At long last, here it is.
My final week in the Google IT Support Professional course. This final week is focused on security and how organizations can promote security-minded practices.
It’s been a wild ride, folks, and I’ll be posting a few thoughts soon as a kind of postmortem on the course.
Google IT Cert – Week 30 – Creating A Company Culture for Security
This is my final week in the Google IT Support Professional Certification course from Google and Coursera.
Risk in the Workplace
As mentioned earlier, there is an important balance to be struck between security and user productivity. A system locked down to the point that users cannot get to it is useless, and a system with zero security in place will be compromised and rendered useless in short order. Striking this balance means your organization is protected from major and minor threats while employees can still get their work done.
What your organization does will determine how data is handled, and if there are any legal requirements you must adhere to regarding your security.
If, for example, you accept credit card payments, you will need to adhere to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is built on the following objectives:
- Build and maintain a secure network and systems: This includes installing and maintaining firewalls, and NOT leaving vendor-supplied defaults (default passwords and other security settings) in place on any system, not just the firewalls.
- Protect cardholder data: This includes securing data storage, and encryption of any transmission of cardholder data over unsecured networks.
- Maintain a vulnerability management program: Keep antimalware programs updated and run regular scans, and patch systems and applications promptly.
- Implement strong access control methods: Restrict access to cardholder data to “need to know.” Identify and authenticate access to systems. Restrict physical access to cardholder data.
- Regularly monitor and test networks.
- Maintain an information security policy. This means that while your security team is responsible for implementing security, every member of the organization is responsible for behaving in accordance with the set security policy.
We are going to go into security policies a little more in the upcoming segments.
Measuring and Assessing Risk
Security means identifying risks and exposure, understanding the probability of attacks, and creating defenses that minimize risk and the potential impact of attacks.
Security risk assessment begins with threat modeling. First, identify likely threats, then assign them a priority based on severity and probability. This is done by assuming the perspective of an attacker. Start by identifying any high-value targets that may be in your systems. High-value data would include usernames and passwords, or anything relating to payment processing, for example.
Finding vulnerabilities in your systems can be aided by the use of a vulnerability scanner, software that evaluates computers, networks and applications for weaknesses. Examples of these tools are Nessus, OpenVAS, and Qualys.
A vulnerability scanner runs as a service on a host inside your network and conducts periodic scans of the network and the hosts on it. Once a host is identified, a more detailed scan probes the ports that are open on that host and fingerprints any services listening on them. The versions and configurations found are then checked against a database of known vulnerabilities, and the scanner generates a report with details about the severity and scope of what it found. Keep in mind that a scan is only as good as its database and its view of the host: an unauthenticated network scan sees banners, not what is actually installed, so credentialed scans catch more.
Penetration testing is the “practice of attempting to break into a system or network to verify the systems in place.” This is hacking you do against yourself, using the same tools and techniques deployed against similar systems.
Reading: Risk in the Workplace
Enforcing compliance with privacy policies can be done with audits, which are conducted through logging and auditing systems. Data access logs will help you confirm that only authorized users have access to sensitive data.
Applying the principle of least privilege means access to data is not granted by default. Rather, only those users who will need to access data will be granted access. Anyone who needs access should make an access request, which will define who is to have access to what data, for what purposes and for how long.
If an audit reveals that someone had access to data without a corresponding access request that is considered a high-priority potential breach and must be investigated.
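The audit described above can be mechanized: reconcile the data-access log against the list of approved access requests and flag every access that has no matching request, or whose request has expired. The example below is added here and is not part of the course; the log format ("timestamp user action dataset"), the request records and the log lines are all constructed sample data.

```python
"""Reconcile data-access log lines against approved access requests.

Added example, not from the course. The log format, the request records and
the sample log lines are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import datetime


# Least privilege: nothing is granted by default, so an access request says
# who may read which data class, for what purpose, and for how long.
@dataclass(frozen=True)
class AccessRequest:
    user: str
    dataset: str
    purpose: str
    valid_from: datetime
    valid_until: datetime


# Constructed approved requests.
APPROVED = [
    AccessRequest("alice", "cardholder_data", "chargeback review",
                  datetime(2024, 3, 1), datetime(2024, 3, 31, 23, 59, 59)),
    AccessRequest("bob", "medical_records", "claims processing",
                  datetime(2024, 1, 1), datetime(2024, 12, 31, 23, 59, 59)),
]

# Constructed data-access log in a hypothetical "timestamp user action dataset" format.
SAMPLE_LOG = """\
2024-03-10T09:12:44 alice READ cardholder_data
2024-03-10T09:15:02 bob READ medical_records
2024-03-10T10:01:13 carol READ cardholder_data
2024-04-02T08:30:00 alice READ cardholder_data
2024-03-11T14:00:00 bob READ cardholder_data
"""


def parse_line(line):
    """Split one log line into (timestamp, user, action, dataset)."""
    ts, user, action, dataset = line.split()
    return datetime.fromisoformat(ts), user, action, dataset


def is_covered(ts, user, dataset, requests):
    """True if some request grants this user this dataset at this time.

    The validity window matters: a request that has expired no longer covers
    the access, which is how you catch people keeping access they no longer need.
    """
    return any(r.user == user and r.dataset == dataset
               and r.valid_from <= ts <= r.valid_until
               for r in requests)


def find_unrequested_access(log_text, requests=APPROVED):
    """Return (timestamp, user, dataset) for every access with no valid request."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, dataset = parse_line(line)
        if not is_covered(ts, user, dataset, requests):
            findings.append((ts.isoformat(), user, dataset))
    return findings


if __name__ == "__main__":
    for finding in find_unrequested_access(SAMPLE_LOG):
        print("HIGH PRIORITY: access without a matching request:", finding)
```

Run against the sample log this flags three of the five accesses: carol has no request at all, alice's request had expired by April, and bob's request covers medical records but not cardholder data. Each of those is the high-priority potential breach the text describes.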
Data-handling policies cover details on how data is classified. What is considered confidential? Once data classes have been created, guidelines for handling different classes of data should be created.
Data-handling guidelines, such as requiring that confidential data be encrypted at rest on any portable device, prevent incidents such as that classic situation where an employee loses an external hard drive full of unencrypted customer medical records. Audits catch the gaps before the drive goes missing.
Keeping users in mind and actively engaged in security practices is often overlooked. The greatest security architecture in the world is easily undone by careless users. Passwords written on notes taped to a stolen laptop can quickly cause major security issues.
Security policies must involve realistic expectations for users. Users must have the tools they need to do their work, and must be guided and restricted by security policies constructed with this in mind.
Take the example of sharing a large, confidential file with a customer or outside party. If the file is too big to email, you may consider uploading it to a third-party filesharing service. Many employees would do this without thinking, but no data should ever be shared with any third-party or service that has not been evaluated by your organization.
Generally, “users can be lazy about security stuff.” This is especially true in the password department. Users hate complicated passwords. Requiring 24-character passwords that must be changed every month looks great on paper, but it guarantees that many users will be writing them down. Current guidance (NIST SP 800-63B) goes the other way: favor length over complexity rules, check new passwords against lists of known-breached passwords, and do not force periodic changes unless there is evidence of compromise.
Because most security setups include brute-force attack detection (rate limiting and account lockout), overly complex password requirements can be relaxed somewhat: an online attacker only gets a handful of guesses. If a hashed password database is stolen, the attacker can guess offline at whatever rate their hardware allows, and then only the strength of the passwords and the cost of the hash function (a slow, salted hash such as bcrypt, scrypt or Argon2) stand in the way.
Preventing users from re-using passwords across accounts is also critical. Using the same password for a work account and a personal email account means a breach of the personal account becomes a breach of the work account.
A password history check prevents users from changing back to an old, possibly compromised password.
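The two controls above, a password history check and online brute-force lockout, fit in a few dozen lines. The example below is added here and is not course code; the history depth, lockout threshold, lockout window and scrypt cost parameters are assumptions chosen for the demo rather than values from any policy.

```python
"""Password history check plus online brute-force lockout.

Added example, not from the course. HISTORY_DEPTH, MAX_FAILURES,
LOCKOUT_SECONDS and the scrypt parameters are assumed values for the demo.
"""
import hashlib
import hmac
import os
import time

HISTORY_DEPTH = 5          # assumed: reject any of the last 5 passwords
MAX_FAILURES = 5           # assumed: lock after 5 consecutive failed logins
LOCKOUT_SECONDS = 15 * 60  # assumed: 15-minute lockout window
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed cost parameters


def hash_password(password, salt=None):
    """Salted scrypt hash. A slow hash is what limits offline cracking if the
    hashed password database is ever stolen."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison so the check leaks nothing through timing."""
    candidate = hashlib.scrypt(password.encode(), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, username, password):
        self.username = username
        self.history = []        # (salt, digest) pairs, newest last; [-1] is current
        self.failures = 0
        self.locked_until = 0.0
        self.set_password(password)

    def set_password(self, new_password):
        """Password-change check: refuse anything still in the retained history."""
        for salt, digest in self.history:
            if verify(new_password, salt, digest):
                raise ValueError("password was used recently; choose a new one")
        self.history.append(hash_password(new_password))
        del self.history[:-HISTORY_DEPTH]   # keep only the last HISTORY_DEPTH hashes
        self.failures = 0

    def login(self, password, now=None):
        """Online brute-force detection: count consecutive failures and lock.

        While locked, even the correct password is refused, so an attacker
        cannot tell a lockout from a wrong guess.
        """
        now = time.time() if now is None else now
        if now < self.locked_until:
            return False
        salt, digest = self.history[-1]
        if verify(password, salt, digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False
```

Only the current hash is used for login; the older hashes exist solely so a "new" password can be compared against them, which is why they are stored with the same slow hash and salt rather than in any reversible form.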
Today, a much greater risk is the credential theft made possible by phishing emails (usually a real-looking email prompting you to log in to your account, which leads to a fake site where attackers capture whatever you enter). Spam filters, user education, and multi-factor authentication are important for limiting exposure to phishing.
Reading: User Habits
Read about Password Alert from Google, which helps defend against phishing attacks.
Third-party solutions are going to be a necessary part of your systems, so it is important to know how to mitigate potential risks posed by these solutions.
A sub-par third-party with poor security will necessarily undermine your security by opening new potential avenues of attack.
Conducting a vendor risk assessment will help you understand how using a third-party service will impact your organization. Vendors answer a security questionnaire to give you an understanding of the security designs they have built into their products and services.
Many vendors will allow you to test their products and services before you commit to a contract, giving you an opportunity to test it within your own environment.
Your security will be in the hands of these third parties, so knowing how well they are protected is critical.
Obviously, the questionnaire model relies on honest reporting by the vendor. Ask your third-party vendors for independent evidence as well: a third-party assessment, an audit report such as a SOC 2 report, or a recent penetration test report.
Google recently made available their Vendor Security Assessment Questionnaire (VSAQ), which gives you a template for creating questionnaires.
If third-party vendors are installing hardware at your site, it must be managed in a way that doesn’t compromise your security. If a vendor needs remote access to maintain hardware, for example, you must be sure that appropriate firewall settings have been implemented so that the hardware doesn’t become an entry point for attack.
Reading: Vendor Security Questionnaires
Read about the Google VSAQ.
Good security, like everything else at work, starts with good security training. Having dedicated channels where employees can ask security-related questions creates an environment where learning is encouraged.
Helping others keep security in mind will make your job as an IT support professional easier.
It is not easy to create a security-minded culture in an organization. This means training people to create strong, unique passwords, locking workstations when they leave, and not forgetting your work laptop in a coffee shop or alehouse.
Security training is never complete. Regular, short training sessions (videos, presentations) will keep the subject in peoples’ minds and help cultivate a security-conscious staff.
And remember, everyone loves quizzes!
Discussion: Security Habits
Q: “What security protections do you currently use in your daily life? How could you improve your security habits for the future?”
A: “I use a password manager and maintain strong password security. I don’t want to discuss my weaknesses as that opens up a new attack surface.”
This could be interpreted as a smart-ass response, but I think it is valid. How many thousands of other students in this course could be reading these responses? This may be a fairly novice group when it comes to hacking, but there is no reason to ever publicly explain your current, unpatched security vulnerabilities that I can think of.
Two questions, here, kids.
Alex Grit Story
A new face in these videos, Alex explains that being determined to figure things out is a valuable trait.
Incident Reporting and Analysis
Security incidents will happen, and proper incident handling is very important.
Detection is the first step! Intrusion detection systems will often be the first to find evidence of an attack. An employee may also alert you to something suspicious, or someone may leak information to the news.
Analysis is the next step—determine the scope of the damage and what that may affect. If data was stolen, find out what data and what that means. Did malware infect your entire network or just one subnet? (Learning what your “normal” network traffic looks like will help you spot “abnormal” traffic and possible attacks.)
Containment can begin as soon as the scope of the attack is understood well enough to act on. Containment is usually very time-sensitive: you don't want to give malware extra time to move around and infect other systems.
If an account has been compromised, change the password immediately or lock the account, and revoke any active sessions and tokens, since a password change alone does not end sessions that are already open.
If a machine has been compromised by malware, firewalls can be configured to effectively quarantine it, or it can be moved to a dedicated VLAN used for security quarantining.
Other parts of incident analysis include severity, impact, and recoverability.
Severity includes what and how many systems were compromised, and how that will affect operations.
Impact is the degree to which an attack will affect the business. If a small company with one web server has that server taken down by an attack, that is a major impact. If a large company with dozens of servers loses one, there may be little to no impact to business operations.
Data exfiltration is the unauthorized extraction of data from an organization. This data could be used to further penetrate networks, or to otherwise disrupt operations.
Recoverability is how long and how complicated the recovery process will be. Some attacks can’t be fully recovered from. Have backups!
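The point made earlier in this section, that knowing what “normal” traffic looks like is what lets you spot the abnormal, and the definition of data exfiltration, can be turned into a small detection. The example below is added here and is not from the course: it learns a per-host baseline of daily outbound bytes from a constructed "known normal" week, then flags any host whose outbound total for the day under analysis exceeds the baseline mean by more than an assumed number of standard deviations (three), or that has no baseline at all. The flow-log format ("host destination bytes_out") and every number in it are constructed.

```python
"""Flag hosts whose outbound volume departs from their learned baseline.

Added example, not from the course. The baseline figures, the flow-log
format and the k=3 standard-deviation threshold are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily outbound byte totals per host over a "known normal" week.
BASELINE = {
    "db-01": [1.2e9, 1.1e9, 1.3e9, 1.25e9, 1.15e9, 1.2e9, 1.3e9],
    "ws-17": [2.0e8, 2.5e8, 1.8e8, 2.2e8, 2.1e8, 1.9e8, 2.3e8],
}

# Constructed flow log for the day under analysis: "host destination bytes_out".
TODAY = """\
db-01 10.0.5.21 600000000
db-01 10.0.5.22 650000000
ws-17 203.0.113.50 4000000000
ws-17 10.0.9.3 150000000
lab-03 198.51.100.7 50000000
"""


def summarize(flow_text):
    """Total bytes out per host, and bytes per destination for each host."""
    totals = defaultdict(int)
    per_dst = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        host, dst, nbytes = line.split()
        totals[host] += int(nbytes)
        per_dst[host][dst] += int(nbytes)
    return totals, per_dst


def threshold(samples, k):
    """Mean plus k population standard deviations of the baseline samples."""
    return mean(samples) + k * pstdev(samples)


def find_anomalies(flow_text, baseline=BASELINE, k=3.0):
    """Return (host, total_bytes_out, reason, top_destination) for each finding.

    The top destination is included because the first question in analysis
    is where the data went; a large external destination is the exfiltration
    lead an analyst chases first.
    """
    totals, per_dst = summarize(flow_text)
    findings = []
    for host in sorted(totals):
        top_dst = max(per_dst[host], key=per_dst[host].get)
        if host not in baseline:
            # A host with no baseline cannot be judged normal; treat it as a finding.
            findings.append((host, totals[host], "no baseline for host", top_dst))
        elif totals[host] > threshold(baseline[host], k):
            findings.append((host, totals[host], "outbound volume above baseline", top_dst))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(TODAY):
        print("ABNORMAL:", finding)
```

On the constructed data, db-01 stays inside its baseline, ws-17 sends roughly twenty times its usual daily volume (most of it to a single external address), and lab-03 is reported because there is no baseline to compare it against. A seven-sample baseline is only illustrative; in practice you would learn it over a longer window and keep it segmented by hour or weekday so that normal batch jobs are not flagged.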
Incident Response and Recovery
After a threat has been detected, it must be removed, and any damage must be repaired. This means rebuilding machines and restoring from backups. This should all be done with the goal of stopping the threat from persisting and spreading to other systems.
If a critical piece of network infrastructure is compromised, simply shutting it down may not be an option, as this will interrupt business operations. Malware can also be designed to self-destruct if it doesn't check in regularly with a command and control server, destroying evidence or triggering a destructive payload, so abruptly removing all network access may cause more harm than leaving that equipment connected while you investigate.
Forensic analysis of an incident involves close inspection of the affected machines. Imaging disks (and capturing memory before the machine is powered off, where volatile evidence such as running processes and network connections matters) gives investigators a copy to study while the machine itself is reimaged and redeployed. Record a cryptographic hash of each image when it is taken so its integrity can be demonstrated later.
Gathering evidence from attacks will allow the organization to pursue legal action against attackers, and provides the security community at large an avenue to learn about new and evolving attacks. Security, legal, and PR teams should work closely after attacks.
Information gathered from the attack analysis can be used to prevent future attacks. First, determine the entry point the attackers used to get into the system. This is done at the same time as the “cleanup” from the attack. (Removing malware without closing down the entry point can result in immediate re-infection.)
The post-mortem will be used to analyze and update security. Once an attack has been fully remediated and systems have been restored, including any updates made, testing can begin. It is crucial to determine if the vulnerabilities have actually been addressed, and if any changes made may have affected other systems or procedures.
There is usually a good chance that one attack method could be used against another part of your network, so using anything learned about one attack to strengthen the overall network security is very important. Update firewall rules, ACLs, and detection signatures so that similar attacks are blocked, or at least detected, in the future.
Another two questions.
Interview Role Play
Some example technical questions you may see in interviews: Explain the whitelisting/blacklisting principle. Disabling unnecessary services and enabling only the necessary ones. Segmenting networks to keep guest users away from core network infrastructure. Implementing wireless network security (WPA2, etc.). Preventing phishing attacks: use strong passwords, educate users, and use 2FA.
Interviewers want to know how you solve problems and how you conduct yourself under pressure. How are you going to interact with users?
Do research about the organization you are interviewing for. Ask questions during your interview and show that you are interested and share their values. Practice interviewing!
Almost at the end of this program! Stay focused and what’s-his-name will be there to congratulate you after the final project.
>>>>>Quiz: Creating a Company Culture for Security
Peer Graded Assignment: Creating a Company Culture for Security
Write a document outlining how you would implement stronger security for a small business.
Review Your Peers
I reviewed a few extras just to be nice. And because my grade was taking a long time to come through.
Reading: Final Project
An example of what the final project document should include. (I’m amazed I passed—thank you, lenient peer reviewer!)
Discussion: Your Learning Journey
My overall take on this course is that there is some great material but I would have enjoyed a lot more hands-on exercises in the VMs. I have a hard time retaining information when I’m exposed to it in a six minute video and then never again.
“…Now get out there and get a job…”