
Module 3: Vulnerabilities in systems

You will build an understanding of the vulnerability management process. You’ll learn about common vulnerabilities and develop an attacker mindset by examining the ways vulnerabilities can become threats to asset security if they are exploited.

Learning Objectives

  • Differentiate between vulnerabilities and threats.
  • Describe the defense in depth strategy.
  • Explain how common vulnerability exposures are identified by MITRE.
  • Explain how vulnerability assessments are used to assess potential risk.
  • Analyze an attack surface.
  • Develop an attacker mindset to recognize threats.

Flaws in the system

Video: Welcome to module 3

We’ve reached the halfway point in our cybersecurity journey, covering foundational concepts like assets, threats, and vulnerabilities. We explored:

  • Asset protection: Understanding the range of assets security professionals safeguard and the importance of information security.
  • Vulnerability management: Gaining an awareness of vulnerabilities and their crucial role in security.
  • Defense in depth: Applying a layered approach to minimize vulnerabilities and prevent attacks.
  • CVE list: Learning about online resources for documented vulnerabilities and their identification.
  • Attack surfaces: Understanding the areas cybercriminals target and how security teams protect them.
  • Attacker mindset: Developing an attacker’s perspective to identify and thwart potential threats.

Equipped with this knowledge, we’re ready to delve deeper into vulnerability management and expand our security expertise. Get ready for exciting explorations and challenges! Are you as enthusiastic as I am? Let’s continue our journey!

Wow! We’ve covered a lot together! It’s hard to believe we’ve reached the midpoint of this course. I hope you’re getting a clearer picture of this exciting field and all the opportunities it has to offer. And most importantly, I hope you’re having fun doing it. We’ve come a long way from where we started. When we began our journey together, we were introduced to the three building blocks of every security program: assets, threats, and vulnerabilities. We focused a lot on assets early on and the wide range of things security professionals work to protect. We then turned our attention to a core component of asset security, protecting assets. You learned about the importance of guarding sensitive information. You also learned about some security controls that protect information from being lost or stolen.

On the next part of our journey, we’re going to turn our focus to vulnerabilities. Every asset we protect has a series of vulnerabilities, or flaws, that we need to be aware of. Staying informed of these things is a critical part of protecting people and organizations from harm. In this next part of the course, you’ll gain an understanding of the vulnerability management process. First, you’ll explore a common approach to vulnerability management: the defense in depth model. Then, you will learn about how vulnerabilities are documented in online libraries like the CVE list. We’ll discuss the attack surfaces security teams protect. And lastly, you’ll expand your attacker mindset by exploring the common attack vectors cybercriminals try to exploit. Security analysts play an important role in identifying and correcting vulnerabilities in systems. I know I’m excited to keep exploring, are you? Then let’s go!

Video: Vulnerability management

Main Points:

  • Every asset has vulnerabilities that can be exploited by threats.
  • Exploits are methods for taking advantage of vulnerabilities.
  • Vulnerability management is a four-step process: identifying vulnerabilities, considering potential exploits, preparing defenses, and evaluating those defenses.
  • This process is cyclical and ongoing, as new vulnerabilities are constantly discovered.
  • Zero-day exploits are previously unknown vulnerabilities that pose significant danger due to the lack of preparation time.
  • Identifying vulnerabilities is the most crucial step in vulnerability management.

Key Takeaways:

  • Security teams prioritize finding and addressing vulnerabilities to protect assets.
  • Vulnerability management involves a continuous cycle of identification, mitigation, and assessment.
  • Zero-day vulnerabilities pose a significant challenge due to their unexpected nature.
  • Identifying vulnerabilities is critical for proactively preventing threats and ensuring asset security.

Additional Notes:

  • The analogy of protecting a document highlights the importance of understanding vulnerabilities and their potential exploits.
  • Burglaries exemplify how vulnerability management principles apply in real-world scenarios.
  • Cybersecurity teams benefit from diversity in perspectives to identify and respond to vulnerabilities.
  • Staying informed about new vulnerabilities and zero-day exploits is crucial for effective security measures.

Conclusion:

Vulnerability management plays a central role in cybersecurity by proactively identifying and mitigating vulnerabilities before they can be exploited. Understanding this process and its importance is fundamental for individuals and organizations to protect their assets from threats. The next session will delve deeper into the critical first step of identifying vulnerabilities.

Introduction:

Vulnerability management is a crucial aspect of cybersecurity, aiming to identify, assess, and remediate vulnerabilities in systems and applications before they can be exploited by attackers. This tutorial provides a comprehensive overview of vulnerability management, covering its key principles, processes, and tools.

What is a Vulnerability?

A vulnerability is a weakness or flaw in a system or application that can be exploited by an attacker to gain unauthorized access, disrupt operations, or steal data. Vulnerabilities can arise from various factors, including software bugs, misconfigurations, and outdated software.

Why is Vulnerability Management Important?

Vulnerability management is essential for several reasons:

  • Reduces risk of attacks: By identifying and addressing vulnerabilities, organizations reduce the attack surface and make it more difficult for attackers to exploit their systems.
  • Protects critical assets: Vulnerability management helps protect sensitive information and critical assets from unauthorized access and data breaches.
  • Minimizes damage from attacks: Even if an attack occurs, effective vulnerability management can minimize the damage by limiting the impact of the exploited vulnerability.
  • Improves compliance: Many regulations require organizations to implement a vulnerability management program to meet compliance standards.

The Vulnerability Management Process:

Vulnerability management typically involves a four-step cyclic process:

1. Identify vulnerabilities:

  • Scanning tools: Automated tools scan systems and applications for known vulnerabilities.
  • Penetration testing: Simulating real-world attacks to identify unknown vulnerabilities.
  • Manual review: Security professionals manually reviewing code and configurations.

2. Assess vulnerabilities:

  • Severity: Analyzing the potential impact of a vulnerability if exploited.
  • Exploitability: Evaluating the likelihood of a vulnerability being exploited.
  • Priority: Ranking vulnerabilities based on their severity and exploitability.

3. Remediate vulnerabilities:

  • Patching: Applying software updates to fix known vulnerabilities.
  • Configuration changes: Modifying system and application configurations to mitigate vulnerabilities.
  • Workarounds: Implementing temporary solutions until permanent fixes are available.

4. Report and review:

  • Documenting findings and remediation activities.
  • Reporting vulnerabilities to stakeholders.
  • Regularly reviewing the effectiveness of the vulnerability management program.

Vulnerability Management Tools:

A variety of tools are available to support different stages of the vulnerability management process:

  • Vulnerability scanners: Identify and categorize known vulnerabilities.
  • Penetration testing tools: Simulate real-world attacks and identify unknown vulnerabilities.
  • Patch management tools: Automate the process of applying software updates.
  • Configuration management tools: Automate configuration changes and ensure consistent security settings.

Best Practices for Vulnerability Management:

  • Establish a vulnerability management policy: Define roles, responsibilities, and procedures for vulnerability management.
  • Prioritize vulnerabilities based on risk: Focus on addressing the most critical vulnerabilities first.
  • Automate as much as possible: Automate scanning, patching, and configuration management to improve efficiency.
  • Integrate vulnerability management with other security processes: Share information and collaborate between different security teams.
  • Continuously monitor and improve: Regularly review the effectiveness of the vulnerability management program and make adjustments as needed.

Conclusion:

Vulnerability management is an essential practice in protecting organizations from cyberattacks. By implementing a comprehensive vulnerability management program, organizations can significantly reduce their risk of security incidents and ensure the confidentiality, integrity, and availability of their critical assets.

Additional Resources:

Please note: This is a general overview of vulnerability management. Specific tools and processes may vary depending on the organization and its security requirements.

For every asset that needs protecting, there are dozens of vulnerabilities. Finding those vulnerabilities and fixing them before they become a problem is the key to keeping an asset safe. We’ve already covered what a vulnerability is. Recall that a vulnerability is a weakness that can be exploited by a threat. That word, can, is an important part of this description. Why is that? Let’s explore that together to find out more.

Imagine I handed you an important document and asked you to keep it safe. How would you do that? Some of you might first think about locking it up in a safe place. Behind this is the understanding that, because documents can be easily moved, they are vulnerable to theft. When other vulnerabilities come to mind, like how paper burns easily or doesn’t resist water, you might add other protections. Similar to this example, security teams plan to protect assets according to their vulnerabilities and how they can be exploited. In security, an exploit is a way of taking advantage of a vulnerability. Besides finding vulnerabilities, security planning relies a lot on thinking of exploits. For example, there are burglars out there who want to cause harm. Homes have vulnerable systems that can be exploited by a burglar. An example is the windows. Glass is vulnerable to being broken. A burglar can exploit this vulnerability by using a rock to break the window. Thinking of this vulnerability and exploit ahead of time allows us to plan ahead. We can have an alarm system in place to scare the burglar away and alert the police.

Security teams spend a lot of time finding vulnerabilities and thinking of how they can be exploited. They do this with the process known as vulnerability management. Vulnerability management is the process of finding and patching vulnerabilities. Vulnerability management helps keep assets safe. It’s a method of stopping threats before they can become a problem. Vulnerability management is a four-step process. The first step is to identify vulnerabilities. The next step is to consider potential exploits of those vulnerabilities. Third is to prepare defenses against threats. And finally, the fourth step is to evaluate those defenses. When the last step ends, the process starts again. Vulnerability management happens in a cycle. It’s a regular part of what security teams do because there are always new vulnerabilities to be concerned about. This is exactly why a diverse set of perspectives is useful! Having a wide range of backgrounds and experiences only strengthens security teams and their ability to find exploits.

However, even large and diverse security teams can’t keep track of everything. New vulnerabilities are constantly being discovered. These are known as zero-day exploits. A zero-day is an exploit that was previously unknown. The term zero-day refers to the fact that the exploit is happening in real time with zero days to fix it. These kinds of exploits are dangerous. They represent threats that haven’t been planned for yet. For example, we can anticipate the possibility of a burglar breaking into our home. We can plan for this type of threat by having defenses in place, like locks on the doors and windows. A zero-day exploit would be something totally unexpected, like the lock on the door falling off from intense heat. Zero-day exploits are things that don’t normally come to mind. For example, this might be a new form of spyware infecting a popular website. When zero-day exploits happen, they can leave assets even more vulnerable to threats than they already are.

Vulnerability management is the process of finding vulnerabilities and fixing their exploits. That’s why the process is performed regularly at most organizations. Perhaps the most important step of the process is identifying vulnerabilities. We’ll explore this step in more detail next time we get together. I’ll meet you again then!

Which of the following are steps in the vulnerability management process? Select three answers.

Consider potential exploits, Prepare defenses against threats, Identify vulnerabilities

Vulnerability management is a four-step process that includes the following steps: identify vulnerabilities, consider potential exploits, prepare defenses against threats, and evaluate those defenses.

Video: Defense in depth strategy

Main Points:

  • Defense in depth is a security model resembling a layered castle defense.
  • Each layer acts as a barrier, mitigating the risk of an attack succeeding.
  • In cybersecurity, information is protected using a five-layer defense in depth model:
    • Perimeter: User authentication and access control (firewalls, passwords)
    • Network: Authorization and network segmentation (firewalls, intrusion detection systems)
    • Endpoint: Device protection (anti-virus, endpoint security)
    • Application: Interface and application security (multi-factor authentication, code reviews)
    • Data: Data protection and classification (encryption, data loss prevention)
  • Each layer utilizes various security controls to safeguard information as it travels through the network.
  • Many businesses design their security systems based on the defense in depth model.

Key Takeaways:

  • Layered defense significantly reduces the likelihood of successful attacks.
  • Different layers address different vulnerabilities and threats.
  • Each layer plays a crucial role in protecting sensitive information.
  • Understanding the defense in depth model provides insights into organizational security practices.

Additional Notes:

  • The castle analogy effectively illustrates the layered defense concept.
  • Each layer implements distinct security controls tailored to its specific function.
  • The model helps visualize how information flows through various security barriers.
  • Organizations can choose and customize security controls within each layer.

Conclusion:

Defense in depth is a powerful security paradigm that employs multiple layers of defenses to minimize risks and ensure the integrity of critical assets. Understanding this concept is essential for both individuals and organizations to effectively protect themselves from cyber threats.

In the realm of cybersecurity, defense in depth (DID) is a fundamental strategy for protecting valuable information and systems. Imagine a medieval castle with its layered defenses, including moats, walls, and archers. Each layer adds another obstacle for attackers, making it significantly harder to breach the castle’s inner sanctum. Similarly, DID implements multiple security measures across various layers to create a robust and resilient defense against cyber threats.

Why Defense in Depth?

  • Reduces Vulnerability Surface: DID helps minimize the attack surface by employing multiple layers of security, making it more difficult for attackers to find and exploit vulnerabilities.
  • Minimizes Damage: Even if one layer is breached, the remaining layers can still impede the attacker’s progress, potentially containing the damage and limiting the impact on critical assets.
  • Improves Resilience: By having multiple layers of defense, the overall security posture is more resilient against attacks. If one layer fails, the others can still provide protection and buy time for further response.
  • Flexibility and Scalability: DID allows for a flexible and scalable security approach. Organizations can customize the layers and their respective security controls based on their specific needs and risk profile.

The Five Layers of Defense in Depth:

  1. Perimeter Security: This layer focuses on securing the outer edges of the network and preventing unauthorized access. Examples of controls include firewalls, intrusion detection/prevention systems (IDS/IPS), and access control lists (ACLs).
  2. Network Security: This layer safeguards internal network communications and prevents lateral movement within the network. Security controls include network segmentation, virtual private networks (VPNs), and network monitoring tools.
  3. Endpoint Security: This layer protects individual devices like laptops, desktops, and servers from malware, vulnerabilities, and unauthorized access. Examples of controls include anti-virus software, endpoint detection and response (EDR) solutions, and application whitelisting.
  4. Application Security: This layer focuses on securing applications and mitigating vulnerabilities within the code itself. Security controls include secure coding practices, vulnerability scanning, and penetration testing.
  5. Data Security: This layer protects sensitive data at rest and in transit. Examples of controls include data encryption, data loss prevention (DLP) solutions, and access controls for sensitive data repositories.

Implementation and Best Practices:

  • Identify Critical Assets: Identify the most valuable and sensitive assets requiring the highest level of protection.
  • Choose Appropriate Controls: Select suitable security controls for each layer based on risk assessment and specific security needs.
  • Focus on Least Privilege: Implement the principle of least privilege, providing users with minimal access rights necessary for their tasks.
  • Continuously Monitor and Evaluate: Regularly monitor security logs, conduct vulnerability assessments, and update security controls proactively.
  • Incident Response Planning: Develop a comprehensive incident response plan to address potential security breaches effectively and efficiently.

Benefits of Defense in Depth:

  • Enhanced Security Posture: DID provides a holistic and layered approach to security, significantly improving the overall security posture of an organization.
  • Reduced Risk of Attacks: The multiple layers of defense make it more difficult for attackers to succeed, reducing the likelihood of successful cyberattacks.
  • Improved Compliance: DID can help organizations comply with various security regulations and standards.
  • Faster Incident Response: The layered approach can help isolate and contain security incidents quickly, minimizing potential damage.

Conclusion:

Defense in depth is a vital strategy for implementing comprehensive and effective cybersecurity. By employing multiple layers of security controls and focusing on continuous improvement, organizations can significantly reduce their risk of cyberattacks and ensure the protection of their valuable assets. Understanding and implementing DID is crucial for anyone involved in cybersecurity, whether individuals protecting their personal devices or organizations safeguarding critical infrastructure.

Which of the following is a layered approach to vulnerability management that reduces risk?

Defense in depth

Defense in depth is a layered approach to vulnerability management that reduces risk. It’s a security approach that protects assets by surrounding them with multiple layers of protection.

A layered defense is difficult to penetrate. When one barrier fails, another takes its place to stop an attack. Defense in depth is a security model that makes use of this concept. It’s a layered approach to vulnerability management that reduces risk. Defense in depth is commonly referred to as the castle approach because it resembles the layered defenses of a castle. In the Middle Ages, these structures were very difficult to penetrate. They featured different defenses, each unique in its design, that posed different challenges for attackers. For example, a water-filled barrier called a moat usually formed a circle around the castle, preventing threats like large groups of attackers from reaching the castle walls. The few soldiers that made it past the first layer of defense were then faced with a new challenge, giant stone walls. A vulnerability of these structures was that they could be climbed. If attackers tried exploiting that weakness, guess what? They were met with another layer of defense, watch towers, filled with defenders ready to shoot arrows and keep them from climbing! Each level of defense of these medieval structures minimized the risk of attacks by identifying vulnerabilities and implementing a security control should one system fail.

Defense in depth works in a similar way. The defense in depth concept can be used to protect any asset. It’s mainly used in cybersecurity to protect information using a five-layer design. Each layer features a number of security controls that protect information as it travels in and out of the model.

The first layer of defense in depth is the perimeter layer. This layer includes some technologies that we’ve already explored, like usernames and passwords. Mainly, this is a user authentication layer that filters external access. Its function is to only allow access to trusted partners to reach the next layer of defense. Second, the network layer is more closely aligned with authorization. The network layer is made up of other technologies like network firewalls and others. Next is the endpoint layer. Endpoints refer to the devices that have access on a network. They could be devices like a laptop, desktop, or a server. Some examples of technologies that protect these devices are anti-virus software. After that, we get to the application layer. This includes all the interfaces that are used to interact with technology. At this layer, security measures are programmed as part of an application. One common example is multi-factor authentication. You may be familiar with having to enter both your password and a code sent by SMS. This is part of the application layer of defense. And finally, the fifth layer of defense is the data layer. At this layer, we’ve arrived at the critical data that must be protected, like personally identifiable information. One security control that is important here in this final layer of defense is asset classification.

Like I mentioned earlier, information passes in and out of each of these five layers whenever it’s exchanged over a network. There are many more security controls aside from the few that I mentioned that are part of the defense in depth model. A lot of businesses design their security systems using the defense in depth model. Understanding this framework hopefully gives you a better sense of how an organization’s security controls work together to protect important assets.

Video: Common vulnerabilities and exposures

Main Points:

  • Vulnerability libraries:
    • Online resources for sharing and documenting vulnerabilities and exposures.
    • Examples include CVE list and NIST National Vulnerabilities Database.
  • Vulnerability vs. exposure:
    • Vulnerability: Weakness of a system.
    • Exposure: Mistake that can be exploited by a threat.
  • CVE list:
    • Public library of known vulnerabilities and exposures.
    • Created by MITRE Corporation in 1999.
    • Purpose: Standardized identification and categorization of vulnerabilities.
    • Reporting process involves independent researchers, technology vendors, and ethical hackers.
    • Strict review process by CVE Numbering Authorities (CNAs) before assigning IDs.
    • CVEs must meet specific criteria: independent issue, security risk potential, supporting evidence, single codebase affected.
  • CVSS:
    • Common Vulnerability Scoring System.
    • Measurement system for severity of vulnerabilities.
    • Used by security teams to prioritize fixes and determine patch urgency.
    • Base score ranges from 0-10 (low risk to critical risk).
  • Benefits of vulnerability libraries:
    • Help organizations prioritize security fixes.
    • Provide information on vulnerability severity and risk.
    • Offer diverse perspectives and recommendations.

Key Takeaways:

  • Online libraries play a crucial role in vulnerability management.
  • CVE list and CVSS are valuable resources for security professionals.
  • Understanding vulnerabilities and exposures is essential for effective security.
  • Collaboration within the cybersecurity community is vital for improved protection.

Additional Notes:

  • CVE list and CVSS are constantly evolving to address new vulnerabilities.
  • Security teams should stay informed about updates and adapt their strategies accordingly.
  • Participating in vulnerability reporting and research contributes to a safer online environment.

Conclusion:

Vulnerability libraries like the CVE list and the NIST National Vulnerabilities Database are essential tools for security professionals. These resources provide valuable information about vulnerabilities, their severity, and mitigation strategies. By leveraging these libraries and participating in the broader cybersecurity community, organizations can effectively manage vulnerabilities and protect their assets from potential threats.

Every connected device and software program carries vulnerabilities, making them susceptible to cyberattacks. These vulnerabilities can be exploited by attackers to gain unauthorized access, steal sensitive information, or disrupt operations. Therefore, understanding and managing vulnerabilities is crucial for any organization or individual concerned about cybersecurity.

What are Common Vulnerabilities and Exposures (CVEs)?

Common Vulnerabilities and Exposures (CVEs) are a standardized way to identify and track publicly known vulnerabilities. They are maintained by MITRE Corporation, a non-profit organization that focuses on national security and public safety.

Each CVE is assigned a unique identifier and a detailed description, including:

  • Vulnerability type: Describes the nature of the vulnerability (e.g., buffer overflow, SQL injection)
  • Affected products: Lists the software or hardware products affected by the vulnerability
  • Severity score: Uses the Common Vulnerability Scoring System (CVSS) to assess the potential impact of the vulnerability (0-10 scale)
  • Public disclosure date: Date when the vulnerability was publicly disclosed
  • References: Links to additional information about the vulnerability and its mitigation

Why are CVEs important?

CVEs are important for several reasons:

  • Standardization: Provides a common language for discussing vulnerabilities across different organizations and tools.
  • Information sharing: Enables researchers, vendors, and security teams to share information about vulnerabilities and coordinate mitigation efforts.
  • Risk assessment: Helps organizations prioritize vulnerabilities based on their severity and potential impact.
  • Patching and remediation: Provides a reference point for identifying affected systems and applying necessary patches or other mitigation measures.

How are CVEs used?

CVEs are used by various stakeholders in the cybersecurity ecosystem:

  • Security teams: Use CVEs to identify vulnerabilities in their systems, prioritize patching efforts, and track the effectiveness of their vulnerability management program.
  • Software vendors: Use CVEs to track vulnerabilities in their products and develop patches or other mitigation measures.
  • Researchers: Use CVEs to track emerging threats and develop new security tools and techniques.
  • Individuals: Use CVEs to understand the risks associated with the software they use and take steps to protect themselves from cyberattacks.

Where can I find more information about CVEs?

The official CVE website is the primary source for information about CVEs: https://cve.mitre.org/

Additional resources:

How to stay informed about CVEs?

  • Subscribe to CVE feeds or newsletters.
  • Follow security researchers and organizations on social media.
  • Attend security conferences and workshops.
  • Regularly update your software and operating systems.

Conclusion:

Understanding and managing CVEs is an essential part of any comprehensive cybersecurity strategy. By using available resources and staying informed about emerging threats, individuals and organizations can minimize the risk of cyberattacks and protect their valuable assets.

Which of the following criteria need to be met before qualifying for a CVE® ID? Select three answers.
  • Vulnerabilities must be recognized as a potential security risk.
  • Vulnerabilities must only affect one codebase.
  • Vulnerabilities must be submitted with supporting evidence.

Vulnerabilities must only affect a single codebase, be submitted with supporting evidence, and be recognized as potential security risks to qualify for a CVE® ID. They must also be independent of other issues.

We’ve discussed before that security is a team effort. Did you know the group extends well beyond a single security team? Protecting information is a global effort! When it comes to vulnerabilities, there are actually online public libraries. Individuals and organizations use them to share and document common vulnerabilities and exposures. We’ve been focusing a lot on vulnerabilities. Exposures are similar, but they have a key difference. While a vulnerability is a weakness of a system, an exposure is a mistake that can be exploited by a threat. For example, imagine you’re asked to protect an important document. Documents are vulnerable to being misplaced. If you laid the document down near an open window, it could be exposed to being blown away.

One of the most popular libraries of vulnerabilities and exposures is the CVE list. The common vulnerabilities and exposures list, or CVE list, is an openly accessible dictionary of known vulnerabilities and exposures. It is a popular resource. Many organizations use a CVE list to find ways to improve their defenses. The CVE list was originally created by MITRE corporation in 1999. MITRE is a collection of non-profit research and development centers. They’re sponsored by the US government. Their focus is on improving security technologies around the world. The main purpose of the CVE list is to offer a standard way of identifying and categorizing known vulnerabilities and exposures. Most CVEs in the list are reported by independent researchers, technology vendors, and ethical hackers, but anyone can report one.

Before a CVE can make it onto the CVE list, it first goes through a strict review process by a CVE Numbering Authority, or CNA. A CNA is an organization that volunteers to analyze and distribute information on eligible CVEs. All of these groups have an established record of researching vulnerabilities and demonstrating security advisory capabilities. When a vulnerability or exposure is reported to them, a rigorous testing process takes place. The CVE list tests four criteria that a vulnerability must have before it’s assigned an ID. First, it must be independent of other issues. In other words, the vulnerability should be able to be fixed without having to fix something else. Second, it must be recognized as a potential security risk by whoever reports it. Third, the vulnerability must be submitted with supporting evidence. And finally, the reported vulnerability can only affect one codebase, or in other words, only one program’s source code. For instance, the desktop version of Chrome may be vulnerable, but the Android application may not be. If the reported flaw passes all of these tests, it is assigned a CVE ID.

Vulnerabilities added to the CVE list are often reviewed by other online vulnerability databases. These organizations put them through additional tests to reveal how significant the flaws are and to determine what kind of threat they pose. One of the most popular is the NIST National Vulnerability Database. The NIST National Vulnerability Database uses what’s known as the common vulnerability scoring system, or CVSS, which is a measurement system that scores the severity of a vulnerability. Security teams use CVSS as a way of calculating the impact a vulnerability could have on a system. They also use them to determine how quickly a vulnerability should be patched. The NIST National Vulnerability Database provides a base score of CVEs on a scale of 0-10. Base scores reflect the moment a vulnerability is evaluated, so they don’t change over time. In general, a CVSS that scores below a 4.0 is considered to be low risk and doesn’t require immediate attention. However, anything above a 9.0 is considered to be a critical risk to company assets that should be addressed right away.

Security teams commonly use the CVE list and CVSS scores as part of their vulnerability management strategy. These references provide recommendations for prioritizing security fixes, like installing software updates before patches. Libraries like the CVE list help organizations answer questions. Is a vulnerability dangerous to our business? If so, how soon should we address it? These online libraries bring together diverse perspectives from across the world. Contributing to this effort is one of my favorite parts of working in this field. Keep gaining experience, and I hope you’ll participate too!

Reading: The OWASP Top 10

Reading: Open source intelligence

Practice Quiz: Test your knowledge: Flaws in the system

Which of the following are steps in the vulnerability management process? Select two answers.

An organization is attacked by a vulnerability that was previously unknown. What is this exploit an example of?

Which layer of the defense in depth strategy is a user authentication layer that mainly filters external access?

A security researcher reports a new vulnerability to the CVE® list. Which of the following criteria must the vulnerability meet before it receives a CVE® ID? Select two answers.

Identify system vulnerabilities


Video: Vulnerability assessments

This video explains the process of vulnerability assessments in cybersecurity.

Key points:

  • Vulnerability assessments are internal reviews of an organization’s security systems.
  • They identify weaknesses and prioritize them for remediation based on risk.
  • The four steps of a vulnerability assessment are:
    • Identification: Identifying vulnerabilities using scanning tools and manual testing.
    • Vulnerability analysis: Testing identified vulnerabilities to understand their root cause.
    • Risk assessment: Assigning severity scores to vulnerabilities based on impact and likelihood.
    • Remediation: Fixing vulnerabilities based on their risk scores.
  • Organizations perform vulnerability assessments regularly to identify and address security issues before attackers exploit them.

Benefits:

  • Proactive identification and mitigation of security vulnerabilities.
  • Improved security posture and reduced risk of attack.
  • Prioritization of resources to address the most critical vulnerabilities.
  • Compliance with regulatory standards.

Overall:

Vulnerability assessments are a critical component of any effective cybersecurity strategy. By regularly identifying and addressing vulnerabilities, organizations can significantly reduce their risk of attack.

Introduction

In today’s digital world, where cyber threats are constantly evolving, organizations need a robust cybersecurity strategy to protect their valuable assets. Vulnerability assessments are a critical component of this strategy, helping identify and address weaknesses in systems before attackers can exploit them.

What are Vulnerability Assessments?

A vulnerability assessment is a systematic process for identifying, classifying, and prioritizing security weaknesses in an organization’s IT infrastructure. This process typically involves:

  • Asset discovery: Identifying all hardware, software, and data assets within the organization’s IT environment.
  • Vulnerability scanning: Using automated tools to scan for known vulnerabilities in these assets.
  • Manual testing: Performing manual security testing to identify vulnerabilities that are not detected by automated tools.
  • Vulnerability analysis: Evaluating the severity and risk of identified vulnerabilities based on factors such as exploitability, impact, and likelihood of occurrence.
  • Reporting and remediation: Reporting the findings of the vulnerability assessment to stakeholders and developing a plan to remediate identified vulnerabilities.

Benefits of Vulnerability Assessments

Vulnerability assessments offer several benefits for organizations, including:

  • Improved security posture: By identifying and addressing security weaknesses, organizations can significantly reduce their risk of attack.
  • Compliance with regulations: Many industries have regulations that require organizations to conduct regular vulnerability assessments.
  • Cost savings: Addressing vulnerabilities proactively can help organizations avoid the costs associated with data breaches and other cyberattacks.
  • Enhanced business continuity: Minimizing downtime and disruption caused by cyberattacks.

The Vulnerability Assessment Process

The vulnerability assessment process typically involves the following steps:

1. Planning and Scoping:

  • Define the scope of the assessment, including which systems and applications will be assessed.
  • Identify the stakeholders who will be involved in the process.
  • Develop a timeline and budget for the assessment.

2. Asset Discovery:

  • Identify all hardware, software, and data assets within the organization’s IT environment.
  • Create an inventory of assets, including their location, configuration, and ownership.
  • Update the inventory regularly to reflect changes in the IT environment.

3. Vulnerability Scanning:

  • Use automated tools to scan for known vulnerabilities in identified assets.
  • Configure tools to scan for specific vulnerabilities relevant to the organization’s risk profile.
  • Regularly update vulnerability scanning tools to ensure they detect the latest threats.

4. Manual Testing:

  • Perform manual security testing to identify vulnerabilities that are not detected by automated tools.
  • Focus on high-risk systems and applications.
  • Document the results of manual testing.

5. Vulnerability Analysis:

  • Evaluate the severity and risk of identified vulnerabilities.
  • Consider factors such as exploitability, impact, and likelihood of occurrence.
  • Assign a risk score to each vulnerability to prioritize remediation efforts.

6. Reporting and Remediation:

  • Report the findings of the vulnerability assessment to stakeholders.
  • Develop a plan to remediate identified vulnerabilities.
  • Prioritize remediation efforts based on the risk scores assigned to vulnerabilities.
  • Regularly monitor and update the vulnerability assessment process to ensure its effectiveness.

Tools and Resources

Several tools and resources are available to help organizations conduct vulnerability assessments, including:

  • Vulnerability scanning tools: Nessus, OpenVAS, Qualys
  • Manual testing tools: Burp Suite, OWASP ZAP
  • Vulnerability databases: CVE, NVD

Best Practices for Vulnerability Assessments

Here are some best practices for conducting vulnerability assessments:

  • Perform vulnerability assessments regularly.
  • Automate as much of the process as possible.
  • Prioritize the remediation of high-risk vulnerabilities.
  • Integrate vulnerability assessments into your overall security program.
  • Develop a culture of security within your organization.

By following these best practices, organizations can conduct effective vulnerability assessments that help them identify and address security weaknesses before attackers can exploit them.

Conclusion

Vulnerability assessments are a critical component of any effective cybersecurity strategy. By regularly identifying and addressing security weaknesses, organizations can significantly reduce their risk of attack and protect their valuable assets.

Which of the following steps may be part of a vulnerability assessment? Select three answers.

Remediation, Identification, Risk assessment

A vulnerability assessment may include identification, risk assessment, and remediation. It may also include vulnerability analysis. During a risk assessment, a score is assigned to each vulnerability based on its likelihood and severity.

Our exploration of the vulnerability management process so far has been focused on a couple of topics. We’ve discussed how vulnerabilities influence the design of defenses. We’ve also talked about how common vulnerabilities are shared. A topic we’re yet to cover is how vulnerabilities are found in the first place. Weaknesses and flaws are generally found during a vulnerability assessment. A vulnerability assessment is the internal review process of an organization’s security systems. These assessments work similarly to the process of identifying and categorizing vulnerabilities on the CVE list. The main difference is the organization’s security team performs, evaluates, scores, and fixes them on their own. Security analysts play a key role throughout this process. Overall, the goal of a vulnerability assessment is to identify weak points and prevent attacks. They’re also how security teams determine whether their security controls meet regulatory standards.

Organizations perform vulnerability assessments a lot. Because companies have so many assets to protect, security teams sometimes need to select which area to focus on through vulnerability assessments. Once they decide what to focus on, vulnerability assessments typically follow a four-step process. The first step is identification. Here, scanning tools and manual testing are used to find vulnerabilities. During the identification step, the goal is to understand the current state of a security system, like taking a picture of it. A large number of findings usually appear after identification. The next step of the process is vulnerability analysis. During this step, each of the vulnerabilities that were identified is tested. By being a digital detective, the goal of vulnerability analysis is to find the source of the problem. The third step of the process is risk assessment. During this step of the process, a score is assigned to each vulnerability. This score is assigned based on two factors: how severe the impact would be if the vulnerability were to be exploited and the likelihood of this happening. Vulnerabilities uncovered during the first two steps of this process often outnumber the people available to fix them. Risk assessments are a way of prioritizing resources to handle the vulnerabilities that need to be addressed based on their score. The fourth and final step of vulnerability assessment is remediation. It’s during this step that the vulnerabilities that can impact the organization are addressed. Remediation occurs depending on the severity score assigned during the risk assessment step. This part of the process is normally a joint effort between the security staff and IT teams to come up with the best approach to fixing the vulnerabilities that were uncovered earlier. Examples of remediation steps might include things like enforcing new security procedures, updating operating systems, or implementing system patches.

Vulnerability assessments are great for identifying the flaws of a system. Most organizations use them to search for problems before they happen. But how do we know where to search? When we get together again, we’ll explore how companies figure this out.
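The four steps described above (identification, vulnerability analysis, risk assessment, remediation) and the longer step list in the reading before the video map onto a small, repeatable pipeline. The following is an added example, not course material: it walks constructed scanner output through all four steps. The scanner export format, the 1-5 likelihood and impact scales, and the remediation windows are assumptions chosen for illustration; the host names, package names and versions are made up.

```python
"""Four-step vulnerability assessment as a small pipeline.

Added example, not course material. Walks constructed scanner findings
through identification, vulnerability analysis, risk assessment and
remediation planning. Field layout, scoring scales and SLA windows are
assumptions made for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Step 1 input (constructed): one finding per line from a hypothetical scanner:
# host, port, package, installed version, fixed version, exposure, impact (1-5).
SCAN_RESULTS = """\
web-01,443,libtls,2.3.1,2.3.4,internet,5
web-02,443,libtls,2.3.1,2.3.4,internet,5
web-01,22,remote-shell,8.2,8.4,internal,3
db-01,5432,dbserver,13.2,13.11,internal,5
hr-laptop-07,0,browser,110.0,115.0,internal,2
"""

# Assumed likelihood scale: internet-facing assets are far more likely to be hit.
LIKELIHOOD = {"internet": 5, "internal": 2}


@dataclass
class Finding:
    host: str
    port: int
    package: str
    installed: str
    fixed: str
    exposure: str   # "internet" or "internal"
    impact: int     # 1 (negligible) .. 5 (severe), analyst-assigned


def identify(raw: str) -> list:
    """Step 1, identification: parse the scanner export into findings."""
    findings = []
    for line in raw.strip().splitlines():
        host, port, pkg, inst, fixed, exposure, impact = line.split(",")
        findings.append(Finding(host, int(port), pkg, inst, fixed, exposure, int(impact)))
    return findings


def analyze(findings) -> dict:
    """Step 2, vulnerability analysis: group findings by root cause (the same
    outdated package version) so one fix covers every host that shares it."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f.package, f.installed, f.fixed)].append(f)
    return groups


def assess_risk(groups) -> list:
    """Step 3, risk assessment: score each root cause as likelihood x impact
    (1-25), taking the worst exposure and highest impact in the group."""
    scored = []
    for (pkg, inst, fixed), group in groups.items():
        likelihood = max(LIKELIHOOD[f.exposure] for f in group)
        impact = max(f.impact for f in group)
        scored.append({"package": pkg, "installed": inst, "fixed": fixed,
                       "hosts": sorted(f.host for f in group),
                       "score": likelihood * impact})
    return sorted(scored, key=lambda r: r["score"], reverse=True)


def sla_days(score: int) -> int:
    """Assumed remediation windows by score band."""
    if score >= 20:
        return 2
    if score >= 10:
        return 14
    return 45


def plan_remediation(scored) -> list:
    """Step 4, remediation: ordered patch tasks with deadlines."""
    return [f"upgrade {r['package']} {r['installed']} -> {r['fixed']} on "
            f"{', '.join(r['hosts'])} within {sla_days(r['score'])} days "
            f"(score {r['score']})"
            for r in scored]


def run_assessment(raw: str = SCAN_RESULTS) -> list:
    return plan_remediation(assess_risk(analyze(identify(raw))))


if __name__ == "__main__":
    for task in run_assessment():
        print(task)
```

Grouping by root cause in the analysis step is what keeps the remediation list shorter than the findings list: five findings on this constructed scan become four tasks, and the two internet-facing web hosts sharing one outdated library are fixed together at the top of the queue.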

Reading: Approaches to vulnerability scanning

Reading: The importance of updates

Video: Omad: My learning journey into cybersecurity

Unexpected career change:

  • Omad initially worked at a prison and then a sheriff’s office.
  • He found a Google residency program and applied on a whim.
  • Despite having no formal tech background, he impressed the interviewers with his transferable skills and mindset.

Importance of transferable skills:

  • Career changers bring valuable experiences and perspectives to the tech industry.
  • Skills like risk assessment and problem-solving are essential for cybersecurity.
  • Hiring managers look for these skills in addition to technical knowledge.

Advice for aspiring cybersecurity professionals:

  • Don’t be afraid to pursue a career change.
  • Cybersecurity is a challenging and rewarding field.
  • Transferable skills are just as important as technical expertise.

Overall message:

  • Omad’s story demonstrates that anyone can succeed in cybersecurity with the right mindset and skills.
  • Don’t underestimate the value of your life experiences and transferable skills.
  • Take a chance and pursue your passion!

My name is Omad, I’m a corporate operations engineer at Google. All I do is solve problems. Googlers have problems, they need somebody to talk to, they usually talk to us. If you asked me at 18 years old where I’d be now, I would have never told you I’d be working as a security engineer. I would have told you I’d be working in a prison or I’d be working as a police officer in some township and just working a regular 9 to 5 shift. After high school, I went on to work at Trenton State Prison, which is the only maximum security prison in New Jersey. It was very stressful, but at the same time it’s what I wanted to do at the time, or at least, that’s what I thought I wanted to do at that time. Five years after becoming a correction officer, I took the test again to be a sheriff’s officer. And on the last day of that academy, I decided this wasn’t for me. I was tired of being on my face doing pushups, I was tired of being yelled at.

I went home and I did what everybody else would do, do a Google search. And I saw one for Google and it was a residency program, it was at the top of the list and I applied to it as a joke. I even told my friends at the time, I’m just going to apply to this, I’m not going to get in. I had no reference, no connections, I knew nobody that worked at Google. And within a couple of days a recruiter reached out to me, she said, “I think you’re a great fit, you’re a career changer. I like your application, I like your resume, I think you’d be a great fit.” All the interviewers liked my background, they liked that I was self-taught. A lot of interviewers were able to relate to me. They said, “Hey, I did the same thing.” From there, I was offered the job and I started my career. When I was in orientation, somebody right next to me was actually the valedictorian of Princeton. Here I am with no college degree, no exposure, no work experience, and I’m in the same company.

For career changers, what you have that other people don’t have is a different mindset. You’re coming from experience outside of the technical space that you can transfer into the technical space. Don’t forget that we all have skillsets that can help you in the field. That’s what employers are looking for, that’s what hiring managers are looking for. One thing I learned as a correction officer is how to assess risk. Every situation is different, just like the security space. Every risk is different. Every vulnerability is different. Every threat is different. You can teach somebody tech, but you can’t teach them a life of skills outside of tech. If I were to go back and tell my 18-year-old self one piece of advice, it would be, don’t be scared, do it. A career in cybersecurity is very fun. It’s very interesting. It will work your brain. It changed my life, it’ll change yours as well.

Reading: Penetration testing

Practice Quiz: Test your knowledge: Identify system vulnerabilities

Fill in the blank: A vulnerability ____ refers to the internal review process of an organization’s security systems.

What are the goals of a vulnerability assessment? Select two answers.

Which of the following remediation examples might be implemented after a vulnerability scan? Select two answers.

What are two types of vulnerability scans? Select two answers.

Practice Quiz: Portfolio Activity: Analyze a vulnerable system for a small business

Reading: Portfolio Activity Exemplar: Analyze a vulnerable system for a small business

Cyber attacker mindset


Video: Protect all entry points

Key Points:

  • Attack surface: All potential vulnerabilities that attackers can exploit.
  • Physical attack surface: People and their devices; it can be attacked from both inside and outside the organization.
  • Digital attack surface: Everything connected online, including cloud data.
  • Security hardening: Strengthening systems to reduce vulnerabilities and attack surface.
  • Challenges: Expanding digital attack surface due to cloud computing.

Key Takeaways:

  • Understanding your attack surface is crucial for effective security.
  • Physical attack surface needs “obstacles” like security policies and access controls.
  • Digital attack surface is harder to harden due to cloud usage and remote access.
  • Increased attack points require new approaches and resources for security teams.

Next: Exploring the challenges of securing a larger and more complex attack surface.

In the ever-evolving landscape of cyber threats, securing every entry point is paramount. Hackers constantly seek vulnerabilities, and your organization’s digital perimeter needs to be a fortress. This tutorial will equip you with strategies and best practices to protect all entry points and proactively prevent attacks.

Understanding the Entry Points:

Think of your organization’s cybersecurity as a castle. Every gate, window, and secret passage represents an entry point for attackers. These entry points can be physical (devices, servers) or digital (applications, networks). Here are some common ones:

  • Network: The gateway to your internal systems. Hackers can exploit vulnerabilities in routers, firewalls, and network protocols.
  • Applications: Web applications, mobile apps, and internal software can have vulnerabilities that attackers can exploit to gain access to data or systems.
  • Endpoints: Devices like laptops, smartphones, and servers can be infected with malware or compromised through social engineering.
  • Cloud: Cloud services and storage can introduce new entry points if not properly secured.
  • Physical Security: Unlocked doors, unsecured devices, and social engineering can allow unauthorized access to physical assets and sensitive information.

Building Your Cybersecurity Defense:

Now that you understand the entry points, let’s explore strategies to protect them:

1. Network Security:

  • Firewalls: Implement strong firewalls to filter incoming and outgoing traffic.
  • Intrusion Detection and Prevention Systems (IDS/IPS): Monitor network traffic for suspicious activity and block potential attacks.
  • Vulnerability Management: Regularly scan your network for vulnerabilities and patch them promptly.
  • Network Segmentation: Divide your network into smaller segments to limit the impact of a breach.

2. Application Security:

  • Secure coding practices: Develop and maintain applications with security in mind.
  • Input validation: Sanitize user input to prevent SQL injection and other attacks.
  • Regularly update applications: Apply security patches as soon as they become available.
  • Penetration testing: Simulate attacks to identify and address vulnerabilities.

3. Endpoint Security:

  • Antivirus and anti-malware software: Install and update security software on all devices.
  • Endpoint Detection and Response (EDR): Monitor endpoints for suspicious activity and respond to threats quickly.
  • Data encryption: Encrypt sensitive data at rest and in transit.
  • Strong password policies: Enforce strong passwords and multi-factor authentication.

4. Cloud Security:

  • Choose reliable cloud providers: Select providers with strong security practices and compliance certifications.
  • Use cloud security services: Leverage cloud-based security tools and services like encryption and access control.
  • Monitor and manage your cloud environment: Regularly monitor your cloud infrastructure for suspicious activity.
  • Securely configure cloud resources: Configure your cloud resources according to security best practices.

5. Physical Security:

  • Implement access controls: Restrict physical access to sensitive areas and equipment.
  • Secure devices: Lock down devices and implement password protection.
  • Train employees: Train employees on cybersecurity awareness and best practices.
  • Be vigilant: Monitor physical security for suspicious activity and potential breaches.

Remember:

  • Security is an ongoing process: Continuously monitor and update your security measures.
  • Stay informed: Keep up with the latest cyber threats and vulnerabilities.
  • Test and practice: Regularly test your incident response plan and conduct security drills.
  • Build a culture of security: Make security a priority throughout your organization.

By implementing these strategies and remaining vigilant, you can effectively protect all entry points and build a robust cybersecurity posture. Remember, your organization’s security is only as strong as its weakest point. By proactively addressing all entry points, you can create a formidable defense against cyberattacks and safeguard your valuable data and assets.

I hope this tutorial provides a valuable starting point for protecting your organization from cyber threats. By taking these steps and staying informed, you can build a secure and resilient digital environment.

There’s a wide range of vulnerabilities and systems that need to be found. Assessing those weaknesses is a time-consuming process. To position themselves ahead of threats and make the most of their limited resources, companies start by understanding the environment surrounding their operations. An important part of this is getting a sense of their attack surface. An attack surface is all the potential vulnerabilities that a threat actor could exploit. Analyzing the attack surface is usually the first thing security teams do. For example, imagine being part of a security team of an old castle. Your team would need to decide how to allocate resources to defenses. Giant walls, stone towers, and wooden gates are a few common security controls of these structures. While these are all designed to protect the assets inside from attacks, they don’t exactly account for all the possibilities. What if the castle were near the ocean? If it were, these defenses would be vulnerable to long-range attacks by ship. A proper understanding of the attack surface would mean your security team equipped the castle with catapults that could deal with these kinds of threats.

Modern organizations need to concern themselves with both a physical and digital attack surface. The physical attack surface is made up of people and their devices. This surface can be attacked from both inside and outside the organization, which makes it unique. For example, let’s consider an unattended laptop in a public space, like a coffee shop. The person responsible for it walked away while sensitive company information was visible on the screen. This information is vulnerable to external threats, like a business competitor, who can easily record the information and exploit it. An internal threat of this attack surface, on the other hand, is often angry employees. These employees might share an organization’s private information on purpose. In general, the physical attack surface should be filled with obstacles that deter attacks from happening. We call this process security hardening. Security hardening is the process of strengthening a system to reduce its vulnerabilities and attack surface. In other words, hardening is the act of minimizing the attack surface by limiting its points of entry. We do this a lot in security because the smaller the attack surface, the easier it is to protect. In fact, some security controls that we’ve explored previously, like organization policies and access controls, are common ways that organizations harden their physical attack surface.

The digital attack surface is a bit tougher to harden. The digital attack surface includes everything that’s beyond our organization’s firewall. In other words, it includes anything that connects to an organization online. In the past, organizations stored their data in a single location. This mainly consisted of servers that were managed on-site. Accessing the information stored on those servers required connecting to the network the workplace managed. These days, information is accessed outside of an organization’s network because it’s stored in the cloud. Information can be accessed from anywhere in the world. A person can be in one part of the world, fly to another place, and continue working, all while outside of their organization’s network. Cloud computing has essentially expanded the digital attack surface. Quicker access to information is something we all benefit from, but it comes with a cost. Organizations of all sizes are under more pressure to defend against threats coming from different entry points. When we get together next time, we’ll explore why this is such a challenge.
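Hardening, as the video puts it, is minimizing the attack surface by limiting its points of entry, and the entry-point tutorial above lists firewalls, network segmentation and secure cloud configuration among the controls. The following is an added example, not course code, that makes the idea measurable for the digital attack surface: it reviews a constructed set of inbound allow rules of the kind a cloud security group or host firewall holds, reports every rule that lets the whole internet reach a port that is not an intended public service, proposes a hardened rule set restricted to an assumed corporate range, and counts how many ports stay reachable from the internet before and after. The rule format, the port lists and the corporate CIDR (a TEST-NET-3 documentation range) are assumptions made for this example.

```python
"""Inbound firewall rule review as an attack surface reduction exercise.

Added example, not course material. The rules, port lists and the
corporate CIDR are constructed assumptions. It finds rules that open a
port to the whole internet, flags administrative and database ports, and
produces a hardened rule set restricted to the corporate range, then
measures how many ports stay reachable from the internet before and after.
"""
import ipaddress
from dataclasses import dataclass, replace

# Ports that should essentially never be reachable from the internet.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql",
               6379: "redis", 27017: "mongodb"}
# Ports a public web server legitimately exposes to everyone.
PUBLIC_OK = {80, 443}
# Assumed office/VPN range; TEST-NET-3 is used so no real network is named.
CORPORATE_RANGE = "203.0.113.0/24"


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: str   # "tcp" or "udp"
    port_from: int
    port_to: int    # inclusive
    source: str     # CIDR allowed to connect


def is_world_open(rule: Rule) -> bool:
    """True when the source is 0.0.0.0/0 or ::/0, i.e. anyone on the internet."""
    return ipaddress.ip_network(rule.source, strict=False).prefixlen == 0


def rule_ports(rule: Rule) -> range:
    return range(rule.port_from, rule.port_to + 1)


def internet_reachable_ports(rules) -> set:
    """The digital attack surface measured as ports anyone on the internet can reach."""
    reachable = set()
    for rule in rules:
        if is_world_open(rule):
            reachable.update(rule_ports(rule))
    return reachable


def review(rules):
    """Return (findings, hardened_rules).

    Findings describe world-open rules that are not an intended public
    service; the hardened set keeps every rule but narrows such sources
    to the corporate range."""
    findings, hardened = [], []
    for rule in rules:
        if not is_world_open(rule):
            hardened.append(rule)
            continue
        ports = rule_ports(rule)
        sensitive = sorted(p for p in ports if p in ADMIN_PORTS)
        if not sensitive and all(p in PUBLIC_OK for p in ports):
            hardened.append(rule)          # intended public entry point: keep as-is
            continue
        if sensitive:
            reason = ("admin/database ports reachable from anywhere: "
                      + ", ".join(f"{p}/{ADMIN_PORTS[p]}" for p in sensitive))
        else:
            reason = "non-public ports reachable from anywhere"
        findings.append({"rule": rule.name, "ports_exposed": len(ports), "reason": reason})
        hardened.append(replace(rule, source=CORPORATE_RANGE))
    return findings, hardened


# Constructed rule set for a small web tier.
SAMPLE_RULES = [
    Rule("web-https", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("web-http", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("ssh-anywhere", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("db-from-app", "tcp", 5432, 5432, "10.0.1.0/24"),
    Rule("legacy-all", "tcp", 0, 65535, "0.0.0.0/0"),
]

if __name__ == "__main__":
    findings, hardened = review(SAMPLE_RULES)
    for f in findings:
        print(f"{f['rule']}: {f['reason']} ({f['ports_exposed']} ports)")
    print("internet-reachable ports before:", len(internet_reachable_ports(SAMPLE_RULES)))
    print("internet-reachable ports after: ", len(internet_reachable_ports(hardened)))
```

On the constructed rules, the forgotten `legacy-all` rule alone makes every port on the host part of the digital attack surface; after hardening, only the two web ports remain reachable from the internet, which is the "smaller surface, easier to protect" outcome the video describes. In a real review the same check would run against exported security-group or firewall configuration rather than an inline list.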

Which of the following is an example of an organization's digital attack surface?

The organization’s website

The organization’s website is an example of its digital attack surface. An attack surface refers to all the potential vulnerabilities that a threat actor could exploit. The digital attack surface consists of everything that’s connected to an organization’s network.

Reading: Approach cybersecurity with an attacker mindset

Reading: Types of threat actors

Video: Niru: Adopt an attacker mindset

Niru, the leader of Google’s red team, explains the role of the red team in simulating attacks on Google to test and improve security measures. The red team acts as adversaries, challenging the blue team responsible for security controls and incident response. Niru emphasizes the importance of thinking like an attacker, a mindset cultivated since childhood through gaming and questioning standard approaches. Threat modeling, a key aspect of security work, involves challenging assumptions and viewing systems from an attacker’s perspective. Thinking like an attacker helps build defensive code and resilient systems, crucial for protecting data and people. Niru advises seeking insights from others, participating in activities like Capture The Flag (CTF), and engaging in cybersecurity to contribute to securing online systems amid the growing reliance on digital platforms.

Cybersecurity is a constant battle of wits. Defenders build walls, attackers find ways to climb them. To stay ahead of the curve, security professionals need to think like their adversaries – to adopt an attacker mindset. This tutorial will equip you with the tools and techniques to see systems through the eyes of a hacker, strengthening your defenses and making you a more effective security champion.

Step 1: Understand the Attacker’s Motivation

Before you can think like an attacker, you need to understand their why. What drives them to break into systems? Common motivations include:

  • Financial gain: Stealing data, hijacking resources, or demanding ransom.
  • Espionage: Gathering intelligence for governments, competitors, or other malicious actors.
  • Disruption and vandalism: Causing chaos, damaging systems, or making a statement.
  • Personal challenge: Testing their skills and proving their abilities.

Step 2: Master the Attacker’s Toolbox

Attackers have a vast arsenal of tools and techniques at their disposal. Familiarize yourself with the most common ones:

  • Social engineering: Tricking users into revealing sensitive information or granting access.
  • Phishing and malware: Luring victims into downloading malicious software or clicking on harmful links.
  • Vulnerability scanning and exploitation: Identifying and exploiting weaknesses in software and systems.
  • Password cracking and brute-forcing: Guessing passwords, or systematically trying candidates until one works, to gain access.
  • Network reconnaissance and enumeration: Mapping out systems and identifying potential targets.

Step 3: Think Like a Hacker, Not a Defender

Shift your perspective from building walls to finding cracks. Ask yourself:

  • What are the weakest points in our systems?
  • What assumptions are we making about our security posture?
  • What valuable data or resources could attackers steal or disrupt?
  • What are the most likely attack vectors and attack paths?
  • How can we exploit social engineering vulnerabilities within our organization?

Step 4: Practice Makes Perfect: Hone Your Skills

Engage in ethical hacking exercises and competitions (CTFs) to test and refine your attacker mindset. This can involve:

  • Penetration testing: Simulating real-world attacks to find and fix vulnerabilities.
  • Bug bounties: Participating in programs where companies pay for discovered vulnerabilities.
  • Hackathons and CTFs: Working with others to solve hacking challenges and learn new techniques.

Step 5: Share Your Knowledge, Build a Community

Cybersecurity is a collaborative effort. Share your attacker insights with your team, contribute to open-source security projects, and mentor others. By fostering a community of ethical hackers, you can collectively raise the bar for security across the industry.

Remember: Adopting an attacker mindset is not about condoning malicious activities. It’s about understanding the enemy, anticipating their moves, and proactively strengthening your defenses. By thinking like a hacker, you can become a more effective security professional, protecting your organization and its valuable assets from real-world threats.

By following these steps and engaging with the resources provided, you can develop a strong attacker mindset and become a valuable asset in any cybersecurity team. Remember, the more you understand the attackers, the better equipped you are to defend against them. So, go out there, hack ethically, and help make the digital world a safer place.

[MUSIC] Hi, I’m Niru, and I lead the red team at Google. The red team at Google simulates attackers that are trying to hack into Google. They function as a sparring partner for the blue team, that is, the teams that build security controls, detection pipelines, or respond to incidents. So we help test all of those by simulating adversaries. So we hack into Google to make it harder to hack into Google. So it’s like, hey, we found these issues with your system, now here are some recommendations we have, and how can we help you fix this?

Thinking like an attacker is approaching a problem like an adversary. I generally have a predisposition to think like an attacker. [LAUGH] It started when I was a kid and I used to play video games, and I used to ask, oh, do I have to beat the game in the way it’s intended? Do I have to get the objective in the standard path? Looking at a system and asking the question, can I break into it? How do I break into it? What is likely to fail? If it fails, what does that give me? It’s about taking apart systems and trying to understand them.

Threat modeling is integral to almost anything a security professional does. It’s about challenging assumptions. It’s about approaching things from a different perspective. Rather than looking at the system from the perspective of a developer who is thinking about, how do I build the system in a way that works for people? You’re putting on the hat of an attacker and saying, if I looked at the system, how would I break into it?

It’s important for all security professionals to think like an attacker because you code more defensively, you build things more defensively, and you break things more offensively. And what that means is you’re building in this resilience into the system, and you’re building in all these safeguards that are going to help protect the data, the systems, and the people.

In order to build my attacker mindset, what I did is I would go pick people’s brains. What that means is I can grab time with them and say, hey, how do you approach the system? What are the assumptions you’re making? How do you build out the security safeguards that you’re thinking about? My advice for people who are trying to build their own attacker mindset is go talk to people, be it in local meetups, in conferences, find yourself a CTF group and play these competitions with them. See how each person in the team approaches certain things and solves for it.

Almost everything we do on a daily basis is online these days, like banking is online, grocery shopping is online, the electricity grid, the water supplies. All of this has happened in a short span of time, and now people are taking a step back and saying, what does that mean for us? And cybersecurity folks are the ones who help make sure these systems are locked down and protected against these adversaries. If you’re inquisitive, if you like taking things apart, if you like solving things, if you want to help make things secure, you should join cybersecurity.

Video: Pathways through defenses

Key Points:

  • Cloud computing increases attack vectors (exploitable pathways) for organizations.
  • Attack vectors are used by both malicious hackers and unintentional insiders (e.g., social media leaks).
  • Security teams need an “attacker mindset” to identify and defend against attack vectors.
  • Attacker mindset involves:
    • Identifying targets
    • Determining access methods
    • Evaluating exploitable vectors
    • Finding attack tools and methods

Defense Strategies:

  • Educate users about vulnerabilities.
  • Apply the principle of least privilege.
  • Use appropriate security controls and tools.
  • Build a diverse security team.

Overall:

  • Understanding attack vectors and adopting an attacker mindset are crucial for proactive defense.
  • Combining user education, proper access control, efficient security tools, and diverse expertise strengthens your organization’s security posture.

Remember:

  • Stay informed about the latest threats and vulnerabilities.


Fill in the blank: ____ refer to the pathways attackers use to penetrate security defenses.

Attack vectors

Attack vectors refer to the pathways attackers use to penetrate security defenses. Threat actors use attack vectors to exploit vulnerabilities and exposures.

To defend against attacks, organizations need to have more than just the understanding of the growing digital landscape around them. Positioning themselves ahead of a cyber threat also takes understanding the type of attacks that can be used against them. Last time, we began exploring how the cloud has expanded the digital attack surface that organizations protect. As a result, cloud computing has led to an increase in the number of attack vectors available.

Attack vectors refer to the pathways attackers use to penetrate security defenses. Like the doors and windows of a home, these pathways are the exploitable features of an attack surface. One example of an attack vector would be social media. Another would be removable media, like a USB drive.

Most people outside of security assume that cyber criminals are the only ones out there exploiting attack vectors. While attack vectors are used by malicious hackers to steal information, other groups use them too. For example, employees occasionally exploit attack vectors unintentionally. This happens a lot with social media platforms. Sometimes, employees post sensitive company news that shouldn’t have been shared. At times, this same kind of thing happens on purpose. Social media platforms are also vectors that disgruntled employees use to intentionally share confidential information that can harm the company.

We all treat attack vectors as critical risks to asset security. Attackers typically put forth a lot of effort planning their attacks before carrying them out. It’s up to us as security professionals to put an even greater amount of effort into stopping them. Security teams do this by thinking of each vector with an attacker mindset. This starts with a simple question, “how would we exploit this vector?” We then go through a step-by-step process to answer our question. First, when practicing an attacker mindset, we identify a target. This could be specific information, a system, a person, a group, or the organization itself. Next, we determine how the target can be accessed. What information is available that an attacker might take advantage of to reach the target? Based on that information, the third step is to evaluate the attack vectors that can be exploited to gain entry. And finally, we find the tools and methods of attack. What will the attackers use to carry this out? Along the way, practicing an attacker mindset provides valuable insight into the best security controls to implement and the vulnerabilities that need to be monitored.

Every organization has a long list of attack vectors to defend. While there are a lot of ways to protect them, there are a few common rules for doing this. One key to defending attack vectors is educating users about security vulnerabilities. These efforts are usually tied to an event. For example, advising them about a new phishing exploit that is targeting users in the organization. Another rule is applying the principle of least privilege. We’ve explored least privilege earlier in this section. It’s the idea that access rights should be limited to what’s required to perform a task. Like we previously explored, this practice closes multiple security holes inside an organization’s attack surface. Next, using the right security controls and tools can go a long way towards defending attack vectors. Even the most knowledgeable employees make security mistakes, like accidentally clicking on a malicious link in an email. Having the right security tools in place, like antivirus software, helps to defend attack vectors more efficiently and reduce the risk of human error. Last but not least is building a diverse security team. This is one of the best ways to reduce the risk of attack vectors and prevent future attacks. Your own unique perspective can greatly improve the security team’s ability to apply an attacker’s mindset and stay one step ahead of potential threats. Keeping yourself informed is always important in this field. You’re already off to a great start, so keep up the good work!
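The least-privilege rule from the Defense Strategies list and from the transcript above, as an added illustration that is not code from the course or from Google: a deliberately broken account-creation routine of the kind described in the module challenge (any caller can create an account with admin privileges) beside a hardened version that checks the caller's role before acting and records every refusal so a detection team can see attempts. The roles, permission names and user names are constructed for this example.

```python
"""Least privilege applied to an account-creation action.

Added example for this module (not the course's own code). A weak
create_account() that checks nothing sits next to a hardened one that
enforces per-role permissions and logs denials. Roles, permission names
and user names below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed role-to-permission map: each role gets only what its task needs.
ROLE_PERMISSIONS = {
    "admin": {"read_records", "create_account", "grant_admin"},
    "staff": {"read_records"},
    "guest": set(),
}


class PermissionDenied(Exception):
    """Raised when a caller lacks the permission an action requires."""


@dataclass
class User:
    name: str
    role: str


@dataclass
class Directory:
    """Toy account store plus an audit trail of denied requests."""
    accounts: dict = field(default_factory=dict)
    denied: list = field(default_factory=list)


def create_account_broken(directory: Directory, actor: User,
                          new_name: str, new_role: str) -> str:
    """Broken access control: nobody checks who is calling, so any user,
    even a guest, can mint an admin account."""
    directory.accounts[new_name] = new_role
    return new_name


def has_permission(actor: User, permission: str) -> bool:
    """Deny by default: an unknown role maps to an empty permission set."""
    return permission in ROLE_PERMISSIONS.get(actor.role, set())


def require(directory: Directory, actor: User, permission: str) -> None:
    """Enforce one permission and record the refusal for later review."""
    if not has_permission(actor, permission):
        directory.denied.append((actor.name, actor.role, permission))
        raise PermissionDenied(f"{actor.name} ({actor.role}) lacks '{permission}'")


def create_account_hardened(directory: Directory, actor: User,
                            new_name: str, new_role: str) -> str:
    """Same action under least privilege: creating any account needs
    'create_account', and creating an admin additionally needs 'grant_admin'."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {new_role}")
    require(directory, actor, "create_account")
    if new_role == "admin":
        require(directory, actor, "grant_admin")
    directory.accounts[new_name] = new_role
    return new_name


def demo() -> dict:
    """Run both versions with a guest caller and report what each allowed."""
    guest = User("eve", "guest")
    admin = User("alice", "admin")

    weak = Directory()
    create_account_broken(weak, guest, "mallory", "admin")  # succeeds: the hole

    strong = Directory()
    try:
        create_account_hardened(strong, guest, "mallory", "admin")
        guest_blocked = False
    except PermissionDenied:
        guest_blocked = True
    create_account_hardened(strong, admin, "bob", "staff")  # legitimate use still works

    return {
        "weak_accounts": dict(weak.accounts),
        "guest_blocked": guest_blocked,
        "strong_accounts": dict(strong.accounts),
        "denials_logged": len(strong.denied),
    }


if __name__ == "__main__":
    print(demo())
```

The two things worth noticing are the deny-by-default lookup (a role that is not in the map gets nothing, rather than everything) and the separate `grant_admin` permission, which keeps "can create accounts" from silently implying "can create administrators". The `denied` list stands in for whatever audit log the real system writes; a burst of refusals from one account is exactly the signal the transcript's "vulnerabilities that need to be monitored" refers to.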

Practice Quiz: Self-reflection: Approach cybersecurity with an attacker mindset

Reading: Fortify against brute force cyber attacks


Practice Quiz: Activity: Identify the attack vectors of a USB drive

Reading: Activity Exemplar: Identify the attack vectors of a USB drive


Practice Quiz: Test your knowledge: Cyber attacker mindset

What is the difference between an attack vector and an attack surface?

What are examples of security hardening? Select three answers.

Which steps are applied when using an attacker mindset? Select three answers.

How can businesses reduce the number of attack vectors they must defend? Select three answers.

Review: Vulnerabilities in systems


Video: Wrap-up

This section focused on the complex landscape of digital security and vulnerabilities. We covered:

  • Vulnerability Management Process: Understanding the defense-in-depth model and its layers for stronger security.
  • CVE List: Learning about this resource for identifying and cataloging vulnerabilities.
  • Attack Surfaces: Discussing both physical and digital surfaces, including the challenges of cloud security.
  • Common Attack Vectors: Exploring how attackers exploit security gaps, adopting an attacker’s mindset.
  • Future Topics: Expanding on specific types of attacks, malware techniques, and how security teams defend against them.

This section equipped you with valuable knowledge about vulnerabilities and the attacker mindset. The next session will delve deeper into specific attack strategies and security team countermeasures.

Remember, you’ve done a fantastic job! Keep learning and stay vigilant in the ever-evolving world of cybersecurity.

Here we are at the end of this section! Can you believe it? I had so much fun exploring the world of vulnerabilities. I hope you felt the same. More importantly, I hope you got a better sense of how complex a landscape the digital world is. This environment is filled with gaps that attackers can use to gain unauthorized access to assets, making it a challenge to defend.

We’ve explored a lot of information this time around, so let’s quickly recap what we’ve covered. You learned about the vulnerability management process, starting with the defense-in-depth model. You learned about the layers of this security framework and how each of them works together to build a stronger defense. You then learned about the CVE list that’s used to find cataloged vulnerabilities. This is a great addition to your growing security toolbox. After that, you learned of the attack surfaces that businesses protect. We discussed physical and digital surfaces and the challenges of defending the cloud. We finished up by exploring common attack vectors, where you learned how security teams use an attacker mindset to identify the security gaps that cyber criminals try to exploit.

Every one of the vulnerabilities that we’ve discussed so far is faced with a number of threats. When we get back together, we’re going to expand our attacker mindset even further by exploring specific types of attacks that cybercriminals commonly use. We’ll look at things like malware and the techniques attackers use to compromise defense systems. By exploring how these tools and tactics work, you’ll gain a clearer understanding of the threats they pose. We’ll then wrap up by investigating how security teams stop these threats from damaging our organizations’ operations, their reputation, and most importantly, their customers and employees. You’ve done a fantastic job getting to this point. When you’re ready, let’s finish the journey together. I’m looking forward to being back with you again.

Reading: Glossary terms from module 3

Terms and definitions from Course 5, Module 3

Quiz: Module 3 challenge

An application has broken access controls that fail to restrict any user from creating new accounts. This allows anyone to add new accounts with full admin privileges.
The application’s broken access controls are an example of what?

What security strategy uses a layered approach to prevent attackers from gaining access to sensitive data?

Which layer of the defense in depth model relates to user devices that have accessed a network?

Which of the following are criteria that a vulnerability must meet to qualify for a CVE® ID? Select all that apply.

What is the purpose of vulnerability management? Select three answers.

What is the main goal of performing a vulnerability assessment?

Fill in the blank: All the potential vulnerabilities that a threat actor could exploit is called an attack _____.

Fill in the blank: An attack _____ refers to the pathways attackers use to penetrate security defenses.

A security team is performing a vulnerability assessment on a banking app that is about to be released. Their objective is to identify the tools and methods that an attacker might use.
Which steps of an attacker mindset should the team perform to figure this out? Select three answers.

Consider the following scenario:
You are working as a security professional for a school district. An application developer with the school district created an app that connects students to educational resources. You’ve been assigned to evaluate the security of the app.
Using an attacker mindset, which of the following steps would you take to evaluate the application? Select two answers.

An organization’s firewall is configured to allow traffic only from authorized IP addresses. Which layer of the defense in depth model is the firewall associated with?

Fill in the blank: According to the CVE® list, a vulnerability with a score of _____ or above is considered to be a critical risk to company assets that should be addressed right away.

A security team is conducting a periodic vulnerability assessment on their security procedures. Their objective is to review gaps in their current procedures that could lead to a data breach. After identifying and analyzing current procedures, the team conducts a risk assessment.
What is the purpose of performing a risk assessment?

Which of the following are types of attack surfaces? Select three answers.

A project manager at a utility company receives a suspicious email that contains a file attachment. They open the attachment and it installs malicious software on their laptop.
What are the attack vectors used in this situation? Select two answers.

What is not a step of practicing an attacker mindset?

Consider the following scenario: 
A cloud service provider has misconfigured a cloud drive. They’ve forgotten to change the default sharing permissions. This allows all of their customers to access any data that is stored on the drive.
This misconfigured cloud drive is an example of what?

What is the main purpose of the CVE® list?

What are ways to protect an organization from common attack vectors? Select three answers.