Cybersecurity Fundamentals Notes

The document outlines comprehensive notes from two Google Cybersecurity Certificate courses, focusing on cybersecurity assets, threats, vulnerabilities, and incident detection and response. It covers core security concepts, asset management, security planning, the NIST Cybersecurity Framework, and the incident response lifecycle. Key topics include risk assessment, vulnerability management, attack surfaces, and the importance of documentation in incident investigation.

Here are comprehensive notes for the provided sources, drawing on the information presented in the transcripts:

1. Cybersecurity Assets, Network Threats & Vulnerabilities | Google Cybersecurity Certificate

This course focuses on the protection of valuable assets from harm through a combination of people, processes, and tools. It introduces asset security, security systems and controls, common vulnerabilities, network threats, and the threat modeling process. The field of security is described as interdisciplinary, where diverse backgrounds and perspectives are considered assets.

I. Core Security Concepts

• Assets: Any item perceived as having value to an organization, such as equipment, data, and intellectual property.

• Threats: Any circumstance or event that can negatively impact assets.

• Vulnerabilities: A weakness that can be exploited by a threat. Both a vulnerability and a threat must be present for a risk to exist.

• Risk: Anything that can impact the confidentiality, integrity, or availability (CIA triad) of an asset. Security plans are developed based on an analysis of assets, threats, and vulnerabilities. Organizations measure security risk by analyzing how these elements affect the CIA triad of their information and systems.

II. Asset Management

• Definition: The process of tracking assets and the risks that affect them. A fundamental truth in security is that "you can only protect the things you account for".

• Asset Inventory: A catalog of assets that need to be protected. This is essential for protecting organizational assets and helps in allocating resources effectively.

• Asset Classification: The practice of labeling assets based on their sensitivity and importance to an organization. Common schemes include:

  o Public: Can be shared with anyone.

  o Internal-only: Can be shared within the organization but not outside.

  o Confidential: Only accessible by those working on a specific project.

  o Restricted: Highly sensitive, considered "need-to-know" (e.g., intellectual property, health, or payment information).

  o Classification determines whether an asset can be disclosed, altered, or destroyed.

• Information Security (InfoSec): The practice of keeping data in all states away from unauthorized users. Weak InfoSec can lead to identity theft, financial loss, and reputational damage.

• States of Data: Security teams protect data in three different states:

  o In use: Data currently being accessed.

  o In transit: Data actively moving (e.g., sending an email).

  o At rest: Data not currently being accessed, typically stored on a physical device. Cloud storage expands the understanding of data "at rest". Understanding these states enables risk analysis and asset management planning.

III. Security Planning & Culture

• Security as a Culture: Security is a shared set of values that spans all levels of an organization, from employees to vendors to customers. Focusing on people leads to the most effective security plans.

• Elements of a Security Plan:

  o Policies: The foundation of every security plan, a set of rules that reduce risks and protect information. They define the "what" and "why" of protection, focusing on strategic scope, objectives, and limitations. An example is an acceptable use policy (AUP).

  o Standards: References that tactically inform how policies are set (e.g., password management standards).

  o Procedures: Step-by-step instructions to perform specific security tasks, ensuring accountability, consistency, and efficiency.

• Compliance: The process of adhering to internal standards and external regulations. It is crucial for maintaining trust, reputation, safety, and data integrity, and for avoiding fines, penalties, and lawsuits, especially in highly regulated industries.

IV. NIST Cybersecurity Framework (CSF)

• The NIST CSF is a voluntary framework consisting of standards, guidelines, and best practices to manage cybersecurity risks. It helps businesses secure information.

• Components:

  o Core: Identifies five broad functions of a security plan, acting as a security checklist:

    - Identify: Managing cybersecurity risk and its effect on an organization's people and assets.

    - Protect: Implementing policies, procedures, training, and tools to mitigate threats.

    - Detect: Identifying potential security incidents and improving monitoring.

    - Respond: Using proper procedures to contain, neutralize, and analyze incidents, and implement improvements.

    - Recover: Returning affected systems back to normal operations.

  o Tiers: Provide a way to measure performance across the five core functions, ranging from Level 1 (Passive/bare minimum) to Level 4 (Adaptive/exemplary standard).

  o Profiles: Offer insight into the current state of a security plan, like "photos capturing a moment in time". Good security practice demonstrates care for people and their information.

V. Security Controls

• Definition: Safeguards designed to reduce specific security risks, protecting assets before, during, and after an event.

• Types:

  o Technical Controls: Technologies used to protect assets (e.g., encryption, authentication systems).

  o Operational Controls: Relate to maintaining the day-to-day security environment, often performed by people (e.g., awareness training, incident response).

  o Managerial Controls: Centered around how other controls reduce risks (e.g., policies, standards, procedures).

• Information Privacy: Protection against unauthorized access to and distribution of data, granting individuals and organizations the right to decide when, how, and to what extent private information about them is shared.

• Principle of Least Privilege: Security controls should limit access based on the user and situation, granting access only for as long as needed to perform a task.

  o Data Owners: Persons who decide who can access, edit, use, or destroy their information.

  o Data Custodians: Anyone or anything responsible for the safe handling, transport, and storage of information.

• Personally Identifiable Information (PII): Any information that can be used to infer an individual's identity (e.g., name, medical/financial information, photos, emails, fingerprints).

• Cryptography: The process of transforming information into a form that unintended readers can't understand.

  o Encryption: Scrambles plaintext into unreadable ciphertext.

  o Decryption: Unscrambles ciphertext back into readable plaintext.

  o Caesar's Cipher: An early cryptographic method, vulnerable to brute force attacks and single key loss.

  o Public Key Infrastructure (PKI): An encryption framework that secures the exchange of information online. It uses a two-step process involving asymmetric and symmetric encryption.

    - Asymmetric Encryption: Uses a public key (to encrypt data for others to see) and a private key (to decrypt data only you can see). Secure but slower.

    - Symmetric Encryption: Uses a single secret key for exchange. Faster but less secure.

    - Digital Certificate: A file that verifies the identity of a public key holder, used to establish trust between computers and networks.

• Hashing: Creates a unique hash value for files or applications, used to prove data integrity and detect even slight changes in input. It assists with non-repudiation.

• Access Controls (AAA Framework): Security controls that manage authentication, authorization, and accounting for access to information.

  o Authentication: Systems that verify who is attempting to access information (e.g., passwords, multi-factor authentication).

  o Authorization: Determines what an authenticated user is allowed to do, linked to the principle of least privilege and separation of duties. Examples include HTTP Basic Auth and OAuth (using API tokens for verification).

  o Accounting: The practice of monitoring system access logs (who, when, what resources). Essential for identifying trends (e.g., failed login attempts), uncovering hackers, and detecting incidents.

VI. Vulnerability Management

• Vulnerability Management Process: The continuous process of finding vulnerabilities and fixing them before they can be exploited.

• Exploit: A way of taking advantage of a vulnerability.

• Zero-Day Exploits: Previously unknown exploits that are happening in real time, leaving assets vulnerable.

• Defense in Depth: A layered defense model used to protect any asset, primarily information in cybersecurity, using a five-layer design. Each layer features security controls:

  o Perimeter Layer: User authentication, filters external access.

  o Network Layer: Network firewalls, aligned with authorization.

  o Endpoint Layer: Devices with network access (laptops, desktops, servers).

  o Application Layer: Software applications.

  o Data Layer: Critical data like PII.

• Common Vulnerabilities and Exposures (CVE) List: An openly accessible dictionary of known vulnerabilities and exposures, used by organizations to improve defenses.

  o Exposure: A mistake that can be exploited by a threat.

  o CVEs are reported by researchers, vendors, and ethical hackers, and undergo a strict review process by CVE Numbering Authorities (CNAs). Criteria for ID assignment include independence, recognized security risk, supporting evidence, and affecting only one codebase.

• NIST National Vulnerability Database (NVD): Reviews CVEs and uses the Common Vulnerability Scoring System (CVSS) to score severity (0-10), helping security teams calculate impact and prioritize patching.

• Vulnerability Assessments: Organizations perform these to identify weak points and prevent attacks, as well as to determine if security controls meet regulatory standards. They typically follow a four-step process:

  o Identification: Using scanning tools and manual testing to find vulnerabilities.

  o Vulnerability Analysis: Investigating identified vulnerabilities to find the source of the problem.

  o Risk Assessment: Assigning a score to each vulnerability based on potential impact and likelihood of exploitation, used for prioritizing resources.

  o Remediation: Addressing vulnerabilities by enforcing new procedures, updating operating systems, or implementing system patches, often a joint effort between security and IT teams.

VII. Attack Surfaces & Attack Vectors

• Attack Surface: All the potential vulnerabilities that a threat actor could exploit. Analyzing it is usually the first step for security teams.

  o Physical Attack Surface: Made up of people and their devices; it can be attacked from both inside (e.g., angry employees) and outside (e.g., business competitors).

  o Security Hardening: The process of strengthening a system to reduce its vulnerabilities and attack surface by minimizing its points of entry. Examples include policies and access controls.

  o Digital Attack Surface: Includes everything beyond an organization's firewall, connecting to an organization online. Cloud computing has expanded this surface significantly.

• Attack Vectors: The pathways attackers use to penetrate security defenses (e.g., social media, USB drives). They can be exploited unintentionally (e.g., employees posting sensitive news) or intentionally (e.g., disgruntled employees sharing confidential information).

• Attacker Mindset: Security professionals adopt this mindset to defend attack vectors. Steps include: identifying a target, determining how the target can be accessed, evaluating exploitability, and finding tools/methods of attack. This provides insight into security controls and vulnerabilities.

  o Defending Attack Vectors: Educating users, applying the principle of least privilege, using the right security controls and tools (e.g., antivirus software), and building a diverse security team.

VIII. Types of Threats

• Social Engineering Tactics: Psychological tricks attackers use to gain unauthorized access. The process typically involves information gathering, establishing a line of communication (often disguised), using persuasion tactics to manipulate the target into revealing information, and then disconnecting to cover tracks.

  o Defense: Implementing managerial controls (policies, standards, procedures), staying informed of trends, and sharing knowledge with others.

  o Phishing Kits: Collections of software tools used to launch phishing campaigns, even by those with little technical background. Common tools include malicious attachments, fake data collection forms, and fraudulent web links.

  o Phishing Forms: The most common is malicious email, but they also include smishing (text messages) and vishing (voice communication exploitation).

• Malware: Software designed to harm devices or networks. Spyware is one type used by cybercriminals to steal sensitive information like login credentials.

• Web-Based Exploits (Injection Attacks):

  o Cross-Site Scripting (XSS): Inserts malicious code into vulnerable websites or web applications, often exploiting HTML and JavaScript to gain access to session cookies, geolocation, webcams, etc. Types include reflected, stored, and DOM-based.

  o SQL Injection: Exploits how websites access information from databases using SQL. Attackers can obtain sensitive information, modify tables, and gain administrative rights. Defense involves writing code that sanitizes input, such as prepared statements.
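The prepared-statement defense mentioned above, shown side by side with the string-concatenation pattern it replaces. This is an added example written for these notes, not code from the course: the users table, its three rows and the inputs are all constructed here, using Python's standard sqlite3 module.

```python
import sqlite3

# Constructed sample data (not from the course): a small users table in an in-memory database.
SAMPLE_USERS = [("alice", "admin"), ("bob", "user"), ("carol", "user")]


def make_db():
    """Create a fresh in-memory SQLite database populated with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable pattern: the untrusted value is concatenated into the SQL text,
    so quote characters in the input change the structure of the query."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, username):
    """Hardened pattern: a prepared (parameterized) statement. The SQL text is fixed
    and the value is bound separately, so the input is only ever treated as data."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run the same input through both lookups and return the two result sets."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_prepared(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves the same way in both versions.
    print(compare("bob"))
    # A constructed input containing a quote: the concatenated query returns every row,
    # while the prepared statement simply finds no user with that literal name.
    print(compare("x' OR '1'='1"))
```

The point to take from the comparison is that the prepared statement does not try to recognise bad input; it never lets input become SQL at all, which is why it is the defense the course recommends rather than ad hoc escaping.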

• Threat Modeling: A process of identifying assets, their vulnerabilities, and how each is exposed to threats. It applies to entire systems, applications, or business processes. It's considered an advanced skill but involves multiple steps.

  o General Steps:

    1. Define scope: Inventory and classify assets.

    2. Identify threats: Define potential threat actors (internal/external) and map them using an attack tree.

    3. Characterize the environment: Apply an attacker mindset to how users interact with the environment.

    4. Analyze threats: Examine existing protections and identify gaps, then rank threats by risk score.

    5. Mitigate risk: Create a plan for defending against threats (avoid, transfer, reduce, or accept risk).

    6. Evaluate findings: Document everything, apply fixes, and note lessons learned.

  o PASTA Framework: A popular seven-stage threat modeling framework (Process for Attack Simulation and Threat Analysis).

    1. Define Business and Security Objectives: Decide on goals, e.g., protecting customer data.

    2. Define the Technical Scope: Identify application components to evaluate (attack surface).

    3. Decompose the Application: Identify existing controls, often by creating a data flow diagram.

    4. Perform a Threat Analysis: Research up-to-date attack information (attacker mindset).

    5. Perform a Vulnerability Analysis: Deeply investigate potential vulnerabilities, considering root causes.

    6. Conduct Attack Modeling: Test vulnerabilities by simulating attacks (e.g., creating an attack tree).

    7. Analyze Risk and Impact: Assemble all information to make informed risk management recommendations to stakeholders.

2. Cybersecurity IDR: Incident Detection & Response | Google Cybersecurity Certificate

This course focuses on incident detection, analysis, and response, and applying these concepts using practical tools.

I. Incident Response Lifecycle (NIST)

• Framework: Provides a standardized approach to incident response. This course specifically focuses on the Detect, Respond, and Recover functions of the NIST Cybersecurity Framework (CSF).

• Phases of the NIST Incident Response Lifecycle:

  1. Preparation: Activities to prepare for incidents.

  2. Detection and Analysis: Discovering and investigating incidents.

  3. Containment, Eradication, and Recovery: Actions to mitigate and resolve incidents.

  4. Post-Incident Activity: Reviewing and improving processes.

• Cyclical Nature: The incident lifecycle is not linear; steps can overlap as new discoveries are made.

• Incident Definition: According to NIST, an incident is an occurrence that "actually or imminently jeopardizes, without lawful authority, the confidentiality, integrity, or availability of information or an information system or constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable-use policies".

  o Event vs. Incident: All security incidents are events, but not all events are security incidents. An event is an observable occurrence on a network, system, or device (e.g., a user forgetting their password).
II. Incident Investigation & Documentation

• Incident Investigation: Reveals the "five Ws" of an incident: Who, What, When, Where, and Why.

• Importance of Documentation:

  o Reduces uncertainty and confusion, especially during high-tension security incidents.

  o Provides transparency, acting as a source of evidence for insurance claims, regulatory investigations, and legal proceedings.

  o Offers standardization, ensuring consistent guidelines for tasks and workflows.

  o Improves clarity, providing a clear understanding of roles, duties, and how to get tasks done.

  o Supports continuous improvement by identifying gaps in actions.

• Documentation Tools: Word processors (Google Docs, OneNote), ticketing systems (Jira), Google Sheets, audio recorders, cameras, and handwritten notes.

• Types of Documentation:

  o Incident Handler's Journal: A form of documentation used to take notes on incident details (the five Ws) throughout investigations.

  o Playbooks: Manuals that provide detailed, step-by-step instructions for operational actions when an incident occurs. They offer structure and order during chaotic times, reducing guesswork.

    - Types: Non-automated (manual steps), Automated (tasks done by automation), Semi-automated (combines human action with automation).

    - Playbooks are living documents that must be regularly maintained and updated as threats evolve.

  o Chain of Custody: A process of documenting evidence possession and control during the entire incident lifecycle. It's critical for legal proceedings, ensuring transparency and proving evidence integrity. A "broken chain" occurs when there are inconsistencies. Common elements include the evidence description, a custody log (names, dates, purpose), and cryptographic hashes to detect tampering.
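How the three chain-of-custody elements above (evidence description, custody log, cryptographic hash) fit together, and how the hash is what actually detects a "broken chain". This is an added example for these notes, not course material: the CustodyRecord structure, the evidence bytes, the analyst names and the timestamps are all constructed for the demonstration; the hash is SHA-256 from Python's hashlib.

```python
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash of the evidence bytes; any change to the input changes this value."""
    return hashlib.sha256(data).hexdigest()


class CustodyRecord:
    """Chain-of-custody record for one evidence item (a hypothetical structure built for
    this example): an evidence description, the hash taken at acquisition, and a custody
    log with one entry per handover (custodian, timestamp, purpose, hash observed then)."""

    def __init__(self, description: str, evidence: bytes):
        self.description = description
        self.original_hash = sha256_hex(evidence)
        self.log = []

    def transfer(self, custodian: str, purpose: str, evidence: bytes, when: str = "") -> bool:
        """Log a handover and return whether the evidence still matches the acquisition hash."""
        when = when or datetime.now(timezone.utc).isoformat()
        observed = sha256_hex(evidence)
        self.log.append({"custodian": custodian, "time": when, "purpose": purpose, "hash": observed})
        return observed == self.original_hash

    def is_intact(self) -> bool:
        """True only if every logged handover saw the same hash as acquisition."""
        return all(entry["hash"] == self.original_hash for entry in self.log)

    def first_break(self):
        """Index of the first log entry whose hash differs, or None if the chain is unbroken."""
        for i, entry in enumerate(self.log):
            if entry["hash"] != self.original_hash:
                return i
        return None


def demo():
    """Walk a constructed evidence item through three handovers; the third one is tampered."""
    evidence = b"constructed sample: auth.log excerpt from workstation WS-042\n"
    record = CustodyRecord("auth.log excerpt, workstation WS-042 (constructed example)", evidence)
    ok_acquire = record.transfer("Analyst A", "acquisition", evidence, "2024-01-01T10:00:00+00:00")
    ok_analysis = record.transfer("Analyst B", "malware analysis", evidence, "2024-01-01T12:00:00+00:00")
    tampered = evidence + b"an extra line appended after acquisition\n"
    ok_legal = record.transfer("Analyst C", "legal review", tampered, "2024-01-02T09:00:00+00:00")
    return {
        "handovers_ok": (ok_acquire, ok_analysis, ok_legal),
        "chain_intact": record.is_intact(),
        "broken_at": record.first_break(),
    }


if __name__ == "__main__":
    print(demo())
```

Because every handover re-hashes the evidence and records the result next to the custodian and purpose, the log shows not just that the chain broke but at which handover, which is the information a legal proceeding will ask for.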

  o Final Report: Comprehensive documentation providing a review of an incident, including a timeline and recommendations for future prevention. Used as a reference in lessons learned meetings.

III. Incident Response Teams

• Computer Security Incident Response Teams (CSIRTs): Specialized groups of security professionals trained in incident management and response.

  o Goals: Effectively and efficiently manage incidents, provide services and resources for response and recovery, and prevent future incidents.

  o Cross-functional Collaboration: CSIRTs work with other departments (e.g., legal, public relations) to share information and coordinate efforts, especially for regulatory compliance and public disclosure.

  o Roles:

    - Security Analyst: Investigates security alerts to determine if an incident has occurred.

    - Technical Lead: Provides technical guidance.

    - Incident Manager: Oversees the response process, ensuring procedures are followed.

    - Communications Lead: Manages internal and external communications.

  o CSIRTs can also be known as Incident Handling Teams (IHT) or Security Incident Response Teams (SIRT).

• Incident Response Plans: Formal documents outlining procedures for responding to incidents, tailored to an organization's unique requirements (mission, size, culture, industry, structure). They include step-by-step procedures, system information (network diagrams, asset inventory), and contact lists. Plans must be regularly reviewed and tested through exercises like tabletops or simulations.

IV. Detection & Management Tools

• Detection Tools:

  o Intrusion Detection System (IDS): An application that monitors activity and alerts on possible intrusions.

    - Host-based IDS: Monitors activity of the host it's installed on (e.g., laptop, server).

    - Network-based IDS: Collects and analyzes network traffic at specific points in the network.

    - Both log detected information as IDS logs and generate alerts.

  o Intrusion Prevention System (IPS): Monitors activity and blocks threats.

  o Popular Tools (often combine IDS/IPS functions): Snort, Zeek, Kismet, Sagan, Suricata.

  o IDS Signatures: Detection rules that specify the types of network intrusions an IDS should detect. They consist of:

    - Action: Determines what the IDS does if rule criteria are met (e.g., alert, pass, reject).

    - Header: Defines the signature's network traffic (source/destination IPs, ports, protocols, direction).

    - Rule Options: Customize signatures with additional parameters (e.g., msg for alert text, sid for unique ID, rev for revision, content to inspect packet content).
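To make the action / header / options split concrete, here is a small evaluator for rules written in the Snort-style layout the notes describe, run over a few packets. It is an added example, not code from the course or from Snort/Suricata: the two rules and three packets are constructed for the demonstration, and the parser is deliberately simplified (one content match, no negation, port ranges or variables, and no ';' inside quoted values), which is an assumption rather than the real rule grammar.

```python
import ipaddress
import re

# Snort/Suricata-style layout: ACTION PROTO SRC SPORT DIRECTION DST DPORT (option; option; ...)
# Simplified for this example (assumption, not the full grammar): a single content match,
# no negation, port ranges or variables, and no ';' inside quoted option values.
RULE_RE = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$"
)


def parse_rule(text):
    """Split one rule into its action, header fields and option dictionary."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for part in opts.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            options[key.strip()] = value.strip().strip('"')
    header = {"proto": proto.lower(), "src": src, "sport": sport,
              "direction": direction, "dst": dst, "dport": dport}
    return {"action": action.lower(), "header": header, "options": options}


def _addr_match(spec, ip):
    # "any" matches everything; otherwise a single address or a CIDR block.
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def _endpoints_match(h, src, sport, dst, dport):
    return (_addr_match(h["src"], src) and _port_match(h["sport"], sport)
            and _addr_match(h["dst"], dst) and _port_match(h["dport"], dport))


def rule_matches(rule, pkt):
    """Header check (protocol, endpoints, direction), then the content option on the payload."""
    h = rule["header"]
    if h["proto"] != pkt["proto"]:
        return False
    forward = _endpoints_match(h, pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
    reverse = h["direction"] == "<>" and _endpoints_match(h, pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if not (forward or reverse):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]


def evaluate(rule_texts, packets):
    """Return (sid, msg) for every alert-action rule that fires, in packet order."""
    rules = [parse_rule(t) for t in rule_texts]
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append((rule["options"]["sid"], rule["options"]["msg"]))
    return alerts


# Constructed rules and packets for the demonstration (not real signatures or captured traffic).
SAMPLE_RULES = [
    'alert tcp any any -> 10.0.0.0/8 80 (msg:"Constructed: suspicious User-Agent"; content:"evilbot"; sid:1000001; rev:1;)',
    'alert udp any any -> any 53 (msg:"Constructed: long DNS label"; content:"xxxxxxxxxxxxxxxx"; sid:1000002; rev:2;)',
]
SAMPLE_PACKETS = [
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51515, "dst": "10.1.2.3", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: evilbot/1.0\r\n\r\n"},
    {"proto": "tcp", "src": "203.0.113.7", "sport": 51516, "dst": "10.1.2.3", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n\r\n"},
    {"proto": "udp", "src": "10.1.2.3", "sport": 40000, "dst": "192.0.2.53", "dport": 53,
     "payload": b"\x00\x01" + b"x" * 20 + b"\x03com\x00"},
]

if __name__ == "__main__":
    for sid, msg in evaluate(SAMPLE_RULES, SAMPLE_PACKETS):
        print(sid, msg)
```

The second packet shows why the header alone is not a signature: it matches the first rule's header exactly but carries no matching content, so no alert fires. The sid/rev pair is what a SIEM later uses to tell which version of which rule produced an alert.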

• Security Information and Event Management (SIEM): A tool that collects and analyzes log data from various sources (IDS, IPS, databases, firewalls, applications) to monitor critical activities and provide a high-level overview of network events.

  o Process:

    1. Collect and Aggregate Data: Gathers logs from diverse sources and centralizes them.

    2. Normalize Data: Cleans up raw data, removes non-essential attributes, and creates consistency in log records.

    3. Analyze Data: Processed data is analyzed against configured rules to detect and categorize security incidents as alerts.

  o Tools: Splunk (data analysis platform; offers Enterprise Security for SIEM solutions, with self-hosted and cloud-hosted versions) and Chronicle (Google Cloud's cloud-native SIEM).

  o Searching: SIEMs allow searching and filtering of log data using queries. Splunk uses Search Processing Language (SPL). Chronicle uses the YARA-L language and Unified Data Model (UDM) search.

  o SIEM Dashboards: Visual representations (charts, graphs, tables) of security-related data, providing quick and clear insights into an organization's security posture and metrics.

• Security Orchestration, Automation and Response (SOAR): A collection of applications, tools, and workflows that uses automation to respond to security events. SOAR automates analysis and response to incidents and can track/manage cases. It can be configured to automate playbooks.

V. Network Monitoring & Analysis

• Network Monitoring: Involves observing network activity to identify potential malicious activity, such as data exfiltration.

• Network Traffic: The amount of data that moves across a network.

• Network Data: The data that's transmitted between devices on a network.

• Packet Sniffers (Network Protocol Analyzers): Tools designed to capture and analyze data traffic within a network (e.g., tcpdump and Wireshark).

  o Packet Capture (P-cap): A file containing data packets intercepted from an interface or network, incredibly useful during incident investigation to build a storyline of events.

  o Packet Analysis: The process of interpreting and understanding network communications captured in packets. It involves filtering network traffic to gather relevant information efficiently.

  o Packet Components:

    - Header: Includes delivery information like network protocol, port, sender/receiver IP addresses, version, type of service, time to live, and fragmentation details.

    - Payload: Contains the actual data being delivered.

    - Footer: Signifies the end of a packet.
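The header fields listed above (version, type of service, time to live, protocol, sender/receiver addresses, fragmentation details) can be read straight out of the 20-byte IPv4 header with Python's struct module. This is an added example for these notes, not course code or a tcpdump/Wireshark internal: the packet is constructed in the block itself (with a builder that computes a valid RFC 791 checksum) so that the parser can be run offline, and the corrupt_ttl helper exists only to show the checksum catching a modified header.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte IPv4 header, network byte order
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234,
                      dont_fragment=True, more_fragments=False, frag_offset=0):
    """Build a 20-byte header with a correct checksum (used here only to construct samples)."""
    ver_ihl = (4 << 4) | 5                       # version 4, header length 5 words = 20 bytes
    flags = (2 if dont_fragment else 0) | (1 if more_fragments else 0)
    flags_frag = (flags << 13) | (frag_offset // 8)
    hdr = struct.pack(IPV4_FMT, ver_ihl, 0, 20 + payload_len, ident, flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the header fields named in the notes and verify the checksum."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack(IPV4_FMT, data[:20])
    version = ver_ihl >> 4
    header_len = (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(data) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_frag >> 13
    return {
        "version": version,
        "header_len": header_len,
        "type_of_service": tos,
        "total_len": total_len,
        "id": ident,
        "dont_fragment": bool(flags & 0b010),
        "more_fragments": bool(flags & 0b001),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # the field is stored in 8-byte units
        "ttl": ttl,
        "protocol": proto,
        "protocol_name": PROTOCOL_NAMES.get(proto, "other"),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum": checksum,
        # Summing a header that includes its own checksum must come out to zero.
        "checksum_ok": ipv4_checksum(data[:header_len]) == 0,
        "payload": data[header_len:total_len],
    }


# Constructed sample packet (not captured traffic): TCP from 192.0.2.10 to 198.51.100.20.
SAMPLE_PAYLOAD = b"constructed!"
SAMPLE_PACKET = build_ipv4_header("192.0.2.10", "198.51.100.20", len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD


def corrupt_ttl(packet: bytes) -> bytes:
    """Flip the TTL byte (offset 8) to show that the checksum catches a modified header."""
    return packet[:8] + bytes([packet[8] ^ 0xFF]) + packet[9:]


if __name__ == "__main__":
    print(parse_ipv4_header(SAMPLE_PACKET))
    print("tampered checksum ok:", parse_ipv4_header(corrupt_ttl(SAMPLE_PACKET))["checksum_ok"])
```

During packet analysis the same decode is what a protocol analyzer does before it can filter on a field such as the destination address or the TTL; a failing checksum is itself worth noticing in a capture, since it usually means the bytes were altered or damaged somewhere between sender and sensor.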

• Logs: Records of events occurring within an organization's systems, providing visibility into the environment and crucial details for incident investigation.

  o Log Analysis: The process of examining logs to identify events of interest.

  o Log Forwarders: Software that collects logs from various sources and forwards them to a centralized repository.

  o Log Sources: Include network logs (proxies, routers, firewalls), system logs (operating systems), application logs (software), security logs (IDS/IPS), and authentication logs.

  o Log Formats: Logs come in different formats, some human-readable, some machine-readable (e.g., syslog, JSON, XML, CSV).

• Telemetry: The collection and transmission of data for analysis; while logs record events, telemetry describes the data itself (e.g., packet captures are network telemetry).
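The following pulls together three passages from these notes: the Accounting bullet in the security controls section (spotting trends such as failed login attempts), the three-step SIEM process (collect, normalize, analyze), and the log formats listed just above. It is an added example, not course code and not Splunk SPL or Chronicle YARA-L: authentication logs in two formats (syslog-style sshd lines and JSON lines) are constructed in the block, normalized to one record shape, and then analyzed with a single rule. The year supplied for the syslog lines and the threshold/window values are assumptions chosen for the demonstration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample logs (not real data): syslog-style sshd lines and JSON application lines.
RAW_LOGS = [
    "Jan 10 09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4022 ssh2",
    "Jan 10 09:00:03 web01 sshd[1201]: Failed password for root from 203.0.113.5 port 4023 ssh2",
    '{"ts": "2024-01-10T09:00:05Z", "host": "app01", "event": "login", "result": "failure", "user": "admin", "src_ip": "203.0.113.5"}',
    "Jan 10 09:00:07 web01 sshd[1203]: Accepted password for alice from 192.0.2.8 port 5001 ssh2",
    '{"ts": "2024-01-10T09:00:09Z", "host": "app01", "event": "login", "result": "failure", "user": "bob", "src_ip": "203.0.113.5"}',
    '{"ts": "2024-01-10T09:00:11Z", "host": "app01", "event": "login", "result": "success", "user": "bob", "src_ip": "192.0.2.9"}',
    "Jan 10 09:30:00 web01 sshd[1300]: Failed password for bob from 198.51.100.9 port 6000 ssh2",
    "this line is deliberately unparseable",
]

SYSLOG_YEAR = 2024   # assumption: classic syslog lines carry no year, so one is supplied here
SSHD_RE = re.compile(
    r"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+sshd\[\d+\]:\s+"
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def normalize(lines):
    """SIEM step 2: map each raw line onto one common record shape, keeping only the
    fields the rule needs (time, host, user, src_ip, outcome, source format).
    Returns (events, number_of_lines_dropped)."""
    events, dropped = [], 0
    for line in lines:
        line = line.strip()
        if line.startswith("{"):
            rec = json.loads(line)
            if rec.get("event") != "login":
                dropped += 1
                continue
            events.append({
                "time": datetime.fromisoformat(rec["ts"].replace("Z", "+00:00")),
                "host": rec["host"], "user": rec["user"], "src_ip": rec["src_ip"],
                "outcome": rec["result"], "source": "json",
            })
            continue
        m = SSHD_RE.match(line)
        if not m:
            dropped += 1
            continue
        stamp, host, verdict, user, src_ip = m.groups()
        events.append({
            "time": datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc),
            "host": host, "user": user, "src_ip": src_ip,
            "outcome": "failure" if verdict == "Failed" else "success", "source": "syslog",
        })
    return events, dropped


def detect_failed_login_bursts(events, threshold=3, window_seconds=60):
    """SIEM step 3: one rule over the normalized records. Alert on any source IP with at
    least `threshold` failed logins inside a sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        start, peak = 0, 0
        for end in range(len(fails)):
            while (fails[end]["time"] - fails[start]["time"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "src_ip": ip,
                "failed_logins_in_window": peak,
                "users": sorted({e["user"] for e in fails}),
                "hosts": sorted({e["host"] for e in fails}),
            })
    return alerts


if __name__ == "__main__":
    events, dropped = normalize(RAW_LOGS)
    print(f"{len(events)} events normalized, {dropped} line(s) dropped")
    for alert in detect_failed_login_bursts(events):
        print(alert)
```

Normalization is what makes the rule possible: the same source address appears in two log formats on two hosts, and only after both are mapped to the same src_ip/outcome fields can the analysis step count them together. The single failure from the other address stays below the threshold and produces no alert, which is the trend-versus-noise distinction the Accounting bullet is about.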

VI. Incident Response Phases in Practice

• Detection and Analysis: The prompt discovery and investigation of security events. Involves examining indicators of compromise (IOCs) to validate alerts. Challenges include the impossibility of detecting everything and high alert volumes (often from misconfigurations or new vulnerabilities).

• Containment: Limiting and preventing additional damage caused by an incident (e.g., isolating an affected system to prevent malware spread).

• Eradication: Complete removal of incident elements from all affected systems (e.g., performing vulnerability tests, applying patches).

• Recovery: Returning affected systems back to normal operations (e.g., reimaging systems, resetting passwords, adjusting network configurations).

• Post-Incident Activity: Reviewing an incident to identify areas for improvement during handling. Includes creating a final report and holding lessons learned meetings to discuss what happened, actions taken, and how to improve future responses. The focus is on learning and improvement, not blaming.

3. Cybersecurity for Beginners | Google Cybersecurity Certificate

This course introduces the fundamental concepts of cybersecurity, the role of a security analyst, historical attacks, security domains, frameworks, controls, ethics, and common tools and programming languages.

I. Introduction to Cybersecurity

• Instructor: Toni.

• Cybersecurity Definition: The practice of ensuring confidentiality, integrity, and availability (CIA triad) of information by protecting networks, devices, people, and data from unauthorized access or criminal exploitation.

• Threat Actor: Any person or group who presents a security risk.

• Benefits of Implementing Security:

  o Mitigates (reduces the impact of) threats.

  o Ensures regulatory compliance (laws and guidelines) to avoid fines and audits, upholding ethical obligations.

  o Maintains and improves business productivity and business continuity (the ability to do jobs even during incidents).

  o Reduces expenses associated with risk (e.g., data loss, downtime).

  o Maintains brand trust and reputation.

II. Role of a Security Analyst

• Core Traits: Curiosity and excitement.

• Responsibilities:

  o Monitoring and protecting information and systems.

  o Protecting computer and network systems: Monitoring internal networks, being the first to respond to detected threats, and participating in exercises like penetration testing or ethical hacking to identify vulnerabilities.

  o Preventing threats: Working with IT teams to install prevention software, supporting product security by setting up appropriate processes and systems during software/hardware development.

  o Conducting periodic security audits: Reviewing security records, activities, and documents to ensure confidentiality of information.

• Core Skills:

  o Transferable Skills: Collaboration, analyzing complex scenarios, problem-solving, intellectual curiosity, motivation to keep learning.

  o Technical Skills: Familiarity with Security Information and Event Management (SIEM) tools, computer forensics (identifying, analyzing, preserving digital evidence), Python, and SQL.

III. Historical Security Attacks

• Computer Virus: Malicious code interfering with operations, causing damage, and spreading.

• Worm: A type of computer virus that can duplicate and spread on its own.

• Malware: Software designed to harm devices or networks (modern term for viruses/worms).

• Brain Virus (1986): Intended to track pirated software, but unexpectedly spread globally via infected disks, slowing productivity and impacting business operations. Emphasized the need for security and productivity plans.

• Morris Worm (1988): Designed to assess internet size, but uncontrollably reinstalled itself, crashing ~6,000 computers. Cost millions and led to the establishment of Computer Emergency Response Teams (CERTs).

• LoveLetter (early 2000s): Malware disguised as a "love letter" email, exploiting social engineering to spread. Increased understanding of social engineering attacks.

• Equifax Breach (2017): One of the largest data breaches, stealing PII of over 143 million customers due to multiple security failures.

IV. Security Domains (CISSP)

• CISSP (Certified Information Systems Security Professional) defines eight domains to organize the work of security professionals. Gaps in one domain can negatively affect the entire organization.

  1. Security and Risk Management: Defining security goals, risk mitigation, compliance, business continuity, and legal aspects (e.g., updating policies for GDPR).

  2. Asset Security: Securing digital and physical assets, including storage, maintenance, retention, and destruction of data.

  3. Security Architecture and Engineering: Optimizing data security through effective tools, systems, and processes (e.g., configuring firewalls). Emphasizes shared responsibility in lowering risk.

  4. Communication and Network Security: Managing and securing physical networks and wireless communications (e.g., creating network policies for unsecured Wi-Fi).

  5. Identity and Access Management (IAM): Ensuring users follow policies to control and manage physical and logical assets, validating identities, and documenting access roles (e.g., setting up keycard access). The goal is to reduce overall risk.

  6. Security Assessment and Testing: Conducting security control testing, data collection/analysis, and security audits to monitor for risks, threats, and vulnerabilities (e.g., auditing user permissions to payroll data).

  7. Security Operations: Conducting investigations and implementing preventative measures (e.g., responding to alerts about unknown devices, digital forensic investigations).

  8. Software Development Security: Using secure coding practices and incorporating security reviews into the Software Development Lifecycle (SDLC).

V. Frameworks, Controls, and Ethics

• Security Frameworks: Guidelines for building plans to mitigate risk and threats to data and privacy. They provide a structured approach to a continuously evolving security lifecycle.

  o Purpose: Protect PII/financial information, identify weaknesses, manage risks, and align security with business goals.

  o Core Components: Identifying/documenting security goals, setting guidelines, implementing strong security processes, and monitoring/communicating results.

• Security Controls: Safeguards designed to reduce specific security risks. Examples include security keys for multi-factor authentication (MFA) and privacy training. Other types include encryption, authentication, and authorization.

• CIA Triad (Confidentiality, Integrity, Availability): A foundational model that helps organizations consider risk when setting up systems and security policies.

  o Confidentiality: Only authorized users can access specific assets or data (e.g., strict access controls).

  o Integrity: Data is correct, authentic, and reliable (e.g., using encryption to safeguard data from tampering).

  o Availability: Data is accessible to those who are authorized to access it (e.g., systems functioning properly for timely access).

• NIST Cybersecurity Framework (CSF): A voluntary framework for managing cybersecurity risk with five core functions (Identify, Protect, Detect, Respond, Recover).

• NIST Special Publication (SP) 800-53: Provides a unified framework for protecting information systems within the U.S. federal government.

• Security Ethics: Guidelines for making appropriate decisions as a security professional, emphasizing respect for privilege and avoiding abuse of access. Key ethical principles include:

  o Confidentiality: Handling proprietary or private information appropriately.

  o Privacy Protections: Adhering to policies and procedures regarding sharing of personal information.

  o Laws: Following legal rules enforced by governing entities, especially concerning sensitive data.

VI. Common Tools and Programming Languages

 Tools and programming languages enhance efficiency by automating tasks.

 Logs: Records of events occurring within an organization's systems, helping identify vulnerabilities and potential breaches.

 Security Information and Event Management (SIEM) Tools: Applications that collect and analyze log data to monitor critical activities, provide real-time visibility, and generate alerts.

o Examples: Splunk (data analysis platform, self-hosted) and Google's Chronicle (cloud-native SIEM).

 Playbooks: Manuals that provide detailed instructions for operational actions, guiding analysts on how to handle security incidents before, during, and after they occur.

 Network Protocol Analyzer (Packet Sniffer): A tool designed to capture and analyze data traffic within a network.

o Examples: tcpdump and Wireshark.

 Linux: An open-source operating system that relies on a command line interface as the primary user interface. Used for examining logs and other security-related tasks.

 SQL (Structured Query Language): A programming language used to create, interact with, and request information from databases. Useful for filtering through large datasets.

 Python: A programming language used by security professionals to automate repetitive and time-consuming tasks with high accuracy and efficiency, reducing human error.

4. Fundamentals of Python for Cybersecurity | Google Cybersecurity Certificate

This course focuses on foundational Python programming concepts and how they can be used to automate common security tasks. Python helps free up time from repetitive tasks, increases productivity, and reduces human error.

I. Introduction to Python Programming

 Instructor: Ángel.

 Programming: Used to create a specific set of instructions for a computer to execute tasks.

 Python in Security: A general-purpose language primarily used to automate tasks. It's good for automating short, simple tasks like sorting through log files, managing access control lists, analyzing network traffic, and combining separate tasks into one workflow. Python has cross-platform support and a large community that develops Python-based tools.

 Program Structure:

o Comments: Notes programmers make about the intention behind their code, starting with #. They improve code readability.

o print() function: Outputs specified data to the screen.

II. Python Building Blocks

 Data Types: Categories for particular types of data items.

o String: Data consisting of an ordered sequence of characters, written in single or double quotation marks (e.g., "Hello Python"). Can be concatenated with +.

 String Methods: Functions that belong to the string data type, appearing after the string (e.g., .upper() returns uppercase, .lower() returns lowercase, .split() converts a string into a list based on a separator).

 Index: A number assigned to every element in a sequence, indicating its position, starting from 0. Used for accessing individual characters or slicing parts of a string.

o Float: Numerical data with decimal points.

o Integer: Whole number data.

o Boolean: Data that can only be one of two values: True or False. Used in conditional statements.

o List: A data structure consisting of a collection of data in sequential form, enclosed in square brackets [] (e.g., ['username1', 'username2']).

 Lists are mutable, meaning their values can be freely changed, added, or removed (unlike strings).

 Can be concatenated with +.

 Methods include .remove() to delete an element and .append() to add an item to the end of a list.

 Variables: Containers that store data, created through an "assignment" (e.g., device_id = "h32rb17"). Variable names should be relevant to their use.

o Type Error: Occurs from using the wrong data type (e.g., trying to add a number and a string).

 Conditional Statements: Help incorporate logic into programs, allowing different actions based on conditions (e.g., if statements).

 Iterative Statements (Loops): Code that repeatedly executes a set of instructions, automating repetitive tasks.

o for loops: Repeat code for a specified sequence (e.g., iterating through items in a list).

o while loops: Repeat code as long as a condition is true.

III. Writing Effective Python Code

 Functions: Reusable sections of code that can be called upon any number of times in a program. They save time and simplify changes.

o Built-in Functions: Functions that exist within Python and can be called directly (e.g., print(), type(), max(), min()).

o Parameters/Arguments: Information passed into a function. Functions can have specific expected inputs and outputs.

o Return Statements: Allow functions to send information out.

 Modules and Libraries: Collections of usable Python code, functions, and data types that can be imported to add functionality.

o Python Standard Library: An extensive collection of pre-packaged Python code (e.g., re for regular expressions, csv, glob, os, time, datetime).

o External Libraries: Can be downloaded for specific tasks (e.g., Beautiful Soup for HTML parsing, NumPy for numerical computations).

 Code Readability: Guidelines for writing clean and understandable code, promoting consistency among programmers.

o Style Guide: A manual that informs writing, formatting, and design (e.g., PEP 8 for Python, which provides stylistic guidelines related to syntax, comments, and indentation).

o Indentation: Spaces added at the beginning of a line of code, improving readability and ensuring proper execution. PEP 8 recommends four spaces.
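Worked example (added here, not part of the course notes or the course's own code): the building blocks from sections II and III, lists with .append()/.remove(), conditionals, for and while loops, a type check, and functions with parameters and return values, applied to a small access control list. The usernames and device IDs are constructed sample data, and the function names are my own.

```python
"""Added example: maintaining an allow list with Python building blocks.

Constructed data only: the usernames and device IDs below are made up
for the demonstration and do not come from the course.
"""

# An allow list is a list (mutable), so entries can be added and removed.
approved_users = ["elarson", "fgarcia", "tshah", "sgilmore"]


def add_user(allow_list, username):
    """Append a user unless it is already present (no duplicates)."""
    if not isinstance(username, str):
        # Guard against the type error described above: IDs must be strings.
        raise TypeError("username must be a string")
    if username not in allow_list:
        allow_list.append(username)
    return allow_list


def remove_users(allow_list, usernames_to_remove):
    """Remove every listed user that is still on the allow list."""
    for username in usernames_to_remove:
        if username in allow_list:        # .remove() on a missing value raises
            allow_list.remove(username)
    return allow_list


def check_logins(allow_list, login_attempts):
    """Return (allowed, denied) lists for a sequence of login attempts.

    Each attempt is a (username, device_id) tuple. The comparison is
    case-insensitive on the username, so "Tshah" matches "tshah".
    """
    allowed = []
    denied = []
    for username, device_id in login_attempts:      # for loop over a list
        normalized = username.lower()                # string method
        if normalized in allow_list:                 # conditional statement
            allowed.append((normalized, device_id))
        else:
            denied.append((normalized, device_id))
    return allowed, denied


def count_denied(allow_list, login_attempts):
    """Count denied attempts using a while loop and an index."""
    denied_count = 0
    index = 0
    while index < len(login_attempts):
        username = login_attempts[index][0].lower()
        if username not in allow_list:
            denied_count += 1
        index += 1
    return denied_count


if __name__ == "__main__":
    add_user(approved_users, "ebrown")
    remove_users(approved_users, ["tshah", "nobody"])   # "nobody" is ignored
    attempts = [("elarson", "h32rb17"), ("Tshah", "a16b9t4"), ("ebrown", "k91x2m7")]
    allowed, denied = check_logins(approved_users, attempts)
    print("Allowed:", allowed)
    print("Denied:", denied)
    print("Denied count:", count_denied(approved_users, attempts))
```

The guard in add_user shows the practical side of the type-error note above: rejecting a non-string early gives a clear message instead of a confusing failure later when the list is compared against strings.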

IV. Putting Python into Practice

 Algorithms: A set of rules (steps) that take an input, perform tasks, and return a solution as an output. Breaking down problems into smaller parts is recommended for designing algorithms.

 Regular Expressions (Regex): A sequence of characters that forms a pattern, used for efficiently searching within strings or log files for specific patterns (e.g., IP addresses, email addresses). The re module is used for this.

 File Handling:

o Opening and Reading Files: Using the with statement (handles errors, manages external resources, automatically closes files) and the open() function. The .read() method converts file contents into a string.

o Parsing Files: The process of converting data into a more readable format, often using the .split() method to convert a string into a list based on a specified character or whitespace.
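Worked example (added here, not from the course): the regex and file-handling items above combined into one small log review that opens a file with `with`, splits it into lines and fields, extracts IPv4 addresses with `re`, and counts failed logins per source. The log lines are constructed, the IPv4 pattern and the threshold of three failures are my own choices, and the helper names are not from the course.

```python
"""Added example: reviewing a login log with `with open()`, `.split()`, and `re`."""
import re
import tempfile

# Constructed sample log (not output from a real system): one event per line.
SAMPLE_LOG = """\
2024-05-01 08:12:03 login_failure user=elarson ip=192.168.1.24
2024-05-01 08:12:09 login_failure user=elarson ip=192.168.1.24
2024-05-01 08:12:15 login_success user=elarson ip=192.168.1.24
2024-05-01 08:13:40 login_failure user=admin ip=203.0.113.77
2024-05-01 08:13:41 login_failure user=admin ip=203.0.113.77
2024-05-01 08:13:42 login_failure user=admin ip=203.0.113.77
2024-05-01 08:13:43 login_failure user=root ip=203.0.113.77
malformed line without an address
"""

# IPv4 address: four groups of 1-3 digits separated by dots.
IPV4_PATTERN = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def write_sample_log():
    """Write the constructed log to a temporary file and return its path."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as tmp:
        tmp.write(SAMPLE_LOG)
        return tmp.name


def read_log(path):
    """Open with `with` so the file is closed automatically; return its lines."""
    with open(path, "r", encoding="utf-8") as log_file:
        contents = log_file.read()          # whole file as one string
    return contents.split("\n")             # list of lines


def parse_event(line):
    """Turn one log line into a dict, or None if it does not fit the format."""
    fields = line.split()                   # split on whitespace
    if len(fields) != 5:
        return None
    date, time, event, user_field, ip_field = fields
    ip_match = IPV4_PATTERN.search(ip_field)
    if ip_match is None:                    # right shape, but no address
        return None
    return {
        "timestamp": f"{date} {time}",
        "event": event,
        "user": user_field.split("=", 1)[1],
        "ip": ip_match.group(0),
    }


def failed_logins_by_ip(lines):
    """Count login_failure events per source IP address."""
    counts = {}
    for line in lines:
        event = parse_event(line)
        if event is None or event["event"] != "login_failure":
            continue
        counts[event["ip"]] = counts.get(event["ip"], 0) + 1
    return counts


def flag_sources(counts, threshold=3):
    """Return the IPs whose failure count reaches the threshold, sorted."""
    return sorted(ip for ip, count in counts.items() if count >= threshold)


def analyze_log_file(path, threshold=3):
    """Full pipeline: read, parse, count, flag."""
    return flag_sources(failed_logins_by_ip(read_log(path)), threshold)


if __name__ == "__main__":
    path = write_sample_log()
    print(failed_logins_by_ip(read_log(path)))
    print("Flagged:", analyze_log_file(path))
```

The malformed last line is deliberate: it has the right number of fields, so the field-count check alone would accept it, and only the regex search rejects it. Real logs are full of such lines, which is why each parsing step returns None instead of raising.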

 Debugging Code: The process of interpreting error messages to make code work correctly.

o Syntax Errors: Result from incorrectly written code that Python can identify.

o Logic Errors: Code runs but produces unintended or incorrect results, often difficult to find. Strategies include using print() statements to trace execution or debuggers with breakpoints to segment and run code sections.

o Exceptions: Occur when the program doesn't know how to execute code, even if the syntax is valid.

5. How To Manage Security Risks & Threats | Google Cybersecurity Certificate

This course focuses on managing security risks and threats, detailing CISSP's eight security domains, NIST's Risk Management Framework (RMF), security audits, and common security tools.

I. Security Domains (CISSP)

 Instructor: Ashley.

 Security Posture: An organization's ability to manage its defense of critical assets and data and react to change.

 Eight Security Domains (revisiting and expanding on the prior course):

1. Security and Risk Management: Focuses on defining security goals/objectives, risk mitigation, compliance, business continuity, and legal regulations. Emphasizes following ethical behavior to minimize negligence, abuse, or fraud.

2. Asset Security: Dedicated to securing digital and physical assets, including their storage, maintenance, retention, and destruction. Knowing what data is held and who has access is crucial for a strong security posture.

3. Security Architecture and Engineering: Aims to optimize data security by ensuring effective tools, systems, and processes are in place. A core concept is shared responsibility, meaning all individuals contribute to lowering risk and maintaining security.

4. Communication and Network Security: Focuses on managing and securing physical networks and wireless communications, protecting data whether on-site, in the cloud, or accessed remotely.

5. Identity and Access Management (IAM): Concentrates on controlling access and authorization to keep data secure, ensuring user access is limited to only what employees need (principle of least privilege).

6. Security Assessment and Testing: Involves conducting security control testing, collecting and analyzing data, and performing security audits to monitor for risks, threats, and vulnerabilities.

7. Security Operations: Focused on conducting investigations and implementing preventative measures, requiring urgency to minimize risks during active attacks. Includes digital forensic investigations to determine incident root cause and improve future measures.

8. Software Development Security: Emphasizes using secure coding practices and integrating security reviews into every phase of the Software Development Lifecycle (SDLC) (e.g., secure design reviews, code reviews, penetration testing).

II. Threats, Risks, and Vulnerabilities

 Threat: Any circumstance or event that can negatively impact assets (e.g., social engineering, like phishing, which manipulates human error to gain private information).

 Risk: The likelihood of a threat occurring, impacting the confidentiality, integrity, or availability of an asset. Risks are rated as low, medium, or high, based on potential harm to reputation, operations, or finances.

 Vulnerability: A weakness that can be exploited by a threat. Examples include outdated software, weak passwords, unprotected confidential data, and even people's actions. Educating employees (e.g., on identifying phishing) is a key security measure.

 Ransomware: A type of malware that encrypts data and demands a ransom for a decryption key, often involving the dark web.

 Three Layers of the Web:

1. Surface Web: Content accessible via a standard web browser (what most people use).

2. Deep Web: Requires authorization to access (e.g., organizational intranets).

3. Dark Web: Only accessible with special software, often preferred by criminals due to secrecy.

 Impacts of Threats, Risks, and Vulnerabilities:

o Financial Impact: Costs from interrupted production, services, remediation, and fines for non-compliance.

o Identity Theft: Sensitive PII (Personally Identifiable Information) can be stolen and sold.

o Damage to Reputation: Compromised services or data can erode customer trust and harm the brand long-term.

III. NIST Risk Management Framework (RMF)

 The NIST RMF provides a structured approach for managing security and privacy risks.

 Seven Steps:

1. Prepare: Activities necessary to manage security/privacy risks before a breach (e.g., monitoring risks, identifying controls).

2. Categorize: Developing risk management processes and tasks by considering the impact on the CIA triad of systems and information.

3. Select: Choosing, customizing, and documenting controls that protect the organization (e.g., maintaining playbooks).

4. Implement: Putting security and privacy plans into action.

5. Assess: Determining if established controls are implemented correctly and effectively, identifying weaknesses, and suggesting changes.

6. Authorize: Being accountable for security and privacy risks, generating reports, and establishing action plans aligned with security goals.

7. Monitor: Continuously assessing and maintaining technical operations to ensure systems meet security goals and minimize risk.

IV. Security Frameworks and Controls in Detail

 Security Frameworks: Guidelines used as a starting point for organizations to create their own security policies and processes, mitigating risks and threats. They can guide both virtual and physical security and are crucial for increasing employee awareness (e.g., phishing training).

 Security Controls: Safeguards designed to reduce specific security risks.

o Encryption: Converts data from a readable format (plaintext) to an encoded, unreadable format (ciphertext) for protection.

o Authentication: The process by which a user proves their identity (e.g., password, MFA).

o Authorization: The concept of granting access to specific resources within a system, verifying a person has permission.

V. OWASP Security Principles

 These principles are useful in conjunction with NIST frameworks and the CIA triad to minimize threats and risks.

o Minimize the Attack Surface Area: Reducing all potential vulnerabilities that a threat actor could exploit (e.g., disabling software features, restricting access, complex passwords).

o Principle of Least Privilege: Ensuring users have the minimum amount of access required to perform their daily tasks, limiting potential damage from a breach.

o Defense in Depth: Implementing multiple security controls that address risks and threats in different ways, creating multiple layers of defense (e.g., MFA, firewalls, IDS, permission settings).

o Separation of Duties: Preventing individuals from carrying out fraudulent or illegal activities by not granting too many privileges to one person (e.g., someone who signs paychecks shouldn't also prepare them).

o Keep Security Simple: Avoiding unnecessarily complicated security solutions that can become unmanageable and hinder collaboration.

o Fix Security Issues Correctly: Identifying the root cause of an incident, correcting identified vulnerabilities, and conducting tests to ensure repairs are successful.

VI. Security Audits

 Internal Security Audits: Help security teams identify organizational risk, assess controls, and correct compliance issues.

 Common Elements:

1. Establishing Scope and Goals: Defining the specific criteria (people, assets, policies, etc.) and security objectives of the audit.

2. Conducting a Risk Assessment: Identifying potential threats, risks, and vulnerabilities to determine necessary security measures.

3. Completing a Controls Assessment: Reviewing existing assets and evaluating potential risks to ensure internal controls and processes are effective. Controls are classified as:

 Administrative Controls: Policies and procedures related to human aspects (e.g., password policies).

 Technical Controls: Hardware and software solutions (e.g., IDS, encryption).

 Physical Controls: Measures to prevent physical access (e.g., surveillance cameras, locks).

4. Assessing Compliance: Determining adherence to necessary compliance regulations (e.g., GDPR, PCI DSS).

5. Communicating Results: Summarizing the audit's scope, goals, risks, and compliance needs, and providing recommendations to stakeholders.

o Audits are opportunities to improve security posture.

VII. Security Tools (Revisited and Detailed)

 Logs: Records of events within an organization's systems and networks, crucial for security analysts to identify vulnerabilities and breaches.

o Common Log Sources: Firewall logs (incoming/outbound traffic), Network logs (devices entering/leaving the network, connections), Server logs (website, email, and file share events such as logins/passwords).

 Security Information and Event Management (SIEM) Tools: Applications that collect, analyze, and store log data from multiple sources in a centralized location. They provide real-time visibility, event monitoring, and automated alerts, increasing efficiency.

o SIEM Dashboards: Visual representations (charts, graphs, tables) of security information, allowing quick identification of patterns and trends. They also display metrics (e.g., response time, availability, failure rate) and can be customized for different stakeholders.

o Types of SIEM Tools: Self-hosted (organization maintains infrastructure), Cloud-hosted (vendor manages), Hybrid (combination).

o Examples: Splunk Enterprise (self-hosted), Splunk Cloud (cloud-hosted), Google's Chronicle (cloud-native, takes full advantage of cloud computing).

VIII. Playbooks and Incident Response Phases

 Playbooks: Manuals detailing operational actions and tools for security incidents, ensuring consistency, urgency, efficiency, and accuracy in response. Different types exist for various attacks (ransomware, malware, DDoS).

 Six Phases of an Incident Response Playbook:

1. Preparation: Documenting procedures, staffing plans, and user education to mitigate likelihood, risk, and impact.

2. Detection and Analysis: Detecting and analyzing events using defined processes and technology to determine if a breach occurred and its magnitude.

3. Containment: Preventing further damage and reducing the immediate impact of an incident by taking actions to contain it.

4. Eradication and Recovery: The complete removal of incident artifacts and restoring the affected environment to a secure state (IT restoration).

5. Post Incident Activity: Documenting the incident, informing leadership, and applying lessons learned (e.g., root cause analysis, implementing updates) to enhance overall security posture for future incidents.

6. Coordination: Reporting incidents and sharing information throughout the process based on established standards, ensuring compliance and coordinated response.

 Playbooks and SIEM Integration: SIEM tools detect threats and generate alerts, which then inform the security team to use the appropriate playbook to guide the response process. Playbooks are "living documents" frequently updated based on new threats and lessons learned.

6. How To Prepare For Your Cybersecurity Career | Google Cybersecurity Certificate

This course focuses on practical application of core security concepts, incident escalation, communicating with stakeholders, engaging with the security community, and preparing for cybersecurity jobs.

I. Security Mindset & Data Protection

 Instructors: Dion and Emily.

 Security Mindset: The ability to evaluate risk and constantly seek out and identify potential or actual breaches. It involves staying up-to-date with attack trends, helps analysts defend against constant attacker pressure, and prepares for worst-case scenarios. It is crucial for protecting all levels of assets, from low to high importance.

 Importance of Data Protection: The data protected (e.g., PII, credit card numbers, passwords) affects multiple levels of an organization and its customers, who trust their data will be protected. Handling sensitive data with care and attention to detail is vital.

II. Incident Escalation

 Definition: The process of identifying a potential security incident, triaging it, and, if appropriate, handing it off to a more experienced team member. Not every incident requires escalation.

 Essential Skills for Escalation:

o Attention to detail: Helps quickly identify when something seems wrong.

o Ability to follow escalation guidelines/processes: Crucial for knowing how to properly escalate issues.

 Organizational Structure: Larger organizations have many levels and teams involved in security (CISO, engineering, PR, legal), each with defined roles depending on the incident's nature and scope. Smaller organizations may have fewer security personnel.

 Incident Classification Types:

o Malware Infection: Malicious software (e.g., ransomware) disrupting systems.

o Unauthorized Access: Gaining digital or physical access without permission (e.g., brute force attacks). Urgency of escalation depends on the criticality of the system.

o Improper Usage: Misuse of a system or data by an authorized user.

 Impact of Unescalated Incidents: Even small incidents can escalate into much larger problems, leading to financial loss, operational downtime, and data breaches. Incident criticality (low, medium, high) is determined by the value of the affected asset.

 Escalation Policy: Each organization has its own process outlining who should be notified when an alert occurs and how it should be handled. It's important to understand and bookmark this policy, as challenges can arise (e.g., a supervisor being out of office).

III. Communicating with Stakeholders

 Stakeholders: Individuals or groups with an interest in an organization's decisions or activities. They provide input on security team decisions, as security incidents can affect the entire company's operations.

o Key Stakeholders: Risk Managers (identify risks, manage response, notify legal/PR). CEO (highest-ranking, financial/managerial decisions). CFO (manages financial operations, concerned about incident costs). CISO (high-level executive, develops security architecture, conducts risk analysis/audits, creates plans). Operations Managers (oversee security professionals, first line of defense, daily maintenance).

 Effective Communication Strategies: Communications to stakeholders should be clear, concise, focused, and avoid unnecessary technical terms.

o Security Story: Detail the security challenge, its impact, and possible solutions, supported by data/reports. It should reference established procedures (e.g., incident response playbooks) and suggest solutions.

o Communication Methods: Email, sharing documents, phone calls, incident management/ticketing systems.

o Visuals: Highly effective for conveying impactful data and metrics (e.g., graphs, charts, videos, visual dashboards). An example involves creating a bar chart in Google Sheets to show departments with high phishing email click rates.

o Qualities: Precise, confident, natural tone, normal pace. Follow-up shows initiative.

IV. Preparing for a Cybersecurity Career

 Engaging with the Security Community:

o Reliable Resources: Websites and blogs like CSO Online, Krebs on Security, and Dark Reading help stay updated on security news and trends.

o Social Media: LinkedIn is useful for connecting with professionals, following industry leaders (e.g., CISOs), and finding security-related events and groups.

o Professional Organizations: Joining cybersecurity associations for networking and learning.

 Finding and Applying for Jobs:

o Job sites such as Monster Jobs. Research the company, job role, and required/preferred skills before applying.

o Resume (Curriculum Vitae/CV): Should be tailored to the job.

 Content: Highlight skills and concepts learned in the certificate program (e.g., Python, SQL, Linux command line, security mindset, NIST CSF, CIA triad, SIEM tools, packet sniffers). Include transferable skills (detail-oriented, collaborative, communication) from previous experience.

 Structure: Name, professional title, contact info, brief summary statement, bulleted skills section, work history (start bullets with verbs, quantify accomplishments), education and certifications.

 Tips: No spelling/grammar errors, typically ~2 pages, list the last 10 years of experience or less. Use templates.

o Interview Preparation:

 Pre-interview Research: Understand the company's mission/values, the employer's needs, and how your skills can add value. Prepare questions for the interviewer.

 Building Rapport: Professional, polite, and friendly communication from the first interaction. Express appreciation.

 STAR Method (Situation, Task, Action, Result): A technique to answer behavioral and situational interview questions thoughtfully.

 Elevator Pitch: A short, persuasive summary explaining who you are, why you care about security, and your relevant qualifications/skills. Highlight transferable and technical skills. Practice but avoid sounding robotic, and speak at a normal pace. Take deep breaths and deliver with confidence.

7. Internet Networks & Network Security | Google Cybersecurity Certificate

This course delves into the basic structure and function of networks,
commonly used network tools and protocols, and methods for securing
networks against attacks through security hardening practices.

I. Network Structure and Devices

 Instructor: Chris Roosenraad.

 Network Definition: A group of connected devices that communicate with each other over network cables or wireless connections. Devices use unique IP and MAC addresses to locate each other.

 Network Types:

o Local Area Network (LAN): Spans a small geographical area (e.g., office, home) and connects to the internet.

o Wide Area Network (WAN): Spans a large geographical area (e.g., city, state, country), with the internet being a large WAN.

 Common Network Devices:

o Hub: Broadcasts information to every device on the network.

o Switch: Makes connections between specific devices, passing data only to the intended destination, making it more secure and improving network performance compared to a hub. It uses a MAC address table to direct data packets.

o Router: Connects multiple networks together and forwards data to the intended network's router.

o Modem: Connects the router to the internet, providing internet access to the LAN.

o Virtualization Tools: Software that performs operations typically handled by physical hubs, switches, routers, or modems, often offered by cloud service providers for cost savings and scalability.

 Data Packets: Data sent across a network is divided into packets, which contain delivery information (where it's going, where it's from) and the message content.

o Components: Header (network protocol, port, source/destination IP), Payload (actual data), and Footer (packet end).
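Worked example (added here, not course material): building a packet with an IPv4 header, TCP source/destination ports, and a payload, then parsing the delivery information (protocol, ports, source/destination IP) back out with the standard library's struct and socket modules. The addresses, ports, and payload are constructed values; the checksum is left at zero and the rest of the TCP header is omitted, so this is a teaching structure, not a valid wire frame.

```python
"""Added example: reading the delivery information in a packet header."""
import socket
import struct

# IPv4 header layout (RFC 791), 20 bytes, network byte order ("!"):
# version/IHL, TOS, total length, identification, flags/fragment offset,
# TTL, protocol, header checksum, source address, destination address.
IPV4_HEADER_FORMAT = "!BBHHHBBH4s4s"
TCP_PORTS_FORMAT = "!HH"      # first 4 bytes of a TCP header: src port, dst port


def build_sample_packet(src_ip, dst_ip, src_port, dst_port, payload):
    """Construct IPv4 header + TCP ports + payload (sample values only).

    The checksum is 0 and the remaining TCP fields are omitted, since the
    point is the delivery information, not a frame a real stack would accept.
    """
    version_ihl = (4 << 4) | 5                      # IPv4, 5 words = 20 bytes
    total_length = 20 + 4 + len(payload)
    ip_header = struct.pack(
        IPV4_HEADER_FORMAT,
        version_ihl, 0, total_length, 0x1234, 0,
        64, socket.IPPROTO_TCP, 0,
        socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
    )
    ports = struct.pack(TCP_PORTS_FORMAT, src_port, dst_port)
    return ip_header + ports + payload


def parse_packet(raw):
    """Return the header fields and the payload from a raw packet."""
    if len(raw) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    (version_ihl, _tos, total_length, _ident, _flags_frag,
     ttl, protocol, _checksum, src, dst) = struct.unpack(IPV4_HEADER_FORMAT, raw[:20])
    version = version_ihl >> 4
    header_len = (version_ihl & 0x0F) * 4           # IHL counts 32-bit words
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version {version})")
    result = {
        "version": version,
        "header_length": header_len,
        "total_length": total_length,
        "ttl": ttl,
        "protocol": protocol,                       # 6 = TCP
        "src_ip": socket.inet_ntoa(src),
        "dst_ip": socket.inet_ntoa(dst),
    }
    transport = raw[header_len:]
    if protocol == socket.IPPROTO_TCP and len(transport) >= 4:
        src_port, dst_port = struct.unpack(TCP_PORTS_FORMAT, transport[:4])
        result["src_port"] = src_port
        result["dst_port"] = dst_port
        result["payload"] = transport[4:]
    else:
        result["payload"] = transport
    return result


if __name__ == "__main__":
    pkt = build_sample_packet("192.168.1.24", "203.0.113.10", 51514, 443, b"GET /")
    for key, value in parse_packet(pkt).items():
        print(f"{key:14} {value}")
```

This is the same split the notes describe: everything before the payload is delivery information a switch, router or firewall can act on without reading the message content, and the header-length field is what tells a parser where the payload starts.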

II. Network Operations and Protocols

 TCP/IP Model: A framework used to visualize how data is organized and transmitted across a network. It has four layers:

1. Network Access Layer: Deals with the creation and transmission of data packets, including hardware devices.

2. Internet Layer: Where IP addresses are used for routing packets.

3. Transport Layer: Handles error control and ensures smooth data flow.

4. Application Layer: Protocols determine how data packets interact with receiving devices (e.g., file transfers, email services).

 Network Protocols: A set of rules used by devices to communicate on a network, describing the order of delivery and data structure.

o Transmission Control Protocol (TCP): Used to establish communication between devices […]

o Wi-Fi: A set of standards defining communications for wireless LANs, adapted to be more secure and reliable over time.

III. Network Security Features

 Firewalls: Network security devices that monitor traffic to and from a network, allowing or blocking it based on defined security rules. They can use port filtering to limit unwanted communication.

o Types: Hardware, software, and cloud-based firewalls.

o Stateful vs. Stateless: Stateful firewalls keep track of information and proactively filter out suspicious traffic, offering greater security than stateless ones.
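Worked example (added here, not course material): a toy model of the port filtering and stateful-versus-stateless distinction above. A stateless rule list judges each packet on its own, so a reply to a connection that an inside host opened is dropped unless a rule explicitly allows it; a stateful firewall records the outbound flow and lets the matching reply through. The rules, addresses, and ports are constructed, packets are plain dicts, and the string-prefix match for src_net stands in for a real CIDR match.

```python
"""Added example: port filtering, stateless vs. stateful (toy model)."""

# Constructed inbound rule set, evaluated first match wins:
# allow HTTPS from anywhere, SSH only from the LAN prefix, deny everything else.
INBOUND_RULES = [
    {"action": "allow", "proto": "tcp", "dst_port": 443},
    {"action": "allow", "proto": "tcp", "dst_port": 22, "src_net": "192.168.1."},
    {"action": "deny"},                      # default deny matches every packet
]


def matches(rule, packet):
    """A rule matches when every field it specifies equals the packet's."""
    for field in ("proto", "dst_port"):
        if field in rule and rule[field] != packet[field]:
            return False
    # Prefix match as a stand-in for CIDR matching (constructed simplification).
    if "src_net" in rule and not packet["src_ip"].startswith(rule["src_net"]):
        return False
    return True


def stateless_decision(rules, packet):
    """Stateless filtering: each packet is judged only against the rules."""
    for rule in rules:
        if matches(rule, packet):
            return rule["action"]
    return "deny"


class StatefulFirewall:
    """Remembers connections opened from inside so reply traffic is allowed
    without an explicit inbound rule."""

    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules
        # Known flows: (inside_ip, inside_port, outside_ip, outside_port)
        self.connections = set()

    def decide(self, packet, direction):
        if direction == "outbound":
            # Record the flow so its answer can come back in.
            self.connections.add(
                (packet["src_ip"], packet["src_port"], packet["dst_ip"], packet["dst_port"])
            )
            return "allow"
        # Inbound: is this the reply half of a flow an inside host started?
        reply_key = (packet["dst_ip"], packet["dst_port"], packet["src_ip"], packet["src_port"])
        if reply_key in self.connections:
            return "allow"
        # Unsolicited inbound traffic falls back to the rule list.
        return stateless_decision(self.inbound_rules, packet)


if __name__ == "__main__":
    outbound = {"proto": "tcp", "src_ip": "192.168.1.24", "src_port": 51514,
                "dst_ip": "203.0.113.10", "dst_port": 443}
    web_reply = {"proto": "tcp", "src_ip": "203.0.113.10", "src_port": 443,
                 "dst_ip": "192.168.1.24", "dst_port": 51514}
    print("stateless:", stateless_decision(INBOUND_RULES, web_reply))
    fw = StatefulFirewall(INBOUND_RULES)
    fw.decide(outbound, "outbound")
    print("stateful :", fw.decide(web_reply, "inbound"))
```

The difference the notes describe shows up in the reply packet: its destination port is the client's ephemeral port, which no inbound rule mentions, so the stateless list denies it while the stateful firewall allows it because it remembers the outbound request.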

 Virtual Private Networks (VPNs): Add security by encrypting personal data in transit and creating an encrypted tunnel between the device and the VPN server, making IP addresses and virtual locations unreadable to malicious actors.

 Security Zones: Network security features that divide a network to maintain privacy and security.

 Proxy Servers: Servers that sit between the internet and the rest of the network, fulfilling client requests by forwarding them to other servers and determining if a connection is safe. They use temporary memory to store regularly requested data, reducing contact with internal servers.

IV. Network Attacks

 Malware: Malicious software that can infiltrate networks and disrupt operations.

 Denial-of-Service (DoS) Attack: Floods a network or server with traffic to disrupt its operations.

 Distributed Denial-of-Service (DDoS) Attack: A DoS attack originating from multiple compromised devices. Examples include ICMP flooding, SYN attacks, and Ping of Death.

 Packet Sniffing (Malicious): Threat actors use software tools to observe or intercept data packets not intended for them, potentially to spy on or alter data.

o Protection: Using encryption (HTTPS, VPNs), avoiding unprotected public Wi-Fi.

 Spoofing: Threat actors disguise themselves as a legitimate source (e.g., IP spoofing, MAC spoofing, email spoofing, caller ID spoofing, GPS spoofing) to gain unauthorized access or manipulate systems.

 Man-in-the-Middle (MITM) Attack (now often called On-Path Attacks): A threat actor places themselves in the middle of an authorized connection to intercept or alter data in transit.

 OS Hardening: Securing the OS, as a compromised OS can affect the entire network.

o Regular Tasks: Patch installation (updates), backups, keeping up-to-date lists of devices and authorized users. New OS updates should be added to the baseline configuration (a documented set of specifications for future builds). Proper hardware/software disposal is also crucial.

o One-time Tasks: Configuring device settings for secure encryption standards. Implementing strong […]. Network segmentation (creating isolated subnets and security zones like restricted zones). Encrypting all network communication using the latest encryption standards.

 Cloud Hardening: Securing cloud networks (servers, data, applications hosted remotely). While cloud service providers have a shared responsibility, organizations must also implement security measures. This includes separating data and applications based on service categories (e.g., older vs. newer applications, internal vs. front-end).
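Worked example (added here, not course material): the baseline configuration idea from the hardening items above, turned into a check that compares a device's current settings against the documented baseline and reports drift, including an unexpected entry in the authorized user list and a setting the baseline never mentioned. The setting names and values are constructed and do not refer to any real product's configuration keys; update_baseline shows the "add the new OS version to the baseline" step.

```python
"""Added example: checking a device against its baseline configuration."""

# Constructed baseline: the documented specification every build must match.
BASELINE = {
    "os_version": "2024.05",
    "auto_updates": True,
    "disk_encryption": "AES-256",
    "firewall_enabled": True,
    "authorized_users": ["elarson", "fgarcia", "tshah"],
}

# Constructed snapshot of one device as found during a review.
CURRENT = {
    "os_version": "2024.03",            # behind the baseline: missing patches
    "auto_updates": True,
    "disk_encryption": "none",          # encryption standard not applied
    "firewall_enabled": True,
    "authorized_users": ["elarson", "fgarcia", "tshah", "guest"],
    "telnet_enabled": True,             # not in the baseline at all
}


def compare_to_baseline(baseline, current):
    """Return findings: wrong values, list drift, and settings outside the baseline."""
    findings = []
    for key, expected in baseline.items():
        if key not in current:
            findings.append(f"missing setting: {key}")
        elif isinstance(expected, list):
            # Lists (e.g., authorized users) are compared as sets in both directions.
            extra = sorted(set(current[key]) - set(expected))
            gone = sorted(set(expected) - set(current[key]))
            if extra:
                findings.append(f"{key}: unexpected entries {extra}")
            if gone:
                findings.append(f"{key}: missing entries {gone}")
        elif current[key] != expected:
            findings.append(f"{key}: expected {expected!r}, found {current[key]!r}")
    # Anything configured that the baseline does not document is itself a finding.
    for key in sorted(set(current) - set(baseline)):
        findings.append(f"setting not in baseline: {key}")
    return findings


def update_baseline(baseline, key, value):
    """Return a new baseline with an approved change recorded (e.g., a new OS version).

    The original is left untouched so the previous build specification stays
    available for comparison.
    """
    updated = dict(baseline)
    updated[key] = value
    return updated


if __name__ == "__main__":
    for finding in compare_to_baseline(BASELINE, CURRENT):
        print("-", finding)
    new_baseline = update_baseline(BASELINE, "os_version", "2024.06")
    print("after baseline update:", compare_to_baseline(new_baseline, CURRENT))
```

Comparing in both directions matters: an entry missing from the authorized user list is as much a finding as an extra one, and a setting that exists only on the device (here the constructed telnet_enabled) is exactly the kind of thing a baseline review is meant to surface.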

8. The Basics of Computing Security: Linux & SQL | Google Cybersecurity Certificate

This course introduces the fundamentals of computing security, focusing on operating systems, the Linux operating system and its command line, and SQL for database interaction. Understanding how systems work is crucial for a security analyst to protect systems and investigate events efficiently.

I. Operating Systems (OS)

 Instructor: Kim.

 Definition: Software that manages computer hardware and software resources, acting as the interface between […]

 Command-Line Interface (CLI): Relies on text-based commands (e.g., Linux), an essential tool for security analysts.

II. Linux Operating System

 History: Linux was developed by Linus Torvalds, who introduced the Linux kernel. Richard Stallman worked on GNU, an operating system based on Unix, aiming for free and open-source software. Their innovations combined to form what we know as Linux.

 Components of Linux Architecture:

o User: Interacts with the system.

o Kernel: The core component that manages processes and memory, communicating with hardware to execute commands via drivers.

o Hardware: Physical components of the computer (e.g., CPU, mouse, keyboard).

 Distributions (Distros/Flavors): Different versions of Linux, each with specific tools and apps, designed to fit user needs.

o Examples: Debian (parent distribution), Ubuntu (derived from Debian), Kali Linux (derived from Debian), Red Hat (parent), CentOS (derived from Red Hat), SUSE (derived from Slackware).

o Kali Linux: Specifically designed for penetration testing and digital forensics. It comes preinstalled with many tools (e.g., tcpdump, Wireshark, Autopsy). It is recommended to use Kali Linux on a virtual machine to prevent system damage and allow reverting to previous states.

III. Linux Command Line in Security Context

 Foundational Skill: Essential for security analysts to navigate, manage, and analyze files remotely, verify/configure users, and set file permissions.

 Basic Communication: Commands (instructions) are typed into the Bash shell prompt ($) and can take arguments (specific information). Linux commands and arguments are case-sensitive.

 Navigating the File System:

o pwd: Prints the working directory (current

content of a file.

o head: Displays the beginning of a file (default 10 lines).

 Filtering (Searching for Information):

o grep: Searches a specified file for a string (e.g., finding malware strings).

o Piping (|): Sends the standard output of one command as standard input to another command for further processing (e.g., ls | grep "users").

 Managing Directories and Files:

o mkdir: Creates a new directory.

o rmdir: Removes/deletes a directory, with a built-in warning if it's not empty.

o touch: Creates a new file.

o rm: Removes/deletes a file.

 File and Directory Permissions: Define the type of access granted. Related to authorization.

o Types of Permissions:

 Read (r): Read file contents; read files in a directory.

 Write (w): Modify file contents; create new files in a directory.

 Execute (x): Execute an executable file; enter a directory and access its files.

o Owners: Permissions are granted for three types of owners: User (owner of the file), Group (users in a specific group), and Other (all other users on the system).

o Representation: Permissions are represented in rwx format for user, group, and other (e.g., rwxrwxrwx). A hyphen (-) indicates a missing permission.

o chmod: The command to change permissions on files and directories. It can be used in symbolic mode to add (+) or remove (-) permissions.

o non-root users to temporarily execute commands with root privileges, providing a safer alternative to direct root login.
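To make the rwx representation and chmod's symbolic mode concrete, here is an added example, not code from the course notes. It converts between the nine-character string shown by ls -l and the numeric mode, applies symbolic specs such as u+x or go-w to a mode, and flags the world-writable case an analyst would want to remediate; the final helper applies a spec to a real temporary file through os.chmod. All permission strings and modes in it are constructed sample values.

```python
# Added example (not part of the course notes): work with the rwx permission
# string the way ls -l displays it and chmod's symbolic mode changes it.
# The permission strings and modes below are constructed sample values.
import os
import stat
import tempfile

PERM_BITS = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}  # bit offset of each owner class


def parse_rwx(perm_string):
    """'rwxr-x---' -> 0o750. A hyphen means the permission is missing."""
    if len(perm_string) != 9:
        raise ValueError("expected 9 characters such as rwxr-x---")
    mode = 0
    for i, ch in enumerate(perm_string):
        expected = "rwx"[i % 3]
        shift = 6 - 3 * (i // 3)  # user triplet, then group, then other
        if ch == expected:
            mode |= PERM_BITS[ch] << shift
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i}")
    return mode


def format_rwx(mode):
    """0o750 -> 'rwxr-x---' (only the nine permission bits are considered)."""
    out = []
    for shift in (6, 3, 0):
        triplet = (mode >> shift) & 0o7
        for letter in "rwx":
            out.append(letter if triplet & PERM_BITS[letter] else "-")
    return "".join(out)


def apply_symbolic(mode, spec):
    """Apply one chmod symbolic change such as 'u+x', 'go-w' or 'a-x'."""
    i = 0
    while i < len(spec) and spec[i] in "ugoa":
        i += 1
    who, op, perms = spec[:i], spec[i:i + 1], spec[i + 1:]
    if not who or op not in ("+", "-") or not perms:
        raise ValueError(f"unsupported spec {spec!r}")
    if any(p not in PERM_BITS for p in perms):
        raise ValueError(f"unknown permission letter in {spec!r}")
    classes = "ugo" if "a" in who else who
    for c in classes:
        bits = sum(PERM_BITS[p] for p in perms) << CLASS_SHIFT[c]
        mode = (mode | bits) if op == "+" else (mode & ~bits)
    return mode


def is_world_writable(mode):
    """True when 'other' has write access, a common finding to remediate."""
    return bool(mode & 0o002)


def demo_on_real_file():
    """Create a temp file, loosen it, then tighten it with a symbolic spec."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o666)
        before = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, apply_symbolic(before, "o-w"))
        after = stat.S_IMODE(os.stat(path).st_mode)
        return format_rwx(before), format_rwx(after)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_on_real_file())
```

The three-bit-per-class layout is why the numeric form of chmod works: r=4, w=2, x=1 summed per class, read left to right as user, group, other.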

 Accessing Learning Resources: Online resources like Google Search and Unix and Linux Stack Exchange offer support for Linux tasks. Within the command line, commands like man (manual for commands), whatis (brief description), and apropos (searches manuals for a string) provide direct help.

IV. SQL (Structured Query Language)

 Definition: A programming language used to create, interact with, and request information from a database. Nearly all relational databases use some version of SQL.

 Databases: Organized collections of information or data, designed to store massive amounts of data and be accessed by multiple people simultaneously. Databases are crucial for security analysts to access information on logins, machines, software updates, etc.

o Relational Databases: Structured databases containing multiple tables that are related to each other.

o Query: A request for data from a database table or a combination of tables. SQL can efficiently search through millions of data points.

 Syntax: SQL keywords are generally not case-sensitive (e.g., SELECT, FROM), and statements usually end with a semicolon.

 Basic Queries:

o SELECT column1, column2 FROM table_name;: Selects specified columns from a table.

o SELECT * FROM table_name;: Selects all columns from a table (commonly referred to as SELECT ALL).

 Filters (WHERE clause): Used to refine queries and retrieve specific information.

o Operators: Include = (equal to), != (not equal to), > (greater than), < (less than), >= (greater than or equal to), <= (less than or equal to).

o LIKE operator: Filters based on a pattern (e.g., WHERE country LIKE 'US%').

o NOT: Negates a condition, returning entries that do not match.

 Joining Tables: Combines information from two different tables, useful when needing data from multiple sources.

o Syntax: table_name.column_name is used to specify which table a column comes from when columns share names across joined tables.

o INNER JOIN: Returns records that have matching values in specified columns from both tables.

o there is a match in one of the tables.
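The WHERE, LIKE, NOT and INNER JOIN forms above are easiest to understand against data. The following is an added example, not code from the course notes: it loads two constructed tables (employees and log_in_attempts, with made-up usernames, dates and country codes) into an in-memory SQLite database using Python's built-in sqlite3 module and runs one query per construct. The column and table names are my own choices, not the course's lab dataset.

```python
# Added example (not part of the course notes): the SQL forms covered above
# run against an in-memory SQLite database. Both tables and every row are
# constructed sample data; the usernames and countries are not real.
import sqlite3

EMPLOYEES = [
    # employee_id, username, department
    (1000, "alice", "Finance"),
    (1001, "bob", "IT"),
    (1002, "carol", "Marketing"),
    (1003, "dave", "Marketing"),
]

LOG_IN_ATTEMPTS = [
    # event_id, username, login_date, login_time, country, success (1/0)
    (1, "alice", "2024-05-08", "09:12:00", "USA", 1),
    (2, "bob", "2024-05-08", "22:45:00", "MEX", 0),
    (3, "carol", "2024-05-09", "08:03:00", "US", 1),
    (4, "alice", "2024-05-09", "23:10:00", "CAN", 0),
    (5, "mallory", "2024-05-09", "03:30:00", "BRA", 0),  # no employee record
    (6, "bob", "2024-05-10", "10:00:00", "MEXICO", 1),
]


def build_db():
    """Create the two related tables in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employees (
            employee_id INTEGER PRIMARY KEY, username TEXT, department TEXT);
        CREATE TABLE log_in_attempts (
            event_id INTEGER PRIMARY KEY, username TEXT, login_date TEXT,
            login_time TEXT, country TEXT, success INTEGER);
    """)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?);", EMPLOYEES)
    conn.executemany("INSERT INTO log_in_attempts VALUES (?, ?, ?, ?, ?, ?);",
                     LOG_IN_ATTEMPTS)
    conn.commit()
    return conn


def failed_after_hours(conn):
    """WHERE with = and >: failed attempts after 18:00."""
    return conn.execute("""
        SELECT username, login_date, login_time
        FROM log_in_attempts
        WHERE success = 0 AND login_time > '18:00:00'
        ORDER BY event_id;
    """).fetchall()


def logins_from_us(conn):
    """LIKE with a pattern: 'US%' matches 'US' and 'USA' but not 'MEXICO'."""
    return conn.execute("""
        SELECT username, country FROM log_in_attempts
        WHERE country LIKE 'US%' ORDER BY event_id;
    """).fetchall()


def logins_not_from_us(conn):
    """NOT negates the same condition."""
    return conn.execute("""
        SELECT username, country FROM log_in_attempts
        WHERE NOT country LIKE 'US%' ORDER BY event_id;
    """).fetchall()


def failed_attempts_with_department(conn):
    """INNER JOIN: only rows whose username exists in both tables survive,
    so the attempt by 'mallory' (no employee record) is dropped. The
    table.column form disambiguates 'username', present in both tables."""
    return conn.execute("""
        SELECT log_in_attempts.username, employees.department
        FROM log_in_attempts
        INNER JOIN employees
            ON log_in_attempts.username = employees.username
        WHERE log_in_attempts.success = 0
        ORDER BY log_in_attempts.event_id;
    """).fetchall()


def attempts_for_user(conn, username):
    """A value supplied from outside the program is bound as a parameter (?)
    rather than pasted into the statement text."""
    return conn.execute(
        "SELECT COUNT(*) FROM log_in_attempts WHERE username = ?;",
        (username,)).fetchone()[0]


if __name__ == "__main__":
    db = build_db()
    print(failed_after_hours(db))
    print(failed_attempts_with_department(db))
```

Because the join is an INNER JOIN, the row for mallory disappears from the joined result even though it is present in log_in_attempts; that is exactly the behaviour the note above describes, and it is why an analyst reviewing failed logins should also query the attempts table on its own.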
