GCS 5-1: Assets-Intro

Google Cybersecurity Course 5 (Assets, Threats, and Vulnerabilities) Module 1 (Introduction to asset security)

communicate

“As a new cybersecurity analyst, it’s important to be able to _____, take feedback, and feel uncomfortable.”

knowing

“No one is born _____ everything.”

Risk

Anything that can impact the confidentiality, integrity, or availability of an asset.

Security risk planning

• Assets

• Threats

• Vulnerabilities

Asset

An item perceived as having value to an organization.

Threat

Any circumstance or event that can negatively impact assets.

Vulnerability

A weakness that can be exploited by a threat.

No lock, unlocked lock, weak lock, old cracked wood.

Vulnerability examples for a front door

Likelihood x Impact

Formula for Risk

Risk helps

• Prevent costly and disruptive events

• Identify improvements that can be made to systems and processes

• Determine which risks can be tolerated

• Prioritize the critical assets that require attention

Threats, vulnerabilities

Risk factors

intentional, unintentional

Categories of threats

technical, human

Categories of vulnerabilities

problem solving, creative thinking

“_______ _______ ability and ________ ________ are important in cybersecurity.”

family, friends

“We can be there to protect our users, or ______ members, or _______.”

Asset management

The process of tracking assets and the risks that affect them.

Asset inventory

A catalog of assets that need to be protected.

Asset classification

The practice of labeling assets based on sensitivity and importance to an organization.

Public, internal-only, confidential, restricted

Levels of asset classification

Public

Assets that can be shared with anyone.

Internal-only

Assets that can be shared with anyone in the organization but should not be shared outside of it.

Confidential

Assets that should only be accessed by those working on a specific project.

Restricted

Assets that are typically highly sensitive and must be protected.

Data

Information that is translated, processed, or stored by a computer.

In use, in transit, at rest

States of dataD

Data in use

Data being accessed by one of more users.

Data in transit

Data traveling from one point to another.D

Data at rest

Data not currently being accessed.

Information security

Aka InfoSec

InfoSec

The practice of keeping data in all states away from unauthorized users.

Cloud computing

An on-demand, massively scalable service, hosted on shared infrastructure, accessible via the internet.

SaaS

Frontend applications that users access via a web browser like Gmail, Slack, and Zoom.

Software as a service

Aka SaaS

Platform as a service

Aka PaaS

PaaS

Refers to back-end application development tools that clients can access online like Google App Engine, Heroku, and VMware Cloud Foundry.

Infrastructure as a service

Aka IaaS

IaaS

Companies that give customers remote access to a range of back-end systems that are hosted by the cloud service provider like Google Cloud Platform, Microsoft Azure.

Cloud security challenges

• Misconfiguration

• Cloud-native breaches

• Monitoring access might be difficult

• Meeting regulatory standards

Burning Glass

A leading labor market analytics firm.

Damage, disclosure, loss of information

Types of risk categories

Policies, standards, procedures

Elements of a security plan

Policy

A set of rules that reduces risk and protects information.

Acceptable use policy

Aka AUP

AUP

These provisiions outline secure ways that an employee may access corporate systems.

Standards

References that inform how to set policies.

Procedures

Step-by-step instructions to perform a specific security task.

Compliance

The process of adhering to internal standards and external regulations.

Regulations

Rules set by a government or other authority to control the way something is done.

NIST Cybersecurity Framework

Aka NIST CSF.

NIST CSF

A voluntary framework that consists of standards, guidelines, and best practices to manage cybersecurity risk.

Core, tiers, profiles

NIST CSF components

Identify, Protect, Detect, Respond, Recover

Five functions of the NIST CSF core

Tiers

These provide security teams with a way to measure performance across each of the five functions of the core. They range from Level-1 to Level-4.

Level-1

This tier is known as passive. It is an indication that a function is reaching bare minimum standards.

Level-4

This tier is known as adaptive. It is an indication that a function is being performed at an exemplary standard.

Profiles

These provide insight into the current state of a security plan. One way to think of profiles is like photos capturing capturing a moment in time. Without photos, you may not have noticed how this tree has changed. They are used to help organizations develop a baseline for their cybersecurity plans, or as a way of comparing their current cybersecurity posture to a specific industry standard.

Risk register

A central record of potential risks to an organization’s assets, information systems, and data. Commonly used when conducting a risk assessment.