Inside Module 1 of Google’s ‘Manage Security Risks’ Course: My Personal Notes and Insights
Introduction:
Welcome to Module 1 of Google’s “Manage Security Risks” course, where we delve into fundamental topics essential for mastering cybersecurity.
Throughout this module, we will comprehensively explore the CISSP 8 security domains, providing a solid foundation for understanding the core principles of information security. We’ll also examine the various types of risk and discuss the nuances between threats, risks, and vulnerabilities, crucial concepts for assessing and mitigating cybersecurity threats effectively.
Additionally, we’ll delve into the NIST Risk Management Framework (RMF), offering insights into structured approaches to managing organizational risks. Understanding RMF is vital as it provides a systematic process for identifying, assessing, and mitigating risks across different cybersecurity contexts.
By the end of this module, you’ll have a robust understanding of these foundational concepts, empowering you to navigate and manage cybersecurity risks with confidence.
Let’s embark on this journey together and build a solid understanding of cybersecurity fundamentals in Module 1.
Main content:
Explore the CISSP security domains
Security posture: an organization’s ability to manage its defense of critical assets and data, and react to change
Security and risk management: focused on defining security goals and objectives, risk mitigation, compliance, business continuity, and legal regulations
Risk mitigation: the process of having the right procedures and rules in place to quickly reduce the impact of a risk like a breach
Business continuity: an organization’s ability to maintain their everyday productivity by establishing risk disaster recovery plans
Asset security: focused on securing digital and physical assets. It’s also related to the storage, maintenance, retention, and destruction of data
Example:
an organization might have you, as a security analyst, oversee the destruction of hard drives to make sure that they’re properly disposed of. This ensures that private data stored on those drives can’t be accessed by threat actors.
Security architecture and engineering: focused on optimizing data security by ensuring effective tools, systems, and processes are in place to protect an organization’s assets and data
Shared responsibility: one of the core concepts of secure design, means that all individuals within an organization take an active role in lowering risk and maintaining both physical and virtual security
Example:
Imagine a company implements a shared responsibility approach to cybersecurity. Here’s how it might work:
- Employee Awareness and Training: All employees receive regular cybersecurity training sessions. They learn about identifying phishing emails, using strong passwords, and recognizing potential security threats.
- Policy Adherence: Employees are expected to follow security policies such as locking their computers when away from their desks, not sharing passwords, and reporting any suspicious activity immediately.
- Reporting and Incident Response: If an employee notices something unusual, like a suspicious email or an unrecognized person in a restricted area, they are encouraged to report it promptly to the IT or security team.
- Management Support: Managers reinforce the importance of cybersecurity in team meetings and one-on-one discussions. They lead by example in following security protocols and promptly addressing any security concerns raised by their team members.
- IT Security Team: The IT security team implements robust technical controls like firewalls, antivirus software, and encryption. They also monitor the network for suspicious activity and conduct regular security assessments.
In this example, shared responsibility means that each employee understands their role in maintaining cybersecurity, from recognizing potential threats to adhering to security policies. By cultivating a culture where everyone takes ownership of security, the organization can better protect itself from cyber threats and vulnerabilities.
Communication and network security: focused on managing and securing physical networks and wireless communications
example: employees working remotely in public spaces need to be protected from vulnerabilities that can occur when they use insecure Bluetooth connections or public WiFi hotspots. By having security team members remove access to those types of communication channels at the organizational level, employees may be discouraged from practicing insecure behavior that could be exploited by threat actors. (This action typically involves configuring company-issued devices or network settings to restrict or disable insecure communication channels like Bluetooth and public WiFi when employees are working remotely in such public spaces.)
Identity and access management: focused on access and authorization to keep data secure, by making sure users follow established policies to control and manage assets
Components of IAM:
Identification: when a user verifies who they are by providing a username, an access card, or biometric data such as a fingerprint
Authentication: it is the verification process to prove a person’s identity, such as entering a password or PIN.
Authorization: it takes place after a user’s identity has been confirmed and relates to their level of access, which depends on the role in the organization.
Accountability: it refers to monitoring and recording user actions, like login attempts, to prove systems and data are used properly.
IAM uses what is referred to as the principle of least privilege, which is the concept of granting only the minimal access and authorization required to complete a task. As an example, a cybersecurity analyst might be asked to ensure that customer service representatives can only view the private data of a customer, such as their phone number, while working to resolve the customer’s issue; then remove access when the customer’s issue is resolved.
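The customer-service scenario above, sketched as an added example (not part of the course material or the original notes): access is granted per ticket, limited to named fields, time-bounded, revoked when the ticket closes, and every decision is logged for accountability. The class, agent names, field names, and customer record are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample record; field names are assumptions for this example.
CUSTOMERS = {"c-1001": {"phone": "555-0100", "email": "pat@example.com", "card_last4": "4242"}}


@dataclass(frozen=True)
class Grant:
    agent: str
    customer_id: str
    fields: frozenset
    expires: datetime


class TicketScopedAccess:
    """Grants exist only while a support ticket is open, and only for named fields."""

    def __init__(self, customers):
        self._customers = customers
        self._grants = {}    # ticket id -> Grant
        self.audit_log = []  # accountability: every grant, read, denial and revoke

    def _log(self, now, agent, action, detail):
        self.audit_log.append((now.isoformat(), agent, action, detail))

    def open_ticket(self, ticket, agent, customer_id, fields, now, ttl=timedelta(hours=4)):
        self._grants[ticket] = Grant(agent, customer_id, frozenset(fields), now + ttl)
        self._log(now, agent, "grant", f"{ticket} {customer_id} {sorted(fields)}")

    def close_ticket(self, ticket, now):
        grant = self._grants.pop(ticket, None)
        if grant is not None:
            self._log(now, grant.agent, "revoke", ticket)

    def read(self, agent, customer_id, field_name, now):
        for grant in self._grants.values():
            if (grant.agent == agent and grant.customer_id == customer_id
                    and field_name in grant.fields and now < grant.expires):
                self._log(now, agent, "read", f"{customer_id}.{field_name}")
                return self._customers[customer_id][field_name]
        self._log(now, agent, "denied", f"{customer_id}.{field_name}")
        raise PermissionError(f"{agent} has no active grant for {customer_id}.{field_name}")


def demo():
    """Grant on ticket open, deny out-of-scope reads, revoke when the issue is resolved."""
    iam = TicketScopedAccess(CUSTOMERS)
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    iam.open_ticket("T-1", "rep_ana", "c-1001", {"phone"}, now=t0)
    results = []
    for step, (agent, field_name) in enumerate(
            [("rep_ana", "phone"), ("rep_ana", "card_last4"),
             ("rep_bob", "phone"), ("rep_ana", "phone")]):
        if step == 3:  # issue resolved: access is removed before the last read
            iam.close_ticket("T-1", t0 + timedelta(minutes=10))
        try:
            results.append(iam.read(agent, "c-1001", field_name, t0 + timedelta(minutes=11 + step)))
        except PermissionError:
            results.append("DENIED")
    return results, [entry[2] for entry in iam.audit_log]
```

The denied attempts stay in `audit_log`, which is what lets a reviewer later confirm that systems and data were used properly.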
Security assessment and testing: focused on conducting security control testing, collecting and analyzing data, and conducting security audits to monitor for risks, threats, and vulnerabilities
An example of implementing a new control could be requiring the use of multi-factor authentication to better protect the organization from potential threats and risks.
Security operations: focused on conducting investigations and implementing preventative measures
Software development security: focused on using secure coding practices
The software development lifecycle is an efficient process used by teams to quickly build software products and features.
In this process, security is an additional step. By ensuring that each phase of the software development lifecycle undergoes security reviews, security can be fully integrated into the software product.
For example, performing a secure design review during the design phase, secure code reviews during the development and testing phases, and penetration testing during the deployment and implementation phase ensures that security is embedded into the software product at every step.
For example, an entry-level analyst working for a pharmaceutical company might be asked to make sure encryption is properly configured for a new medical device that will store private patient data.
Threats, risks, and vulnerabilities
Threat: any circumstance or event that can negatively impact assets
Social engineering: a manipulation technique that exploits human error to gain private information, access, or valuables
such as: phishing
Risk: anything that can impact the confidentiality, integrity, or availability of an asset
Example:
Scenario:
You are working as an entry-level security analyst for a small healthcare organization. One day, you discover that a server containing patient medical records has been infected with ransomware. The attackers are demanding a ransom payment in exchange for the decryption key.
Questions:
- What are the potential threats that could have led to this situation?
- What are the risks associated with these threats?
Answers:
Threats:
- Vulnerabilities: the server may be a file server that contained a vulnerability that was exploited by a threat actor.
- USB baiting: a threat actor may have strategically plugged a malicious USB drive into the server while it was left unsupervised
- Weak passwords: the server may have been secured using a very weak password
Risks:
- Loss of patients’ data: as the threat actor may delete it or keep it encrypted
- Reputational damage: as the company may start losing clients
- Fines and severe legal consequences
- Unethical use of company’s server: as server may be used in cryptocurrency mining operations or may be used as a bot in a botnet to launch a cyber attack
Low risk asset: information that would not harm the organization’s reputation or ongoing operations, and would not cause financial damage if compromised
example:
public information such as website content, or published research data.
Medium-risk asset: information that’s not available to the public and may cause some damage to the organization’s finances, reputation, or ongoing operations
example:
the early release of a company’s quarterly earnings could impact the value of their stock.
High-risk asset: information protected by regulations or laws, which if compromised would have a severe negative impact on an organization’s finances, ongoing operations, or reputation
example:
leaked assets with SPII, PII, or intellectual property.
Vulnerability: a weakness that can be exploited by a threat
example:
an outdated firewall, software, or application; weak passwords; or unprotected confidential data.
How can a company improve its security?
Educating people on how to identify a phishing email is a great starting point. Using access cards to grant employee access to physical spaces while restricting outside visitors is another good security measure.
Key impacts of Threats, risks, and vulnerabilities
Ransomware: a malicious attack where threat actors encrypt an organization’s data and demand payment to restore access
It can freeze network systems, leave devices unusable, and encrypt, or lock, confidential data, making devices inaccessible. The threat actor then demands a ransom before providing a decryption key to allow organizations to return to their normal business operations. Note that when ransom negotiations occur or data is leaked by threat actors, these events can occur through the dark web.
The web: an interlinked network of online content that’s made up of three layers: the surface web, the deep web, and the dark web
The surface web is the layer that most people use. It contains content that can be accessed using a web browser.
The deep web generally requires authorization to access it. An organization’s intranet is an example of the deep web, since it can only be accessed by employees or others who have been granted access.
The dark web can only be accessed by using special software. The dark web generally carries a negative connotation since it is the preferred web layer for criminals because of the secrecy that it provides.
Key impacts
- Financial: for example, interrupted production and services, the cost to correct the issue, and fines if assets are compromised because of non-compliance with laws and regulations.
- Identity theft: Storing any type of sensitive data presents a risk to the organization. Sensitive data can include personally identifiable information, or PII, which can be sold or leaked through the dark web. That’s because the dark web provides a sense of secrecy and threat actors may have the ability to sell data there without facing legal consequences.
- Reputation: An exploited vulnerability can lead customers to seek new business relationships with competitors or create bad press that causes permanent damage to an organization’s reputation. The loss of customer data doesn’t only affect an organization’s reputation and financials, it may also result in legal penalties and fines.
NIST’s Risk Management Framework
Steps of Risk Management Framework (RMF)
- Prepare
- Categorize
- Select
- Implement
- Assess
- Authorize
- Monitor
RMF Step 1: Prepare
Activities that are necessary to manage security and privacy risks before a breach occurs
RMF Step 2: Categorize
Used to develop risk management processes and tasks
Categorize is about sorting information systems based on how important they are and what could happen if they were compromised. This helps decide what security measures are needed to manage risks effectively.
RMF Step 3: Select
Choose, customize, and capture documentation of the controls that protect an organization
example:
keeping a playbook up-to-date or helping to manage other documentation that allows you and your team to address issues more efficiently.
RMF Step 4: Implement
Implement security and privacy plans for the organization
example:
if you notice a pattern of employees constantly needing password resets, implementing a change to password requirements may help solve this issue.
Example Explanation:
If employees frequently request password resets due to forgetting their passwords, implementing stricter password requirements — like requiring longer passwords with a mix of letters, numbers, and symbols — can enhance security. This makes passwords harder to guess but might require employees to use password managers or other tools to help remember them.
Brief and Short:
Implementing stronger password requirements, such as longer and more complex passwords, improves security but may require employees to adapt by using password managers for easier management.
RMF Step 5: Assess
Determine if established controls are implemented correctly
It’s essential to take the time to analyze whether the implemented protocols, procedures, and controls that are in place are meeting organizational needs. During this step, analysts identify potential weaknesses and determine whether the organization’s tools, procedures, controls, and protocols should be changed to better manage potential risks.
RMF Step 6: Authorize
Being accountable for the security and privacy risks that may exist in an organization
In Step 6 of the RMF, “authorize” means taking charge of security and privacy risks in your organization. As an analyst, this involves making sure that plans and reports are in place to meet security goals. It’s about ensuring that everything needed to protect the organization from risks is properly set up and managed.
RMF Step 7: Monitor
Be aware of how systems are operating
Some common strategies used to manage risks include:
- Acceptance: Accepting a risk to avoid disrupting business continuity
Acceptance, in the context of risk management, involves consciously deciding to tolerate or live with a certain level of risk without taking specific action to avoid it or mitigate its impact. Here’s an explanation:
Acceptance:
- Definition: Acceptance means acknowledging a risk and choosing not to implement additional controls or measures to reduce its likelihood or impact.
- Reasoning: Organizations may opt for acceptance when the cost or effort required to mitigate the risk outweighs the potential impact of the risk itself. It can also be a strategic decision based on the likelihood and impact assessment of the risk.
- Example: An organization might accept a low-risk event that has minimal impact on operations or finances, choosing to allocate resources to more critical areas of concern instead.
- Avoidance: Creating a plan to avoid the risk altogether
- Transference: Transferring risk to a third party to manage
- Mitigation: Lessening (reduce) the impact of a known risk
Legacy systems refer to older technology or software that is still in use within an organization, despite being outdated or not actively maintained. Here’s a brief explanation:
- Definition: Legacy systems are old systems, hardware, or software that may not be supported or updated anymore but are still functional and in use.
- Impact on Assets: These systems can impact assets (like workstations or databases) because they may have vulnerabilities that haven’t been patched or upgraded, making them susceptible to security risks.
- Examples:
- An old vending machine that accepts credit card payments but runs on outdated software vulnerable to hacking.
- Workstations connected to a legacy accounting system that no longer receives security updates, potentially exposing financial data to breaches.
- Management Challenge: Organizations face challenges in maintaining and securing legacy systems due to compatibility issues, lack of vendor support, and the potential for introducing vulnerabilities into the network.
In essence, while legacy systems continue to function, they pose security and operational risks due to their outdated nature and lack of modern security features and updates. Therefore, organizations need to carefully manage and monitor these systems to mitigate potential risks to their assets and operations.
Vulnerabilities
A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:
- ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location. The ProxyLogon vulnerability refers to a security flaw found in Microsoft Exchange Server software. Here’s a simplified explanation: ProxyLogon allowed hackers to access Exchange servers remotely without needing valid credentials. This meant they could steal data or install malicious software. Microsoft quickly released updates to fix this flaw, but it highlighted the importance of promptly applying security patches to protect against cyberattacks.
- ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person’s identity. Netlogon is a service that ensures a user’s identity before allowing access to a website’s location.
- Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.
- PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request. PetitPotam is a security issue that affects Windows servers. It allows attackers to force servers to give up data they shouldn’t. This can lead to serious problems like taking over a server or making it do things it shouldn’t.
- Security logging and monitoring failures: Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it. Security logging and monitoring failures occur when systems or networks fail to properly record and track events that could indicate potential security threats or breaches. Here’s a simple explanation: When security logging and monitoring fail, important events like unauthorized access attempts or suspicious activities may go unnoticed. This can prevent timely detection and response to security incidents, leaving systems vulnerable to attacks or data breaches. Effective security logging and monitoring is crucial for identifying and mitigating risks before they escalate into more significant security incidents.
- Server-side request forgery: Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.
Server-side request forgery (SSRF) is a type of security vulnerability where an attacker tricks a server into making requests on their behalf. For example, imagine a web application allows users to input a URL for fetching data. If the application doesn’t properly validate the URL and the attacker enters a malicious URL pointing to an internal server, the application might make requests to that server as instructed by the attacker. This could potentially expose sensitive internal resources to unauthorized access.
In SSRF, the attacker manipulates the server to send requests to other systems or resources, often bypassing security controls. This can lead to unauthorized access to sensitive data, exploitation of internal services, or even attacks on other servers. Preventing SSRF involves validating and restricting the types of requests servers can make to ensure they only interact with trusted resources, thereby mitigating the risk of such attacks.
example:
Imagine a web application has a feature that fetches content from external URLs based on user input. The application allows users to enter a URL, and behind the scenes, it fetches the content from that URL and displays it to the user. However, the application fails to properly validate or sanitize the input.
An attacker exploits this by entering a malicious URL pointing to an internal server within the organization’s network that is not meant to be accessible externally. The vulnerable web application, unaware of the malicious intent, sends a request to the internal server as instructed by the attacker. This could lead to unauthorized access to sensitive internal resources, such as databases, files, or administrative interfaces, potentially compromising the security of the entire network.
In this example, the attacker leverages SSRF to trick the vulnerable web application into making unauthorized requests to internal systems, exploiting the lack of proper input validation and potentially causing significant security risks.
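The "validate and restrict" step described above, as an added example (not code from the course or the original notes): a check a URL-fetch feature could run before making the request. The allowlisted hosts, the port policy, and the DNS answers are constructed assumptions; `sample_resolver` stands in for DNS so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumptions for this example: the fetch feature only ever needs these hosts.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"cdn.example.com", "feeds.example.org"}
ALLOWED_PORTS = {443}

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {
    "cdn.example.com": ["93.184.216.34"],  # public address
    "feeds.example.org": ["10.0.0.5"],     # allowlisted name that points inside the network
}


def system_resolver(host):
    """Real lookup: every address the name currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def sample_resolver(host):
    """Offline stand-in for DNS, backed by the constructed SAMPLE_DNS table."""
    return SAMPLE_DNS.get(host, [])


def check_fetch_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied URL before the server fetches it."""
    try:
        parts = urlsplit(url)
        port = 443 if parts.port is None else parts.port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addresses = resolver(host)
    except OSError:
        addresses = []
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        # Reject loopback, private, link-local and other non-public ranges.
        if not ipaddress.ip_address(addr.split("%")[0]).is_global:
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


def demo():
    """Run the check over constructed inputs, including an internal-server URL."""
    urls = [
        "https://cdn.example.com/logo.png",
        "http://cdn.example.com/logo.png",
        "https://10.0.0.5/admin",
        "https://cdn.example.com@10.0.0.5/",
        "https://feeds.example.org/rss",
        "https://cdn.example.com:8443/",
    ]
    return [check_fetch_url(u, sample_resolver) for u in urls]
```

In a real fetcher the request should connect to the same address that was checked, and redirects should be disabled or passed through the same check, otherwise the validation can be sidestepped after it runs.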