ASHLEY: My name is Ashley, and I am a Customer Engineering Enablement Lead for Security Operations Sales at Google. I'm excited to be your instructor for this course. Let's start by quickly reviewing what we've covered so far. Earlier, we defined security and explored some common job responsibilities for entry-level analysts. We also discussed core skills and knowledge that analysts need to develop. Then we shared some key events, like the LoveLetter and Morris attacks, that led to the development and ongoing evolution of the security field. We also introduced you to frameworks, controls, and the CIA triad, which are all used to reduce risk.

In this course, we'll discuss the focus of the Certified Information Systems Security Professional's, or CISSP's, eight security domains. We'll also cover security frameworks and controls in more detail, with a focus on NIST's Risk Management Framework. Additionally, we'll explore security audits, including common elements of internal audits. Then we'll introduce some basic security tools, and you'll have a chance to explore how to use security tools to protect assets and data from threats, risks, and vulnerabilities. Securing an organization and its assets from threats, risks, and vulnerabilities is an important step in maintaining business operations. In my experience as a security analyst, I helped respond to a severe breach that cost the organization nearly $250,000. So I hope you're feeling motivated to continue your security journey. I know I'm excited. Let's get started.

The world of security, which we also refer to as cybersecurity throughout this program, is vast. So making sure that you have the knowledge, skills, and tools to successfully navigate this world is why we're here. In the following videos, you'll learn about the focus of CISSP's eight security domains. Then we'll discuss threats, risks, and vulnerabilities in more detail. We'll also introduce you to the three layers of the web and share some examples to help you understand the different types of attacks that we'll discuss throughout the program. Finally, we'll examine how to manage risks by using the National Institute of Standards and Technology's Risk Management Framework, known as the NIST RMF. Because these topics and related technical skills are considered core knowledge in the security field, continuing to build your understanding of them will help you mitigate and manage the risks and threats that organizations face on a daily basis. In the next video, we'll further discuss the focus of the eight security domains introduced in the first course.

Welcome back. You might remember from course one that there are eight security domains, or categories, identified by CISSP. Security teams use them to organize daily tasks and identify gaps in security that could cause negative consequences for an organization, and to establish their security posture. Security posture refers to an organization's ability to manage its defense of critical assets and data and react to change. In this video, we'll discuss the focus of the first four domains: security and risk management, asset security, security architecture and engineering,
and communication and network security. The first domain is security and risk management. There are several areas of focus for this domain: defining security goals and objectives, risk mitigation, compliance, business continuity, and legal regulations. Let's discuss each area of focus in more detail. By defining security goals and objectives, organizations can reduce risks to critical assets and data, like PII, or personally identifiable information. Risk mitigation means having the right procedures and rules in place to quickly reduce the impact of a risk, like a breach. Compliance is the primary method used to develop an organization's internal security policies, regulatory requirements, and independent standards. Business continuity relates to an organization's ability to maintain its everyday productivity by establishing risk disaster recovery plans. And finally, while laws related to security and risk management are different worldwide, the overall goals are similar. As a security professional, this means following rules and expectations for ethical behavior to minimize negligence, abuse, or fraud.

The next domain is asset security. The asset security domain is focused on securing digital and physical assets. It's also related to the storage, maintenance, retention, and destruction of data. This means that assets, such as PII or SPII, should be securely handled and protected, whether stored on a computer, transferred over a network, like the internet, or even physically collected. Organizations also need to have policies and procedures that ensure data is properly stored, maintained, retained, and destroyed. Knowing what data you have and who has access to it is necessary for having a strong security posture that mitigates risk to critical assets and data. Previously, we provided a few examples that touched on the disposal of data. For example, an organization might have a security analyst oversee the destruction of hard drives to make sure that they're properly disposed of. This ensures that private data stored on those drives can't be accessed by threat actors.

The third domain is security architecture and engineering. This domain is focused on optimizing data security by ensuring effective tools, systems, and processes are in place to protect an organization's assets and data. One of the core concepts of secure design architecture is shared responsibility. Shared responsibility means that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security. By having policies that encourage users to recognize and report security concerns, many issues can be handled quickly and effectively.

The fourth domain is communication and network security, which is mainly focused on managing and securing physical networks and wireless communications. Secure networks keep an organization's data and communications safe, whether on site, or in the cloud, or when connecting to services remotely. For example, employees working remotely in public spaces need to be protected from vulnerabilities that can occur when they use insecure Bluetooth connections or public Wi-Fi hotspots. By having security team members remove access to those types of communication channels at the organizational level, employees may be discouraged from practicing insecure
behavior that could be exploited by threat actors. Now that we've reviewed the focus of our first four domains, let's discuss the last four domains.

In this video, we'll cover the last four domains: identity and access management, security assessment and testing, security operations, and software development security. The fifth domain is Identity and Access Management, or IAM, and it's focused on access and authorization to keep data secure by making sure users follow established policies to control and manage assets. As an entry-level analyst, it's essential to keep an organization's systems and data as secure as possible by ensuring user access is limited to what employees need. Basically, the goal of IAM is to reduce the overall risk to systems and data. For example, if everyone at a company is using the same administrator login, there is no way to track who has access to what data. In the event of a breach, separating valid user activity from the threat actor would be impossible. There are four main components to IAM. Identification is when a user verifies who they are by providing a username, an access card, or biometric data, such as a fingerprint. Authentication is the verification process to prove a person's identity, such as entering a password or PIN. Authorization takes place after a user's identity has been confirmed and relates to their level of access, which depends on their role in the organization. Accountability refers to monitoring and recording user actions, like login attempts, to prove systems and data are used properly.

The sixth security domain is security assessment and testing. This domain focuses on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities. Security control testing can help an organization identify new and better ways to mitigate threats, risks, and vulnerabilities. This involves examining organizational goals and objectives and evaluating if the controls being used actually achieve those goals. Collecting and analyzing security data regularly also helps prevent threats and risks to the organization. Analysts might use security control testing evaluations and security assessment reports to improve existing controls or implement new controls. An example of implementing a new control could be requiring the use of multi-factor authentication to better protect the organization from potential threats and risks.

Next, let's discuss security operations. The security operations domain is focused on conducting investigations and implementing preventative measures. Investigations begin once a security incident has been identified. This process requires a heightened sense of urgency in order to minimize potential risks to the organization. If there is an active attack, mitigating the attack and preventing it from escalating further is essential for ensuring that private information is protected from threat actors. Once the threat has been neutralized, the collection of digital and physical evidence to conduct a forensic investigation will begin. A digital forensic investigation must take place to identify when, how, and why the breach occurred. This helps security teams determine areas for improvement and preventative measures that can be taken to mitigate future attacks.

The eighth and final security domain is software development security. This domain focuses on using secure coding practices. As you may remember, secure coding practices are recommended guidelines that are used to create secure applications and services. The software development lifecycle is an efficient process used by teams to quickly build software products and features. In this process, security is an additional step. By ensuring that each phase of the software development lifecycle undergoes security reviews, security can be fully integrated into the software product. For example, performing a secure design review during the design phase, secure code reviews during the development and testing phases, and penetration testing during the deployment and implementation phase ensures that security is embedded into the software product at every step. This keeps software secure and sensitive data protected, and mitigates unnecessary risk to an organization. Being familiar with these domains can help you better understand how they're used to improve the overall security of an organization and the critical role security teams play. Next, we'll discuss security threats, risks, and vulnerabilities, including ransomware, and introduce you to the three layers of the web.

As
an entry-level security analyst, one of your many roles will be to handle an organization's digital and physical assets. As a reminder, an asset is an item perceived as having value to an organization. During their lifespan, organizations acquire all types of assets, including physical office spaces, computers, customers' PII, intellectual property, such as patents or copyrighted data, and so much more. Unfortunately, organizations operate in an environment that presents multiple security threats, risks, and vulnerabilities to their assets. Let's review what threats, risks, and vulnerabilities are and discuss some common examples of each.

A threat is any circumstance or event that can negatively impact assets. One example of a threat is a social engineering attack. Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Malicious links in email messages that look like they're from legitimate companies or people are one method of social engineering, known as phishing. As a reminder, phishing is a technique that is used to acquire sensitive data, such as usernames, passwords, or banking information.

Risks are different from threats. A risk is anything that can impact the confidentiality, integrity, or availability of an asset. Think of a risk as the likelihood of a threat occurring. An example of a risk to an organization might be the lack of backup protocols for making sure its stored information can be recovered in the event of an accident or security incident. Organizations tend to rate risks at different levels: low, medium, and high, depending on possible threats and the value of an asset. A low-risk asset is information that would not harm the organization's reputation or ongoing operations and would not cause financial damage if compromised. This includes public information, such as website content or published research data. A medium-risk asset might include information that's not available to the public and may cause some damage to the organization's finances, reputation, or ongoing operations. For example, the early release of a company's quarterly earnings could impact the value of their stock. A high-risk asset is any information protected by regulations or laws, which, if compromised, would have a severe negative impact on an organization's finances, ongoing operations, or reputation. This could include leaked assets with SPII, PII, or intellectual property.

Now, let's discuss vulnerabilities. A vulnerability is a weakness that can be exploited by a threat, and it's worth noting that both a vulnerability and a threat must be present for there to be a risk. Examples of vulnerabilities include an outdated firewall, software, or application, weak passwords, or unprotected confidential data. People can also be considered a vulnerability. People's actions can significantly affect an organization's internal network, whether it's a client, external vendor, or employee. Maintaining security must be a united effort. So entry-level analysts need to educate and empower people to be more security conscious. For example, educating people on how to identify a phishing email is a great starting point. Using access cards to grant employee access to physical spaces, while restricting outside visitors, is another good security measure. Organizations must continually improve their efforts when it comes to identifying and mitigating vulnerabilities to minimize threats and risks. Entry-level analysts can support this goal by encouraging employees to report suspicious activity and actively monitoring and documenting employees' access to critical assets. Now that you're familiar with some of the threats, risks, and vulnerabilities analysts frequently encounter, coming up, we'll discuss how they impact business operations.

In this video, we'll discuss an expensive type of malware called ransomware. Then we'll cover three key impacts
of threats, risks, and vulnerabilities on organizational operations. Ransomware is a malicious attack where threat actors encrypt an organization's data, then demand payment to restore access. Once ransomware is deployed by an attacker, it can freeze network systems, leave devices unusable, and encrypt or lock confidential data, making devices inaccessible. The threat actor then demands a ransom before providing a decryption key to allow organizations to return to their normal business operations. Think of a decryption key as a password provided to regain access to your data. Note that when ransom negotiations occur or data is leaked by threat actors, these events can occur through the dark web.

While many people use search engines to navigate to their social media accounts or to shop online, this is only a small part of what the web really is. The web is actually an interlinked network of online content that's made up of three layers: the surface web, the deep web, and the dark web. The surface web is the layer that most people use. It contains content that can be accessed using a web browser. The deep web generally requires authorization to access it. An organization's intranet is an example of the deep web, since it can only be accessed by employees or others who have been granted access. Lastly, the dark web can only be accessed by using special software. The dark web generally carries a negative connotation, since it is the preferred web layer for criminals because of the secrecy that it provides.

Now, let's discuss three key impacts of threats, risks, and vulnerabilities. The first impact we'll discuss is financial impact. When an organization's assets are compromised by an attack, such as the use of malware, the financial consequences can be significant for a variety of reasons. These can include interrupted production and services, the cost to correct the issue, and fines if assets are compromised because of non-compliance with laws and regulations. The second impact is identity theft. Organizations must decide whether to store private customer, employee, and outside vendor data, and for how long. Storing any type of sensitive data presents a risk to the organization. Sensitive data can include personally identifiable information, or PII, which can be sold or leaked through the dark web. That's because the dark web provides a sense of secrecy, and threat actors may have the ability to sell data there without facing legal consequences. The last impact we'll discuss is damage to an organization's reputation. A solid customer base supports an organization's mission, vision, and financial goals, and an exploited vulnerability can lead customers to seek new business relationships with competitors or create bad press that causes permanent damage to an organization's reputation. The loss of customer data doesn't only affect an organization's reputation and financials. It may also result in legal penalties and fines. Organizations are strongly encouraged to take proper security measures and follow certain protocols to prevent the significant impact of threats, risks, and vulnerabilities. By using all the tools in their toolkit, security teams are better prepared to handle an event, such as a ransomware attack. Coming up, we'll cover the NIST Risk Management Framework's seven steps for managing risk.

As you might remember from earlier in the program, the National Institute of Standards and Technology, NIST, provides many frameworks that are used by security professionals to manage risks, threats, and vulnerabilities. In this video, we're going to focus on NIST's Risk Management Framework, or RMF. As an entry-level analyst, you may not engage in all of these steps, but it's important to be familiar
with this framework. Having a solid foundational understanding of how to mitigate and manage risks can set you apart from other candidates as you begin your job search in the field of security. There are seven steps in the RMF: prepare, categorize, select, implement, assess, authorize, and monitor.

Let's start with step one, prepare. Prepare refers to activities that are necessary to manage security and privacy risks before a breach occurs. As an entry-level analyst, you'll likely use this step to monitor for risks and identify controls that can be used to reduce those risks. Step two is categorize, which is used to develop risk management processes and tasks. Security professionals then use those processes and develop tasks by thinking about how the confidentiality, integrity, and availability of systems and information can be impacted by risk. As an entry-level analyst, you'll need to be able to understand how to follow the processes established by your organization to reduce risks to critical assets, such as private customer information. Step three is select. Select means to choose, customize, and capture documentation of the controls that protect an organization. An example of the select step would be keeping a playbook up to date or helping to manage other documentation that allows you and your team to address issues more efficiently. Step four is to implement security and privacy plans for the organization. Having good plans in place is essential for minimizing the impact of ongoing security risks. For example, if you notice a pattern of employees constantly needing password resets, implementing a change to password requirements may help solve this issue. Step five is assess. Assess means to determine if established controls are implemented correctly. An organization always wants to operate as efficiently as possible, so it's essential to take the time to analyze whether the implemented protocols, procedures, and controls that are in place are meeting organizational needs. During this step, analysts identify potential weaknesses and determine whether the organization's tools, procedures, controls, and protocols should be changed to better manage potential risks. Step six is authorize. Authorize means being accountable for the security and privacy risks that may exist in an organization. As an analyst, the authorization step could involve generating reports, developing plans of action, and establishing project milestones that are aligned to your organization's security goals. Step seven is monitor. Monitor means to be aware of how systems are operating. Assessing and maintaining technical operations are tasks that analysts complete daily. Part of maintaining a low level of risk for an organization is knowing how the current systems support the organization's security goals. If the systems in place don't meet those goals, changes may be needed. Although it may not be your job to establish these procedures, you will need to make sure they're working as intended, so that risks to the organization itself and the people it serves are minimized.

You've now completed the first section of this course. Let's review what we've discussed so far. We started out by exploring the focus of CISSP's eight security domains. Then we discussed threats, risks, and vulnerabilities, and how they can impact organizations. This included a close examination of ransomware and an introduction to the three layers of the web. Finally, we focused on the seven steps of the NIST Risk Management Framework, also called the RMF. You did a fantastic job adding new knowledge to your security analyst toolkit. In upcoming videos, we'll go into more detail about some common tools used by entry-level security analysts. Then you'll have an opportunity to analyze data generated by those tools to identify risks, threats, or vulnerabilities. You'll also have a chance to use a playbook to respond to incidents. That's all for now. Keep up the great work.

Welcome back. As a security analyst, your job isn't just keeping organizations safe. Your role is much more important. You're also helping to keep people safe. Breaches that affect customers', vendors', and employees' data can cause significant damage to people's financial stability and their reputations. As an analyst, your day-to-day work will help keep people and organizations safe. In this section of the course, we'll discuss security frameworks, controls,
and design principles in more detail, and how they can be applied to security audits to help protect organizations and people. Keeping customer information confidential is a crucial part of my daily work at Google, and the NIST Cybersecurity Framework plays a large part in this. The framework ensures the protection and compliance of customer tools and personal work devices through the use of security controls. Welcome to the world of security frameworks and controls. Let's get started.

In an organization, plans are put in place to protect against a variety of threats, risks, and vulnerabilities. However, the requirements used to protect organizations and people often overlap. Because of this, organizations use security frameworks as a starting point to create their own security policies and processes. Let's start by quickly reviewing what frameworks are. Security frameworks are guidelines used for building plans to help mitigate risk and threats to data and privacy, such as social engineering attacks and ransomware. Security involves more than just the virtual space. It also includes the physical, which is why many organizations have plans to maintain safety in the work environment. For example, access to a building may require using a key card or badge. Other security frameworks provide guidance for how to prevent, detect, and respond to security breaches. This is particularly important when trying to protect an organization from social engineering attacks, like phishing, that target their employees. Remember, people are the biggest threat to security. So frameworks can be used to create plans that increase employee awareness and educate them about how they can protect the organization, their coworkers, and themselves. Educating employees about existing security challenges is essential for minimizing the possibility of a breach. Providing employee training about how to recognize red flags or potential threats is essential, along with having plans in place to quickly report and address security issues. As an analyst, it will be important for you to understand and implement the plans your organization has in place to keep the organization, its employees, and the people it serves safe from social engineering attacks, breaches, and other harmful security incidents. Coming up, we'll review and discuss security controls, which are used alongside frameworks to achieve an organization's security goals.

While frameworks are used to create plans to address security risks, threats, and vulnerabilities, controls are used to reduce specific risks. If proper controls are not in place, an organization could face significant financial impacts and damage to its reputation because of exposure to risks, including trespassing, creating fake employee accounts, or providing free benefits. Let's review the definition of controls. Security controls are safeguards designed to reduce specific security risks. In this video, we'll discuss three common types of controls: encryption, authentication, and authorization. Encryption is the process of converting data from a readable format to an encoded format. Typically, encryption involves converting data from plaintext to ciphertext. Ciphertext is the raw, encoded message that's unreadable to humans and computers. Ciphertext data cannot be read until it's been decrypted into its original plaintext form. Encryption is used to ensure confidentiality of sensitive data, such as customers' account information or Social Security numbers. Another control that can be used to protect sensitive data is authentication. Authentication is the process of verifying who someone or something is. A real-world example of authentication is logging into a website with your username and password. This basic form of authentication proves that you know the username and password and should be allowed to access the website. More advanced methods of authentication, such as Multi-Factor Authentication, or MFA, challenge the user to demonstrate that they are who they claim to be by requiring both a password and an additional form of authentication, like a security code or biometrics, such as a fingerprint, voice, or face scan. Biometrics are unique physical characteristics that can be used to verify a person's identity. Examples of biometrics are a fingerprint, an eye scan, or a palm scan. One example of a social engineering attack that can exploit biometrics is vishing. Vishing is the exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source. For example, vishing could be used to impersonate a person's voice to steal their identity and then commit a crime. Another very important security control is authorization. Authorization refers to the concept of granting access to specific resources within a system. Essentially, authorization is used to verify that a person has permission to access a resource. As an example, if you're working as an entry-level security analyst for the federal government, you could have permission to access data through the deep web or other internal data that is only accessible if you're a federal employee. The security controls we discussed today are only one element of a
core security model known as the CIA triad. Coming up, we'll talk more about this model and how security teams use it to protect their organizations.

Great to see you again. While working as an entry-level security analyst, your main responsibility is to help protect your organization's sensitive assets and data from threat actors. The CIA triad is a core security model that will help you do that. In this video, we'll explore the CIA triad and discuss the importance of each component for keeping an organization safe from threats, risks, and vulnerabilities. Let's get started. The CIA triad is a model that helps inform how organizations consider risk when setting up systems and security policies. As a reminder, the three letters in the CIA triad stand for confidentiality, integrity, and availability. As an entry-level analyst, you'll find yourself constantly referring to these three core principles as you work to protect your organization and the people it serves. Confidentiality means that only authorized users can access specific assets or data. Sensitive data should be available on a need-to-know basis, so that only the people who are authorized to handle certain assets or data have access. Integrity means that the data is correct, authentic, and reliable. Determining the integrity of data and analyzing how it's used will help you as a security professional decide whether the data can or cannot be trusted. Availability means that the data is accessible to those who are authorized to access it. Inaccessible data isn't useful and can prevent people from being able to do their jobs. As a security professional, ensuring that systems, networks, and applications are functioning properly to allow for timely and reliable access may be a part of your everyday work responsibilities.

Now that we've defined the CIA triad and its components, let's explore how you might use the CIA triad to protect an organization. If you work for an organization that has large amounts of private data, like a bank, the principle of confidentiality is essential, because a bank must keep people's personal and financial information safe. The principle of integrity is also a priority. For example, if a person's spending habits or purchasing locations change dramatically, the bank will likely disable access to the account until they can verify that the account owner, not a threat actor, is actually the one making purchases. The availability principle is also critical. Banks put a lot of effort into making sure that people can access their account information easily on the web, and to make sure that information is protected from threat actors, banks use a validation process to help minimize damage if they suspect that customer accounts have been compromised. As an analyst, you'll regularly use each component of the triad to help protect your organization and the people it serves, and having the CIA triad constantly in mind will help you keep sensitive data and assets safe from a variety of threats, risks, and vulnerabilities, including the social engineering attacks, malware, and data theft we discussed earlier. Coming up, we'll explore specific frameworks and principles that will also help you protect your organization from threats, risks, and vulnerabilities. See you soon.

Welcome back. Before we get started, let's quickly review the purpose of frameworks. Organizations use frameworks as a starting point to develop plans that mitigate risks, threats, and vulnerabilities to sensitive data and assets. And fortunately, there are organizations worldwide that create frameworks security professionals can use to develop those plans. In this video, we'll discuss two of the National Institute of Standards and Technology's, or NIST's, frameworks that can support ongoing security efforts for all types of organizations, including for-profit and nonprofit businesses, as well as government agencies. And while NIST is a US-based organization, the guidance it provides can help analysts all over the world understand how to implement essential cybersecurity practices. One NIST framework that we'll discuss throughout the program is the NIST Cybersecurity Framework, or CSF. The CSF is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk. This framework is widely respected and essential for maintaining security, regardless of the organization you work for. The CSF consists of five important core functions: identify, protect, detect, respond, and recover, which we'll discuss in detail in a future video. For now, we'll focus on how the CSF benefits organizations and how it can be used to protect against threats, risks, and vulnerabilities by providing a workplace example.

Imagine that one morning, you receive a high-risk notification that a workstation has been compromised. You identify the workstation and discover that there's an unknown device plugged into it. You block the unknown device remotely to stop any potential threat and protect the organization. Then you remove the infected workstation to prevent the spread of the damage, and use tools to detect any additional threat actor behavior, and identify the unknown device. You respond by investigating the incident to determine who used the unknown device, how the threat occurred, what was affected, and where the attack originated. In this case, you discover that an employee was charging their infected phone using a USB port on their work laptop. Finally, you do your best to recover any files or data that were affected and correct any damage the threat caused to the workstation itself. As demonstrated by the previous example, the core functions of the NIST CSF provide specific guidance and direction for security professionals. This framework is used to develop plans to handle an incident appropriately and quickly to lower risk, protect an organization against a threat, and mitigate any potential vulnerabilities. The NIST CSF also expands into the protection of the United States federal government with NIST Special Publication, or SP, 800-53. It provides a unified framework for protecting the security of information systems within the federal government, including the systems provided by private companies for federal government use. The security controls provided by this framework
are used to maintain the CIA triad for those systems used by the government. Isn't it amazing how all of these frameworks and controls work together? We've discussed some really important security topics in this video that will be very useful for you as you continue your security journey, because they're core elements of the security profession. The NIST CSF is a useful framework that most security professionals are familiar with and having an understanding of the NIST S.P. 800-53 is crucial if you have an interest in working for the US federal government. Coming up, we'll continue to explore
the five NIST CSF functions and how organizations use them to protect assets and data.

Hello, again. I'm excited you're here. We have so much to discuss. Previously, we covered the uses and benefits of the NIST CSF. In this video, we'll focus specifically on the five core functions of the NIST CSF framework. Let's get started. NIST CSF focuses on five core functions: identify, protect, detect, respond, and recover. These core functions help organizations manage cybersecurity risks, implement risk management strategies, and learn from previous mistakes. Basically, when it comes to security operations, NIST CSF functions are key for making sure an organization is protected against potential threats, risks, and vulnerabilities. So let's take a little time to explore how each function can be used to improve an organization's security. The first core function is identify, which is related to the management of cybersecurity risk and its effect on an organization's people and assets. For example, as a security analyst, you may be asked to monitor the systems and devices in your organization's internal network to identify potential security issues, like compromised devices on the network. The second core function is protect, which is the strategy used to protect an organization through the implementation of policies, procedures, training, and tools that help mitigate cybersecurity threats. For example, as a security analyst, you and your team might encounter new and unfamiliar threats and attacks. For this reason, studying historical data and making improvements to policies and procedures is essential. The third core function is detect, which means identifying potential security incidents and improving monitoring capabilities to increase the speed and efficiency of detections. For example, as an analyst, you might be asked to review a new security tool's setup to make sure it's flagging low, medium, or high risk and then alerting the security team about any potential threats or incidents. The fourth function is respond, which means making sure that the proper procedures are used to contain, neutralize, and analyze security incidents and implement improvements to the security process. As an analyst, you could be working with a team to collect and organize data to document an incident and suggest improvements to processes to prevent the incident from happening again. The fifth core function is recover, which is the process of returning affected systems back to normal operation. For example, as an entry-level security analyst, you might work with your security team to restore systems, data, and assets, such as financial or legal files, that have been affected by an incident, like a breach. We've covered a lot of information in this video. Hopefully, it helped you understand the value of learning about NIST CSF and its five core functions. From proactive to reactive measures, all five functions are essential for making sure that an organization has effective security strategies in place. Security incidents are going to happen, but an organization must have the ability to quickly recover from any damage caused by an incident to minimize their level of risk. Coming up, we'll discuss security principles that work hand in hand with NIST frameworks and the CIA triad to help protect critical data and assets.

It's important to understand how to protect an organization's data and assets, because that will be part of your role as a security analyst. Fortunately, there are principles and guidelines that can be used along with NIST frameworks and the CIA triad to help security teams minimize threats and risks. In this video, we'll explore some Open Web Application Security Project, or OWASP, security principles that are useful to know as an entry-level analyst. The first OWASP principle is to minimize the attack surface area. An attack surface refers to all the potential vulnerabilities that a threat actor could exploit, like attack vectors, which are pathways attackers use to penetrate security defenses. Examples of common attack vectors are phishing emails and weak passwords. To minimize the attack surface and avoid incidents from these types of vectors, security teams might disable software features, restrict who can access certain assets, or establish more complex password requirements. The principle of least privilege means making sure that users have the least amount of access required to perform their everyday tasks. The main reason for limiting access to organizational information and resources is to reduce the amount of damage a security breach could cause. For example, as an entry-level analyst, you may have access to log data, but may not have access to change user permissions. Therefore, if a threat actor compromises your credentials, they'll only be able to gain limited access to digital or physical assets, which may not be enough for them to deploy their intended attack. The next principle we'll discuss is defense in depth. Defense in depth means that an organization should have multiple security controls that address risks and threats in different ways. One example of a security control is multi-factor authentication, or MFA, which requires users to take an additional step beyond simply entering their username and password to gain access to an application. Other controls include firewalls, intrusion detection systems, and permission settings that can be used to create multiple points of defense a threat actor must get through to breach an organization. Another principle is separation of duties, which can be used to prevent individuals from carrying out fraudulent or illegal activities. This principle means that no one should be given so many privileges that they can misuse the system. For example, the person in a company who signs the paychecks shouldn't also be the person who prepares them. Only two more principles to go. You're doing great. Keep security simple is the next principle. As the name suggests, when implementing security controls, unnecessarily complicated solutions should be avoided, because they can become unmanageable. The more complex the security controls are, the harder it is for people to work collaboratively. The last principle is to fix security issues correctly. Technology is a great tool, but can also present challenges. When a security incident occurs, security professionals are expected to identify the root cause quickly. From there, it's important to correct any identified vulnerabilities and conduct tests to ensure that repairs are successful. An example of an issue is a weak password to access an organization's Wi-Fi, because it could lead to a breach. To fix this type of security issue, stricter password policies could be put in place. I know we've covered a lot, but understanding these principles increases your overall security knowledge and can help you stand out as a security professional.

Now that we've
covered different frameworks, controls, security principles, and compliance regulations, the question is, how do they all work together? The answer to that question is by conducting security audits. A security audit is a review of an organization's security controls, policies, and procedures against a set of expectations. There are two main types of security audits, external and internal. We'll focus on internal security audits, because those are the types of audits that entry-level analysts might be asked to contribute to. An internal security audit is typically conducted by a team of people that might include an organization's compliance officer, security manager, and other security team members. Internal security audits are used to help improve an organization's security posture and help organizations avoid fines from governing agencies due to a lack of compliance. Internal security audits help security teams identify organizational risk, assess controls, and correct compliance issues. Now that we've discussed the purposes of internal audits, let's cover some common elements of internal audits. These include establishing the scope and goals of the audit, conducting a risk assessment of the organization's assets, completing a controls assessment, assessing compliance, and communicating results to stakeholders. In this video, we'll cover the first two elements, which are a part of the audit planning process: establishing the scope and goals, then completing a risk assessment. Scope refers to the specific criteria of an internal security audit. Scope requires organizations to identify people, assets, policies, procedures, and technologies that might impact an organization's security posture. Goals are an outline of the organization's security objectives, or what they want to achieve in order to improve their security posture. Although more senior-level security team members and other stakeholders usually establish the scope and goals of the audit, entry-level analysts might be asked to review and understand the scope and goals in order to complete other elements of the audit. As an example, the scope of this audit involves assessing user permissions; identifying existing controls, policies, and procedures; and accounting for the technology currently in use by the organization. The goals outlined include implementing core functions of frameworks, like the NIST CSF, establishing policies and procedures to ensure compliance, and strengthening system controls. The next element is conducting a risk assessment, which is focused on identifying potential threats, risks, and vulnerabilities. This helps organizations consider what security measures should be implemented and monitored to ensure the safety of assets. Similar to establishing the scope and goals, a risk assessment is oftentimes completed by managers or other stakeholders. However, you might be asked to analyze details provided in the risk assessment to consider what types of controls and compliance regulations need to be in place to help improve the organization's security posture. For example, this risk assessment highlights that there are inadequate controls, processes, and procedures in place to protect the organization's assets. Specifically, there is a lack of proper management of physical and digital assets, including employee equipment. The equipment used to store data is not properly secured, and access to private information stored in the organization's internal network likely needs more robust controls in place. Now that we've discussed the initial planning elements of an internal security audit, coming up, we'll focus on the last three elements.

Previously, we discussed the initial planning elements of an internal security audit. In this video, we'll cover the final elements that an entry-level analyst might be asked to complete. As a reminder, the planning elements of internal security audits include establishing the scope and goals, then conducting a risk assessment. The remaining elements are completing a controls assessment, assessing compliance, and communicating results. Before completing these last three elements, you'll need to review the scope and goals, as well as the risk assessment, and ask yourself some questions. For example, what is the audit meant to achieve? Which assets are most at risk? Are current controls sufficient to protect those assets? If not, what controls and compliance regulations need to be implemented? Considering questions like these can support your ability to complete the next element, a controls assessment. A controls assessment involves closely reviewing an organization's existing assets, then evaluating potential risks to those assets to ensure internal controls and processes are effective. To do this, entry-level analysts might be tasked with classifying controls into the following categories: administrative controls, technical controls, and physical controls. Administrative controls are related to the human component of cybersecurity. They include policies and procedures that define how an organization manages data, such as the implementation of password policies. Technical controls are hardware and software solutions used to protect assets, such as the use of intrusion detection systems, or IDS, and encryption. Physical controls refer to measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks. The next element is determining whether or not the organization is adhering to necessary compliance regulations. As a reminder, compliance regulations are laws that organizations must follow to ensure private data remains secure. In this example, the organization conducts business in the European Union and accepts credit card payments, so they need to adhere to the GDPR and the Payment Card Industry Data Security Standard, or PCI DSS. The final common element of an internal security audit is communication. Once the internal security audit is complete, results and recommendations need to be communicated to stakeholders. In general, this type of communication summarizes the scope and goals of the audit. Then it lists existing risks and notes how quickly those risks need to be addressed. Additionally, it identifies compliance regulations the organization needs to adhere to and provides recommendations for improving the organization's security posture. Internal audits are a great way to identify gaps within an organization. When I worked at a previous company, my team and I conducted an internal password audit and found that many of the passwords were weak. Once we identified this issue, the compliance team took the lead and began enforcing stricter password policies.
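The stricter password policy mentioned here, and the "more complex password requirements" from the OWASP attack-surface principle, can be enforced as a technical control at password-change time. The following is an added example written for this page, not code from the course or from any product it mentions. The policy itself (12-character minimum, three of four character classes, a short denylist, no username inside the password) is a constructed assumption, as are the sample accounts; a real deployment would use a far larger denylist and would never store or audit passwords in plaintext.

```python
"""Password-policy check (added example; the policy and sample data are constructed)."""
from __future__ import annotations

import re

MIN_LENGTH = 12      # assumed policy minimum
MIN_CLASSES = 3      # assumed: at least three of the four character classes below

# Constructed denylist; a real one would be derived from public breach corpora.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),   # spaces count, so passphrases qualify
}


def policy_violations(password: str, username: str = "") -> list[str]:
    """Return every policy rule the candidate password breaks (empty list means it passes)."""
    violations: list[str] = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    classes_present = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if classes_present < MIN_CLASSES:
        violations.append(f"uses only {classes_present} of {MIN_CLASSES} required character classes")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("appears on the common-password denylist")
    if username and username.lower() in password.lower():
        violations.append("contains the username")
    return violations


def audit(candidates: dict[str, str]) -> dict[str, list[str]]:
    """Check candidate passwords for several accounts; return only the accounts that fail."""
    failures: dict[str, list[str]] = {}
    for username, password in candidates.items():
        problems = policy_violations(password, username)
        if problems:
            failures[username] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample of candidates submitted at password-change time.
    sample = {
        "alice": "Password1",                      # short and on the denylist
        "bob": "bob-Secure-2024!",                 # strong, but contains the username
        "carol": "Correct Horse Battery Staple",   # passphrase: lower, upper, symbol (space)
        "dave": "Tr0ub4dor&3xtended",              # passes
    }
    for user, problems in audit(sample).items():
        print(f"{user}: " + "; ".join(problems))
```

Running the check on the constructed sample rejects `alice` (too short, on the denylist) and `bob` (contains the username) while accepting the passphrase and the mixed-class password, which is the point of counting a space as a symbol: the policy tightens requirements without forbidding long passphrases.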
Audits are an opportunity to determine what security measures an organization has in place and what areas need to be improved to achieve the organization's desired security posture. Security audits are quite involved, yet of extreme value to organizations. Later in the course, you'll have an opportunity to complete elements of an internal security audit for a fictional company, which you can include in your professional portfolio.

Great job. Now, you've had an opportunity to learn more about security concepts that can help an organization protect data and assets. We've covered quite a bit, but it will all be valuable knowledge for you as you continue along your journey into the security profession. We started by defining what security frameworks are and how they help organizations protect critical information. We also explored security controls and the important role they play in protecting against risks, threats, and vulnerabilities. This included a discussion of the CIA triad, which is a core security model, and two NIST frameworks, the CSF and S.P. 800-53. Then we covered some of OWASP's secure design principles. We ended by introducing security audits with a focus on the elements of an internal audit that you may be asked to complete or contribute to. Security professionals use the concepts we discussed to help protect an organization's assets, data, systems, and people. As you continue along your journey into the security profession, a lot of these concepts will come up repeatedly. What we're doing now is giving you a foundational understanding of security practices and topics that will help you along the way. In the next section of the course, we'll discuss specific security tools you may one day use as an analyst. We'll cover how they're used to improve an organization's security posture and how they can help you achieve your goal of keeping organizations and people safe. I'm excited to continue this journey with you. See you soon.

Welcome back. Previously, we discussed security frameworks, controls, and design principles, and how security professionals apply these to security audits. In this section, we'll continue to explore security tools and how they can help you keep organizations and the people they serve safe. Security professionals often use a variety of tools to address specific security challenges, such as collecting security data, detecting and analyzing threats, or automating tasks. Security tools help organizations achieve a more comprehensive security posture. We'll begin by covering different types of logs, what they track, and how they're used. Then we'll explore Security Information and Event Management, otherwise known as SIEM, dashboards. Finally, we'll discuss some common SIEM tools used in the security industry. Let's get started.

As a security analyst, one of your responsibilities might include analyzing log data to mitigate and manage threats, risks, and vulnerabilities. As a reminder, a log is a record of events that occur within an organization's systems and networks. Security analysts access a variety of logs from different sources. Three common log sources include firewall logs, network logs, and server logs. Let's explore each of these log sources in more detail. A firewall log is a record of attempted or established connections for incoming traffic from the internet. It also includes outbound requests to the internet from within the network. A network log is a record of all computers and devices that enter and leave the network. It also records connections between devices and services on the network. Finally, a server log is a record of events related to services, such as websites, emails, or file shares. It includes actions, such as login, password, and username requests. By monitoring logs, like the one shown here, security teams can identify vulnerabilities and potential data breaches. Understanding logs is important, because SIEM tools rely on logs to monitor systems and detect security threats. A Security Information and Event Management, or SIEM, tool is an application that collects and analyzes log data to monitor critical activities in an organization. It provides real-time visibility, event monitoring and analysis, and automated alerts. It also stores all log data in a centralized location. Because SIEM tools index and minimize the number of logs a security professional must manually review and analyze, they increase efficiency and save time. But SIEM tools must be configured and customized to meet each organization's unique security needs. As new threats and vulnerabilities emerge, organizations must continually customize their SIEM tools to ensure that threats are detected and quickly addressed. Later in the certificate program, you'll have a chance to practice using different SIEM tools to identify potential security incidents. Coming up, we'll explore SIEM dashboards and how cybersecurity professionals use them to monitor for threats, risks, and vulnerabilities.

We've explored how SIEM tools are used to collect and analyze log data. However, this is just one of the many ways SIEM tools are used in cybersecurity. SIEM tools can also be used to create dashboards. You might have encountered dashboards in an app on your phone or other device. They present information about your account or location in a format that's easy to understand. For example, weather apps display data, like temperature, precipitation, wind speed, and the forecast, using charts, graphs, and other visual elements. This format makes it easy to quickly identify weather patterns and trends, so you can stay prepared and plan your day accordingly. Just like weather apps help people make quick and informed decisions based on data, SIEM dashboards help security analysts quickly and easily access their organization's security information as charts, graphs, or tables. For example, a security analyst receives an alert about a suspicious login attempt. The analyst accesses their SIEM dashboard to gather information about this alert. Using the dashboard, the analyst discovers that there have been 500 login attempts for Yamara's account in the span of five minutes. They also discover that the login attempts happen from geographic locations outside of Yamara's usual location and outside of her usual working hours. By using a dashboard, the security analyst was able to quickly review visual representations of the timeline of the login attempts, the location, and the exact time of the activity, then determined that the activity was suspicious. In addition to providing a comprehensive summary of security-related data, SIEM dashboards also provide stakeholders with different metrics. Metrics are key technical attributes, such as response time, availability, and failure rate, which are used to assess the performance of a software application. SIEM dashboards can be customized to display specific metrics or other data that are relevant to different members in an organization. For example, a security analyst may create a dashboard that displays metrics for monitoring everyday business operations, like the volume of incoming and outgoing network traffic. We've examined how security analysts use SIEM dashboards to help organizations maintain their security posture. Well done. Coming up, we'll discuss some common SIEM tools used in the cybersecurity industry. Meet you there.

Hello, again. Previously, we discussed how SIEM tools help security analysts monitor systems and detect security threats. In this video, we'll cover some industry-leading SIEM tools that you'll likely encounter as a security analyst. First, let's discuss the different types of SIEM tools that organizations can choose from based
on their unique security needs. Self-hosted SIEM tools require organizations to install, operate, and maintain the tool using their own physical infrastructure, such as server capacity. These applications are then managed and maintained by the organization's IT department rather than a third-party vendor. Self-hosted SIEM tools are ideal when an organization is required to maintain physical control over confidential data. Alternatively, Cloud-hosted SIEM tools are maintained and managed by the SIEM providers, making them accessible through the internet. Cloud-hosted SIEM tools are ideal for organizations that don't want to invest in creating and maintaining their own infrastructure. Or an organization can choose to use a combination of both self-hosted and Cloud-hosted SIEM tools, known as a hybrid solution. Organizations might choose a hybrid SIEM solution to leverage the benefits of the Cloud, while also maintaining physical control over confidential data. Splunk Enterprise, Splunk Cloud, and Chronicle are common SIEM tools that many organizations use to help protect their data and systems. Let's begin by discussing Splunk. Splunk is a data analysis platform, and Splunk Enterprise provides SIEM solutions. Splunk Enterprise is a self-hosted tool used to retain, analyze, and search an organization's log data to provide security information and alerts in real time. Splunk Cloud is a Cloud-hosted tool used to collect, search, and monitor log data. Splunk Cloud is helpful for organizations running hybrid or Cloud-only environments, where some or all of the organization's services are in the Cloud. Finally, there's Google's Chronicle. Chronicle is a Cloud-native tool designed to retain, analyze, and search data. Chronicle provides log monitoring, data analysis, and data collection. Like Cloud-hosted tools, Cloud-native tools are also fully maintained and managed by the vendor. But Cloud-native tools are specifically designed to take full advantage of Cloud computing capabilities, such as availability, flexibility, and scalability. Because threat actors are frequently improving their strategies to compromise the confidentiality, integrity, and availability of their targets, it's important for organizations to use a variety of security tools to help defend against attacks. The SIEM tools we just discussed are only a few examples of the tools available for security teams to use to help defend their organizations, and later in the certificate program, you'll have the exciting opportunity to practice using Splunk Cloud and Chronicle.

Let's quickly review what we covered in this section of the course. We started by discussing the importance of logs in cybersecurity, and we explored different log types, like firewall, network, and server logs. Next, we explored SIEM dashboards and how they use visual representations to provide security teams with quick and clear insights into the security posture of an organization. Finally, we introduced common SIEM tools used in the cybersecurity industry, including Splunk and Chronicle. We'll be exploring even more security tools later in the program, and you'll have opportunities to practice using them. Coming up, we'll discuss playbooks and how they help security professionals respond appropriately to identified threats, risks, and vulnerabilities. Meet you there.

Hello, and welcome back. You've reached the final section of this course. Previously, we discussed Security Information and Event Management, or SIEM, tools, and how they can be used to help organizations improve their security posture. Let's continue our security journey by exploring another tool security professionals use, playbooks. In this section, we'll explore how playbooks help security teams respond to threats, risks, or vulnerabilities identified by SIEM tools. Then we'll discuss the six phases of incident response. Let's get started.

Previously, we discussed how SIEM tools are used to help protect an organization's critical assets and data. In this video, we'll introduce another important tool for maintaining an organization's security, known as a playbook. A playbook is a manual that provides details about any operational action. Playbooks also clarify what tools should be used in response to a security incident. In the security field, playbooks are essential. Urgency, efficiency, and accuracy are necessary to quickly identify and mitigate a security threat to reduce potential risk. Playbooks ensure that people follow a consistent list of actions in a prescribed way, regardless of who is working on the case. Different types of playbooks are used. These include playbooks for incident response, security alerts, team-specific, and product-specific purposes. Here, we'll focus on a playbook that's commonly used in cybersecurity called an incident response playbook. Incident response is an organization's quick attempt to identify an attack, contain the damage, and correct the effects of a security breach. An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end. Let's discuss each phase. The first phase is preparation. Organizations must prepare to mitigate the likelihood, risk, and impact of a security incident by documenting procedures, establishing staffing plans, and educating users. Preparation sets the foundation for successful incident response. For example, organizations can create incident response plans and procedures that outline the roles and responsibilities of each security team member. The second phase is detection and analysis. The objective of this phase is to detect and analyze events using defined processes and technology. Using appropriate tools and strategies during this phase helps security analysts determine whether a breach has occurred and analyze its possible magnitude. The third phase is containment. The goal of containment is to prevent further damage and reduce the immediate impact of a security incident. During this phase, security professionals take actions to contain an incident and minimize damage. Containment is a high priority for organizations, because it helps prevent ongoing risks to critical assets and data. The fourth phase in an incident response playbook is eradication and recovery. This phase involves the complete removal of an incident's artifacts, so that an organization can return to normal operations. During this phase, security professionals eliminate artifacts of the incident by removing malicious code and mitigating vulnerabilities. Once they've exercised due diligence, they can begin to restore the affected environment to a secure state. This is also known as IT restoration. The fifth phase is post-incident activity. This phase includes documenting the incident, informing organizational leadership, and applying lessons learned to ensure that an organization is better prepared to handle future incidents. Depending on the severity of the incident, organizations can conduct a full-scale incident analysis to determine the root cause of the incident and implement various updates or improvements to enhance its overall security posture. The sixth and final phase in an incident response playbook is coordination. Coordination involves reporting incidents and sharing information throughout the incident response process based on the organization's established standards. Coordination is important for many reasons. It ensures that organizations meet compliance requirements, and it allows for coordinated response and resolution. There are many ways security professionals may be alerted to an incident. You recently learned about SIEM tools and how they collect and analyze data. They use this data to detect threats and generate alerts, which can inform the security team of a potential incident. Then, when a security analyst receives an alert, they can use the appropriate playbook to guide the response process. SIEM tools and playbooks work together to provide a structured and efficient way of responding to potential security incidents.
Throughout the program, you'll have opportunities to continue to build your understanding of these important concepts.

Welcome back. In this video, we're going to revisit SIEM tools and how they're used alongside playbooks to reduce organizational threats, risks, and vulnerabilities. An incident response playbook is a guide that helps security professionals mitigate issues with a heightened sense of urgency, while maintaining accuracy. Playbooks create structure, ensure compliance, and outline processes for communication and documentation. Organizations may use different types of incident response playbooks, depending on the situation. For example, an organization may have specific playbooks for addressing different types of attacks, such as ransomware, malware, distributed denial of service, and more.

To start, let's discuss how a security analyst might use a playbook to address an alert, like a potential malware attack. In this situation, a playbook is invaluable for guiding an analyst through the necessary actions to properly address the alert. The first action in the playbook is to assess the alert. This means determining if the alert is actually valid by identifying why the alert was generated by the SIEM. This can be done by analyzing log data and related metrics.

Next, the playbook outlines the actions and tools to use to contain the malware and reduce further damage. For example, this playbook instructs the analyst to isolate or disconnect the infected network system to prevent the malware from spreading into other parts of the network.

After containing the incident, step three of the playbook describes ways to eliminate all traces of the incident and restore the affected systems back to normal operations. For example, the playbook might instruct the analyst to restore the impacted operating system, then restore the affected data using a clean backup created before the malware outbreak.

Finally, once the incident has been resolved, step four of the playbook instructs the analyst to perform various post-incident activities and coordination efforts with the security team. Some actions include creating a final report to communicate the security incident to stakeholders or reporting the incident to the appropriate authorities, like the US Federal Bureau of Investigation or other agencies that investigate cybercrimes. This is just one example of how you might follow the steps in a playbook, since organizations develop their own internal procedures for addressing security incidents. What's most important to understand is that playbooks provide a consistent process for security professionals to follow.
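The first playbook step in the walkthrough above (assess the alert by checking the SIEM's reason for firing against the log data, then decide whether to move on to containment) as an added Python example. This is not code from the course or from Google; the SIEM alert, the key=value endpoint log format, the host names, the process hash and the `.locked` file-extension heuristic are all constructed for illustration.

```python
"""Assess a SIEM alert against endpoint log data and pick the next playbook phase."""
import re
from typing import Dict, List

# Constructed sample SIEM alert (not real data): the rule fired because a
# process with a flagged hash started on workstation ws-017.
ALERT = {
    "id": "ALERT-0001",
    "rule": "suspicious_process_hash",
    "host": "ws-017",
    "sha256": "ab" * 32,
}

# Constructed endpoint log lines (not real data) in a simple key=value format.
LOG_LINES = [
    "2024-01-15T10:01:58Z host=ws-017 event=process_start pid=4120 "
    "image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe sha256=" + "ab" * 32,
    "2024-01-15T10:02:03Z host=ws-017 event=network_connect pid=4120 dst=198.51.100.23:443",
    "2024-01-15T10:02:09Z host=ws-017 event=file_write pid=4120 "
    "path=C:\\Users\\jdoe\\Documents\\report.docx.locked",
    "2024-01-15T10:05:00Z host=ws-022 event=process_start pid=777 "
    "image=C:\\Windows\\System32\\notepad.exe sha256=" + "cd" * 32,
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict; the leading token is the timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]
    return fields


def assess_alert(alert: Dict[str, str], log_lines: List[str]) -> Dict[str, object]:
    """Playbook step 1: decide whether the alert is valid and which phase comes next.

    A verdict of 'true_positive' sends the analyst to containment; 'needs_review'
    keeps them in detection and analysis; 'false_positive' goes straight to
    documenting the outcome (post-incident activity).
    """
    events = [parse_line(line) for line in log_lines]

    # Find the process start that the SIEM rule actually fired on.
    starts = [
        e for e in events
        if e.get("host") == alert["host"]
        and e.get("event") == "process_start"
        and e.get("sha256") == alert["sha256"]
    ]
    if not starts:
        return {"alert": alert["id"], "verdict": "false_positive", "pid": None,
                "evidence": [], "next_phase": "post_incident_activity"}

    pid = starts[0]["pid"]

    # Gather follow-on activity by that process on the same host.
    follow_on = [
        e for e in events
        if e.get("host") == alert["host"] and e.get("pid") == pid
        and e.get("event") != "process_start"
    ]

    # Constructed heuristics: outbound connections and files renamed with a
    # ransomware-style extension corroborate the alert.
    evidence = []
    for e in follow_on:
        if e["event"] == "network_connect":
            evidence.append(f"outbound connection to {e['dst']}")
        elif e["event"] == "file_write" and e["path"].endswith(".locked"):
            evidence.append(f"file renamed with .locked extension: {e['path']}")

    verdict = "true_positive" if evidence else "needs_review"
    next_phase = "containment" if evidence else "detection_and_analysis"
    return {"alert": alert["id"], "verdict": verdict, "pid": pid,
            "evidence": evidence, "next_phase": next_phase}


if __name__ == "__main__":
    result = assess_alert(ALERT, LOG_LINES)
    print(f"{result['alert']}: {result['verdict']} -> next phase: {result['next_phase']}")
    for item in result["evidence"]:
        print("  evidence:", item)
```

The point of the example is the shape of the decision, not the two toy heuristics: the analyst confirms the SIEM's reason for firing (the flagged hash really did execute on that host), then looks for corroborating activity by the same process before escalating to containment, and a false positive still gets recorded in the post-incident phase rather than silently dropped.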
Note that playbooks are living documents, meaning the security team will make frequent changes, updates, and improvements to address new threats and vulnerabilities. In addition, organizations learn from past security incidents to improve their security posture, refine policies and procedures, and reduce the likelihood and impact of future incidents. Then they update their playbooks accordingly. As an entry-level security analyst, you may be required to use playbooks frequently, especially when monitoring networks and responding to incidents. Having an understanding of why playbooks are important and how they can help you achieve your working objectives will help ensure your success within this field.

Let's review what we covered in this section. We began by discussing the purpose of playbooks. Then we examined the six phases of an incident response playbook, including an example of how a playbook might be used to address an incident. Playbooks are just one of the essential tools you'll use as a security analyst. They provide a structured, consistent approach to handling security incidents and can help you respond to security incidents quickly. Knowing how and when to use a playbook will allow you to make informed decisions about how to respond to a security incident when it occurs and help to minimize the impact and damage it may cause your organization and the people it serves. Following the steps of the playbook and communicating appropriately with your team will ensure your effectiveness as a security professional.

Congratulations on completing this course. Let's recap what we've covered so far. First, we reviewed CISSP's eight security domains and focused on threats, risks, and vulnerabilities to business operations. Then we explored security frameworks and controls and how they're a starting point for creating policies and processes for security management. This included a discussion of the CIA triad, NIST frameworks, and security design principles, and how they benefit the security community as a whole. This was followed by a discussion about how frameworks, controls, and principles are related to security audits. We also explored basic security tools, such as SIEM dashboards, and how they are used to protect business operations. And finally, we covered how to protect assets and data by using playbooks.

As a security analyst, you may be working on multiple tasks at once. Understanding the tools you have at your disposal and how to use them will elevate your knowledge in the field, while helping you successfully accomplish your everyday tasks. Coming up next in the program, my colleague Chris will provide more details about topics covered in this course and introduce you to some new core security concepts. I've enjoyed sharing this journey with you.