
You will gain an understanding of the CISSP’s eight security domains. Then, you’ll learn about primary threats, risks, and vulnerabilities to business operations. In addition, you’ll explore the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF) and the steps of risk management.

Learning Objectives

  • Recognize and explain the focus of CISSP’s eight security domains.
  • Identify and define the primary threats, risks, and vulnerabilities to business operations.
  • Describe the threats, risks, and vulnerabilities that entry-level security analysts are most focused on.
  • Determine how threats, risks, and vulnerabilities impact business operations.
  • Identify the steps of risk management.

Get started with the course


Video: Introduction to Course 2

In this course, you will learn about the eight security domains of the CISSP certification, security frameworks and controls, security audits, and basic security tools. You will also have a chance to explore how to use security tools to protect assets and data from threats, risks, and vulnerabilities. Securing an organization and its assets is an important step in maintaining business operations.

My name is Ashley, and I’m a Customer Engineering Enablement Lead for Security Operation Sales at Google. I’m excited to be your instructor for this course. Let’s start by quickly reviewing what we’ve covered so far. Earlier, we defined security and explored some common job responsibilities for entry-level analysts. We also discussed core skills and knowledge that analysts need to develop. Then, we shared some key events like the LoveLetter and Morris attacks that led to the development and ongoing evolution of the security field. We also introduced you to frameworks, controls, and the CIA triad, which are all used to reduce risk.

In this course, we’ll discuss the focus of Certified Information Systems Security Professional’s, or CISSP’s, eight security domains. We’ll also cover security frameworks and controls in more detail, with a focus on NIST’s Risk Management Framework. Additionally, we’ll explore security audits, including common elements of internal audits. Then, we’ll introduce some basic security tools, and you’ll have a chance to explore how to use security tools to protect assets and data from threats, risks, and vulnerabilities. Securing an organization and its assets from threats, risks, and vulnerabilities is an important step in maintaining business operations.

In my experience as a security analyst, I helped respond to a severe breach that cost the organization nearly $250,000. So, I hope you’re feeling motivated to continue your security journey. I know I’m excited. Let’s get started!

Reading: Course 2 overview

More about the CISSP security domains


Video: Welcome to module 1

  • The world of cybersecurity is vast and complex.
  • This program will teach you the knowledge, skills, and tools you need to navigate this world.
  • The first few videos will cover the focus of the eight security domains in the CISSP certification.
  • These domains are:
    • Security and risk management
    • Asset security
    • Security architecture and engineering
    • Communication and network security
    • Identity and access management
    • Security assessment and testing
    • Security operations
    • Software development security
  • The next few videos will discuss threats, risks, and vulnerabilities in more detail.
  • They will also introduce you to the three layers of the web and the different types of attacks.
  • Finally, the program will teach you how to manage risks using the NIST RMF.
  • By learning these topics, you will be able to mitigate and manage the risks and threats that organizations face on a daily basis.

Here is a more detailed summary of the text:

  • The first paragraph introduces the topic of cybersecurity and explains why it is important to have the knowledge and skills to navigate this complex field.
  • The second paragraph provides an overview of the eight security domains in the CISSP certification. These domains cover a wide range of topics, from security and risk management to software development security.
  • The third paragraph discusses threats, risks, and vulnerabilities. These are the three pillars of cybersecurity, and understanding them is essential for mitigating and managing risk.
  • The fourth paragraph introduces the three layers of the web. These layers are the physical layer, the network layer, and the application layer. Each layer has its own unique security challenges.
  • The fifth paragraph discusses the different types of attacks. These attacks can be classified into many different categories, such as denial-of-service attacks, malware attacks, and social engineering attacks.
  • The sixth paragraph explains how to manage risks using the NIST RMF. The NIST RMF is a framework that organizations can use to identify, assess, and mitigate risks.
  • The seventh paragraph concludes by stating that by learning the topics covered in this program, you will be able to mitigate and manage the risks and threats that organizations face on a daily basis.

Video: Explore the CISSP security domains, Part 1

  • The first four domains of the CISSP certification are:
    • Security and risk management
    • Asset security
    • Security architecture and engineering
    • Communication and network security
  • Security and risk management is focused on defining security goals and objectives, risk mitigation, compliance, business continuity, and legal regulations.
  • Asset security is focused on securing digital and physical assets, as well as the storage, maintenance, retention, and destruction of data.
  • Security architecture and engineering is focused on optimizing data security by ensuring effective tools, systems, and processes are in place to protect an organization’s assets and data.
  • Communication and network security is focused on managing and securing physical networks and wireless communications.

Here is a more detailed summary of each domain:

  • Security and risk management: This domain is focused on understanding the risks to an organization’s assets and data, and developing and implementing controls to mitigate those risks.
  • Asset security: This domain is focused on protecting an organization’s assets, both physical and digital. This includes securing data, devices, and infrastructure.
  • Security architecture and engineering: This domain is focused on designing and implementing security solutions that protect an organization’s assets and data. This includes designing secure systems, implementing security controls, and managing security risks.
  • Communication and network security: This domain is focused on securing an organization’s communications and networks. This includes protecting data in transit, securing wireless networks, and managing network security risks.

The next four domains of the CISSP certification are:

  • Identity and access management (IAM)
  • Security assessment and testing
  • Security operations
  • Software development security


Introduction

The CISSP (Certified Information Systems Security Professional) is a globally recognized certification that validates the knowledge and skills of security professionals. The CISSP certification covers eight domains of security knowledge, which are:

  • Security and risk management
  • Asset security
  • Security architecture and engineering
  • Communication and network security
  • Identity and access management (IAM)
  • Security assessment and testing
  • Security operations
  • Software development security

This tutorial will explore each of the CISSP security domains in more detail.

Security and risk management

The security and risk management domain is focused on understanding the risks to an organization’s assets and data, and developing and implementing controls to mitigate those risks. This domain includes topics such as:

  • Risk identification and assessment
  • Risk mitigation strategies
  • Security controls
  • Compliance
  • Business continuity planning

Asset security

The asset security domain is focused on protecting an organization’s assets, both physical and digital. This includes securing data, devices, and infrastructure. This domain includes topics such as:

  • Data classification
  • Data security
  • Device security
  • Infrastructure security
  • Physical security

Security architecture and engineering

The security architecture and engineering domain is focused on designing and implementing security solutions that protect an organization’s assets and data. This domain includes topics such as:

  • Security design principles
  • Security architecture
  • Security engineering
  • Security implementation

Communication and network security

The communication and network security domain is focused on securing an organization’s communications and networks. This includes protecting data in transit, securing wireless networks, and managing network security risks. This domain includes topics such as:

  • Network security
  • Wireless security
  • Data in transit security
  • Network security controls

Identity and access management (IAM)

The identity and access management (IAM) domain is focused on managing who has access to what resources. This domain includes topics such as:

  • Identity management
  • Access management
  • Privileged access management
  • Identity governance and administration (IGA)

Security assessment and testing

The security assessment and testing domain is focused on evaluating the security of an organization’s systems and networks. This domain includes topics such as:

  • Vulnerability scanning
  • Penetration testing
  • Social engineering testing
  • Red teaming

Security operations

The security operations domain is focused on monitoring and responding to security incidents. This domain includes topics such as:

  • Security incident response
  • Security monitoring
  • Security event management (SEM)
  • Security information and event management (SIEM)

Software development security

The software development security domain is focused on securing software development processes. This domain includes topics such as:

  • Secure coding practices
  • Software security testing
  • DevSecOps

Conclusion

This tutorial has explored each of the CISSP security domains in more detail. The CISSP certification is a valuable credential for security professionals who want to demonstrate their knowledge and skills in a wide range of security domains.

If you are interested in learning more about the CISSP certification, I recommend visiting the ISC2 website: https://www.isc2.org/Certifications/CISSP.

Welcome back! You might remember from course one that there are eight security domains, or categories, identified by CISSP. Security teams use them to organize daily tasks and identify gaps in security that could cause negative consequences for an organization, and to establish their security posture. Security posture refers to an organization’s ability to manage its defense of critical assets and data and react to change. In this video, we’ll discuss the focus of the first four domains: security and risk management, asset security, security architecture and engineering, and communication and network security.

The first domain is security and risk management. There are several areas of focus for this domain: defining security goals and objectives, risk mitigation, compliance, business continuity, and legal regulations. Let’s discuss each area of focus in more detail. By defining security goals and objectives, organizations can reduce risks to critical assets and data like PII, or personally identifiable information. Risk mitigation means having the right procedures and rules in place to quickly reduce the impact of a risk like a breach. Compliance is the primary method used to develop an organization’s internal security policies, regulatory requirements, and independent standards. Business continuity relates to an organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans. And finally, while laws related to security and risk management are different worldwide, the overall goals are similar. As a security professional, this means following rules and expectations for ethical behavior to minimize negligence, abuse, or fraud.

The next domain is asset security. The asset security domain is focused on securing digital and physical assets. It’s also related to the storage, maintenance, retention, and destruction of data. This means that assets such as PII or SPII should be securely handled and protected, whether stored on a computer, transferred over a network like the internet, or even physically collected. Organizations also need to have policies and procedures that ensure data is properly stored, maintained, retained, and destroyed. Knowing what data you have and who has access to it is necessary for having a strong security posture that mitigates risk to critical assets and data. Previously, we provided a few examples that touched on the disposal of data. For example, an organization might have you, as a security analyst, oversee the destruction of hard drives to make sure that they’re properly disposed of. This ensures that private data stored on those drives can’t be accessed by threat actors.

The third domain is security architecture and engineering. This domain is focused on optimizing data security by ensuring effective tools, systems, and processes are in place to protect an organization’s assets and data. One of the core concepts of secure design architecture is shared responsibility. Shared responsibility means that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security. By having policies that encourage users to recognize and report security concerns, many issues can be handled quickly and effectively.

The fourth domain is communication and network security, which is mainly focused on managing and securing physical networks and wireless communications. Secure networks keep an organization’s data and communications safe whether on-site, or in the cloud, or when connecting to services remotely. For example, employees working remotely in public spaces need to be protected from vulnerabilities that can occur when they use insecure Bluetooth connections or public Wi-Fi hotspots. By having security team members remove access to those types of communication channels at the organizational level, employees may be discouraged from practicing insecure behavior that could be exploited by threat actors. Now that we’ve reviewed the focus of our first four domains, let’s discuss the last four domains.

The world of security, which we also refer to as cybersecurity throughout this program, is vast. So making sure that you have the knowledge, skills, and tools to successfully navigate this world is why we’re here. In the following videos, you’ll learn about the focus of CISSP’s eight security domains. Then, we’ll discuss threats, risks, and vulnerabilities in more detail. We’ll also introduce you to the three layers of the web and share some examples to help you understand the different types of attacks that we’ll discuss throughout the program. Finally, we’ll examine how to manage risks by using the National Institute of Standards and Technology’s Risk Management Framework, known as the NIST RMF. Because these topics and related technical skills are considered core knowledge in the security field, continuing to build your understanding of them will help you mitigate and manage the risks and threats that organizations face on a daily basis. In the next video, we’ll further discuss the focus of the eight security domains introduced in the first course.

Video: Explore the CISSP security domains, Part 2

  • The last four domains of the CISSP certification are:
    • Identity and access management (IAM)
    • Security assessment and testing
    • Security operations
    • Software development security
  • Identity and access management (IAM) is focused on managing who has access to what resources.
  • Security assessment and testing is focused on evaluating the security of an organization’s systems and networks.
  • Security operations is focused on monitoring and responding to security incidents.
  • Software development security is focused on securing software development processes.

Here is a more detailed summary of each domain:

  • Identity and access management (IAM): This domain is focused on ensuring that only authorized users have access to an organization’s systems and data. This includes implementing strong authentication methods, managing user permissions, and monitoring user activity.
  • Security assessment and testing: This domain is focused on identifying and mitigating security risks. This includes conducting vulnerability scans, penetration testing, and social engineering assessments.
  • Security operations: This domain is focused on monitoring and responding to security incidents. This includes detecting and responding to malicious activity, triaging incidents, and restoring systems and data.
  • Software development security: This domain is focused on securing the software development process. This includes implementing secure coding practices, testing for security vulnerabilities, and managing security risks.

In this video, we’ll cover the last four domains: identity and access management, security assessment and testing, security operations, and software development security.

The fifth domain is identity and access management, or IAM. And it’s focused on access and authorization to keep data secure by making sure users follow established policies to control and manage assets. As an entry-level analyst, it’s essential to keep an organization’s systems and data as secure as possible by ensuring user access is limited to what employees need. Basically, the goal of IAM is to reduce the overall risk to systems and data. For example, if everyone at a company is using the same administrator login, there is no way to track who has access to what data. In the event of a breach, separating valid user activity from the threat actor would be impossible. There are four main components to IAM. Identification is when a user verifies who they are by providing a user name, an access card, or biometric data such as a fingerprint. Authentication is the verification process to prove a person’s identity, such as entering a password or PIN. Authorization takes place after a user’s identity has been confirmed and relates to their level of access, which depends on the role in the organization. Accountability refers to monitoring and recording user actions, like login attempts, to prove systems and data are used properly.

The sixth security domain is security assessment and testing. This domain focuses on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities. Security control testing can help an organization identify new and better ways to mitigate threats, risks, and vulnerabilities. This involves examining organizational goals and objectives, and evaluating if the controls being used actually achieve those goals. Collecting and analyzing security data regularly also helps prevent threats and risks to the organization. Analysts might use security control testing evaluations and security assessment reports to improve existing controls or implement new controls. An example of implementing a new control could be requiring the use of multi-factor authentication to better protect the organization from potential threats and risks.

Next, let’s discuss security operations. The security operations domain is focused on conducting investigations and implementing preventative measures. Investigations begin once a security incident has been identified. This process requires a heightened sense of urgency in order to minimize potential risks to the organization. If there is an active attack, mitigating the attack and preventing it from escalating further is essential for ensuring that private information is protected from threat actors. Once the threat has been neutralized, the collection of digital and physical evidence to conduct a forensic investigation will begin. A digital forensic investigation must take place to identify when, how, and why the breach occurred. This helps security teams determine areas for improvement and preventative measures that can be taken to mitigate future attacks.

The eighth and final security domain is software development security. This domain focuses on using secure coding practices. As you may remember, secure coding practices are recommended guidelines that are used to create secure applications and services. The software development lifecycle is an efficient process used by teams to quickly build software products and features. In this process, security is an additional step. By ensuring that each phase of the software development lifecycle undergoes security reviews, security can be fully integrated into the software product. For example, performing a secure design review during the design phase, secure code reviews during the development and testing phases, and penetration testing during the deployment and implementation phase ensures that security is embedded into the software product at every step. This keeps software secure and sensitive data protected, and mitigates unnecessary risk to an organization.

Being familiar with these domains can help you better understand how they’re used to improve the overall security of an organization and the critical role security teams play. Next, we’ll discuss security threats, risks, and vulnerabilities, including ransomware, and introduce you to the three layers of the web.
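As an added example (not course code or the instructor’s material), the four IAM components described in the video in one small Python access-control model: identification by username, authentication against a salted password hash, role-based authorization, and an audit log for accountability. The users, roles, resources and permissions are constructed for illustration.

```python
"""Added example (not course code): the four IAM components from the video,
identification, authentication, authorization and accountability, in one
small access-control model. Users, roles and resources are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Authorization policy: for each role, the actions allowed on each resource.
# Analysts may read customer PII but not change it; only admins may write it.
PERMISSIONS = {
    "analyst": {"tickets": {"read", "write"}, "customer_pii": {"read"}},
    "admin": {"tickets": {"read", "write"}, "customer_pii": {"read", "write"}},
}


def _hash(password: str, salt: bytes) -> bytes:
    """Slow salted hash so stored credentials are not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str   # identification: the identity the caller claims
    role: str       # what authorization decisions are based on
    salt: bytes
    pw_hash: bytes


@dataclass
class Directory:
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # accountability

    def add_user(self, username: str, password: str, role: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, role, salt, _hash(password, salt))

    def authenticate(self, username: str, password: str):
        """Authentication: prove the claimed identity with a secret.
        Returns the User on success, None otherwise; both outcomes are logged."""
        user = self.users.get(username)
        ok = user is not None and hmac.compare_digest(
            _hash(password, user.salt), user.pw_hash)
        self._record(username, "login", "-", ok)
        return user if ok else None

    def access(self, user: User, resource: str, action: str) -> bool:
        """Authorization: allow only what the user's role permits."""
        allowed = action in PERMISSIONS.get(user.role, {}).get(resource, set())
        self._record(user.username, action, resource, allowed)
        return allowed

    def _record(self, who: str, action: str, resource: str, success: bool) -> None:
        # Every attempt, successful or not, is attributable to one account.
        self.audit_log.append(
            {"user": who, "action": action, "resource": resource, "success": success})

    def actions_by(self, username: str) -> list:
        """Accountability: reconstruct what one account did."""
        return [e for e in self.audit_log if e["user"] == username]


def demo() -> Directory:
    """Constructed walk-through: two users, one denied write, one failed login."""
    d = Directory()
    d.add_user("alice", "correct horse", "analyst")
    d.add_user("bob", "battery staple", "admin")
    alice = d.authenticate("alice", "correct horse")
    d.access(alice, "customer_pii", "write")   # denied: analysts only read PII
    d.access(alice, "tickets", "write")        # allowed
    d.authenticate("bob", "wrong password")    # failed login is recorded too
    return d


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

With one shared administrator login instead of per-user accounts, every entry in `audit_log` would carry the same username, which is exactly why the video says separating valid user activity from a threat actor’s would be impossible.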

Reading: Security domains cybersecurity analysts need to know

Video: Ashley: My path to cybersecurity

Ashley is a CE Enablement Lead for SecOps sales at Google. She grew up with an interest in tech, but her path to a career in cybersecurity was not linear. She joined the army after high school and then worked in retail and other non-tech jobs before returning to school to study IT. She eventually landed her first security analyst job in 2017.

Ashley emphasizes the importance of soft skills in a cybersecurity career. She says that you need to be able to work with a team, communicate effectively, and solve problems. You also don’t necessarily need to be a software engineer to work in cybersecurity. There are many different roles in the field, and you can find one that fits your skills and interests.

Here are some of the key points from Ashley’s story:

  • It’s okay if your path to a career in cybersecurity is not linear.
  • Soft skills are just as important as technical skills in cybersecurity.
  • There are many different roles in cybersecurity, so you can find one that fits your skills and interests.
  • Don’t get discouraged if you don’t get your dream job right away. Keep learning and growing, and eventually you will find the right opportunity.

My name is Ashley and my role at Google is CE Enablement Lead for SecOps sales. All that means is I help set up training for customer engineers that support our products. I grew up with a computer, loved the Internet. I have one of the earliest AOL screen names in history and I’m very proud of that. My dad is an engineer and I think there was always an interest in tech. But when I got out of high school, there wasn’t a clear path to get there. It wasn’t a linear path at all.

I was a knucklehead growing up. I gave up in 10th grade and I just didn’t care for a long time and I was getting in trouble a lot, and I pretty much told myself if I don’t join the military and get out of here, I will probably not be here in about 2-3 years if I continue down this path. I joined the army right out of high school, graduated in June, and four days later I was at bootcamp at Fort Jackson, South Carolina as a trumpet player, believe it or not. I came back and had to get a job and was not even tracking on tech jobs or anything like that. I was pulling in carts for a big hardware store, selling video games, retail, box slinger for a freight company. All of that stuff had happened before I even figured out that tech was an option. The military was kind enough to retrain me in IT, and that’s kind of how I actually got the official first wave of schooling to be able to actually say, hey, I have the skills to at least be a PC technician. I went back to community college and I actually did find a cybersecurity associate’s degree program, worked on some certifications. I went to my first DEFCON, which is a big hacking conference, and that set off a light bulb, I think, to actually get that clarity on what the path could look like. I landed my first security analyst job back in 2017 and I went to a Veterans Training Program at my last company that was free for vets and ended up getting hired out of the training. I was with that company for almost five years before I came to Google.

If you’re new and you’re just coming in, you have to know how to work with a team. I think a lot of us learned that in customer service settings. Some of the skills I learned working in retail, dealing with hard customers, learning how to even talk to people or defuse a situation if people are upset about things, just learning how to talk to people. In IT we need that. It’s no longer just the tech skills we need; it’s more T-shaped: there are soft skills, there are people skills, and there are technical skills. You have to have good analysis skills, and again, it doesn’t even have to be technical analysis; if you can read a book and pick apart the rhetorical devices of that story, you can do analysis work. I didn’t have to be a software engineer to work in this field. For many of us, there’s like a math fear, programming is a big hurdle, but we work with people, we work with processes, and you don’t necessarily need to have that coding knowledge to understand people or processes. There are so many ways to break in, so do not get discouraged and don’t be scared to think outside of the box to get your foot in the door.

Practice Quiz: Test your knowledge: More about the CISSP security domains

Fill in the blank: The _ domain is focused on access and authorization to keep data secure by making sure that users follow established policies to control and manage assets.

What is the focus of the security and risk management domain?

In which domain would a security professional conduct security control testing; collect and analyze data; and perform security audits to monitor for risks, threats, and vulnerabilities?

Fill in the blank: The _ domain concerns conducting investigations and implementing preventive measures.

Navigate threats, risks, and vulnerabilities


Video: Threats, risks, and vulnerabilities

As an entry-level security analyst, understanding the intricate dance between threats, risks, and vulnerabilities is your foundational armor. Imagine them as a perilous three-headed dragon you must tame to protect your organization’s precious assets. Let’s dissect each head and equip you with the tools to combat them:

The Cunning Threat:

  • Think of threats as malicious actors or events lurking in the shadows, waiting to pounce. They come in various forms, from sophisticated cyberattacks like ransomware to low-tech social engineering ploys like phishing emails. Each threat carries a unique bite, aiming to steal sensitive data, disrupt operations, or damage your organization’s reputation.
  • Example: A disgruntled employee with access to critical customer data poses a significant threat of insider data breach.

The Calculating Risk:

  • Risk isn’t the threat itself, but the likelihood of it materializing and the potential damage it can inflict. It’s like estimating the dragon’s fiery breath before facing it. By analyzing threats and vulnerabilities, you assess the probability of an attack and the severity of its impact.
  • Example: An outdated database system with weak access controls presents a high risk of a data breach, potentially exposing financial information and impacting customer trust.

The Exploitable Vulnerability:

  • Think of vulnerabilities as cracks in your organization’s armor, inviting threats to slip through. These weaknesses can be technical (outdated software, buggy applications) or human (lack of security awareness, weak passwords). Each vulnerability represents a potential chink in your defenses, waiting to be exploited.
  • Example: Employees falling for phishing scams due to insufficient security training create a vulnerability that attackers can easily exploit to steal credentials and infiltrate systems.

The Analyst’s Role:

Your task as a security analyst is to be the vigilant dragon slayer, wielding knowledge and proactive measures to counter these threats:

  • Identify and catalog vulnerabilities: Conduct regular security assessments to map out potential weaknesses in your systems and processes.
  • Evaluate risks: Analyze the likelihood of threats exploiting vulnerabilities and the potential impact of such attacks.
  • Implement proactive safeguards: Patch software, enforce strong authentication protocols, and educate employees on security best practices to plug vulnerabilities and minimize risks.
  • Monitor and detect: Continuously monitor systems for suspicious activity and have robust incident response plans in place to mitigate damage if a threat strikes.

Remember, understanding the interplay between threats, risks, and vulnerabilities is the cornerstone of effective security. By wielding this knowledge and taking proactive measures, you can stand guard against the dragons lurking in the digital shadows, protecting your organization’s valuable assets and ensuring its smooth operation.

Next: We’ll dive deeper into how these concepts translate into the real world, exploring their impact on various business operations. Stay tuned!


By taking these steps, entry-level security analysts can help to protect their organization’s assets and ensure the confidentiality, integrity, and availability of its data.

Introduction

Cybersecurity is the practice of protecting systems, networks, and data from digital attacks. Threats, risks, and vulnerabilities are three important concepts in cybersecurity.

  • A threat is anything that can exploit a vulnerability to cause harm to an asset.
  • A risk is the likelihood that a threat will occur and the impact it will have if it does.
  • A vulnerability is a weakness in a system, network, or application that can be exploited by a threat.

Threats

There are many different types of threats, including:

  • Malware: This is software that is designed to harm a computer system. Malware can include viruses, worms, trojan horses, and ransomware.
  • Social engineering: This is a technique that uses human psychology to trick people into giving up their personal information or clicking on malicious links.
  • Phishing: This is a type of social engineering attack that involves sending emails or text messages that appear to be from a legitimate source, such as a bank or credit card company. The emails or text messages often contain a link that, when clicked, takes the victim to a fake website that looks like the real website. Once the victim enters their personal information on the fake website, the attacker can steal it.
  • DDoS attacks: These attacks involve flooding a website or server with so much traffic that it becomes unavailable.
  • Zero-day attacks: These are attacks that exploit a vulnerability the software vendor does not yet know about or has not yet patched, so at the time of the attack no vendor fix is available to the defender.

Risks

The risk a threat poses depends on a number of factors, including the likelihood that the threat will materialize, the impact if it does, and the organization’s ability to mitigate it.

The likelihood of a threat occurring can be assessed by considering the following factors:

  • The motivation of the threat actor.
  • The resources available to the threat actor.
  • The technical skills of the threat actor.
  • The security measures in place to protect against the threat.

The impact of a threat can be assessed by considering the following factors:

  • The value of the asset that is being targeted.
  • The confidentiality, integrity, and availability of the asset.
  • The legal and regulatory requirements that apply to the asset.

The organization’s ability to mitigate the threat can be assessed by considering the following factors:

  • The security controls that are in place.
  • The security awareness of employees.
  • The organization’s incident response plan.
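Putting the three sets of factors together, here is an added example (not part of the course material) of a small qualitative risk register in Python. It scores each threat against each asset using the likelihood factors above, discounts likelihood for controls in place, and takes impact from the public / internal / regulated asset classes that the video later rates low, medium and high. Only a pairing where the asset actually has the vulnerability the threat needs produces a risk; the 1-3 scores, the control discount, the rating thresholds and the sample threats and assets are all assumptions.

```python
"""Qualitative risk rating for threat/vulnerability pairings.

Added example for this page, not course material. Asset classes map to the
low/medium/high asset ratings the video describes; the 1-3 scores, the control
discount and the rating thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass

# Impact follows the asset rating: public data is low impact, non-public business
# data medium, data protected by law or regulation (PII, SPII, IP) high.
IMPACT_BY_CLASS = {"public": 1, "internal": 2, "regulated": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    motivation: int      # 1-3: how much the actor wants this outcome
    capability: int      # 1-3: resources and technical skill available to the actor
    exploits: str        # the vulnerability this threat needs to succeed


@dataclass(frozen=True)
class Asset:
    name: str
    data_class: str
    vulnerabilities: frozenset
    controls: int = 0    # effective mitigating controls; each lowers likelihood by one, never below 1


def likelihood(threat, asset):
    """Likelihood is driven by the actor and reduced by the controls in place."""
    return max(1, max(threat.motivation, threat.capability) - asset.controls)


def rate(threat, asset):
    """Return (score, level), or None: no vulnerability means no risk, however
    capable the threat actor is."""
    if threat.exploits not in asset.vulnerabilities:
        return None
    score = likelihood(threat, asset) * IMPACT_BY_CLASS[asset.data_class]
    level = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return score, level


def risk_register(threats, assets):
    """Every real threat/vulnerability pairing, highest risk first."""
    rows = []
    for asset in assets:
        for threat in threats:
            rated = rate(threat, asset)
            if rated is not None:
                score, level = rated
                rows.append({"asset": asset.name, "threat": threat.name,
                             "score": score, "level": level})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample data for a small organisation.
THREATS = [
    Threat("phishing campaign", motivation=3, capability=2, exploits="untrained staff"),
    Threat("credential stuffing", motivation=2, capability=2, exploits="weak passwords"),
    Threat("exploit of unpatched firewall", motivation=2, capability=2, exploits="outdated firewall"),
]
ASSETS = [
    Asset("customer PII database", "regulated", frozenset({"weak passwords", "untrained staff"}), controls=1),
    Asset("quarterly earnings draft", "internal", frozenset({"untrained staff"}), controls=1),
    Asset("public website content", "public", frozenset({"outdated firewall"})),
]

if __name__ == "__main__":
    for row in risk_register(THREATS, ASSETS):
        print(f"{row['level']:6} {row['score']}  {row['asset']} <- {row['threat']}")
```

Note that the firewall threat produces no row for the PII database: the database has no outdated firewall in its vulnerability list, so there is nothing for that threat to exploit, which is the "both a threat and a vulnerability must be present" rule in code.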

Vulnerabilities

Vulnerabilities can be introduced into systems, networks, and applications in a number of ways, including:

  • Software bugs.
  • Misconfigurations.
  • Poor security practices.
  • Human error.

Vulnerabilities can be exploited by threats to cause harm to an asset. Therefore, it is important to identify and mitigate vulnerabilities as early as possible.

Conclusion

Threats, risks, and vulnerabilities are all important concepts in cybersecurity. By understanding these concepts, organizations can better protect their systems, networks, and data from digital attacks.

Here are some additional tips for managing threats, risks, and vulnerabilities:

  • Conduct regular security assessments to identify and mitigate vulnerabilities.
  • Implement security controls to protect against threats.
  • Train employees on security best practices.
  • Have a plan for responding to security incidents.

By taking these steps, organizations can reduce their risk of a data breach or other security incident.

Phishing exploits human error to acquire sensitive data and private information.

True

Phishing exploits human error to acquire sensitive data and private information. It is one method of social engineering.

As an entry-level security analyst,
one of your many roles will be to handle an organization’s digital and
physical assets. As a reminder, an asset is an item perceived as
having value to an organization. During their lifespan, organizations
acquire all types of assets, including physical office spaces, computers,
customers’ PII, intellectual property, such as patents or copyrighted
data, and so much more. Unfortunately, organizations operate
in an environment that presents multiple security threats, risks,
and vulnerabilities to their assets. Let’s review what threats, risks,
and vulnerabilities are and discuss some common examples of each. A threat is any circumstance or
event that can negatively impact assets. One example of a threat is
a social engineering attack. Social engineering is a manipulation
technique that exploits human error to gain private information,
access, or valuables. Malicious links in email messages that
look like they’re from legitimate companies or people are one method of
social engineering known as phishing. As a reminder, phishing is a technique
that is used to acquire sensitive data, such as user names, passwords,
or banking information. Risks are different from threats. A risk is anything that can impact
the confidentiality, integrity, or availability of an asset. Think of a risk as the likelihood
of a threat occurring. An example of a risk to an organization
might be the lack of backup protocols for making sure its stored information can be
recovered in the event of an accident or security incident. Organizations tend to rate risks
at different levels: low, medium, and high, depending on possible
threats and the value of an asset. A low-risk asset is information that would
not harm the organization’s reputation or ongoing operations, and would not
cause financial damage if compromised. This includes public information
such as website content, or published research data. A medium-risk asset might include
information that’s not available to the public and may cause some
damage to the organization’s finances, reputation, or ongoing operations. For example, the early release of a
company’s quarterly earnings could impact the value of their stock. A high-risk asset is any information
protected by regulations or laws, which if compromised, would have
a severe negative impact on an organization’s finances,
ongoing operations, or reputation. This could include leaked assets with SPII,
PII, or intellectual property. Now, let’s discuss vulnerabilities. A vulnerability is a weakness that
can be exploited by a threat. And it’s worth noting that
both a vulnerability and threat must be present for
there to be a risk. Examples of vulnerabilities include:
an outdated firewall, software, or application; weak passwords; or
unprotected confidential data. People can also be
considered a vulnerability. People’s actions can significantly affect
an organization’s internal network. Whether it’s a client,
external vendor, or employee, maintaining security
must be a united effort. So entry-level analysts
need to educate and empower people to be
more security conscious. For example, educating people on how to identify a
phishing email is a great starting point. Using access cards to grant employee
access to physical spaces while restricting outside visitors is
another good security measure. Organizations must continually
improve their efforts when it comes to identifying and mitigating vulnerabilities
to minimize threats and risks. Entry-level analysts can support this
goal by encouraging employees to report suspicious activity and
actively monitoring and documenting employees’
access to critical assets. Now that you’re familiar with
some of the threats, risks, and vulnerabilities analysts
frequently encounter, coming up, we’ll discuss how
they impact business operations.
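The phishing pattern described above, both in the threat list and in the video (a link that looks like it comes from a legitimate company but points elsewhere), can be checked mechanically. The following Python is an added example, not course material or any vendor’s tool: it parses the anchors out of an HTML email body and flags links whose visible text names a different domain than the href, or whose target imitates a trusted domain. The trusted-domain set, the lookalike heuristics and the sample email are constructed for the example.

```python
"""Flag phishing-style links in an HTML email: visible text that names one domain
while the href goes elsewhere, or a target that imitates a trusted domain.

Added example for this page, not course material. The trusted-domain set, the
lookalike heuristics and the sample email are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"examplebank.com"}   # assumption: domains the organisation legitimately uses
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    # Display text is often a bare domain; urlparse needs a scheme to find the host.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    # Last two labels only: fine for .com-style names, wrong for co.uk-style suffixes,
    # where a real tool would consult the public suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:])


def one_char_apart(a, b):
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def lookalike(host):
    """True when the host imitates a trusted domain: the trusted name buried as a
    subdomain (examplebank.com.login-verify.test) or one character swapped (examp1ebank.com)."""
    reg = registrable(host)
    if reg in TRUSTED:
        return False
    return any(t in host or one_char_apart(reg, t) for t in TRUSTED)


def analyse(html_body):
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        if DOMAIN_LIKE.match(text) and registrable(host_of(text)) != registrable(target):
            reasons.append("display text names a different domain than the link target")
        if lookalike(target):
            reasons.append("link target imitates a trusted domain")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample message; nothing here is a real campaign.
SAMPLE_EMAIL = """<p>Dear customer,</p>
<p>Unusual activity was detected on your account. Please confirm your details at
<a href="http://examplebank.com.secure-login.test/verify">www.examplebank.com/login</a>
or <a href="https://examp1ebank.com/reset">reset your password</a> within 24 hours.</p>
<p>Need help? Visit <a href="https://www.examplebank.com/help">examplebank.com</a>.</p>"""

if __name__ == "__main__":
    for f in analyse(SAMPLE_EMAIL):
        print(f["href"], "<-", f["text"], ":", "; ".join(f["reasons"]))
```

The genuine help link is not flagged because its visible text and its target resolve to the same registrable domain and that domain is on the trusted list; the two malicious links are caught by different signals, which is why a checker should combine several weak heuristics rather than rely on one.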

Video: Key impacts of threats, risks, and vulnerabilities

Ransomware: Explores the costly malware attack where data is encrypted and a ransom demanded for decryption. It can freeze systems, lock data, and disrupt operations.

Dark Web: Explains the three layers of the web: Surface (public), Deep (authorization required), and Dark (special software needed). Dark web often used by criminals for its secrecy.

3 Key Impacts of Threats, Risks, and Vulnerabilities:

  1. Financial Impact: Compromised assets lead to production/service interruptions, correction costs, and potential fines for non-compliance.
  2. Identity Theft: Storing sensitive data (PII) poses risks like data leaks through the dark web, causing financial and legal consequences.
  3. Reputation Damage: Exploited vulnerabilities can lead to customer loss, bad press, and legal penalties, impacting the organization’s financial stability and long-term vision.

Organizations are encouraged to take proactive security measures to mitigate these risks and strengthen their defenses against threats like ransomware. The video will next explore the NIST risk management framework for effective risk management.

Key Takeaways:

  • Ransomware is a serious threat with significant financial and operational consequences.
  • Understanding the web’s layers and their risks, especially the dark web, is crucial for cybersecurity.
  • Proactive security measures are essential to minimize the impact of threats, risks, and vulnerabilities.

  • Threats are anything that can potentially harm an organization’s information assets. This can include malware, phishing attacks, insider threats, and natural disasters.
  • Risks are the likelihood and impact of a threat being realized. For example, a phishing campaign is a threat that is very likely to reach an organization’s inboxes, but the risk it poses is low if users are trained not to click malicious links and the damage from a single compromised account is contained.
  • Vulnerabilities are weaknesses in an organization’s security posture that can be exploited by threats. For example, a misconfigured firewall is a vulnerability that can be exploited by an attacker to gain access to the organization’s network.

The key impacts of threats, risks, and vulnerabilities on organizational operations can be summarized as follows:

  • Financial impact: When an organization’s assets are compromised by a threat, such as the use of malware, the financial consequences can be significant. This can include costs associated with data recovery, lost productivity, and legal fees.
  • Identity theft: Organizations that store sensitive data, such as customer PII, are at risk of enabling identity theft. This can lead to financial losses for the victims, as well as damage to the organization’s reputation.
  • Damage to an organization’s reputation: A data breach can damage an organization’s reputation and lead to loss of customers and business partners.
  • Operational disruption: A security incident can disrupt an organization’s operations, leading to lost revenue and productivity.

Organizations can take steps to prevent and mitigate the impact of threats, risks, and vulnerabilities. These steps include:

  • Implementing security controls: Security controls can help to protect an organization’s information assets from threats. Examples of security controls include firewalls, intrusion detection systems, and data encryption.
  • Educating employees: Employees should be trained on cybersecurity best practices, such as how to identify and avoid phishing attacks.
  • Backing up data: Regularly backing up data, and keeping copies an attacker cannot modify, limits the impact of ransomware or any other incident that destroys or locks data. Backups do not reduce the impact of a confidentiality breach, since stolen data is still exposed.
  • Having a plan for responding to security incidents: Organizations should have a plan in place for responding to security incidents. This plan should include steps for identifying and containing the incident, as well as steps for restoring operations.

By taking these steps, organizations can help to protect themselves from the financial, reputational, and operational damage that can be caused by threats, risks, and vulnerabilities.

Here are some additional resources that you may find helpful:

  • NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
  • ISO/IEC 27001: https://www.iso.org/isoiec-27001-information-security.html
  • CIS Controls: https://www.cisecurity.org/controls/
  • SecurityScorecard: https://securityscorecard.com/

In this video, we’ll discuss an expensive
type of malware called ransomware. Then we’ll cover three key
impacts of threats, risks, and vulnerabilities on
organizational operations. Ransomware is a malicious attack
where threat actors encrypt an organization’s data then
demand payment to restore access. Once ransomware is
deployed by an attacker, it can freeze network systems,
leave devices unusable, and encrypt, or lock confidential
data, making devices inaccessible. The threat actor then demands a ransom
before providing a decryption key to allow organizations to return to
their normal business operations. Think of a decryption key as a password
provided to regain access to your data. Note that when ransom negotiations occur
or data is leaked by threat actors, these events can occur
through the dark web. While many people use search engines to
navigate to their social media accounts or to shop online, this is only a small
part of what the web really is. The web is actually an interlinked
network of online content that’s made up of three layers: the surface web,
the deep web, and the dark web. The surface web is the layer
that most people use. It contains content that can be
accessed using a web browser. The deep web generally requires
authorization to access it. An organization’s intranet is
an example of the deep web, since it can only be accessed by employees
or others who have been granted access. Lastly, the dark web can only be
accessed by using special software. The dark web generally carries a negative
connotation since it is the preferred web layer for criminals because
of the secrecy that it provides. Now, let’s discuss three key impacts
of threats, risks, and vulnerabilities. The first impact we’ll
discuss is financial impact. When an organization’s assets are
compromised by an attack, such as the use of malware, the financial consequences can
be significant for a variety of reasons. These can include interrupted
production and services, the cost to correct the issue, and
fines if assets are compromised because of non-compliance with laws and
regulations. The second impact is identity theft. Organizations must decide whether
to store private customer, employee, and outside vendor data, and
for how long. Storing any type of sensitive data
presents a risk to the organization. Sensitive data can include personally
identifiable information, or PII, which can be sold or
leaked through the dark web. That’s because the dark web provides
a sense of secrecy and threat actors may have the ability to sell data there
without facing legal consequences. The last impact we’ll discuss is damage
to an organization’s reputation. A solid customer base supports
an organization’s mission, vision, and financial goals. An exploited vulnerability can lead
customers to seek new business relationships with competitors or create bad press that causes permanent
damage to an organization’s reputation. The loss of customer data doesn’t only
affect an organization’s reputation and financials, it may also result
in legal penalties and fines. Organizations are strongly encouraged
to take proper security measures and follow certain protocols to prevent
the significant impact of threats, risks, and vulnerabilities. By using all the tools in their toolkit,
security teams are better prepared to handle an event
such as a ransomware attack. Coming up, we’ll cover the NIST
risk management framework’s seven steps for managing risk.
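Backups are the control that limits what ransomware can do, but a backup only helps if it was not itself encrypted or altered before you restore it. The following Python is an added example, not course material: it records a digest manifest when a backup is taken and later verifies the backup against it, treating a changed file as suspicious only when its content also looks encrypted (near-maximal byte entropy), so an ordinary edit is reported but not flagged. The snapshots are in-memory dictionaries constructed for the example, and the entropy threshold is an assumption.

```python
"""Verify a backup before restoring it after a suspected ransomware incident.

Added example for this page, not course material. The backups are in-memory
snapshots (path -> bytes) constructed below; a real tool would walk the backup
volume. The entropy threshold is an assumption.
"""
import hashlib
import math
from collections import Counter


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entropy(data):
    """Shannon entropy in bits per byte. Text sits around 4-5; encrypted or
    compressed data approaches 8, which is the signal ransomware leaves behind."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_manifest(snapshot):
    """Record a digest for every file when the backup is taken; keep the manifest
    somewhere the ransomware cannot reach (offline or write-once storage)."""
    return {path: sha256(data) for path, data in snapshot.items()}


def verify_backup(manifest, snapshot, entropy_threshold=7.5):
    """Compare a backup against its manifest. A changed file is only suspicious
    when it also looks encrypted; an ordinary edit is reported but not flagged."""
    report = {"clean": [], "changed": [], "suspicious": [], "missing": []}
    for path, digest in manifest.items():
        if path not in snapshot:
            report["missing"].append(path)
            continue
        data = snapshot[path]
        if sha256(data) == digest:
            report["clean"].append(path)
        else:
            report["changed"].append(path)
            if entropy(data) >= entropy_threshold:
                report["suspicious"].append(path)
    # Files absent from the manifest: ransom notes or renamed encrypted copies show up here.
    report["new"] = sorted(set(snapshot) - set(manifest))
    return report


def safe_to_restore(report):
    return not report["suspicious"] and not report["missing"]


# Constructed snapshots. The "encrypted" file is a byte pattern with maximal
# entropy, standing in for real ciphertext so the example stays deterministic.
CLEAN = {
    "reports/q3.txt": b"Quarterly revenue up 4%, costs flat.\n" * 20,
    "hr/payroll.csv": b"name,salary\nalice,1000\nbob,1100\n" * 30,
    "web/index.html": b"<html><body>public page</body></html>\n" * 10,
}
MANIFEST = build_manifest(CLEAN)

TAMPERED = dict(CLEAN)
TAMPERED["reports/q3.txt"] = bytes(range(256)) * 4                               # encrypted in place
TAMPERED["web/index.html"] = b"<html><body>public page v2</body></html>\n" * 10  # legitimate edit
del TAMPERED["hr/payroll.csv"]                                                   # deleted by the attacker
TAMPERED["README_DECRYPT.txt"] = b"Your files are encrypted. Pay to get the key.\n"

if __name__ == "__main__":
    for name, snap in (("clean", CLEAN), ("tampered", TAMPERED)):
        report = verify_backup(MANIFEST, snap)
        print(name, "safe to restore:", safe_to_restore(report), report)
```

The decision rests on two things the manifest makes possible: knowing which files changed at all, and telling an encrypted file from an edited one. Without a manifest stored out of the attacker’s reach, a restore can quietly bring the encrypted copies back.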

Video: Herbert: Manage threats, risks, and vulnerabilities

  • Herbert is a Security Engineer at Google.
  • His interest in security began in high school, when he and his friends ran cracked versions of games like Halo on poorly secured school laptops; that is where he learned to make computers do what he wanted.
  • His day-to-day work involves analyzing security risks and providing solutions to those risks.
  • A typical task is reviewing exception requests: deciding whether someone needs special access to a device or document based on their role or the project they are working on.
  • One of the more common threats he sees is misconfigurations, including people requesting access they do not really need. (Strictly, a misconfiguration is a vulnerability; the threat is the actor who would exploit it.)
  • His example: a vendor changed its OAuth scope requests, asking for more permissions to Google services than it had before. It was a new situation, so he is working with partner teams to develop a solution.
  • Another common problem is outdated systems and machines that need to be patched, along with missing device management policies. That sounds like an IT issue, but it is also a cybersecurity issue.
  • Working with a team, or many teams, is a huge part of the job; getting anything done means communicating with teams beyond your own.
  • Ten years ago Herbert was working at a pizza joint; now he is a Security Engineer at Google.

My name is Herbert and
I am a Security Engineer at Google. I think I’ve always been
interested in security, in high school our school gave
us these huge Dell laptops. There wasn’t a whole lot of
security within those computers. So, many of my friends would have cracked
versions of like video games like Halo, that’s really where I learned how to start
manipulating computers to kind of do what I want. I guess [LAUGH] my day to day consists
of analyzing security risks and providing solutions to those risks. A typical task for cybersecurity analysts would usually
be something like exception requests. Analyzing if someone needs to have
special access to a device or document based on the role that the person has or
the project that they’re working on. One of the more common threats that we
come across is misconfigurations or requesting access for
something that you don’t really need. For example,
I recently had a case where a vendor we were working with had changed
their OAuth scope requests. And basically that means that they were
requesting more permissions to use Google services than they had before in the past. We weren’t sure really how to go
about that because that wasn’t a situation we’ve come across before. So it’s still ongoing, but we’re working with partner teams to
kind of develop a solution for that. I think another thing that
we’ve seen is outdated systems, machines that need to be patched. That sounds like an IT issue, but it’s
also definitely a cybersecurity issue. Having outdated machines, not having
proper device management policies, working with a team or
many teams is a huge part of the job. In order to get really anything done, you
need to communicate with not just the team that you’re a part of,
but with other teams. Ten years ago I was working at
a pizza joint and ten years later, here I am, at Google as a Security Engineer. If I told my 16 year old
self that I would be here, I wouldn’t have believed myself,
but it is possible.
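Herbert’s OAuth scope case is a least-privilege review: the vendor now asks for more than it was granted. The following Python is an added example, not Google’s tooling, that compares a requested scope set with the approved one and sorts the differences into dropped, new and broadened scopes, so that only new or broadened requests need a human decision tied to a role or project. The approved set, the sample request and the rule that a scope ending in .readonly is narrower than the same scope without it are assumptions; the scope strings only follow the Google API scope URL style.

```python
"""Review a vendor's changed OAuth scope request against what was approved.

Added example illustrating the exception-request scenario Herbert describes; it is
not Google's tooling. Scope strings follow the Google API scope URL style, but the
approved set, the .readonly narrowing rule and the sample request are assumptions.
"""
READONLY = ".readonly"

# Assumption: the scopes this vendor was granted when its integration was last reviewed.
APPROVED = {
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/drive.file",
}


def broadens(scope, approved):
    """A write scope asked for where only the matching .readonly scope was approved."""
    return not scope.endswith(READONLY) and scope + READONLY in approved


def review_scopes(requested, approved=APPROVED):
    requested = set(requested)
    approved = set(approved)
    result = {
        "unchanged": sorted(requested & approved),
        "dropped": sorted(approved - requested),    # less access: fine, no review needed
        "broadened": [],
        "new": [],
    }
    for scope in sorted(requested - approved):
        bucket = "broadened" if broadens(scope, approved) else "new"
        result[bucket].append(scope)
    # Anything new or broader is an exception request: someone must tie it to a
    # role or project before it is granted.
    result["needs_review"] = bool(result["new"] or result["broadened"])
    return result


# Constructed: what the vendor's consent screen now asks for.
CURRENT_REQUEST = [
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/gmail.readonly",
]

if __name__ == "__main__":
    for key, value in review_scopes(CURRENT_REQUEST).items():
        print(f"{key:12} {value}")
```

Running this on the constructed request shows calendar access escalating from read-only to full and a brand-new Gmail scope appearing; both go to review, while the unchanged drive.file scope and the dropped calendar.readonly scope do not.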

Video: NIST’s Risk Management Framework

Importance: The NIST RMF provides a structured approach to manage risks, threats, and vulnerabilities. Understanding this framework can strengthen your entry-level security analyst job candidacy.

Seven Steps:

  • Prepare: Monitor for risks and identify controls to mitigate them.
  • Categorize: Develop processes and tasks based on impacts to system confidentiality, integrity, and availability.
  • Select: Choose, customize, and document security controls (e.g., keeping playbooks updated).
  • Implement: Put security and privacy plans into action (e.g., updating password requirements).
  • Assess: Evaluate effectiveness of implemented controls and identify potential weaknesses.
  • Authorize: Take accountability for managing security and privacy risks (e.g., generating reports, setting milestones).
  • Monitor: Stay aware of system operations and ensure continuous risk management (e.g., assessing technical systems).

Entry-Level Role: You may not perform all steps (e.g., not setting procedures), but understanding them is crucial. You will likely:

  • Assist in monitoring risks and identifying controls.
  • Follow established processes for risk reduction.
  • Help manage and update security documentation.
  • Evaluate the effectiveness of controls and report potential weaknesses.
  • Assist in generating reports and setting project milestones.
  • Monitor system operations and assess their alignment with security goals.

Key Takeaway: While you may not lead, a solid understanding of the RMF and its steps will equip you to contribute effectively to risk management and enhance your job prospects.

The NIST RMF is a risk-based approach to managing information security. It is a framework that organizations can use to identify, assess, and mitigate risks to their information assets.

The RMF has seven steps:

  1. Prepare. This step involves activities that are necessary to manage risk before a breach occurs. This includes developing a risk management plan, identifying assets, and assessing threats and vulnerabilities.
  2. Categorize. This step involves identifying the assets that need to be protected and understanding the risks to those assets. This includes classifying assets and determining their impact on the organization if they were compromised.
  3. Select. This step involves choosing the controls that will be used to mitigate the risks to the organization’s assets. This includes identifying, evaluating, and selecting appropriate security controls.
  4. Implement. This step involves putting the selected controls into place. This includes developing and implementing security policies, procedures, and configurations.
  5. Assess. This step involves evaluating whether the implemented controls are effective in mitigating the risks to the organization’s assets. This includes testing and monitoring the controls to ensure that they are effective.
  6. Authorize. This step involves a senior official formally accepting the residual risk and authorizing the system to operate, based on the assessment results. This includes documenting the authorization decision, the plan of action for any remaining weaknesses, and compliance with applicable laws and regulations.
  7. Monitor. This step involves continuously monitoring the effectiveness of the controls and making necessary changes as needed. This includes reviewing and updating security policies and procedures, as well as conducting periodic security assessments.

The NIST RMF is a cyclical process that should be continuously updated as the organization’s risk profile changes. It is a valuable tool for organizations of all sizes to help them protect their assets and information.

Here are some of the benefits of using the NIST RMF:

  • It can help organizations to identify and assess risks to their information assets.
  • It can help organizations to select and implement appropriate security controls.
  • It can help organizations to monitor the effectiveness of their security controls.
  • It can help organizations to comply with applicable laws and regulations.

If you are interested in learning more about the NIST RMF, NIST Special Publication 800-37 Revision 2 is the authoritative description of the framework and its seven steps, and the NIST website offers supporting guidance and training material.

As you might remember from
earlier in the program, the National Institute of
Standards and Technology, NIST, provides many
frameworks that are used by security professionals to manage risks, threats, and
vulnerabilities. In this video, we’re
going to focus on NIST’s Risk Management
Framework or RMF. As an entry-level analyst, you may not engage in
all of these steps, but it’s important to be
familiar with this framework. Having a solid
foundational understanding of how to mitigate
and manage risks can set yourself apart from
other candidates as you begin your job search in
the field of security. There are seven steps in the
RMF: prepare, categorize, select, implement, assess,
authorize, and monitor. Let’s start with
Step one, prepare. Prepare refers to activities
that are necessary to manage security and privacy risks
before a breach occurs. As an entry-level analyst, you’ll likely use this step
to monitor for risks and identify controls that can be
used to reduce those risks. Step two is categorize, which is used to develop risk management
processes and tasks. Security professionals then
use those processes and develop tasks by thinking
about how the confidentiality, integrity, and availability of systems and information
can be impacted by risk. As an entry-level analyst, you’ll need to be able
to understand how to follow the
processes established by your organization
to reduce risks to critical assets, such as
private customer information. Step three is select. Select means to
choose, customize, and capture documentation of the controls that
protect an organization. An example of the select
step would be keeping a playbook up-to-date
or helping to manage other documentation
that allows you and your team to address
issues more efficiently. Step four is to implement security and privacy plans
for the organization. Having good plans in
place is essential for minimizing the impact of
ongoing security risks. For example, if you
notice a pattern of employees constantly
needing password resets, implementing a change to password requirements may
help solve this issue. Step five is assess. Assess means to determine if established controls are
implemented correctly. An organization always wants to operate as
efficiently as possible. So it’s essential to
take the time to analyze whether the
implemented protocols, procedures, and
controls that are in place are meeting
organizational needs. During this step,
analysts identify potential weaknesses
and determine whether the
organization’s tools, procedures, controls, and protocols should be changed to better
manage potential risks. Step six is authorize. Authorize means being
accountable for the security and
privacy risks that may exist in an organization. As an analyst, the authorization step could
involve generating reports, developing plans of action, and establishing project
milestones that are aligned to your organization’s
security goals. Step seven is monitor. Monitor means to be aware of
how systems are operating. Assessing and maintaining
technical operations are tasks that analysts
complete daily. Part of maintaining
a low level of risk for an organization is knowing how the
current systems support the organization’s
security goals. If the systems in place
don’t meet those goals, changes may be needed. Although it may not be your job to establish
these procedures, you will need to make sure they’re working as
intended so that risks to the organization itself, and the people it
serves, are minimized.

Reading: Manage common threats, risks, and vulnerabilities

Practice Quiz: Test your knowledge: Navigate threats, risks, and vulnerabilities

What is a vulnerability?

Fill in the blank: Information protected by regulations or laws is a _. If it is compromised, there is likely to be a severe negative impact on an organization’s finances, operations, or reputation.

What are the key impacts of threats, risks, and vulnerabilities? Select three answers.

Fill in the blank: The steps in the Risk Management Framework (RMF) are prepare, _, select, implement, assess, authorize, and monitor.

Review: Security domains


Video: Wrap-up

In the first section of the security analyst course, you have learned about:

  • The eight security domains of the CISSP
  • Threats, risks, and vulnerabilities, including ransomware and the three layers of the web
  • The seven steps of the NIST Risk Management Framework (RMF)

In upcoming videos, you will learn about common tools used by entry-level security analysts and how to analyze data generated by those tools to identify risks, threats, or vulnerabilities. You will also learn how to use a playbook to respond to incidents.

You’ve now completed the first
section of this course! Let’s review what we’ve discussed so far. We started out by exploring the focus
of CISSP’s eight security domains. Then, we discussed threats, risks, and vulnerabilities, and
how they can impact organizations. This included a close
examination of ransomware and an introduction to the three
layers of the web. Finally, we focused on seven
steps of the NIST Risk Management Framework, also called the RMF. You did a fantastic job adding new
knowledge to your security analyst toolkit. In upcoming videos,
we’ll go into more detail about some common tools used by
entry-level security analysts. Then, you’ll have an opportunity to
analyze data generated by those tools to identify risks,
threats, or vulnerabilities. You’ll also have a chance to use
a playbook to respond to incidents. That’s all for now. Keep up the great work!

Reading: Glossary terms from module 1

Quiz: Module 1 challenge

Fill in the blank: Security posture refers to an organization’s ability to react to change and manage its defense of _ and critical assets.

Which of the following examples are key focus areas of the security and risk management domain? Select three answers.

What is the goal of business continuity?

What security concept involves all individuals in an organization taking an active role in reducing risk and maintaining security?

A security analyst ensures that employees are able to review only the data they need to do their jobs. Which security domain does this scenario relate to?

Which of the following activities may be part of establishing security controls? Select three answers.

When working in the software development security domain, which of the following are tasks that security team members may complete during various phases of the software development lifecycle? Select three answers.

Which of the following statements accurately describe risk? Select all that apply.

A business experiences an attack. As a result, its critical business operations are interrupted and it faces regulatory fines. What type of consequence does this scenario describe?

Fill in the blank: In the Risk Management Framework (RMF), the _ step involves knowing how systems are operating and assessing whether or not those systems support the organization’s security goals.