or a competing business. After threat actors have been identified, the team puts together what’s known as an attack tree. An attack tree is a diagram that maps threats to assets. The team tries to be as detailed as possible when constructing this diagram before moving on.

Step three of the threat modeling process is to characterize the environment. Here, the team applies an attacker mindset to the business. They consider how the customers and employees interact with the environment. Other factors they consider are external partners and third-party vendors.

At step four, their objective is to analyze threats. Here, the team works together to examine existing protections and identify gaps. They then rank threats according to the risk score that they assign.

During step five, the team decides how to mitigate risk. At this point, the group creates their plan for defending against threats. The choices here are to avoid risk, transfer it, reduce it, or accept it.

The sixth and final step is to evaluate findings. At this stage, everything that was done during the exercise is documented, fixes are applied, and the team makes note of any successes they had. They also record any lessons learned, so they can inform how they approach future threat models. That’s an overview of the general threat modeling process. What we’ve explored was just one of many methods that exist.

Video: Chantelle: The value of diversity in cybersecurity

Who: Chantelle, a Security Engineer at Google’s security & implementation team.

Background: Briefly considered becoming a heart surgeon, then found passion for cybersecurity through the TV show “Mr. Robot.”

Why security? Values diversity in thinking within the field, leading to creative problem-solving and better outcomes.

Google’s approach: Encourages seeking diverse perspectives and brainstorming before jumping to solutions.

Advice for aspiring security professionals:

  • Be proactive and join the security community on Twitter for resources, opportunities, and connections.
  • Security is a rewarding career choice offering self-expression and a “whole ball of goodness.”

Key takeaways:

  • Diverse perspectives and collaboration are crucial in cybersecurity.
  • Google fosters a proactive and collaborative security culture.
  • The security community on Twitter is a valuable resource for beginners.
  • Cybersecurity can be a fulfilling and exciting career path.

My name is Chantelle. I’m a Security Engineer here at Google, and I am part of the security and implement, and scaling team. We secure and monitor systems that contain sensitive information. My background: initially I was going to be a heart surgeon, and then I took chemistry, I took Chem 1, and I was like, no, that’s not happening. My interest in cybersecurity came from a TV show called Mr. Robot. It’s about a vigilante hacker trying to save the world. And from there, that kind of piqued my interest in security, and so that’s a great foundation.

Valuing diversity in security is important because we’re exposed to a broad range of thinking. That helps to inspire a lot of creative ideas and different perspectives and different ways of tackling a problem, and that kind of leads us forward into being better security engineers. Our manager, Laureen, always steps in to tell us, “Don’t be so quick to find a solution. Don’t be so quick to solve the problems yourselves.” We have a wide range of security engineers and connections at our disposal, and she encourages us to go out and seek them out, and then to come back and then have us settle in and brainstorm all of these ideas that we’ve collected after we’ve gone out and tried to find it. We’ve ultimately almost always come up with the best possible outcome that we can ever come up with.

My advice for people to get into the industry is get out there and be proactive. I definitely recommend joining up with the security community on Twitter. There’s a huge security community on Twitter right now that shares a bunch of resources, opportunities, job positions, and are definitely open to talking to anyone that’s interested in getting into the field but just don’t know how. I recommend security as a career. Definitely, I think that for me personally, I was able to tap into my rebel side a lot in security. I found I was able to express myself a bit more in security. It’s just a whole ball of goodness.

Video: PASTA: The Process for Attack Simulation and Threat Analysis

Scenario: Fitness company launches new mobile app and seeks security team’s help to protect customer data.

Solution: Implement PASTA threat modeling framework.

7 Stages of PASTA:

  1. Define Goals: Identify primary objective (e.g., protect user data).
  2. Technical Scope: Determine app components to evaluate (attack surface).
  3. Decompose Application: Map data flow and existing security controls.
  4. Threat Analysis: Research current mobile app attack vectors.
  5. Vulnerability Analysis: Investigate potential vulnerabilities in detail.
  6. Attack Modeling: Simulate attacks using attack trees to test vulnerabilities.
  7. Analyze Risk & Impact: Present risk management recommendations to stakeholders.

Benefits:

  • Structured approach to identifying and mitigating threats.
  • Collaborative process involving security & development teams.
  • Prioritization of risks based on potential impact.
  • Informed decision-making for security investments.

Outcome: Secure fitness app with minimized risk to customer data.

Key takeaway: PASTA provides a valuable framework for proactive app security in a dynamic threat landscape.

In the ever-evolving realm of cybersecurity, staying ahead of threats requires proactive measures. That’s where PASTA (Process for Attack Simulation and Threat Analysis) comes in. This robust framework equips you with the tools to systematically assess potential attacks, identify vulnerabilities, and fortify your defenses before attackers strike.

Why PASTA?

Traditional security approaches often focus on patching vulnerabilities after they’re discovered. PASTA takes a proactive stance, simulating potential attacks to uncover weaknesses before they’re exploited. By donning the attacker’s hat, you gain valuable insights into how your systems might be compromised, allowing you to implement targeted defenses.

The 7 Stages of PASTA:

  1. Define Objectives:
    • Identify your primary goals (e.g., protecting sensitive data, ensuring system availability).
    • Clearly define the scope of the analysis (e.g., specific application, network segment).
  2. Technical Scope:
    • Map out the attack surface – all potential entry points for attackers (e.g., network protocols, applications, user interfaces).
    • Consider data flow and storage mechanisms to understand how sensitive information is handled.
  3. Decompose the Application:
    • Break down the system into smaller components for easier analysis.
    • Identify existing security controls in place (e.g., firewalls, access controls).
    • Create data flow diagrams to visualize the movement of sensitive information.
  4. Threat Analysis:
    • Research and identify relevant threats targeting your system or industry.
    • Analyze attacker motives and capabilities to understand their potential actions.
    • Compile a list of potential attack vectors (e.g., phishing, malware, zero-day exploits).
  5. Vulnerability Analysis:
    • Deep dive into identified vulnerabilities within your system and applications.
    • Assess the likelihood of exploitation and potential impact of each vulnerability.
    • Prioritize vulnerabilities based on their severity and exploitability.
  6. Attack Modeling:
    • Construct attack trees that visually depict potential attack scenarios.
    • Map out the steps an attacker might take to exploit vulnerabilities and achieve their goals.
    • Use attack trees to identify critical security controls and potential mitigation strategies.
  7. Analyze Risk and Impact:
    • Evaluate the overall risk posed by identified threats and vulnerabilities.
    • Consider the potential impact of successful attacks on your organization.
    • Develop recommendations for risk mitigation and prioritize them based on their effectiveness and cost.

Benefits of PASTA:

  • Proactive approach: Identifies threats before they become real problems.
  • Structured methodology: Provides a clear roadmap for conducting threat analysis.
  • Improved decision-making: Enables informed prioritization of security investments.
  • Enhanced collaboration: Fosters communication and teamwork between security and development teams.

Ready to put PASTA to the test?

Grab your metaphorical hacker hat and start exploring this powerful framework. Remember, the key to effective PASTA implementation lies in meticulous planning, thorough analysis, and a collaborative spirit. By embracing a proactive approach to security, you can build a robust defense against ever-evolving threats and keep your valuable assets safe.

Fill in the blank: PASTA is a popular _____ framework that’s used across many industries.

threat modeling

PASTA is a popular threat modeling framework that’s used across many industries. Threat modeling is the process of identifying assets, their vulnerabilities, and how each is exposed to threats.

Let’s finish exploring threat modeling by taking a look at real-world scenarios. This time, we’ll use a standard threat modeling process called PASTA. Imagine that a fitness company is getting ready to launch their first mobile app. Before we can go live, the company asks their security team to ensure the app will protect customer data. The team decides to perform a threat model using the PASTA framework. PASTA is a popular threat modeling framework that’s used across many industries. PASTA is short for Process for Attack Simulation and Threat Analysis. There are seven stages of the PASTA framework. Let’s go through each of them to help this fitness company get their app ready.

Stage one of the PASTA threat model framework is to define business and security objectives. Before starting the threat model, the team needs to decide what their goals are. The main objective in our example with the fitness company app is protecting customer data. The team starts by asking a lot of questions at this stage. They’ll need to understand things like how personally identifiable information is handled. Answering these questions is key to evaluating the impact of threats that they’ll find along the way.

Stage two of the PASTA framework is to define the technical scope. Here, the team’s focus is to identify the application components that must be evaluated. This is what we discussed earlier as the attack surface. For a mobile app, this will include technology that’s involved while data is at rest and in use. This includes network protocols, security controls, and other data interactions.

At stage three of PASTA, the team’s job is to decompose the application. In other words, we need to identify the existing controls that will protect user data from threats. This normally means working with the application developers to produce a data flow diagram. A diagram like this will show how data gets from a user’s device to the company’s database. It would also identify the controls in place to protect this data along the way.

Stage four of PASTA is next. The focus here is to perform a threat analysis. This is where the team gets into their attacker mindset. Here, research is done to collect the most up-to-date information on the type of attacks being used. Like other technologies, mobile apps have many attack vectors. These change regularly, so the team would reference resources to stay up-to-date.

Stage five of PASTA is performing a vulnerability analysis. In this stage, the team more deeply investigates potential vulnerabilities by considering the root of the problem.

Next is stage six of PASTA, where the team conducts attack modeling. This is where the team tests the vulnerabilities that were analyzed in stage five by simulating attacks. The team does this by creating an attack tree, which looks like a flow chart. For example, an attack tree for our mobile app might look like this. Customer information, like user names and passwords, is a target. This data is normally stored in a database. We’ve learned that databases are vulnerable to attacks like SQL injection. So we will add this attack vector to our attack tree. A threat actor might exploit vulnerabilities caused by unsanitized inputs to attack this vector. The security team uses attack trees like this to identify attack vectors that need to be tested to validate threats. This is just one branch of this attack tree. An application, like a fitness app, typically has lots of branches with a number of other attack vectors.

Stage seven of PASTA is to analyze risk and impact. Here, the team assembles all the information they’ve collected in stages one through six. By this stage, the team is in position to make informed risk management recommendations to business stakeholders that align with their goals. And with that, we made it all the way through a threat modeling exercise based on the PASTA framework!
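As an added example that serves both the six-step process described earlier in this module and the PASTA attack-modeling stage just described (this is not code from the course), here is a small attack tree for the fitness-app scenario, modeled in Python. The root is the asset from the video, customer credentials in the database, and the SQL-injection branch is the one the video sketches; the other two branches, the leaf names, the likelihoods and the effort figures are constructed assumptions. The tree computes the attacker’s overall success probability (an OR gate succeeds if any child does, an AND gate needs every child), ranks branches by a risk score of likelihood times impact (step four), finds the attacker’s cheapest path, and then models a "reduce" decision (step five) by lowering one leaf’s likelihood and recomputing.

```python
from dataclasses import dataclass, field
from typing import List, Tuple, Union

# Added example: an attack tree for the fitness-app scenario. All leaf names,
# likelihoods (p) and effort figures (cost) are constructed assumptions.


@dataclass
class Leaf:
    name: str
    p: float                    # estimated chance the attacker completes this step
    cost: int                   # estimated attacker effort, arbitrary units
    decision: str = "accept"    # risk treatment: avoid / transfer / reduce / accept


@dataclass
class Gate:
    name: str
    kind: str                   # "OR": any child suffices; "AND": every child is needed
    children: List[Union[Leaf, "Gate"]] = field(default_factory=list)


Node = Union[Leaf, Gate]


def success_probability(node: Node) -> float:
    """Chance the attacker reaches this node, treating steps as independent."""
    if isinstance(node, Leaf):
        return node.p
    probs = [success_probability(c) for c in node.children]
    if node.kind == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    # OR gate: the attacker fails only if every branch fails.
    all_fail = 1.0
    for p in probs:
        all_fail *= 1.0 - p
    return 1.0 - all_fail


def cheapest_path(node: Node) -> Tuple[int, List[str]]:
    """Least-effort route to this node, as (total cost, leaf names used)."""
    if isinstance(node, Leaf):
        return node.cost, [node.name]
    paths = [cheapest_path(c) for c in node.children]
    if node.kind == "AND":
        return sum(c for c, _ in paths), [n for _, names in paths for n in names]
    return min(paths, key=lambda t: t[0])


def risk_score(node: Node, impact: int) -> float:
    """Step four: risk = likelihood x impact, rounded for reporting."""
    return round(success_probability(node) * impact, 2)


def rank_branches(root: Gate, impact: int) -> List[Tuple[str, float]]:
    """Rank each top-level branch of the tree by risk score, highest first."""
    scored = [(c.name, risk_score(c, impact)) for c in root.children]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def apply_control(node: Node, leaf_name: str, new_p: float, decision: str = "reduce") -> None:
    """Step five: record a treatment decision and its effect on one leaf."""
    if isinstance(node, Leaf):
        if node.name == leaf_name:
            node.p, node.decision = new_p, decision
        return
    for child in node.children:
        apply_control(child, leaf_name, new_p, decision)


def build_tree() -> Gate:
    return Gate("Steal customer credentials from the database", "OR", [
        Gate("SQL injection via unsanitized input", "AND", [
            Leaf("Find an API parameter concatenated into SQL", 0.6, 20),
            Leaf("Craft a payload the input filter misses", 0.5, 30),
        ]),
        Gate("Abuse a leaked database password", "AND", [
            Leaf("Find credentials in a public repo or app bundle", 0.3, 10),
            Leaf("Reach the database port from the internet", 0.2, 5),
        ]),
        Leaf("Phish a database administrator", 0.15, 40),
    ])


if __name__ == "__main__":
    tree = build_tree()
    impact = 100  # constructed impact rating for a credential breach
    print("overall success probability:", round(success_probability(tree), 4))
    print("ranked branches:", rank_branches(tree, impact))
    print("cheapest path:", cheapest_path(tree))
    # Treat the top-ranked branch: prepared statements make the SQL step unlikely.
    apply_control(tree, "Find an API parameter concatenated into SQL", 0.05)
    print("after mitigation:", round(success_probability(tree), 4))
```

Two things worth noticing in the output: the cheapest path for the attacker (15 units, through the leaked-password branch) is not the highest-scoring branch (SQL injection at 30), which is why the team ranks by risk rather than by attacker effort alone; and once prepared statements cut the SQL-injection leaf to 0.05, the overall success probability drops from about 0.44 to about 0.22, the kind of before-and-after figure stage seven presents to stakeholders.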

Reading: Traits of an effective threat model

Reading

Practice Quiz: Activity: Apply the PASTA threat model framework

Reading: Activity Exemplar: Apply the PASTA threat model framework

Reading

Practice Quiz: Test your knowledge: Threat modeling

Fill in the blank: Threat modeling is a process that security teams use to _____ attacks.

Which of the following are steps of a threat modeling process? Select three answers.

A threat modeling team has identified potential threats and vulnerabilities that might be exploited. The team creates a diagram that maps the threats to assets. What type of diagram is this known as?

Which of the following are threat modeling frameworks? Select two answers.

What are the objectives of PASTA or any other threat modeling activity? Select three answers.

Review: Threats in cybersecurity


Video: Wrap-up

This course delved into a variety of cyber threats that security professionals face daily.

Key Lessons:

  • Social Engineering:
    • Attackers exploit trust and helpfulness to manipulate victims into revealing information.
    • Phishing attacks are a common tactic, often utilizing emails or messaging platforms.
  • Malware:
    • Major types include viruses, worms, and trojans, each with unique functionalities and infection methods.
    • Recognizing common signs and understanding malware evolution are crucial for effective detection.
  • Web-Based Exploits:
    • Cross-site scripting and SQL injection inject malicious code into websites to compromise user data or system functionality.
    • Protecting web applications involves understanding vulnerable aspects and implementing suitable security measures.
  • Threat Modeling:
    • This structured process helps security teams identify potential threats, understand their impact, and prioritize mitigation strategies.

Overall:

  • Awareness of various cyber threats and mitigation tactics like threat modeling empowers security professionals to address security challenges effectively.
  • While cyberattacks and breaches are a constant concern, proactive preparedness and knowledge are vital for defending systems and data.

Managing threats is a major part of what security professionals do. In this part of the course, we’ve explored some common types of cyber threats that you’ll likely encounter in the field. Let’s review.

We started off discussing social engineering. You learned that attackers have a variety of ways to trick their targets into sharing private information. Social engineering techniques rely on exploiting people’s trust and willingness to help. Phishing attacks are one of the most common ways that attackers go about manipulating their targets.

Next, we explored malware. Here, we discussed the major classes of malware, like viruses, trojans, and worms. You learned how to spot signs of infection. You also learned how malware has evolved and become more sophisticated over the years.

After that, we turned our attention to web-based exploits, specifically injection attacks. You learned about cross-site scripting and SQL injection, two of the most common types of attacks facing organizations online. We discussed how each of these attacks is carried out. You also learned about how web applications can be protected from malicious code.

Finally, we explored the threat modeling process. You learned the process that security teams use to perform these exercises. Unfortunately, cyberattacks and security breaches are a reality that we’re challenged with on a regular basis. However, being aware of the type of threats that exist and the threat modeling process provides an important foundation for your work as a security analyst.

Reading: Glossary terms from module 4

Terms and definitions from Course 5, Module 4

Quiz: Module 4 challenge

Which of the following could be examples of social engineering attacks? Select three answers.

  • A pop-up advertisement promising a large cash reward in return for sensitive information
  • An unfamiliar employee asking you to hold the door open to a restricted area
  • An email urgently asking you to send money to help a friend who is stuck in a foreign country

Fill in the blank: _____ uses text messages to manipulate targets into sharing sensitive information.

Smishing

A digital artist receives a free version of professional editing software online that has been infected with malware. After installing the program, their computer begins to freeze and crash repeatedly.
The malware hidden in this editing software is an example of which type of malware?

Trojan

What are the characteristics of a ransomware attack? Select three answers.

  • Attackers encrypt data on the device without the user’s permission.
  • Attackers make themselves known to their targets.
  • Attackers demand payment to restore access to a device.

Which of the following are common signs that a computer is infected with cryptojacking software? Select three answers.

Increased CPU usage, Unusually high electricity costs, Sudden system crashes

Security researchers inserted malicious code into the web applications of various organizations. This allowed them to obtain the personally identifiable information (PII) of various users across multiple databases.
What type of attack did the researchers perform?

Injection

An attacker injected malware on a server. When a user visits a website hosted by the server, their device gets infected with the malware.
This is an example of what type of injection attack?

Stored

What are the reasons that an attacker would perform a SQL injection attack? Select three answers.

  • To steal the access credentials of users in a database
  • To delete entire tables in a database
  • To gain administrative rights to a database

A security team is conducting a threat model on a new software system. The team is creating their plan for defending against threats. Their choices are to avoid risk, transfer it, reduce it, or accept it.
Which key step of a threat model does this scenario represent?

Mitigate risks

A security team is decomposing an application during a PASTA threat model. What information will they discover during this step of the process?

How the application handles data and which controls are in place

Fill in the blank: The main difference between a worm and a virus is that a worm can _____.

replicate itself across devices without requiring users to perform an action

A government contractor is tricked into installing a virus on their workstation that encrypts all their files. The virus displays a message on the workstation telling the contractor that they can have the files decrypted if they make a payment of $31,337 to an email address.
What type of attack is this an example of?

Ransomware

Congratulations on completing course 5


Video: Course wrap-up

  • Focus on information security: Primarily protecting digital assets through information security principles.
  • Asset classification and risk mitigation: Understanding different asset types and using procedures, policies, and frameworks like NIST to manage risk.
  • Security systems and controls: Implementing technologies like encryption and infrastructure for data protection, ensuring confidentiality, integrity, and availability.
  • Vulnerability and threat awareness: Learning about common vulnerabilities, the CVE list, defense in depth strategies, and major threats like social engineering and malware.
  • Threat modeling process: Understanding how security teams proactively identify and address potential threats to information assets.

The speaker then reflects on their own career journey and encourages the listener to continue learning and exploring the vast possibilities within the security field. They express their pride in playing a role in the listener’s learning and wish them all the best in their future endeavors.

Congratulations on making it through the end of this course! I can hardly believe our time together is over. Before moving on in the certificate program, I’d like to reflect on all the amazing progress you’ve made.

When we started, you were introduced to a wide range of assets organizations protect. Our primary focus was information security, specifically digital information. Here, you learned how asset classification helps security teams focus their efforts and prioritize resources. We explored digital assets in the three states of data. We also learned how policies, standards, and procedures can mitigate organizational risk. Our focus on the NIST cybersecurity framework introduced you to a commonly used framework for managing risk.

Afterwards, you learned about fundamental security systems and controls. You got to explore technology, like encryption, that’s used to protect data in all its states. You also learned how technologies like public key infrastructure and digital certificates are used to maintain the confidentiality, integrity, and availability of information online. And you also explored access controls that make up the authentication, authorization, and accounting framework.

Next, we explored common vulnerabilities in systems. During this part of the course, you got an inside look into how security teams position themselves ahead of attacks. We explored the defense in depth strategy that’s applied to protect information as it’s exchanged between parties online. You also learned about the Common Vulnerabilities and Exposures (CVE) list, the vulnerability assessment process, and attack surfaces and attack vectors.

We then explored the major threats to asset security, like social engineering, malware, and web-based exploits. Together, we discussed how these attacks are carried out and the way security teams prevent them from doing damage. We then finished up by exploring the process of threat modeling.

We covered so much! I really appreciate your effort throughout it all. When I first started my career in security, my goal was to learn, network, and embrace any opportunity. I was able to attend security conferences, receive job tips, earn references, and volunteer to gain experience. At that time, I would have never imagined that I’d be here teaching what I’ve learned to others. That just goes to show you, your security journey is only just beginning. While our time together is over, we covered a lot of complex topics, many of which are areas of specialization in security. With the foundation you’ve built here, you have a wide range of possibilities to continue growing in the field. I’m so glad to have played a part in this step along your journey into the world of security. And I wish you all the best as you continue forward along your path.

Reading: Course 5 glossary

Reading: Get started on the next course

Reading