Data and Data Science

 

SAP Mass Transport (Sony UK 2012 to 2016)

 In the context of SAP (Systems, Applications, and Products in Data Processing), a "mass transport" refers to the process of moving changes or developments from one SAP system to another. This is typically done using the Transport Management System (TMS), a tool provided by SAP for managing the transportation of changes across various SAP landscapes, such as development, quality assurance, and production environments.

Here's how the process generally works:

Development: Changes are made in the development environment, such as creating or modifying programs, reports, configurations, or customizations.

Transport Request Creation: Once the changes are completed and tested in the development system, they are bundled together into a transport request. This request contains all the necessary information and objects required to implement the changes in other systems.

Release of Transport Request: The transport request is then released by an authorized person. Releasing the transport request signifies that the changes are ready to be moved to other systems.

Importing into Other Systems: The released transport request is imported into other systems, such as quality assurance or production environments, using the Transport Management System. During this process, the system checks dependencies and ensures that the changes are applied correctly.

Testing: After the changes are imported into the target systems, thorough testing is performed to ensure that the functionality works as expected and that there are no adverse effects on other processes.

Approval and Confirmation: Once testing is successful, the changes are approved, and confirmation is sent back to the development team.

Documentation: It's essential to maintain proper documentation throughout the process, including documenting the changes made, the transport requests created, and any issues encountered and their resolutions.

By using mass transport, SAP enables organizations to maintain consistency and integrity across their SAP landscapes while facilitating efficient development and deployment processes.

Foundations of Cybersecurity - Google

1. Introduction to Cybersecurity

• Define the field of security

Security analysts are responsible for monitoring and protecting information and systems.

• Recognize core skills and knowledge needed to become a security analyst
• Identify how security attacks impact business operations
• Identify eight security domains
• Define security frameworks and controls

Blue team: Protecting users in BAU

Red team: Proactively tests to identify vulnerabilities and fix them to prevent security intrusions.

Operations team:  Responding to detections, BAU. Support work. (Analyst).

Project team: working with other teams, new detections, or improving current detections, on new features, modules, etc. Dev work. (Engineer)

Playbook: similar to a runbook that tells you how to respond to a given detection. 

Key terminology

Compliance is the process of adhering to internal standards and external regulations and enables organizations to avoid fines and security breaches.

Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy.

Security controls are safeguards designed to reduce specific security risks. They are used with security frameworks to establish a strong security posture.

Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. A strong security posture leads to lower risk for the organization.

A threat actor, or malicious attacker, is any person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.

An internal threat can be a current or former employee, an external vendor, or a trusted partner who poses a security risk. At times, an internal threat is accidental. For example, an employee who accidentally clicks on a malicious email link would be considered an accidental threat. Other times, the internal threat actor intentionally engages in risky activities, such as unauthorized data access.

Network security is the practice of keeping an organization's network infrastructure secure from unauthorized access. This includes data, services, systems, and devices that are stored in an organization’s network.

Cloud security is the process of ensuring that assets stored in the cloud are properly configured, or set up correctly, and access to those assets is limited to authorized users. The cloud is a network made up of a collection of servers or computers that store resources and data in remote physical locations known as data centers that can be accessed via the internet. Cloud security is a growing subfield of cybersecurity that specifically focuses on the protection of data, applications, and infrastructure in the cloud.

Programming is a process that can be used to create a specific set of instructions for a computer to execute tasks. These tasks can include:

• Automation of repetitive tasks (e.g., searching a list of malicious domains)
• Reviewing web traffic 
• Alerting suspicious activity 

2. Play It Safe: Manage Security Risks

• Recognize and explain the focus of eight security domains
• Identify the steps of risk management
• Describe the CIA triad
• Identify security principles
• Define and describe the purpose of a playbook
• Explain how entry-level security analysts use SIEM dashboards

3. Connect and Protect: Networks and Network Security

• Define types of networks
• Explain how data is sent and received over a network
• Recognize common network protocols
• Compare and contrast local networks to cloud computing
• Explain how to secure a network against intrusion tactics

4. Tools of the Trade: Linux and SQL

• Describe the main functions of an operating system
• Explain the relationship between operating systems, applications, and hardware
• Compare a graphical user interface to a command line interface
• Navigate the file system using Linux commands via the Bash shell
• Use SQL to retrieve information from a database

5. Assets, Threats, and Vulnerabilities

• Explain security’s role in mitigating organizational risk
• Describe the defense in depth strategy
• Explain how vulnerability assessments are used to assess potential risk
• Develop an attacker mindset to recognize threats
• Discuss the role encryption and hashing play in securing assets
• Identify forms of social engineering, malware, and web-based exploits

6. Sound the Alarm: Detection and Response

• Explain the lifecycle of an incident
• Use packet sniffing tools to capture and view network communications
• Perform artifact investigations to analyze and verify security incidents
• Identify the steps to contain, eradicate, and recover from an incident
• Interpret the basic syntax and components of signatures and logs in IDS and NIDS tools

7. Automate Cybersecurity Tasks with Python

• Explain how the Python programming language is used in security
• Write a simple algorithm
• Use regular expressions in Python to extract information from text
• Use Python to automate tasks performed by security professionals
• Use Python to parse a file

8. Put It to Work: Prepare for Cybersecurity Jobs

• Define stakeholders and describe their security roles
• Communicate sensitive information with care and confidentiality
• Identify reliable sources within the security community
• Determine opportunities to become engaged with the security community
• Determine ways to establish and advance a career in security, by engaging with the security community
• Find, apply for, and prepare for job interviews

=========================================================================

Key skills required in cybersecurity.

1. Transferable skills

-------------------

1. Communication

2. Collaboration

3. Analyse complex scenarios

4. Problem solving

5. Time management - is crucial as this requires ability to focus on high priority incidents towards resolution to minimize impact to critical assets and data.

2. Tech skills

-----------

1. Programming languages

2. Security information and event management tools (SIEM)

3. Computer forensics

4. Intrusion detection systems (IDS) - IDS monitors n/w activity and alerts for possible intrusions.

5. Threat landscape knowledge - being aware of current threat trends and actors as well as malware.

6. Incident response: 

PII, SPII and Identity Theft

PII (Personally Identifiable Information): any info used to infer individual's identity.

-----------------------------------------

> Person's name

> Address

> Email address

> Physical address

> Phone address

> IP Address

> etc.

SPII (Sensitive PII)

--------------------

> Specific type of PII

> SSO

> Medial or financial info

> Biometrics (facial recog)

If SPII is stolen, This is significantly more damaging to individual.

PII and SPII are key data that a threat actor will look out for to impersonate the person to commit fraud. The term used for this is called Identity Theft. 

Primary objective of identity theft is financial gain.

=========================================================================

History of Cybersecurity

1. Viruses
2. Malware
3. Social Engineering
4. Digital Age

Key terms

• Computer virus (presently called malware - affect devices or networks)
• Brain virus: 1986; by Alvi brothers Pakistan. 
• Moris worm
• 
  

Past security attacks

Brain

Discovered in 1986, Brain was the first virus to target IBM PC platforms (and, by extension, the MS-DOS operating system). By using techniques to hide its existence, it was also the first stealth virus. Created by two brothers from Pakistan, Basit Farooq Alvi and Amjad Farooq Alvi, Brain infected the boot sector of a floppy disk.

But why was it written? The Alvi brothers were operating a computer store in the Pakistani city of Lahore when they noticed pirated copies of a computer program they had written being circulated by their customers. This got them thinking about how they could teach their customers a lesson: enter Brain, also known as Pakistani Brain.

As explained in an interview with security expert Mikko Hypponen in 2011, the virus was created solely for addressing illegal copies of their program. In addition to a message warning users that they were running bootleg software, the virus’s code also included the brothers’ names, phone numbers, and their store’s address. According to the brothers, the virus was “not made to destroy any data”. Rather, it was intended to ensure that users whose machines had become infected due to using pirated software could contact them for “vaccination”.

Nevertheless, they never expected that the first phone call would come from the United States, nor that the virus would spread to various parts of the world.

Morris

The Morris Worm, sometimes also called the Internet Worm, entered the history books as the first computer worm that was distributed over the Internet and that compromised thousands of computers, drawing massive media attention in the process. It was written and unleashed in 1988 by Robert Tappan Morris, a 23-year-old doctoral student at Cornell University and the son of Robert Morris Sr., a famous cryptographer and formerly the chief scientist at the NSA's National Computer Security Center.

Back then, the Internet consisted of approximately 60,000 machines, some 6,000 of which were infected by the worm. After the code was released from a computer at Massachusetts Institute of Technology (MIT) in November 1988, much of the then Internet was paralyzed. This ultimately led to the establishment of the first Computer Emergency Response Team (CERT).

The worm operated by exploiting vulnerabilities in Unix's sendmail, fingerd, and rsh/rexec, while also taking advantage of weak passwords. It comprised 99 lines of code and, of course, had the ability to replicate and propagate itself. It became a dangerous threat due to a flaw in its propagation mechanism, having eventually infected thousands of computers at universities, in government laboratories, as well as in companies.

Besides the damage that it caused, the worm also exposed many security weaknesses, revealing the need for reviewing password protection procedures, among other measures.

According to statements made by Robert Morris back then, the worm was never intended to be malicious or spread so quickly. It is not certain why exactly it was created and launched, although it is often thought that Morris “only” sought to find out how big the Internet was. At any rate, when Morris realized that the worm was spreading so wildly, he asked a friend to send an email to apologize for his creation and to give instructions on how to kill it. Given the chaos that the malware caused, however, his message went unnoticed.

The worm’s creator became the first person to be convicted under the then recent Computer Fraud and Abuse Act. He was sentenced to three years of probation and ordered to pay a $10,050 fine and to perform 400 hours of community service.

Attacks in Digital Age

Love Letter Malware and Equifax breach

• Onel De Guzman created the LoveLetter malware in 2000 to steal internet login credentials
• LoveLetter attack was an example of social engineering
• Equifax breach (2017 - credit reporting agency; 143 mil cust records stolen. 40% of all Americans. SSNO, home addr, credit card nos, and more; 575 million penalty) resulted in the theft of millions of customers' PII and highlighted the financial consequences of a breach
• Morris worm led to the development of computer security incident response teams (CSIRTs)
• Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software

Phishing

Phishing is the use of digital communications to trick people into revealing sensitive data or deploying malicious software. 

Some of the most common types of phishing attacks today include: 

Business Email Compromise (BEC): A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.

Spear phishing: A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.

Whaling: A form of spear phishing. Threat actors target company executives to gain access to sensitive data.

Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.

Smishing: The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.

Malware

Malware is software designed to harm devices or networks. There are many types of malware. The primary purpose of malware is to obtain money, or in some cases, an intelligence advantage that can be used against a person, an organization, or a territory.  

Some of the most common types of malware attacks today include: 

Viruses: Malicious code written to interfere with computer operations and cause damage to data and software. A virus needs to be initiated by a user (i.e., a threat actor), who transmits the virus via a malicious attachment or file download. When someone opens the malicious attachment or download, the virus hides itself in other files in the now infected system. When the infected files are opened, it allows the virus to insert its own code to damage and/or destroy data in the system.

Worms: Malware that can duplicate and spread itself across systems on its own. In contrast to a virus, a worm does not need to be downloaded by a user. Instead, it self-replicates and spreads from an already infected computer to other devices on the same network.

Ransomware: A malicious attack where threat actors encrypt an organization's data and demand payment to restore access. 

Spyware: Malware that’s used to gather and sell information without consent. Spyware can be used to access devices. This allows threat actors to collect personal data, such as private emails, texts, voice and image recordings, and locations.

Social Engineering 

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. Human error is usually a result of trusting someone without question. It’s the mission of a threat actor, acting as a social engineer, to create an environment of false trust and lies to exploit as many people as possible. 

Some of the most common types of social engineering attacks today include:

Social media phishing: A threat actor collects detailed information about their target from social media sites. Then, they initiate an attack.

Watering hole attack: A threat actor attacks a website frequently visited by a specific group of users.

USB baiting: A threat actor strategically leaves a malware USB stick for an employee to find and install, to unknowingly infect a network. 

Physical social engineering: A threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location.

CISSP Security Domains [Certified Information Systems Security Professional]

1. Security and Risk Management

2. Asset Security

3. Security Architecture and Engineering

4. Communications and Network Security

5. Identity and Access Management.

6. Security Assessment and Testing.

7. Security Operations.

8. Software Development Security

1. Security and Risk management

Focuses on:

a. Defining security goals and objectives.

b. Risk mitigation

c. Compliance

d. Business continuity

e. The Law

For example, security analysts may need to update company policies related to private health information if a change is made to a federal compliance regulation such as the Health Insurance Portability and Accountability Act, also known as HIPAA.

2. Asset Security

Security digital and physical assets

Data storage, maintenance, retention and destruction of data

3. Security Architecture & Engg

Optimizing data security by ensuring effective tools, systems, and processes are in place.

For e.g., setting up and configuring a firewall to monitor and filter incoming traffic. Also processes and procedures in place to detect, report and counter breaches. 

4. Communication & Network Security

Manage and secure physical networks and wireless communications

Imagine discovering that users are connecting to unsecured wireless hotspots. This could leave the organization and its employees vulnerable to attacks. To ensure communications are secure, you would create a network policy to prevent and mitigate exposure.

5. Identity and Access Management

Keep data secure by:

Ensure users follow established policies to control and manage physical assets like office spaces and logical assets such as networks and applications.

Identity and Access Management (IAM) refers to the framework of policies, technologies, and processes that ensure the appropriate individuals in an organization have the right access to the right resources at the right times for the right reasons.

Validating the identities of employees and documenting access roles are essential to maintaining the organization's physical and digital security. For example, as a security analyst, you may be tasked with setting up employees' keycard access to buildings.

6. Security Assessment and Testing [Proactive activities]

Conducting security control testing

Collecting and analyzing data

Conducting security audits to monitor for risks, threats and vulnerabilities.

For example, access to payroll information is often limited to certain employees, so analysts may be asked to regularly audit permissions to ensure that no unauthorized person can view employee salaries.

7. Security Operations

Conducting investigations and implementing preventative measures. 

Imagine that you, as a security analyst, receive an alert that an unknown device has been connected to your internal network. You would need to follow the organization's policies and procedures to quickly stop the potential threat.

8. Software Development Security

Focuses on using secure coding practices, which are a set of recommended guidelines that are used to create secure applications and services. A security analyst will work with a software development team to ensure the code is secure.  

Please recall the SBD Certificate that was issued to my projects in Westpac. (Secury By Design). Security team used to run a tool to review the code and if any security vulnerabilities are found, Dev team used to fix them. Later on Sonarcube took over. 

- Engage security team.

- Run security tool on the codebase

- Fix any potential security vulnerabilities

- Get security certificate that is crucial to go ahead with prod deployment.

Types of Attacks

Password Attack

A password attack is an attempt to access password-secured devices, systems, networks, or data.

- Brute force

- Rainbow attack

Social engineering attack

Social engineering is a manipulation technique that exploits human error to gain private information, access, or valuables. 

- Phising

- Smishing

- Vishing

- Spear Phising

- Whaling

- Social media phising

- Business email compromise

- Watering hole attack

- USB baiting

- Physical social engineering

Physical attack

A physical attack is a security incident that affects not only digital but also physical environments where the incident is deployed.

- Malicious USB cable drive

- Malicious flash drive

- Card cloning and skimming

Adverserial AI 

Adversarial artificial intelligence is a technique that manipulates artificial intelligence and machine learning  technology to conduct attacks more efficiently. 

Supply chain attack

A supply-chain attack targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed. Because every item sold undergoes a process that involves third parties, this means that the security breach can occur at any point in the supply chain. These attacks are costly because they can affect multiple organizations and the individuals who work for them. 

Cryptographic attack

A cryptographic attack affects secure forms of communication between a sender and intended recipient. Some forms of cryptographic attacks are: 

- Birthday

- Collision

- Downgrade

Understanding Attackers

A threat actor is any person or group who presents a security risk.

Threat actor types:

Advanced Persistent Threats

Advanced persistent threats (APTs) have significant expertise accessing an organization's network without authorization. APTs tend to research their targets (e.g., large corporations or government entities)  in advance and can remain undetected for an extended period of time. Their intentions and motivations can include:

- Damaging critical infrastructure, such as the power grid and natural resources

- Gaining access to intellectual property, such as trade secrets or patents

Insider Treats

Insider threats abuse their authorized access to obtain data that may harm an organization. Their intentions and motivations can include: 

- Sabotage

- Corruption

- Espionage

- Unauthorized data access or leaks.

Hacktivists

Hacktivists are threat actors that are driven by a political agenda. They abuse digital technology to accomplish their goals, which may include: 

- Demonstrations

- Propaganda

- Social change campaigns

- Fame

Hacker Types

A hacker is any person who uses computers to gain access to computer systems, networks, or data. They can be beginner or advanced technology professionals who use their skills for a variety of reasons. There are three main categories of hackers:

- Authorized hackers (ethicak hackers)

- Semi authorized hackers - resarchers. Don't take advantage of vulnerabilities.

- Unauthorized hackers are also called unethical hackers. They are malicious threat actors who do not follow or respect the law. Their goal is to collect and sell confidential data for financial gain. 

Frameworks and Controls

Focus is how organizations protect themselves from threats, risks, and vulnerabilities by covering key principles such as: frameworks, controls, and ethics.

Security frameworks

Are guidelines used to building plans to help mitigate risks and threats to data and privacy. Security frameworks provide a structured approach to implementing a security lifecycle. 

Security lifecycle: is a constantly evolving set of policies and standards that define how an organization manages risks, follows established guidelines, and meets regulatory compliance or laws.

Purpose of security framework:

- Protecting PII

- Securing financial information

- Identifying security weaknesses

- Managing organziational risks

- Aligning security with business goals.

1. Identifying and documenting security goals: 
1. Example an org may have a security goal to align to the European GDPR (General Data Protection Regulation). 
2. GDPR helps European Citizens to have better control over their personal data.
3. For example, analyst may be asked to Identify and document compliance with respect to GDPR.
2.  Setting guidelines to achieve security goals.
1. For example, to implement security guidelines for GDPR, org may need to develop new policies for how to handle data requests from individual users.
3. Implementing strong security processes
1. Analyst may help design procedures to ensure org complies with GDPR against verified user data requests. Example, when a user attempts to update or delete their profile information. 
4. Monitoring and communicating results.
1. Example, monitor org's internal network and report a potential security issue affecting GDPR to manager / regulatory compliance officer. 

Security Control

Safeguards to reduce specific security risks. For example, your company may have a guideline that requires all employees to complete a privacy training to reduce the risk of data breaches. As a security analyst, you may use a software tool to automatically assign and track which employees have completed this training.

Secure Design

Specific frameworks and controls that organizations can voluntarily use to minimize risks to their data and to protect users

CIA Triad

The CIA triad is a foundational model that helps inform how organizations consider risk when setting up systems and security policies. CIA stands for confidentiality, integrity, and availability.

Confidentiality: Only authorised users can access specific assets or data. Strict access controls need to be put in place to ensure confidential data remains safe.  

Integrity: Data is correct, authentic, and reliable. Can use form of data protection like encryption to safeguard data tampering. In Westpac in my projects, I have used Rowcount and MD5 Checksum to ensure data integraty between source and destination systems. 

Availability: Data is accessible to those who are authorized to access it. 

NIST CSF (National Instituate of Standards and Technology Cyber Security Framework)

The NIST Cybersecurity Framework is a voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

It's important to become familiar with this framework because security teams use it as a baseline to manage short and long-term risk. 

Controls, frameworks, and compliance 

CIA Triad and NIST CSF are two frameworks to establish appropriate controls that mitigate threats, risks and vulnerabilities. Security frameworks are guidelines used for building plans to help mitigate risks and threats to data and privacy.

They have 4 components:

- Identifying and documenting security goals. 

- Setting guidelines to achieve security goals.

- Implementing strong security processes.

- Monitoring and communicating results. 

Security controls are safeguards designed to reduce specific security risks. So they are used alongside frameworks to ensure that security goals and processes are implemented correctly and that organizations meet regulatory compliance requirements.

Compliance is the process of adhering to internal standards and external regulations.

Additional controls, frameworks and compliance standards.

The Federal Energy Regulatory Commission - North American Electric Reliability Corporation (FERC-NERC)

FERC-NERC is a regulation that applies to organizations that work with electricity or that are involved with the U.S. and North American power grid. These types of organizations have an obligation to prepare for, mitigate, and report any potential security incident that can negatively affect the power grid. They are also legally required to adhere to the Critical Infrastructure Protection (CIP) Reliability Standards defined by the FERC. 

The Federal Risk and Authorization Management Program (FedRAMP®)

FedRAMP is a U.S. federal government program that standardizes security assessment, authorization, monitoring, and handling of cloud services and product offerings. Its purpose is to provide consistency across the government sector and third-party cloud providers. 

Center for Internet Security (CIS®)

CIS is a nonprofit with multiple areas of emphasis. It provides a set of controls that can be used to safeguard systems and networks against attacks. Its purpose is to help organizations establish a better plan of defense. CIS also provides actionable controls that security professionals may follow if a security incident occurs. 

General Data Protection Regulation (GDPR)

GDPR is a European Union (E.U.) general data regulation that protects the processing of E.U. residents’ data and their right to privacy in and out of E.U. territory. For example, if an organization is not being transparent about the data they are holding about an E.U. citizen and why they are holding that data, this is an infringement that can result in a fine to the organization. Additionally, if a breach occurs and an E.U. citizen’s data is compromised, they must be informed. The affected organization has 72 hours to notify the E.U. citizen about the breach.

Payment Card Industry Data Security Standard (PCI DSS)

PCI DSS is an international security standard meant to ensure that organizations storing, accepting, processing, and transmitting credit card information do so in a secure environment. The objective of this compliance standard is to reduce credit card fraud. 

The Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S. federal law established in 1996 to protect patients' health information. This law prohibits patient information from being shared without their consent. It is governed by three rules: 

Privacy

Security 

Breach notification 

Organizations that store patient data have a legal obligation to inform patients of a breach because if patients' Protected Health Information (PHI) is exposed, it can lead to identity theft and insurance fraud. PHI relates to the past, present, or future physical or mental health or condition of an individual, whether it’s a plan of care or payments for care. Along with understanding HIPAA as a law, security professionals also need to be familiar with the Health Information Trust Alliance (HITRUST®), which is a security framework and assurance program that helps institutions meet HIPAA compliance.

International Organization for Standardization (ISO) 

ISO was created to establish international standards related to technology, manufacturing, and management across borders. It helps organizations improve their processes and procedures for staff retention, planning, waste, and services. 

System and Organizations Controls (SOC type 1, SOC type 2)

The American Institute of Certified Public Accountants® (AICPA) auditing standards board developed this standard. The SOC1 and SOC2 are a series of reports that focus on an organization's user access policies at different organizational levels such as: 

Associate

Supervisor

Manager

Executive

Vendor 

Others 

They are used to assess an organization’s financial compliance and levels of risk. They also cover confidentiality, privacy, integrity, availability, security, and overall data safety. Control failures in these areas can lead to fraud.

Ethics in Cybersecurity

Adhere to policy procedures and protocols. 

Security Ethics are guidelines for making appropriate decisions as a security professional.

Ethical principles in Cybersecurity

1. Confidentiality
1. Its your ethical duty to keep proprietary and private information such as PII confidential and safe. 
2. For example, if you want to give computer access to your friend outside of properly documented channels, then that is a violation of above and can result in serious consequences.
2. Privacy protection means safeguarding personal information from unauthorised use. For example, imagine you receive a personal email after hours from your manager requesting a colleague's home phone number. Your manager explains that they can't access the employee database at the moment, but they need to discuss an urgent matter with that person.
3. Laws are rules that are recognized by a community and enforced by a governing entity. For example, consider a staff member at a hospital who has been trained to handle PII, and SPII for compliance. The staff member has files with confidential data that should never be left unsupervised, but the staff member is late for a meeting. Instead of locking the files in a designated area, the files are left on the staff member's desk, unsupervised. Upon the employee's return, the files are missing. The staff member has just violated multiple compliance regulations, and their actions were unethical and illegal, since their negligence has likely resulted in the loss of private patient and hospital data.

Ethical concerns and laws related to counterattacks 

Counterattacks

USA Standpoint: Deploying a counterattack on a threat actor is illegal. You can defend, but cannot launch counter offensive. Counterattack is considered vigilantism. A vigilante is a person who is not a member of the law but decides to stop crime on own. Because threat actors are criminals, counterattacks can exacerbate the situation leading to more damage and harm.

International standpoint: ICJ / International Court of Justice: Is acceptable under the given scenarios.

- Counterattack will affect only the party that has attacked first. 

- Counterattack is a direct communication asking the attacker to stop.

- Counterattack does not escalate the situation. 

- Counterattack effects can be reversed.

Because counterattacks are generally disapproved of or illegal, the security realm has created frameworks and controls—such as the confidentiality, integrity, and availability (CIA) triad and others discussed earlier in the program—to address issues of confidentiality, privacy protections, and laws. 

Tools and Programming Languages used in Cybersecurity

• SIEM Tools
• Security Information and Event Management
• SIEM is an application that collects and analyzes log data to monitor critical activities in an organization.
• Collect real time information.
• SIEM provides alerts for specific types of risks and threats.
• E.g. of SIEM tools - SPLUNK, Chronicle.
• Splunk: Splunk is a big data platform that simplifies the task of collecting and managing massive volumes of machine-generated data and searching for information within it. The technology is used for business and web analytics, application management, compliance, and security.
• Google Chronicle: cloud native SIEM tool. Chronicle SIEM is a cloud service, built as a specialized layer on top of core Google infrastructure, designed for enterprises to privately retain, analyze, and search the massive amounts of security and network telemetry they generate. Chronicle normalizes, indexes, correlates, and analyzes the data to provide instant analysis and context on risky activity.
• Playbook 
• Is a manual that provides details about any operational activity. 
• Playbooks vary from one organization to another.
• Guide analysts about security incidents before, during and after it has occurred.
• Pertain to security, compliance reviews, access management, and other org tasks that require documented processes.
• Network protocol analyzers: 
• Also called packet sniffer.
• A tool designed to capture and analyse data traffic within a network.
• Example TCP Dump, Wireshark.
• Linux operating system
• Programming languages - SQL, Python

Logs: a record of events that occur within an organization's systems. E.g. record of employees logging into their systems OR accessing web services. Logs help identify vulnerabilities and breaches.

Programming languages

• Python
• Used to perform tasks that are repetitive and time consuming, and those that require a high level of detail & accuracy. 
• SQL Programming
• Structured query language
• A programming language used to create, interact with, and request information from a database (an organised collection of information or data).
• There may be millions of data points in a database. So an entry-level security analyst would use SQL to filter through the data points to retrieve specific information.
• Linux 
• Is an open source operating system.
• Command line
• Examining logs on what's occurring within a system. Review an error log. 

Terms and definitions from Course

A

Adversarial artificial intelligence: A technique that manipulates artificial intelligence (AI) and machine learning (ML) technology to conduct attacks more efficiently

Antivirus software: A software program used to prevent, detect, and eliminate malware and viruses

Asset: An item perceived as having value to an organization

Availability: The idea that data is accessible to those who are authorized to access it

B

Business Email Compromise (BEC): A type of phishing attack where a threat actor impersonates a known source to obtain financial advantage

C

Cloud security: The process of ensuring that assets stored in the cloud are properly configured and access to those assets is limited to authorized users

Compliance: The process of adhering to internal standards and external regulations

Computer virus: Malicious code written to interfere with computer operations and cause damage to data and software

Confidentiality: Only authorized users can access specific assets or data

Confidentiality, integrity, availability (CIA) triad: A model that helps inform how organizations consider risk when setting up systems and security policies

Cryptographic attack: An attack that affects secure forms of communication between a sender and intended recipient

Cybersecurity (or security): The practice of ensuring confidentiality, integrity, and availability of information by protecting networks, devices, people, and data from unauthorized access or criminal exploitation

 

D

Database: An organized collection of information or data

Data point: A specific piece of information

H

Hacker: Any person who uses computers to gain access to computer systems, networks, or data

Hacktivist: A person who uses hacking to achieve a political goal

Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law established to protect patients’ health information

I

Integrity: The idea that the data is correct, authentic, and reliable

Internal threat: A current or former employee, external vendor, or trusted partner who poses a security risk

Intrusion detection system (IDS): An application that monitors system activity and alerts on possible intrusions

L

Linux: An open-source operating system

Log: A record of events that occur within an organization’s systems

M

Malware: Software designed to harm devices or networks

N

National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF): A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk

Network protocol analyzer (packet sniffer): A tool designed to capture and analyze data traffic within a network

Network security: The practice of keeping an organization's network infrastructure secure from unauthorized access

O

Open Web Application Security Project (OWASP): A non-profit organization focused on improving software security

Order of volatility: A sequence outlining the order of data that must be preserved from first to last

P

Password attack: An attempt to access password secured devices, systems, networks, or data

Personally identifiable information (PII): Any information used to infer an individual’s identity

Phishing: The use of digital communications to trick people into revealing sensitive data or deploying malicious software

Physical attack: A security incident that affects not only digital but also physical environments where the incident is deployed

Physical social engineering: An attack in which a threat actor impersonates an employee, customer, or vendor to obtain unauthorized access to a physical location

Privacy protection: The act of safeguarding personal information from unauthorized use

Programming: A process that can be used to create a specific set of instructions for a computer to execute tasks

Protected health information (PHI): Information that relates to the past, present, or future physical or mental health or condition of an individual

Protecting and preserving evidence: The process of properly working with fragile and volatile digital evidence

S

Security architecture: A type of security design composed of multiple components, such as tools and processes, that are used to protect an organization from risks and external threats

Security controls: Safeguards designed to reduce specific security risks

Security ethics: Guidelines for making appropriate decisions as a security professional

Security frameworks: Guidelines used for building plans to help mitigate risk and threats to data and privacy

Security governance: Practices that help support, define, and direct security efforts of an organization

Security information and event management (SIEM): An application that collects and analyzes log data to monitor critical activities in an organization

Security posture: An organization’s ability to manage its defense of critical assets and data and react to change

Sensitive personally identifiable information (SPII): A specific type of PII that falls under stricter handling guidelines

Social engineering: A manipulation technique that exploits human error to gain private information, access, or valuables

Social media phishing: A type of attack where a threat actor collects detailed information about their target on social media sites before initiating the attack

Spear phishing: A malicious email attack targeting a specific user or group of users, appearing to originate from a trusted source

SQL (Structured Query Language): A programming language used to create, interact with, and request information from a database

Supply-chain attack: An attack that targets systems, applications, hardware, and/or software to locate a vulnerability where malware can be deployed

T

Technical skills: Skills that require knowledge of specific tools, procedures, and policies

Threat: Any circumstance or event that can negatively impact assets

Threat actor: Any person or group who presents a security risk

Transferable skills: Skills from other areas that can apply to different careers

U

USB baiting: An attack in which a threat actor strategically leaves a malware USB stick for an employee to find and install to unknowingly infect a network

V

Virus: refer to “computer virus”

Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source

W

Watering hole attack: A type of attack when a threat actor compromises a website frequently visited by a specific group of users

---