At long last, here it is.
My final week in the Google IT Support Professional course. This final week is focused on security and how organizations can promote security-minded practices.
It’s been a wild ride, folks, and I’ll be posting a few thoughts soon as a kind of postmortem on the course.
Google IT Cert – Week 30 – Creating A Company Culture for Security
This is my final week in the Google IT Support Professional Certification course from Google and Coursera.
Risk in the Workplace
As we have mentioned earlier, there is an important balance to be struck between security and user productivity. The most secure system will not be accessible to users, and a system with zero security in place will be rendered useless in short order. Determining this balance is crucial and will mean that your organization is properly protected from major and minor threats and can also be easily navigated and used by employees.
What your organization does will determine how data is handled, and if there are any legal requirements you must adhere to regarding your security.
If, for example, you accept credit card payments, you will need to adhere to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is built on the following objectives:
- Build and maintain a secure network and systems: This includes using firewalls and NOT using vendor defaults on those firewalls.
- Protect cardholder data: This includes securing data storage, and encryption of any transmission of cardholder data over unsecured networks.
- Maintain a vulnerability management program: Update antimalware programs and run regular scans.
- Implement strong access control methods: Restrict access to cardholder data to “need to know.” Identify and authenticate access to systems. Restrict physical access to cardholder data.
- Regularly monitor and test networks.
- Maintain an information security policy: while your security team is responsible for implementing security, every member of the organization is responsible for behaving in accordance with the set security policy.
We are going to go into security policies a little more in the upcoming segments.
Measuring and Assessing Risk
Security means identifying risks and exposure, understanding the probability of attacks, and creating defenses that minimize risk and the potential impact of attacks.
Security risk assessment begins with threat modeling. First, identify likely threats, then assign them a priority based on severity and probability. This is done by assuming the perspective of an attacker. Start by identifying any high-value targets that may be in your systems. High-value data would include usernames and passwords, or anything relating to payment processing, for example.
Finding vulnerabilities in your systems can be aided by the use of a vulnerability scanner, software that evaluates computers, networks and applications for weaknesses. Examples of these tools are Nessus, OpenVAS, and Qualys.
A vulnerability scanner is a service that runs on your system, and conducts periodic scans of the network and hosts on the network. Once a host is identified, a more detailed scan is run on all the ports that are open on the host, and on any services that are listening on a port. This information is then checked against a database of known vulnerabilities. The scanner then generates a report with details about severity and the scope of vulnerabilities.
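The scanner workflow just described, as an added example that is not course material: open services found on hosts are checked against a database of known vulnerabilities and the findings are ranked by severity. Every host, version and database entry here is constructed, and the EXAMPLE-* identifiers are placeholders rather than real CVEs.

```python
# Added example, not course material: a minimal model of the scanner workflow
# (open ports/services -> known-vulnerability database -> report ranked by
# severity). Every host, version and vulnerability entry is constructed, and
# the EXAMPLE-* identifiers are placeholders, not real CVEs.
from collections import defaultdict

# Constructed scan results: what a scanner learns from probing open ports.
SCAN_RESULTS = [
    {"host": "10.0.1.10", "port": 22,   "service": "openssh", "version": "7.4"},
    {"host": "10.0.1.10", "port": 80,   "service": "nginx",   "version": "1.14.0"},
    {"host": "10.0.1.11", "port": 443,  "service": "nginx",   "version": "1.18.0"},
    {"host": "10.0.1.12", "port": 3306, "service": "mysql",   "version": "5.5.60"},
    {"host": "10.0.1.12", "port": 22,   "service": "openssh", "version": "8.2"},
]

# Constructed "known vulnerability database": a service is affected when the
# observed version is older than the version carrying the fix.
VULN_DB = [
    {"id": "EXAMPLE-0001", "service": "openssh", "fixed_in": (7, 5),     "severity": 7.5},
    {"id": "EXAMPLE-0002", "service": "nginx",   "fixed_in": (1, 16, 0), "severity": 5.3},
    {"id": "EXAMPLE-0003", "service": "mysql",   "fixed_in": (5, 7, 0),  "severity": 9.8},
]


def parse_version(text):
    """'1.14.0' -> (1, 14, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def is_affected(finding, vuln):
    if finding["service"] != vuln["service"]:
        return False
    return parse_version(finding["version"]) < vuln["fixed_in"]


def severity_label(score):
    """CVSS-style buckets: critical >= 9.0, high >= 7.0, medium >= 4.0, else low."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def match_findings(scan_results, vuln_db):
    """Check every open service against the database; highest severity first."""
    matches = []
    for f in scan_results:
        for v in vuln_db:
            if is_affected(f, v):
                matches.append({
                    "host": f["host"], "port": f["port"], "service": f["service"],
                    "version": f["version"], "id": v["id"],
                    "severity": v["severity"], "label": severity_label(v["severity"]),
                })
    matches.sort(key=lambda m: (-m["severity"], m["host"], m["port"]))
    return matches


def build_report(matches):
    """Scope summary: number of findings and distinct hosts per severity label."""
    hosts_by_label = defaultdict(set)
    counts = defaultdict(int)
    for m in matches:
        hosts_by_label[m["label"]].add(m["host"])
        counts[m["label"]] += 1
    return {label: {"findings": counts[label], "hosts": sorted(hosts)}
            for label, hosts in hosts_by_label.items()}


if __name__ == "__main__":
    found = match_findings(SCAN_RESULTS, VULN_DB)
    for m in found:
        print(f"{m['label']:8} {m['severity']:>4} {m['host']}:{m['port']} "
              f"{m['service']} {m['version']} ({m['id']})")
    print(build_report(found))
```

The version comparison is done on tuples of integers rather than strings, which is why `1.14.0` correctly sorts below `1.16.0`; a real scanner also matches on banners, patch backports and configuration, but the report shape (severity, affected hosts, scope) is the same.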
Penetration testing is the “practice of attempting to break into a system or network to verify the systems in place.” This is hacking you do against yourself, using the same tools and techniques deployed against similar systems.
Reading: Risk in the Workplace
Read about these vulnerability scanners: Nessus, OpenVAS, and Qualys.
Enforcing compliance with privacy policies can be done with audits, which are conducted through logging and auditing systems. Data access logs will help you confirm that only authorized users have access to sensitive data.
Applying the principle of least privilege means access to data is not granted by default. Rather, only those users who will need to access data will be granted access. Anyone who needs access should make an access request, which will define who is to have access to what data, for what purposes and for how long.
If an audit reveals that someone had access to data without a corresponding access request that is considered a high-priority potential breach and must be investigated.
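The audit described above, as an added example that is not course material: each line of a data-access log is reconciled against the approved access requests (user, dataset, purpose, start and end date), and any access without a covering request becomes a high-priority finding. The requests and log lines are constructed.

```python
# Added example, not course material: reconcile a data-access log against the
# approved access requests and flag every access that no request covers.
# All requests and log lines are constructed for illustration.
from datetime import datetime

# Constructed approved access requests.
ACCESS_REQUESTS = [
    {"user": "alice", "dataset": "customer_records", "purpose": "billing audit",
     "start": "2024-03-01", "end": "2024-03-31"},
    {"user": "bob", "dataset": "payment_tokens", "purpose": "refund batch",
     "start": "2024-03-10", "end": "2024-03-12"},
]

# Constructed data-access log: timestamp, user, dataset, action.
ACCESS_LOG = """\
2024-03-05T09:12:44 alice customer_records READ
2024-03-11T14:02:10 bob payment_tokens READ
2024-03-15T08:30:01 bob payment_tokens READ
2024-03-20T17:45:12 carol customer_records EXPORT
"""


def parse_log(text):
    entries = []
    for line in text.strip().splitlines():
        ts, user, dataset, action = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "dataset": dataset, "action": action})
    return entries


def classify_access(entry, requests):
    """Return None when a request covers the access, otherwise the reason it is
    unapproved: no request at all, or a request whose window does not cover it."""
    candidates = [r for r in requests
                  if r["user"] == entry["user"] and r["dataset"] == entry["dataset"]]
    if not candidates:
        return "no access request on file"
    for r in candidates:
        start = datetime.fromisoformat(r["start"])
        end = datetime.fromisoformat(r["end"] + "T23:59:59")  # end date is inclusive
        if start <= entry["ts"] <= end:
            return None
    return "access outside the approved window"


def audit(log_text, requests):
    """Every unapproved access is a high-priority finding (potential breach)."""
    findings = []
    for e in parse_log(log_text):
        reason = classify_access(e, requests)
        if reason is not None:
            findings.append({"ts": e["ts"].isoformat(), "user": e["user"],
                             "dataset": e["dataset"], "action": e["action"],
                             "reason": reason, "priority": "high"})
    return findings


if __name__ == "__main__":
    for f in audit(ACCESS_LOG, ACCESS_REQUESTS):
        print(f"[{f['priority']}] {f['ts']} {f['user']} {f['action']} "
              f"{f['dataset']}: {f['reason']}")
```

Two findings come out of the sample log: bob reading payment tokens three days after his request expired, and carol exporting customer records with no request on file. Separating the two reasons matters for the investigation, since an expired request usually points at a process gap while a missing one points at a possible breach.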
Data-handling policies cover details on how data is classified. What is considered confidential? Once data classes have been created, guidelines for handling different classes of data should be created.
These steps will help prevent (or remediate) incidents such as that classic situation where an employee loses an external hard drive full of unencrypted customer medical records.
Keeping users in mind and actively engaged in security practices is often overlooked. The greatest security architecture in the world is easily undone by careless users. Passwords written on notes taped to a stolen laptop can quickly cause major security issues.
Security policies must involve realistic expectations for users. Users must have the tools they need to do their work, and must be guided and restricted by security policies constructed with this in mind.
Take the example of sharing a large, confidential file with a customer or outside party. If the file is too big to email, you may consider uploading it to a third-party file-sharing service. Many employees would do this without thinking, but no data should ever be shared with any third party or service that has not been evaluated by your organization.
Generally, “users can be lazy about security stuff.” This is especially true in the password department. Users hate complicated passwords, but that is what keeps systems safe. Requiring 24-character passwords that must be changed every month is great security theory, but it is guaranteeing that many users will be writing them down.
Because most security setups will include brute-force attack detection, overly complex password requirements can be relaxed somewhat. If a hashed password database is stolen, this is a more complex issue.
Preventing users from re-using passwords is also critical. Using the same password for a work account and a personal email account poses a serious risk.
A password change check function will prevent users from reverting back to an old, possibly compromised password.
Today, a much greater risk is credential theft through phishing emails (usually a genuine-looking email prompting you to log in to your account, which leads to a fake site where attackers capture whatever you enter). Spam filters and user education are important for limiting exposure to phishing emails.
Reading: User Habits
Read about Password Alert from Google, which helps defend against phishing attacks.
Third-party solutions are going to be a necessary part of your systems, so it is important to know how to mitigate potential risks posed by these solutions.
A sub-par third-party with poor security will necessarily undermine your security by opening new potential avenues of attack.
Conducting a vendor risk assessment will help you understand how using a third-party service will impact your organization. Vendors answer a security questionnaire to give you an understanding of the security designs they have built into their products and services.
Many vendors will allow you to test their products and services before you commit to a contract, giving you an opportunity to test it within your own environment.
Your security will be in the hands of these third parties, so knowing how well they are protected is critical.
Obviously, the questionnaire model relies on honest reporting by the vendor. Ask for a third-party assessment from your third-party vendors.
Google recently made available their Vendor Security Assessment Questionnaire (VSAQ), which gives you a template for creating questionnaires.
If third-party vendors are installing hardware at your site, it must be managed in a way that doesn’t compromise your security. If a vendor needs remote access to maintain hardware, for example, you must be sure that appropriate firewall settings have been implemented so that the hardware doesn’t become an entry point for attack.
Reading: Vendor Security Questionnaires
Read about the Google VSAQ.
Good security, like everything else at work, starts with good security training. Having dedicated channels where employees can ask security-related questions creates an environment where learning is encouraged.
Helping others keep security in mind will make your job as an IT support professional easier.
It is not easy to create a security-minded culture in an organization. It means training people to create strong, unique passwords, to lock their workstations when they step away, and not to leave their work laptop in a coffee shop or alehouse.
Security training is never complete. Regular, short training sessions (videos, presentations) will keep the subject in people’s minds and help cultivate a security-conscious staff.
And remember, everyone loves quizzes!
Discussion: Security Habits
Q: “What security protections do you currently use in your daily life? How could you improve your security habits for the future?”
A: “I use a password manager and maintain strong password security. I don’t want to discuss my weaknesses as that opens up a new attack surface.”
This could be interpreted as a smart-ass response, but I think it is valid. How many thousands of other students in this course could be reading these responses? This may be a fairly novice group when it comes to hacking, but there is no reason to ever publicly explain your current, unpatched security vulnerabilities that I can think of.
Two questions, here, kids.
Alex Grit Story
A new face in these videos, Alex explains that being determined to figure things out is a valuable trait.
Incident Reporting and Analysis
Security incidents will happen, and proper incident handling is very important.
Detection is the first step! Intrusion detection systems will often be the first to find evidence of an attack. An employee may also alert you to something suspicious, or someone may leak information to the news.
Analysis is the next step—determine the scope of the damage and what that may affect. If data was stolen, find out what data and what that means. Did malware infect your entire network or just one subnet? (Learning what your “normal” network traffic looks like will help you spot “abnormal” traffic and possible attacks.)
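The parenthetical point about knowing what "normal" looks like, as an added example that is not course material: a per-host baseline of traffic volume is built from past observations, and the current hour is flagged when it exceeds the mean by more than three standard deviations, or when a host has no baseline at all. The hourly figures and current readings are constructed.

```python
# Added example, not course material: a baseline of "normal" per-host traffic
# volume and a check that flags hosts whose current volume departs from it.
# The hourly sample figures and current readings are constructed.
from statistics import mean, pstdev

# Constructed baseline: outbound MB per hour observed over seven quiet hours.
BASELINE_MB = {
    "10.0.2.15": [120, 135, 110, 128, 140, 118, 125],
    "10.0.2.16": [40, 38, 45, 42, 39, 41, 44],
}

# Constructed current hour: 10.0.2.16 is suddenly sending ten times its norm,
# and 10.0.2.99 has never been seen before.
CURRENT_MB = {"10.0.2.15": 132, "10.0.2.16": 410, "10.0.2.99": 5}


def threshold(samples, k=3.0):
    """Upper bound of normal: mean + k standard deviations. The standard
    deviation is floored at 1 MB so a perfectly flat baseline still has a margin."""
    mu, sigma = mean(samples), pstdev(samples)
    return mu + k * max(sigma, 1.0)


def find_abnormal(current, baseline, k=3.0):
    """Alert on hosts above their baseline limit and on hosts with no baseline;
    a machine that never spoke before is itself worth a look."""
    alerts = []
    for host, value in current.items():
        if host not in baseline:
            alerts.append({"host": host, "value": value,
                           "reason": "no baseline for this host"})
            continue
        limit = threshold(baseline[host], k)
        if value > limit:
            alerts.append({"host": host, "value": value,
                           "reason": f"{value} MB exceeds baseline limit {limit:.1f} MB"})
    return alerts


if __name__ == "__main__":
    for a in find_abnormal(CURRENT_MB, BASELINE_MB):
        print(f"ALERT {a['host']}: {a['reason']}")
```

A mean-plus-three-sigma rule is the simplest useful baseline; it catches the gross case shown (a host jumping from about 40 MB to 410 MB) while leaving a host that drifts from 125 MB to 132 MB alone. Real baselines are also keyed by time of day, direction and destination port, but the comparison step is the same.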
Containment can only happen after the scope of the attack has been determined. Containment is usually very time-sensitive—you don’t want to give malware extra time to move around and infect other systems.
If an account has been compromised, change the password immediately or lock the account down.
If a machine has been compromised by malware, firewalls can be configured to effectively quarantine the machine. Or it can be moved to a special VLAN used for security quarantining.
Other parts of incident analysis include severity, impact, and recoverability.
Severity includes what and how many systems were compromised, and how that will affect operations.
Impact is the degree to which an attack will affect the business. If a small company with one web server has that server taken down by an attack, that is a major impact. If a large company with dozens of servers loses one, there may be little to no impact to business operations.
Data exfiltration is the unauthorized extraction of data from an organization. This data could be used to further penetrate networks, or to otherwise disrupt operations.
Recoverability is how long and how complicated the recovery process will be. Some attacks can’t be fully recovered from. Have backups!
Incident Response and Recovery
After a threat has been detected, it must be removed, and any damage must be repaired. This means rebuilding machines and restoring from backups. This should all be done with the goal of stopping the threat from persisting and spreading to other systems.
If a critical piece of network infrastructure is compromised, simply shutting it down may not be an option, as this will interrupt business operations. Malware can be designed to self-destruct if it doesn’t check in regularly with a command and control server, so removing all network access may cause more harm than if that equipment was left connected.
Forensic analysis of an incident will involve close inspection of affected machines. Imaging disks will give investigators a copy of the damaged machine that they can study while allowing the machine to be reimaged and redeployed.
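The disk-imaging step above, as an added example that is not course material: a "device" is copied block by block, the data is hashed as it streams, and the image is verified against that hash before the original machine is handed back for reimaging. The device here is a constructed file in a temporary directory standing in for a real disk.

```python
# Added example, not course material: image a "device" block by block, hash the
# data as it streams, and verify the image against that hash. The device is a
# constructed file in a temporary directory, standing in for a real disk.
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def image_device(src, dst, chunk=1 << 16):
    """Copy src to dst in fixed-size chunks (the read-only part of what dd does)
    and hash every byte read, so the recorded hash is exactly what was copied."""
    digest = hashlib.sha256()
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            digest.update(block)
            fout.write(block)
            copied += len(block)
    return {"source": src, "image": dst, "bytes": copied,
            "sha256": digest.hexdigest(),
            "acquired": datetime.now(timezone.utc).isoformat()}


def sha256_of(path, chunk=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(record):
    """Re-hash the image; any mismatch means the copy is not usable evidence."""
    return sha256_of(record["image"]) == record["sha256"]


def demo():
    """Image a constructed device, verify it, then show that a single flipped
    byte in the image is caught. Returns the results for inspection."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "device.bin")
        dst = os.path.join(workdir, "evidence.dd")
        with open(src, "wb") as f:                 # constructed 200,000-byte "disk"
            f.write(bytes(range(256)) * 781 + b"\x00" * 64)
        record = image_device(src, dst)
        verified = verify_image(record)
        with open(dst, "r+b") as f:                # tamper: flip one byte of the image
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))
        return {"bytes": record["bytes"], "verified": verified,
                "verified_after_tamper": verify_image(record),
                "source_untouched": sha256_of(src) == record["sha256"]}


if __name__ == "__main__":
    print(demo())
```

Hashing the stream while copying, rather than re-reading the source afterwards, means the recorded hash describes exactly the bytes that went into the image; the acquisition record (bytes, hash, timestamp) is what investigators attach to the evidence so a later reviewer can repeat the check.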
Gathering evidence from attacks will allow the organization to pursue legal action against attackers, and provides the security community at large an avenue to learn about new and evolving attacks. Security, legal, and PR teams should work closely after attacks.
Information gathered from the attack analysis can be used to prevent future attacks. First, determine the entry point the attackers used to get into the system. This is done at the same time as the “cleanup” from the attack. (Removing malware without closing down the entry point can result in immediate re-infection.)
The post-mortem will be used to analyze and update security. Once an attack has been fully remediated and systems have been restored, including any updates made, testing can begin. It is crucial to determine if the vulnerabilities have actually been addressed, and if any changes made may have affected other systems or procedures.
There is usually a good chance that one attack method could be used against another part of your network, so using anything learned about one attack to strengthen the overall network security is very important. Update firewall rules and ACLs so that similar attacks in the future will be detected.
Another 2 questions.
Interview Role Play
Some example technical questions you may see in interviews: explain the whitelisting/blacklisting principle; disabling unnecessary services and enabling only the necessary ones; segmenting networks to keep guest users away from core network infrastructure; implementing wireless network security (WPA2, etc.); preventing phishing attacks (use strong passwords, educate users, use 2FA).
Interviewers want to know how you solve problems and how you conduct yourself under pressure. How are you going to interact with users?
Do research about the organization you are interviewing for. Ask questions during your interview and show that you are interested and share their values. Practice interviewing!
Almost at the end of this program! Stay focused and what’s-his-name will be there to congratulate you after the final project.
Quiz: Creating a Company Culture for Security
Peer Graded Assignment: Creating a Company Culture for Security
Write a document outlining how you would implement stronger security for a small business.
Review Your Peers
I reviewed a few extras just to be nice. And because my grade was taking a long time to come through.
Reading: Final Project
An example of what the final project document should include. (I’m amazed I passed—thank you, lenient peer reviewer!)
Discussion: Your Learning Journey
My overall take on this course is that there is some great material but I would have enjoyed a lot more hands-on exercises in the VMs. I have a hard time retaining information when I’m exposed to it in a six minute video and then never again.
“…Now get out there and get a job…”
9 thoughts on “Google IT Cert – Week 30 – Creating A Company Culture for Security”
What in the world did you do for the final assignment? I am stuck
Hello, I’m sorry I have been away from the site for a spell…
I don’t want to give away any answers, but my process on the final project was to take each broad topic and go back through the course materials and note anything that applied to the topic. Then I wrote a sentence about each one. I will give you one hint, however: your peers grading your assignment will probably be very lenient. I did not encounter any particularly fastidious grading, to say the least.
Feel free to use this site as your class notes, every week has a page and I have tried to tag/categorize them thoroughly for ease of use.
Thanks, and good luck.
I’m also stuck with this project ‘coz no sample. I am confused how to start. Plus English is not my first language.
Hi, and thanks for asking a question…
I got a similar question recently, and as I told that person I don’t want to give away the answers (and if I did, I would NOT give away my answer, because it wasn’t very good) so I will just say that to pass the final project I went back through my notes and listed anything that would apply to the various needs of the fictional organization.
The key to this is listing specific things, like deploying a firewall, for example, and explaining where on the network to place it and the purpose it will serve.
Remember, your peers grading your assignment will be very generous. And if you don’t make it through the first time, refine your answers and submit it again–you won’t be graded by the same people twice.
Best of luck!
Hi Jack, did you end up with a job with this course?
Hello! Not exactly, as I completed the course while at my current job…but it is a resume item for me and I learned a lot. Good luck!
I would like to thank you for creating this site as it has helped me along my journey through the course. Your site was actually easier to read than on the coursera page.
Hey that’s great to hear, glad it helped!
Final Project – Sample Submission
Authentication will be handled centrally by an LDAP server and will incorporate One-Time Password generators as a 2nd factor for authentication.
The customer-facing website will be served via HTTPS, since it will be serving an e-commerce site permitting visitors to browse and purchase products, as well as create and log into accounts. This website would be publicly accessible.
The internal employee website will also be served over HTTPS, as it will require authentication for employees to access. It will also only be accessible from the internal company network and only with an authenticated account.
Since engineers require remote access to internal websites, as well as remote command line access to workstations, a network-level VPN solution will be needed, like OpenVPN. To make internal website access easier, a reverse proxy is recommended, in addition to VPN. Both of these would rely on the LDAP server that was previously mentioned for authentication and authorization.
A network-based firewall appliance would be required. It would include rules to permit traffic for various services, starting with an implicit deny rule, then selectively opening ports. Rules will also be needed to allow public access to the external website, and to permit traffic to the reverse proxy server and the VPN server.
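The firewall policy just described, as an added example that is not part of the sample submission: a first-match rule evaluator with an implicit deny, and selective allows for the public website, the reverse proxy and the VPN gateway. Zone and host names are constructed; using 1194/udp for the VPN rule assumes OpenVPN's default port, which the submission does not specify.

```python
# Added example, not part of the sample submission: a first-match rule
# evaluator modelling the policy above (implicit deny, then selective allows).
# Zone and host names are constructed; 1194/udp is OpenVPN's default port, an
# assumption of this example.
RULES = [
    {"action": "allow", "proto": "tcp", "dport": 443,  "src": "any", "dst": "web-public"},
    {"action": "allow", "proto": "tcp", "dport": 443,  "src": "any", "dst": "reverse-proxy"},
    {"action": "allow", "proto": "udp", "dport": 1194, "src": "any", "dst": "vpn-gw"},
    {"action": "allow", "proto": "tcp", "dport": 443,  "src": "vpn", "dst": "intranet"},
]
DEFAULT_ACTION = "deny"   # the implicit deny every unmatched packet falls through to
FIELDS = ("proto", "dport", "src", "dst")


def field_matches(rule_value, packet_value):
    return rule_value == "any" or rule_value == packet_value


def evaluate(packet, rules=RULES):
    """Return (action, index of the matching rule, or None for the implicit deny)."""
    for i, r in enumerate(rules):
        if all(field_matches(r[k], packet[k]) for k in FIELDS):
            return r["action"], i
    return DEFAULT_ACTION, None


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule is at least
    as broad in every field: the usual symptom of a broad allow pasted on top."""
    def covers(a, b):
        return all(a[k] == "any" or a[k] == b[k] for k in FIELDS)
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


if __name__ == "__main__":
    # Constructed test packets: protocol, destination port, source zone, destination host.
    samples = [
        {"proto": "tcp", "dport": 443,  "src": "internet", "dst": "web-public"},
        {"proto": "tcp", "dport": 22,   "src": "internet", "dst": "web-public"},
        {"proto": "udp", "dport": 1194, "src": "internet", "dst": "vpn-gw"},
        {"proto": "tcp", "dport": 443,  "src": "internet", "dst": "intranet"},
        {"proto": "tcp", "dport": 443,  "src": "vpn",      "dst": "intranet"},
    ]
    for p in samples:
        print(p, "->", evaluate(p))
    broad = {"action": "allow", "proto": "any", "dport": "any", "src": "any", "dst": "any"}
    print("shadowed by a leading allow-all:", shadowed_rules([broad] + RULES))
```

The two things to take from the run are that a packet to the intranet from the internet hits no rule and is denied by default, while the same packet from the VPN zone is allowed, and that a single broad allow placed first shadows every rule beneath it, which is why `shadowed_rules` is worth running whenever the rule set changes.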
For wireless security, 802.1X with EAP-TLS should be used. This would require the use of client certificates, which can also be used to authenticate other services, like VPN, reverse proxy, and internal website authentication. 802.1X is more secure and more easily managed as the company grows, making it a better choice than WPA2.
Incorporating VLANs into the network structure is recommended as a form of network segmentation; it will make controlling access to various services easier to manage. VLANs can be created for broad roles or functions for devices and services. An engineering VLAN can be used to place all engineering workstations and engineering services on. An Infrastructure VLAN can be used for all infrastructure devices, like wireless APs, network devices, and critical servers like authentication. A Sales VLAN can be used for non-engineering machines, and a Guest VLAN would be useful for other devices that don’t fit the other VLAN assignments.
As the company handles payment information and user data, privacy is a big concern. Laptops should have full disk encryption (FDE) as a requirement, to protect against unauthorized data access if a device is lost or stolen. Antivirus software is also strongly advised to avoid infections from common malware. To protect against more uncommon attacks and unknown threats, binary whitelisting software is recommended, in addition to antivirus software.
To further enhance the security of client machines, an application policy should be in place to restrict the installation of third-party software to only applications that are related to work functions. Specifically, risky and legally questionable application categories should be explicitly banned. This would include things like pirated software, license key generators, and cracked software.
In addition to policies that restrict some forms of software, a policy should also be included to require the timely installation of software patches. “Timely” in this case will be defined as 30 days from the wide availability of the patch.
As the company takes user privacy very seriously, some strong policies around accessing user data are a critical requirement. User data must only be accessed for specific work purposes, related to a particular task or project. Requests must be made for specific pieces of data, rather than overly broad, exploratory requests. Requests must be reviewed and approved before access is granted. Only after review and approval will an individual be granted access to the specific user data requested. Access requests to user data should also have an end date.
In addition to accessing user data, policies regarding the handling and storage of user data are also important to have defined. These will help prevent user data from being lost and falling into the wrong hands. User data should not be permitted on portable storage devices, like USB keys or external hard drives. If an exception is necessary, an encrypted portable hard drive should be used to transport user data. User data at rest should always be contained on encrypted media to protect it from unauthorized access.
To ensure that strong and secure passwords are used, the password policy below should be enforced:
Password must have a minimum length of 8 characters
Password must include a minimum of one special character or punctuation
Password must be changed once every 12 months
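The password policy listed above, together with the "password change check" from the course notes that stops a user from reverting to a recently used password, as an added example that is not part of the sample submission or the course: each stored history entry is a random salt plus a PBKDF2-HMAC-SHA256 digest, so the history never holds passwords in the clear. The function names, history depth and iteration count are this example's choices.

```python
# Added example, not course material: the password policy above (minimum
# length, a special character, change at least every 12 months) plus a history
# check that rejects reuse of recent passwords. Stored entries are salted
# PBKDF2-HMAC-SHA256 digests. Names, history depth and iteration count are
# this example's choices.
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE = timedelta(days=365)
HISTORY_DEPTH = 5          # how many previous passwords cannot be reused
ITERATIONS = 100_000       # PBKDF2 work factor (assumed; tune for real use)


def derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def policy_problems(password):
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character or punctuation")
    return problems


def matches_previous(password, history):
    """Re-derive with each stored salt and compare in constant time."""
    return any(hmac.compare_digest(derive(password, salt), digest)
               for salt, digest in history)


def validate_change(new_password, history):
    """All reasons the change must be rejected; an empty list means accept."""
    problems = policy_problems(new_password)
    if matches_previous(new_password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


def record_change(history, new_password):
    """Append the new salted digest and keep only the last HISTORY_DEPTH entries."""
    salt = os.urandom(16)
    return (history + [(salt, derive(new_password, salt))])[-HISTORY_DEPTH:]


def change_overdue(last_changed_iso, today_iso):
    """True when more than MAX_AGE has passed since the last change (ISO dates)."""
    return date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso) > MAX_AGE


if __name__ == "__main__":
    history = record_change([], "Correct-Horse1")
    print(validate_change("Correct-Horse1", history))   # reuse is rejected
    print(validate_change("short", history))            # too short, no punctuation
    print(validate_change("Fresh-Start-22", history))   # [] means accepted
    print(change_overdue("2023-01-01", "2024-06-01"))   # True
```

Because every history entry has its own salt, checking a candidate password means deriving it once per stored entry; with a history depth of five that is a handful of PBKDF2 runs per change, which is the price of never keeping old passwords in a form that can be compared directly.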
In addition to these password requirements, a mandatory security training must be completed by every employee once every year. This should cover common security-related scenarios, like how to avoid falling victim to phishing attacks, good practices for keeping your laptop safe, and new threats that have emerged since the last time the course was taken.
Intrusion Detection or Prevention Systems
A Network Intrusion Detection System is recommended to watch network activity for signs of an attack or malware infection. This would allow for good monitoring capabilities without inconveniencing users of the network. A Network Intrusion Prevention System (NIPS) is recommended for the network where the servers containing user data are located; it contains much more valuable data, which is more likely to be targeted in an attack. In addition to Network Intrusion Prevention, Host-based Intrusion Detection (HIDS) software is also recommended to be installed on these servers to enhance monitoring of these important systems.