Sercan Azizoğlu's Personal Website
September 29, 2022

On IBM's Cybersecurity Analyst Professional Certificate

It is one of the most-enrolled professional certificates on Coursera in the information security field. In this post, I’ll list some of my notes.

The Certificate Page on Coursera

First, the content is well structured to provide introductory knowledge for entry-level positions. In particular, the introduction to IBM solutions such as Guardium and QRadar was useful for understanding practical implementation cases.

It contains eight different courses:

  1. Introduction to Cybersecurity Tools & Cyber Attacks
  2. Cybersecurity Roles, Processes & Operating System Security
  3. Cybersecurity Compliance Framework & System Administration
  4. Network Security & Database Vulnerabilities
  5. Penetration Testing, Incident Response and Forensics
  6. Cyber Threat Intelligence
  7. Cybersecurity Capstone: Breach Response Case Studies
  8. IBM Cybersecurity Analyst Assessment

Some points worth mentioning (not an exhaustive list):

Introduction to Cybersecurity Tools & Cyber Attacks:

– A handbook: Network Security Essentials by William Stallings
– SET (Social-Engineer Toolkit): https://github.com/trustedsec/social-engineer-toolkit
– Gophish, an open-source phishing framework: https://getgophish.com/
– CSIS Significant Cyber Incidents, a running list of recent incidents: https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
– IBM Security X-Force, for recent events and threats: https://www.ibm.com/x-force
– OWASP Security Knowledge Framework: https://owasp.org/www-project-security-knowledge-framework/

Pentest Methodologies:

– Open Source Security Testing Methodology Manual (OSSTMM) by ISECOM: https://www.isecom.org
– NIST Guideline on Network Security Testing (SP 800-42; withdrawn and superseded by SP 800-115, Technical Guide to Information Security Testing and Assessment): https://www.nist.gov/publications/guideline-network-security-testing
– FFIEC (Federal Financial Institutions Examination Council) IT Examination Handbook InfoBase: https://ithandbook.ffiec.gov/it-booklets.aspx
– The Penetration Testing Execution Standard (PTES): http://www.pentest-standard.org/

Digital Forensic Tools:

– The Volatility Framework (memory forensics): https://www.volatilityfoundation.org/
– FTK (Forensic Toolkit, originally by AccessData, now Exterro)
– Autopsy, the open-source GUI for The Sleuth Kit: https://www.autopsy.com/
– OpenText EnCase Forensic: https://security.opentext.com/encase-forensic
– bulk_extractor, which pulls e-mail addresses, URLs, card numbers and similar features out of a disk image without parsing the file system: https://www.kali.org/tools/bulk-extractor/

Cybersecurity Roles, Processes & Operating System Security:

– A SOC (Security Operations Center) needs three things: people, process, and technology (tools).

Access Control Methods:

– MAC (Mandatory Access Control): access is regulated by labels assigned to subjects and objects that neither users nor owners can change, as in military classification levels (Top Secret, Secret, Confidential, Unclassified).
– DAC (Discretionary Access Control): each object (e.g., a file) has an owner, and the owner decides which rights and privileges other users get; Unix file permissions are the classic example.
– RBAC (Role-Based Access Control): permissions are attached to roles (sales, management, etc.), and users receive permissions by being assigned roles.

While configuring access controls, things to consider:

– Least privilege: “giving a user account or process only those privileges essential to perform its intended function.”
– Separation of duties: no single person should be able to complete a sensitive transaction alone (e.g., creating and approving the same payment).
– Rotation of duties: periodically moving people between roles, so that long-running abuse of a position is harder to hide.
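
The three models and the separation-of-duties rule above, as an added example in Python (this is illustration code written for these notes, not code from the post or from the IBM course; the label hierarchy, users, roles and permissions are made up). MAC is shown with the two Bell-LaPadula rules, DAC with an owner-controlled ACL, and RBAC with a conflict table that refuses role combinations violating separation of duties.

```python
# Added example (not from the post or the IBM course): toy implementations of
# the three access-control models above plus a separation-of-duties check.
# Every label, user, role and permission below is made up for illustration.
from dataclasses import dataclass, field

# MAC: a fixed label hierarchy that neither owners nor users can alter.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def mac_can_read(clearance: str, label: str) -> bool:
    """Bell-LaPadula 'no read up': a subject may read only at or below its clearance."""
    return LEVELS[clearance] >= LEVELS[label]


def mac_can_write(clearance: str, label: str) -> bool:
    """Bell-LaPadula 'no write down': a subject may not copy data into a less
    sensitive object, so a secret-cleared user cannot write an unclassified file."""
    return LEVELS[clearance] <= LEVELS[label]


# DAC: the owner of an object decides who gets which permission.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, actor: str, user: str, perm: str) -> None:
        if actor != self.owner:  # only the owner may change the ACL
            raise PermissionError(f"{actor} does not own this object")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


def dac_example() -> tuple:
    """alice owns a file and lets bob read it; bob still cannot write."""
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    return doc.allows("bob", "read"), doc.allows("bob", "write"), doc.allows("alice", "write")


# RBAC: permissions hang off roles; users get permissions by holding roles.
ROLE_PERMS = {
    "sales": {"read_customer", "create_order"},
    "finance": {"read_customer", "approve_payment"},
    "management": {"read_customer", "read_report"},
}
# Separation of duties: role pairs no single person may hold at the same time.
CONFLICTING_ROLES = {frozenset({"sales", "finance"})}


def rbac_allows(user_roles: set, perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)


def violates_sod(user_roles: set, new_role: str) -> bool:
    return any(frozenset({role, new_role}) in CONFLICTING_ROLES for role in user_roles)


def assign_role(user_roles: set, new_role: str) -> set:
    """Adds a role unless it would let one person both create an order and approve its payment."""
    if violates_sod(user_roles, new_role):
        raise ValueError(f"separation of duties: {new_role} conflicts with {sorted(user_roles)}")
    return user_roles | {new_role}


if __name__ == "__main__":
    print("secret reads confidential:", mac_can_read("secret", "confidential"))    # True
    print("secret writes unclassified:", mac_can_write("secret", "unclassified"))  # False
    print("DAC (bob read, bob write, alice write):", dac_example())                # (True, False, True)
    roles = assign_role(set(), "sales")
    print("sales may approve payment:", rbac_allows(roles, "approve_payment"))     # False
    try:
        assign_role(roles, "finance")
    except ValueError as err:
        print("blocked:", err)
```

The point of the `violates_sod` check is that least privilege and separation of duties are enforced at assignment time, not left to an auditor to notice afterwards.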

Access Control Mechanisms:

– Physical: entrance control to buildings, locks, guards, 24/7 CCTV, etc.
– Technical: ID badges and proximity readers that limit access to rooms and doors, access logs, and logical controls such as authentication and access control lists.

Monitoring Access Control Processes:

– IDS (Intrusion Detection System): monitors network traffic or host activity 24/7 for signatures of known attacks and for anomalies, and raises alerts; it does not block anything itself.
– IPS (Intrusion Prevention System): sits inline and actively blocks or drops the traffic it flags, at the cost that a false positive becomes an outage.

Cybersecurity Compliance Framework & System Administration:

– HIPAA: the US Health Insurance Portability and Accountability Act; protects health-related data.
– PCI DSS (Payment Card Industry Data Security Standard): maintained by the PCI Security Standards Council, founded by the major card brands; applies to anyone who stores, processes or transmits cardholder data.
– NIST (National Institute of Standards and Technology): a US federal agency that publishes standards and guidelines (e.g., the SP 800 series and the Cybersecurity Framework).
– ISO/IEC 27001: the international standard for an information security management system (ISMS); organizations can be certified against it.

Unified Endpoint Management (UEM): managing all endpoints (desktops, laptops, mobile devices, IoT) from a single console, typically through a client agent and the operating systems’ mobile device management (MDM) APIs.

– Three key factors to consider in endpoint detection and response (EDR): threat hunting, detection and response, and user education.

Some Unix shell commands and tips:

Cryptography:

– Encrypt all sensitive data you handle, and also protect its integrity (authenticated encryption or a MAC; encryption alone does not detect tampering).
– Assume that files containing sensitive information may be exposed and analyzed.
– Rely on proven, standard cryptographic algorithms, and assume the adversary knows which algorithm you use (Kerckhoffs’s principle); the secrecy lives in the key.
– Rely on hard-to-guess, randomly generated keys and passwords that are stored securely.

– Salting: a random byte sequence of at least 8 bytes (16 is the common choice today) is added to the password before hashing. Two users with the same password then get different hashes, and precomputed rainbow tables no longer help. Salting alone does not slow down guessing, so use a dedicated password-hashing function (PBKDF2, bcrypt, scrypt or Argon2) rather than a single round of a fast hash.

Network Security & Database Vulnerabilities:

– Stateless firewall (packet filtering): each packet is judged on its own header fields (addresses, ports, flags) with no memory of earlier packets. Fast, but it cannot tell a genuine reply from a spoofed packet that merely looks like one.
– Stateful firewall (stateful inspection): tracks connections (e.g., the TCP handshake) and admits inbound packets only if they belong to a session that was legitimately opened. Slower and more resource-hungry, but much harder to bypass.
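
The difference in one toy packet filter, as an added example (written for these notes, not from the post or the course). The addresses, the rule set and the three packets are constructed; a real firewall tracks far more connection state than this, but the failure mode is the same: the stateless rule accepts a spoofed “reply” from source port 80 aimed at SSH, while the stateful filter rejects it because no inside host ever opened that session.

```python
# Added example (not from the post or the course): a toy packet filter that
# contrasts stateless and stateful inspection. Addresses, rule and traffic
# are constructed; real firewalls track far more state than this.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flags as letters: "S" SYN, "SA" SYN-ACK, "A" ACK


INSIDE = "10.0.0.5"   # the protected client


def stateless_allow(pkt: Packet) -> bool:
    """Stateless rule set for a client that browses the web: anything outbound is
    fine, and inbound packets from port 80 carrying ACK are assumed to be replies.
    The filter has no memory, so a spoofed 'reply' from source port 80 aimed at
    any local port gets through (the trick behind ACK scans)."""
    if pkt.src == INSIDE:
        return True
    return pkt.sport == 80 and "A" in pkt.flags


class StatefulFilter:
    """Keeps a connection table and admits inbound packets only for sessions the
    inside host opened itself."""

    def __init__(self) -> None:
        self.sessions = set()   # (inside_ip, inside_port, remote_ip, remote_port)

    def allow(self, pkt: Packet) -> bool:
        if pkt.src == INSIDE:
            if pkt.flags == "S":   # outbound SYN: remember the new connection
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: swap the tuple around and look the session up
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


# Constructed traffic: one genuine web session, then a spoofed "reply".
TRAFFIC = [
    Packet(INSIDE, 40000, "198.51.100.7", 80, "S"),    # client opens a connection
    Packet("198.51.100.7", 80, INSIDE, 40000, "SA"),   # the real server answers
    Packet("203.0.113.9", 80, INSIDE, 22, "A"),        # attacker: sport 80, ACK set, aimed at SSH
]


def stateless_verdicts(traffic=TRAFFIC) -> list:
    return [stateless_allow(p) for p in traffic]


def stateful_verdicts(traffic=TRAFFIC) -> list:
    fw = StatefulFilter()
    return [fw.allow(p) for p in traffic]


if __name__ == "__main__":
    print("stateless:", stateless_verdicts())   # [True, True, True]  spoofed packet passes
    print("stateful: ", stateful_verdicts())    # [True, True, False] spoofed packet dropped
```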

How to prevent OS command injection?

– Don’t execute OS commands at all where you can avoid it: use built-in or third-party libraries instead.
– Run at the lowest possible privilege level.
– Don’t run commands through shell interpreters (no system() or shell=True).
– Use explicit paths when running executables.
– Use the safer functions for running system commands, i.e., those that take an argument vector rather than a single command string.
– If possible, don’t let user input reach command execution unchanged.
– Validate user input against a strict allowlist (whitelist) of permitted characters or values, and reject values starting with “-” so they cannot be parsed as options.
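
The vulnerable pattern next to a version that applies the rules above, as an added example (illustration code for these notes, not from the post or the course). The “ping a host” feature, the hostname rule and the argument layout are this example’s own; the hardened version never executes anything in the test, it only builds the argument vector.

```python
# Added example (not from the post or the course): the command-injection
# pattern the list above warns about, next to a hardened version. The "ping a
# host" feature, the hostname rule and the argv layout are this example's own.
import re
import shutil
import subprocess

# Strict allowlist: letters, digits, dots and hyphens, and the first character may
# not be "-" so the value can never be parsed as a ping option (argument injection).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_command(host: str) -> str:
    """Vulnerable: the untrusted value is spliced into a command string that a
    shell will parse, so ';', '|', '$(...)' and backticks become new commands."""
    return f"ping -c 1 {host}"


def vulnerable_ping(host: str) -> subprocess.CompletedProcess:
    # shell=True hands the whole string to /bin/sh; this is the sink.
    return subprocess.run(vulnerable_command(host), shell=True, capture_output=True)


def is_valid_host(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list:
    """Hardened: allowlist validation, an explicit executable path resolved once,
    and an argument vector so no shell ever sees the input."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    ping = shutil.which("ping") or "/bin/ping"   # absolute path, not a shell PATH search
    return [ping, "-c", "1", host]


def safe_ping(host: str) -> subprocess.CompletedProcess:
    # shell=False (the default): argv goes straight to execve, no word splitting.
    return subprocess.run(safe_ping_argv(host), shell=False, capture_output=True)


if __name__ == "__main__":
    payload = "127.0.0.1; id"   # classic injection: a second command after ';'
    print("the shell would run:", vulnerable_command(payload))
    print("allowlist accepts payload:", is_valid_host(payload))     # False
    print("argv for a clean value:", safe_ping_argv("example.com"))
```

Note that the allowlist does two jobs: it keeps shell metacharacters out (which the argument vector already neutralizes) and it keeps a leading “-” out, which the argument vector does not, because `ping -f` is a perfectly valid argv.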

Prevention of SQL Injection:

– Use prepared (parameterized) statements: the query structure is fixed in advance and user input is bound as data, so it can never be interpreted as SQL.
– Validate user input against a strict allowlist (whitelist), not a blocklist.
– Do not expose native database errors to the user; log them internally and return a generic message.
– Limit the database user’s permissions to what the application needs (a web login account does not need DROP or administrative rights).
– Use stored procedures, provided they do not build dynamic SQL out of their parameters.
– Use ORM (object-relational mapping) libraries, but remember that an ORM’s raw-query escape hatch is as injectable as any hand-built SQL string.
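
A login check built by string formatting next to its parameterized form, as an added example run against an in-memory SQLite database (written for these notes; not from the post or the course). The schema, the single user row and the payloads are constructed; passwords are stored in clear text here only to keep the query readable, which a real system must never do.

```python
# Added example (not from the post or the course): SQL injection through string
# formatting next to a prepared statement, on an in-memory SQLite database.
# Schema, data and payloads are constructed for illustration.
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")  # clear text only for the demo
    return conn


CONN = make_db()


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Input becomes part of the SQL text, so a quote in the input rewrites the query.
    username = "alice' --" turns the WHERE clause into
        username = 'alice' --' AND password = '...'
    and everything after -- is a comment: the password check disappears."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def vulnerable_error(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Shows what leaks when the vulnerable query is fed a stray quote: the
    native error message, which is the attacker's first probe result."""
    try:
        login_vulnerable(conn, username, password)
        return None
    except sqlite3.Error as err:
        return str(err)


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Prepared statement: the structure is fixed and the values travel separately
    as bound parameters, so they are only ever compared as data."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def login_guarded(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Wraps the safe check and hides native database errors from the caller."""
    try:
        return "ok" if login_safe(conn, username, password) else "denied"
    except sqlite3.Error:
        # log the real exception server-side; never echo it to the user
        return "error"


if __name__ == "__main__":
    print("vulnerable, bypass payload:", login_vulnerable(CONN, "alice' --", "anything"))  # True
    print("safe, same payload:       ", login_safe(CONN, "alice' --", "anything"))        # False
    print("vulnerable, stray quote:  ", vulnerable_error(CONN, "O'Brien", "x"))          # error text
    print("guarded, stray quote:     ", login_guarded(CONN, "O'Brien", "x"))             # denied
```

The `O'Brien` case is worth keeping in mind: the same defect that lets an attacker in also breaks the application for a legitimate user with an apostrophe in their name, and the error text it produces is what confirms to the attacker that the input reaches the query.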

Penetration Testing, Incident Response and Forensics:

– Google Dorks (Google hacking techniques): a dork is a search string that uses advanced search operators (site:, filetype:, inurl:, intitle:) to find information that is not readily visible on a website.

– Social engineering: a general term for deceiving a person into surrendering enough information to obtain access and/or data.
– Shoulder surfing: observing someone’s screen or keyboard to capture a password or other information.
– Dumpster diving: retrieving information by examining the trash for discarded but not destroyed material.

– Attack phase (as in NIST SP 800-115): Gaining Access > Escalating Privileges > System Browsing > Installing Additional Tools, looping back through additional discovery whenever a new foothold is found.

Hack The Box is a legal online penetration-testing lab; it offers a free tier alongside paid plans: https://www.hackthebox.com/

The NIST incident response process (SP 800-61) contains four steps:

– Preparation
– Detection and Analysis
– Containment, Eradication, and Recovery
– Post-Incident Activity

The SANS incident response process consists of six steps:

– Preparation
– Identification
– Containment
– Eradication
– Recovery
– Lessons Learned

Cyber Threat Intelligence: information about threats and threat actors (what is being attacked, by whom, and how) that helps mitigate harmful events in cyberspace.

Threat intelligence sources to follow routinely:

– BleepingComputer: https://www.bleepingcomputer.com/
– DarkReading: https://www.darkreading.com/
– Trend Micro: https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits
– Krebs on Security: https://krebsonsecurity.com/
– InfoSecurity Magazine: https://www.infosecurity-magazine.com/
– X-Force Exchange: https://exchange.xforce.ibmcloud.com/

Commercial threat intelligence platforms mentioned in the course:

– Recorded Future
– FireEye
– IBM X-Force Exchange
– TruSTAR

SIEM (Security Information and Event Management): a system that aggregates logs and events from many sources, normalizes them, and provides search, correlation, alerting and reporting on top.

IBM QRadar: performs log correlation, network forensics, threat intelligence feed integration, vulnerability management, and risk management.

Its components:
– Vulnerability Manager: Proactively scans and discovers.
– User Behavior Analytics: to detect malicious insiders.
– Network Insights: analyze real-time network data to uncover an attacker’s footprints and expose hidden security threats, e.g., phishing e-mails, malware, data exfiltration, lateral movement, DNS, and other application abuse and compliance gaps.

Splunk: one of the leading SIEM solutions. It offers a wide range of products that turn machine data into useful information by monitoring and analyzing all activity; Splunk markets this as “Operational Intelligence” and treats it as its unique value proposition.
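
The “log correlation” a SIEM such as QRadar or Splunk performs, as an added example in plain Python (written for these notes; not from the post, the course, or either product). The rule is this example’s own: raise an alert when one source IP produces at least five failed SSH logins within two minutes and then a successful one, i.e., a brute-force attempt that worked. The log lines are constructed in sshd’s usual wording.

```python
# Added example (not from the post, the course, or any SIEM product): a small
# correlation rule over constructed sshd log lines. Thresholds are this
# example's own choices.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
THRESHOLD = 5                  # failed logins ...
WINDOW = timedelta(minutes=2)  # ... within this window, followed by a success

# Constructed sample log: a brute force that succeeds, one user who mistypes once, noise.
SAMPLE_LOG = """\
2022-09-29T10:00:01 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
2022-09-29T10:00:03 sshd[1201]: Failed password for invalid user test from 203.0.113.45 port 51023 ssh2
2022-09-29T10:00:05 sshd[1201]: Failed password for root from 203.0.113.45 port 51024 ssh2
2022-09-29T10:00:08 sshd[1201]: Failed password for deploy from 203.0.113.45 port 51025 ssh2
2022-09-29T10:00:12 sshd[1201]: Failed password for deploy from 203.0.113.45 port 51026 ssh2
2022-09-29T10:00:15 sshd[1201]: Failed password for deploy from 203.0.113.45 port 51027 ssh2
2022-09-29T10:00:20 sshd[1201]: Accepted password for deploy from 203.0.113.45 port 51028 ssh2
2022-09-29T10:01:00 sshd[1300]: Failed password for bob from 198.51.100.12 port 40001 ssh2
2022-09-29T10:01:04 sshd[1300]: Accepted password for bob from 198.51.100.12 port 40002 ssh2
2022-09-29T10:01:10 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()


def parse(line: str):
    """Normalizes one line into (timestamp, outcome, user, ip); None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"]


def correlate(lines) -> list:
    """Returns alerts as (ip, user, failures_in_window) for brute force followed by success."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    alerts = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        ts, outcome, user, ip = event
        recent = failures[ip]
        while recent and ts - recent[0] > WINDOW:   # drop failures outside the window
            recent.popleft()
        if outcome == "Failed":
            recent.append(ts)
        elif len(recent) >= THRESHOLD:             # success right after a burst of failures
            alerts.append((ip, user, len(recent)))
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print("ALERT possible credential brute force succeeded:", alert)
    # -> ('203.0.113.45', 'deploy', 6); bob's single typo produces nothing
```

The two design points a real SIEM rule shares with this toy are the normalization step (the regex stands in for QRadar’s DSM or Splunk’s field extraction) and the sliding window, which is what separates a brute force from a user who mistyped once.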

5 Challenges SOCs face today:

– Unaddressed threats.
– Insight overload: more alerts than analysts can triage.
– Lack of cybersecurity talent and job fatigue.
– Dwell times are getting worse.
– Stakes are at an all-time high.

Computer Security Incident Handling Guide by NIST (SP 800-61)

Establishing an incident response capability should include the following actions:

– Establish a formal incident response capability.
– Create an incident response policy.
– Develop an incident response plan based on the incident response policy.
– Develop incident response procedures.
– Establish policies and procedures regarding incident-related information sharing.
– Consider the relevant factors when selecting an incident response team model.

Incident Response Team Structure:

– Team models: central, distributed, or coordinating.
– Staffing: in-house employees, partially outsourced, or fully outsourced.
– Incident response personnel: a team manager, technical leads, and team members.
– Incident response team services: beyond handling incidents, the team may also provide intrusion detection, advisory distribution, and education and awareness.

Incident Response Lifecycle by NIST: Preparation > Detection & Analysis > Containment, Eradication & Recovery > Post-Incident Activity > back to Preparation, with the lessons learned feeding the next cycle.

IBM Security Learning Academy: https://www.securitylearningacademy.com/

“Lastly, remember keeping up with current cybersecurity vulnerabilities, attacks, and breaches is a daily activity.”

In conclusion, I’d like to thank every speaker and contributor of the course contents and IBM and Coursera for providing this certification.
