CyberZeal
What Googlers can teach you about Security part 2

[TL;DR: I'm a web dev and I don't care about cybersec] - go and read the Open Worldwide Application Security Project (OWASP) Top 10 Web Application Security Risks. You must know this stuff if your web app runs on anything other than http://127.0.0.1.

Previously I wrote about Google's Cybersecurity Professional program and why I enrolled in it. If you haven't already, go and read it here.

If you've already read it, we continue with the second course in the series, "Play It Safe: Manage Security Risks".

Again, I only focus on some of the key points; the course has a lot of content and hands-on exercises. If you are interested in how the cybersecurity industry works, explained through real-life examples from Google, you should definitely take the course.

Even if you are a developer and have no interest in working in cybersec, this will give you a better picture of how your organization operates.

And who knows, maybe along the way you fall in love with Cyber. ❤️

Module 1

The first module goes in depth into CISSP's eight security domains that were mentioned in the previous course/post. I will list them again because they show how vast the security industry is. You can also see the roles and some of the responsibilities associated with each domain.

  1. Security and Risk Management:

    • Roles: Chief Information Security Officer (CISO), Risk Manager, Compliance Officer.
    • Responsibilities:
      • Develop security policies and procedures.
      • Assess and manage risks.
      • Ensure compliance with regulations and standards.
      • Align security practices with organizational goals.
  2. Asset Security:

    • Roles: Data Owners, System Administrators, Privacy Officers.
    • Responsibilities:
      • Manage information assets (data, hardware, software).
      • Define access controls and ownership.
      • Protect sensitive data and enforce privacy rules.
  3. Security Architecture and Engineering:

    • Roles: Security Architects, Systems Engineers.
    • Responsibilities:
      • Design secure systems and networks.
      • Implement encryption, firewalls, and access controls.
      • Evaluate security technologies.
  4. Communication and Network Security:

    • Roles: Network Administrators, Security Analysts.
    • Responsibilities:
      • Secure network infrastructure (routers, switches).
      • Implement VPNs, firewalls, and intrusion detection systems.
      • Ensure secure data transmission.
  5. Identity and Access Management (IAM):

    • Roles: IAM Managers, Access Control Administrators, System Administrators.
    • Responsibilities:
      • Manage user identities and access rights.
      • Implement authentication and authorization mechanisms.
      • Monitor user activity.
  6. Security Assessment and Testing:

    • Roles: Penetration Testers, Vulnerability Assessors.
    • Responsibilities:
      • Conduct security assessments (penetration testing, vulnerability scanning).
      • Identify weaknesses and recommend improvements.
      • Validate security controls.
  7. Security Operations:

    • Roles: Security Analysts, Incident Responders.
    • Responsibilities:
      • Monitor security events and incidents.
      • Investigate breaches and coordinate responses.
      • Manage security incidents and recovery.
  8. Software Development Security:

    • Roles: Software Developers, Security Champions.
    • Responsibilities:
      • Write secure code.
      • Perform code reviews for vulnerabilities.
      • Keep known flaws out of shipped software through secure coding practices, testing and patching.

Risk management

You must keep your assets secure! Assets can be digital or physical - personal information of customers, trade secrets, servers, confidential documents…

The NIST Risk Management Framework (RMF) is a comprehensive, flexible and repeatable seven-step process that organizations can use to manage information security and privacy risk.

The 7 steps are:

  1. Prepare: Talk to key stakeholders, prepare a broad risk management strategy
  2. Categorize: Analyze the system, categorize the data, and do an impact analysis.
  3. Select: Choose NIST SP 800-53 controls based on risk assessment.
  4. Implement: Deploy controls and document their deployment.
  5. Assess: Verify control effectiveness.
  6. Authorize: An authorizing official (senior management) reviews the residual risk, formally accepts it and authorizes the system to operate.
  7. Monitor: Continuously monitor control implementation and risks.

You can see a list of cybersecurity risks here.

There is also the famous OWASP Top 10 list of security risks for web applications. If you are a web dev, you should really get acquainted with this list.

You can see how the top list changes through time.

[Image: OWASP Top 10 Risks, how the list has changed between editions. Image credit: Google Cybersecurity Professional Program]

Module 2

We already mentioned the CIA triad in the previous post, but it's so crucial that we will expand a bit here. The way I see it, whatever assessment you do in security, be it application threat modeling, an infrastructure security review or a risk assessment, you are thinking about these three things:

Confidentiality - Who can access what? We need to ensure that only authorized users and systems can read the data and reach the parts of the system they are entitled to.

Integrity - Data and systems must not be modified without authorization. And if someone does tamper with them, you must be able to detect it (logs, checksums, signatures).

Availability - Systems should be available to authorized users when they need them, which is why DDoS and ransomware count as security incidents and not just outages.

The rest of the module goes in depth into OWASP and the NIST Cybersecurity Framework. The first hands-on exercise is also here: you conduct a security audit of a fictional small company that has had a recent increase in business. It is really well made, and you see how everything you have learned so far is applied in the real world.

Module 3

This module goes in depth into Security Information and Event Management (SIEM) tools. A SIEM collects the event streams from across the organization (network device logs, authentication logs, application logs, endpoint telemetry), normalizes them into a common schema, correlates events across sources and raises an alert when a pattern matches a detection rule or deviates from the baseline.

A picture is worth a thousand words, and a video is... a thousand words per frame, I guess. So go and check IBM's 4-minute video about this if you are interested. Or do a web search on Splunk to see what one of the most widely used SIEM products looks like.

There is also a thing called Security Orchestration, Automation, and Response (SOAR). It complements SIEM rather than replacing it: the SIEM produces the alerts, and SOAR automates the repetitive triage and response tasks those alerts generate (enrichment, ticketing, blocking an IP, disabling an account). More about it here.
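To make the SIEM idea concrete, here is an added example that is not part of the course or of this post: a toy SIEM pipeline in Python that parses two different log formats (an sshd-style syslog line and a JSON line from a web application's login endpoint) into one event schema, sorts them on a common timeline, and runs a windowed correlation rule: three or more failed logins from one source IP within 60 seconds followed by a successful login from that IP. All log lines, hostnames, usernames and IP addresses are constructed for the example; the `SYSLOG_YEAR` constant is an assumption, because syslog lines carry no year.

```python
"""Toy SIEM: normalize two log formats, correlate them, raise alerts.

Added example, not course material. Every log line below is constructed.
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sshd-style syslog lines (real syslog omits the year).
SYSLOG_LINES = [
    "Mar 10 09:15:01 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51234 ssh2",
    "Mar 10 09:15:03 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51236 ssh2",
    "Mar 10 09:15:05 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51238 ssh2",
    "Mar 10 09:15:09 web01 sshd[2201]: Accepted password for admin from 203.0.113.7 port 51240 ssh2",
    "Mar 10 09:20:00 web01 sshd[2302]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
]

# Constructed JSON lines from a web application's login endpoint.
APP_LINES = [
    '{"ts": "2024-03-10T09:16:30Z", "src_ip": "203.0.113.7", "user": "bob", "event": "login_failed"}',
    '{"ts": "2024-03-10T09:16:31Z", "src_ip": "203.0.113.7", "user": "bob", "event": "login_failed"}',
    '{"ts": "2024-03-10T09:16:32Z", "src_ip": "203.0.113.7", "user": "bob", "event": "login_failed"}',
    '{"ts": "2024-03-10T09:16:40Z", "src_ip": "203.0.113.7", "user": "bob", "event": "login_ok"}',
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+) port"
)
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
SYSLOG_YEAR = 2024  # assumption: the collector supplies the year syslog lacks


def parse_syslog(line):
    """sshd syslog line -> normalized event dict, or None if it is not an auth event."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    hh, mm, ss = map(int, m["time"].split(":"))
    ts = datetime(SYSLOG_YEAR, MONTHS[m["mon"]], int(m["day"]), hh, mm, ss, tzinfo=timezone.utc)
    return {"ts": ts, "source": "sshd", "host": m["host"], "src_ip": m["ip"],
            "user": m["user"], "outcome": "fail" if m["result"] == "Failed" else "success"}


def parse_app(line):
    """Web-app JSON login record -> the same normalized schema as parse_syslog."""
    rec = json.loads(line)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "webapp", "host": "app", "src_ip": rec["src_ip"],
            "user": rec["user"], "outcome": "fail" if rec["event"] == "login_failed" else "success"}


def normalize(syslog_lines, app_lines):
    """Aggregate both feeds into one timeline ordered by timestamp."""
    events = [e for e in map(parse_syslog, syslog_lines) if e]
    events += [parse_app(line) for line in app_lines]
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, threshold=3, window_s=60):
    """Rule: >= threshold failures from one src_ip within window_s seconds, then a success."""
    recent_fail = defaultdict(deque)  # src_ip -> failures still inside the window
    alerts = []
    for e in events:
        q = recent_fail[e["src_ip"]]
        while q and (e["ts"] - q[0]["ts"]).total_seconds() > window_s:
            q.popleft()  # expire failures that fell out of the window
        if e["outcome"] == "fail":
            q.append(e)
        elif len(q) >= threshold:
            alerts.append({"rule": "bruteforce_then_success", "src_ip": e["src_ip"],
                           "user": e["user"], "target": e["source"],
                           "failures": len(q), "ts": e["ts"].isoformat()})
            q.clear()  # one alert per burst
    return alerts


def run():
    return correlate(normalize(SYSLOG_LINES, APP_LINES))


if __name__ == "__main__":
    for alert in run():
        print("ALERT", alert)
```

Run as-is it raises two alerts for 203.0.113.7, one against sshd (user admin) and one against the web app (user bob); alice's single failure from another IP stays below the threshold. The point of normalizing first is that the same rule can see the attacker moving from SSH to the web application, which neither log on its own would show.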

Module 4

So, your SIEM detected an intrusion. What do you do? Don't panic: if you work in a serious organization, you have a Playbook. If you don't have a Playbook? Well, then you can panic. 😅

Last module is about Playbooks. But what is a Playbook you ask?

A Playbook is a manual which tells you what exactly you need to do and with what tools in response to a security incident.

Playbooks ensure a consistent list of actions is followed, regardless of who is handling the case.

Different types of playbooks exist, including those for incident response, security alerts, team-specific, and product-specific purposes.

Here we'll focus on a commonly used cybersecurity playbook, the incident response playbook. Incident response involves quickly identifying an attack, containing the damage and correcting the effects of a breach. An incident response playbook has six phases to help manage security incidents from start to finish. Now, while I think theory has its place, these things are best explained using real-world examples. Here is what each phase would look like in a concrete scenario:

  1. 📝 Preparation: An organization creates an incident response plan that outlines specific procedures for different types of incidents (e.g., data breaches, DDoS attacks, malware outbreaks). They identify key personnel responsible for incident response, establish communication channels, and conduct regular tabletop exercises to ensure everyone knows their roles.
  2. 🔍 Detection and Analysis: A security operations center (SOC) detects unusual network traffic patterns indicating a potential intrusion. Analysts investigate the incident, analyze logs, and use threat intelligence feeds to determine if the activity is malicious. They identify the affected systems and assess the impact.
  3. 🔒 Containment: Upon confirming a data breach, the incident response team isolates compromised servers from the network to prevent further spread. They disable compromised user accounts and block malicious IP addresses. The goal is to limit the attacker’s access and prevent additional damage.
  4. 👊 Eradication and Recovery: After identifying a ransomware attack, the organization removes the malware from affected systems. They restore data from backups and patch vulnerabilities that allowed the initial infection. The recovery process involves verifying system integrity and ensuring all services are operational.
  5. Post-Incident Activity: The incident response team conducts a postmortem analysis of a successful phishing attack. They document the attack vector, identify gaps in security controls, and recommend improvements. Leadership reviews the findings, and the organization updates its security policies and provides additional user training.
  6. ☎️ Coordination: This involves reporting incidents and sharing information throughout the response process based on established standards. Coordination ensures compliance requirements are met and allows for a coordinated response and resolution.
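The phases above are usually kept as a document, but the consistency the post describes ("the same list of actions regardless of who handles the case") is easier to guarantee when the playbook is code. Here is an added example, not part of the course or of this post, of a playbook-as-code in Python: the six phases keep their order, a phase cannot start before the earlier ones are complete (coordination is the exception and can run at any time), containment actions are derived deterministically from the incident's indicators, and every step is written to an audit trail with the handler's name. Actions are only simulated; the `execute` callback is the hook where a real playbook would call the firewall, identity provider or EDR API. The incident record, hostnames and IP addresses are constructed.

```python
"""Incident response playbook as code. Added example; all incident data is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

PHASES = ["preparation", "detection_analysis", "containment",
          "eradication_recovery", "post_incident", "coordination"]


@dataclass
class Incident:
    incident_id: str
    category: str  # e.g. "credential_compromise"
    malicious_ips: list = field(default_factory=list)
    compromised_accounts: list = field(default_factory=list)
    compromised_hosts: list = field(default_factory=list)


@dataclass
class PlaybookRun:
    incident: Incident
    handler: str
    audit: list = field(default_factory=list)  # one entry per executed step
    done: set = field(default_factory=set)

    def log(self, phase, step, detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(), "handler": self.handler,
                           "phase": phase, "step": step, "detail": detail})


def containment_actions(inc):
    """Deterministic containment list: same indicators -> same actions, whoever runs it."""
    actions = [("block_ip", ip) for ip in sorted(set(inc.malicious_ips))]
    actions += [("disable_account", a) for a in sorted(set(inc.compromised_accounts))]
    actions += [("isolate_host", h) for h in sorted(set(inc.compromised_hosts))]
    return actions


class Playbook:
    def __init__(self, execute=None):
        # execute(action, target) is the integration hook; the default only simulates.
        self.execute = execute or (lambda action, target: f"simulated {action} {target}")

    def run_phase(self, run, phase, **kw):
        if phase not in PHASES:
            raise ValueError(f"unknown phase {phase}")
        if phase != "coordination":  # coordination happens throughout, others are sequential
            required = [p for p in PHASES[:PHASES.index(phase)] if p != "coordination"]
            missing = [p for p in required if p not in run.done]
            if missing:
                raise RuntimeError(f"cannot start {phase}: {missing} not complete")
        getattr(self, "_" + phase)(run, **kw)
        run.done.add(phase)

    def _preparation(self, run):
        run.log("preparation", "confirm_roles",
                f"handler {run.handler} on call; comms channel for {run.incident.incident_id}")

    def _detection_analysis(self, run):
        inc = run.incident
        n = len(inc.malicious_ips) + len(inc.compromised_accounts) + len(inc.compromised_hosts)
        if n == 0:  # nothing to contain yet: analysis is not finished
            raise RuntimeError("no indicators recorded; analysis incomplete")
        run.log("detection_analysis", "scope", f"{inc.category}: {n} indicators")

    def _containment(self, run):
        for action, target in containment_actions(run.incident):
            run.log("containment", action, self.execute(action, target))

    def _eradication_recovery(self, run):
        inc = run.incident
        for h in sorted(set(inc.compromised_hosts)):
            for step in ("remove_malware", "patch", "restore_from_backup", "verify_integrity"):
                run.log("eradication_recovery", step, self.execute(step, h))
        for a in sorted(set(inc.compromised_accounts)):
            run.log("eradication_recovery", "reset_credentials", self.execute("reset_credentials", a))

    def _post_incident(self, run, findings=()):
        for finding in findings:
            run.log("post_incident", "finding", finding)

    def _coordination(self, run, audience="stakeholders"):
        run.log("coordination", "notify", f"status update to {audience}")


def run_playbook(inc, handler, execute=None, findings=()):
    pb = Playbook(execute)
    run = PlaybookRun(inc, handler)
    pb.run_phase(run, "coordination", audience="SOC lead")  # allowed before anything else
    for phase in PHASES[:-1]:
        pb.run_phase(run, phase, **({"findings": findings} if phase == "post_incident" else {}))
    pb.run_phase(run, "coordination", audience="leadership")
    return run


SAMPLE = Incident("INC-0001", "credential_compromise", malicious_ips=["203.0.113.7", "203.0.113.8"],
                  compromised_accounts=["admin"], compromised_hosts=["web01"])

if __name__ == "__main__":
    for entry in run_playbook(SAMPLE, "alice", findings=["MFA not enforced on admin"]).audit:
        print(entry["phase"], entry["step"], entry["detail"])
```

The ordering check is what makes this a playbook rather than a checklist: calling `run_phase(run, "containment")` on a fresh run raises, because detection and analysis have not recorded which indicators to contain. Passing a real `execute` callback that talks to your tooling turns the same file into the automation layer SOAR products sell.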

Again, there was a lot more, but you get the idea. Feel free to ping me in the comments.

Stay safe!
