
Cyber Security Terms

The document provides definitions and explanations of various cybersecurity terms, including types of attacks, vulnerabilities, and security principles. It emphasizes the importance of understanding these concepts for effective cybersecurity practices. Additionally, it outlines key takeaways for entry-level security analysts to promote safe development practices.

Uploaded by Farai Mutyasera
Copyright: © All Rights Reserved

https://www.cisa.gov/resources-tools/resources/free-cybersecurity-services-and-tools

https://ccdcoe.org/research/tallinn-manual/

critical infrastructure - Glossary | CSRC: https://csrc.nist.gov/glossary/term/critical_infrastructure#:~:text=Definition(s)%3A,any%20combination%20of%20those%20matters.

Executive Order on Improving the Nation's Cybersecurity | The White House: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

OWASP Top Ten | OWASP Foundation: https://owasp.org/www-project-top-ten/

Get started with GitHub - Google Docs: https://docs.google.com/document/d/13nqRTU4H14NFytodh_tbafXthjNRD7aWU_4Cjq7pKG8/template/preview#heading=h.m08l38wqbrm0

Terms and definitions from Course 1, Module 2

Adversarial artificial intelligence (AI): A technique that manipulates artificial intelligence (AI) and machine learning (ML) technology to conduct attacks more efficiently

Business Email Compromise (BEC): A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage

CISSP: Certified Information Systems Security Professional is a globally recognized and highly sought-after information security certification, awarded by the International Information Systems Security Certification Consortium

Computer virus: Malicious code written to interfere with computer operations and cause damage to data and software

Cryptographic attack: An attack that affects secure forms of communication between a sender and intended recipient

Hacker: Any person who uses computers to gain access to computer systems, networks, or data

Malware: Software designed to harm devices or networks

Password attack: An attempt to access password secured devices, systems, networks, or data

Phishing: The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Physical attack: A security incident that affects not only digital but also physical environments where the incident is deployed

Physical social engineering: An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location

Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables

Social media phishing: A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack

Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

Supply-chain attack: An attack that targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed

USB baiting: An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network

Virus: refer to “computer virus”

Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

Watering hole attack: A type of attack when a threat actor compromises a website frequently visited by a specific group of users

Asset: An item perceived as having value to an organization

Availability: The idea that data is accessible to those who are authorized to access it

Compliance: The process of adhering to internal standards and external regulations

Confidentiality: The idea that only authorized users can access specific assets or data

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies

Hacktivist: A person who uses hacking to achieve a political goal

Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law established to protect patients' health information

Integrity: The idea that the data is correct, authentic, and reliable

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Privacy protection: The act of safeguarding personal information from unauthorized use

Protected health information (PHI): Information that relates to the past, present, or future physical or mental health or condition of an individual

Security architecture: A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats

Security controls: Safeguards designed to reduce specific security risks

Security ethics: Guidelines for making appropriate decisions as a security professional

Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy

Security governance: Practices that help support, define, and direct security efforts of an organization

Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling

Antivirus software: A software program used to prevent, detect, and eliminate malware and viruses

Database: An organized collection of information or data

Data point: A specific piece of information

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

Linux: An open-source operating system

Log: A record of events that occur within an organization’s systems

Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic within a network

Order of volatility: A sequence outlining the order of data that must be preserved from first to last

Programming: A process that can be used to create a specific set of instructions for a computer to execute tasks

Protecting and preserving evidence: The process of properly working with fragile and volatile digital evidence

Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization

SQL (Structured Query Language): A query language used to create, interact with, and request information from a database

Vulnerabilities

A vulnerability is a weakness that can be exploited by a threat. Therefore, organizations need to regularly inspect for vulnerabilities within their systems. Some vulnerabilities include:

• ProxyLogon: A pre-authenticated vulnerability that affects the Microsoft Exchange server. This means a threat actor can complete a user authentication process to deploy malicious code from a remote location.

• ZeroLogon: A vulnerability in Microsoft’s Netlogon authentication protocol. An authentication protocol is a way to verify a person's identity. Netlogon is a service that ensures a user’s identity before allowing access to a website's location.

• Log4Shell: Allows attackers to run Java code on someone else’s computer or leak sensitive information. It does this by enabling a remote attacker to take control of devices connected to the internet and run malicious code.

• PetitPotam: Affects Windows New Technology Local Area Network (LAN) Manager (NTLM). It is a theft technique that allows a LAN-based attacker to initiate an authentication request.

• Security logging and monitoring failures: Insufficient logging and monitoring capabilities that result in attackers exploiting vulnerabilities without the organization knowing it

• Server-side request forgery: Allows attackers to manipulate a server-side application into accessing and updating backend resources. It can also allow threat actors to steal data.

Security principles

In the workplace, security principles are embedded in your daily tasks. Whether you are analyzing logs, monitoring a security information and event management (SIEM) dashboard, or using a vulnerability scanner, you will use these principles in some way.

Previously, you were introduced to several OWASP security principles. These included:

• Minimize attack surface area: Attack surface refers to all the potential vulnerabilities a threat actor could exploit.

• Principle of least privilege: Users have the least amount of access required to perform their everyday tasks.

• Defense in depth: Organizations should have varying security controls that mitigate risks and threats.

• Separation of duties: Critical actions should rely on multiple people, each of whom follows the principle of least privilege.

• Keep security simple: Avoid unnecessarily complicated solutions. Complexity makes security difficult.

• Fix security issues correctly: When security incidents occur, identify the root cause, contain the impact, identify vulnerabilities, and conduct tests to ensure that remediation is successful.

Additional OWASP security principles

Next, you’ll learn about four additional OWASP security principles that
cybersecurity analysts and their teams use to keep organizational
operations and people safe.

Establish secure defaults

This principle means that the optimal security state of an application is also its default state for users; it should take extra work to make the application insecure.

Fail securely

Fail securely means that when a control fails or stops, it should do so by defaulting to its most secure option. For example, when a firewall fails it should simply close all connections and block all new ones, rather than start accepting everything.

Don’t trust services

Many organizations work with third-party partners. These outside partners often have different security policies than the organization does. And the organization shouldn’t explicitly trust that their partners’ systems are secure. For example, if a third-party vendor tracks reward points for airline customers, the airline should ensure that the balance is accurate before sharing that information with their customers.
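
The following sketch is an added example, not part of the original document. It applies both "fail securely" and "don't trust services" to the airline reward-points scenario above. The vendor client, the airline-side ledger value, the response fields and the MAX_POINTS limit are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MAX_POINTS = 10_000_000  # assumed business limit, not from the original page

class VendorError(Exception):
    """Raised by the (hypothetical) vendor client on timeout or error."""

@dataclass(frozen=True)
class BalanceResult:
    show_balance: bool       # may a number be shown to the customer?
    points: Optional[int]
    reason: str

def validate_vendor_balance(payload, member_id, ledger_points):
    """Don't trust services: treat the vendor's reply as untrusted input."""
    if not isinstance(payload, dict):
        return BalanceResult(False, None, "malformed response")
    if payload.get("member_id") != member_id:
        return BalanceResult(False, None, "member mismatch")
    points = payload.get("points")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(points, bool) or not isinstance(points, int):
        return BalanceResult(False, None, "points not an integer")
    if not 0 <= points <= MAX_POINTS:
        return BalanceResult(False, None, "points out of range")
    if points != ledger_points:  # assumed airline-side record to compare with
        return BalanceResult(False, None, "disagrees with airline ledger")
    return BalanceResult(True, points, "ok")

def get_balance_for_display(fetch, member_id, ledger_points):
    """Fail securely: every failure path ends in 'show nothing'."""
    try:
        payload = fetch(member_id)
    except Exception:        # the deny decision is the default on any error
        return BalanceResult(False, None, "vendor unavailable")
    return validate_vendor_balance(payload, member_id, ledger_points)

# Constructed stand-ins for the vendor API (sample data, not real responses).
def fetch_ok(member_id):
    return {"member_id": member_id, "points": 1200}

def fetch_tampered(member_id):
    return {"member_id": member_id, "points": 999_999}

def fetch_down(member_id):
    raise VendorError("timeout")
```

Only the path where the vendor answers, the reply is well-formed and it matches the airline's own record returns a balance; a vendor outage or a mismatched value returns a result with show_balance set to False.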

Avoid security by obscurity

The security of key systems should not rely on keeping details hidden.
Consider the following example from OWASP (2016): OWASP Mobile Top 10

The security of an application should not rely on keeping the source code
secret. Its security should rely upon many other factors, including
reasonable password policies, defense in depth, business transaction
limits, solid network architecture, and fraud and audit controls.

Key takeaways

Cybersecurity professionals are constantly applying security principles to safeguard organizations and the people they serve. As an entry-level security analyst, you can use these security principles to promote safe development practices that reduce risks to companies and users alike.
