[Completed] Professional Google Cybersecurity Specialization C3/8; Connect and Protect: Networks and Network Security

• getting started & introduction to networks
• Introduction to Course 3 + course 3 overview
• Glossary Cybersecurity
• Welcome to week 1
• Chris: My path to cybersecurity
• What are networks?
• Tina: Working in network security
• Emmanuel: Useful skills for network security
• tech enthusiest reminder
• Network tools
• Network components, devices, and diagrams
• Cloud networks
• Cloud networks
• Network Communication
• Introduction to network communication
• The TCP/IP model
• The four layers of the TCP/IP model
• Learn more about the TCP/IP model
• The OSI model
• Local and wide network communication
• Components of network layer communication
• Wrap-up
• Glossary terms from Course 3, Week 1
• Introduction to network protocols
• Welcome to week 2, Network potocols
• Common network protocols
• Additional network protocols
• Antara: Working in network security
• Wireless protocols, The evolution of wireless security protocols
• Firewalls and network security measures
• Firewalls and network security measures
• Virtual private networks (VPNs)
• Security zones
• Subnetting and CIDR
• Proxy servers
• Virtual networks and privacy
• Glossary terms from week 2
• Course 3 resources and citations
• Introduction to intrusion tactics
• The case for securing networks
• Matt: A professional on dealing with attacks
• Denial of Service (DoS) attacks
• Read tcpdump logs
• Real-life DDoS attack
• Malicious packet sniffing
• IP Spoofing
• Overview of interception tactics
• Glossary terms from week 3 & wrap-up
• Security hardning
• temp
• Introduction to security hardening
• OS hardening practices
• Brute force attacks and OS hardening
• Network hardening practices
• Network security applications
• Kelsey: Cloud security explained
• Security hardening Wrap-up & Glossary terms from week 4
• Cloud Hardening
• how to read a tcpdump
• network hardening
• Course wrap-up; Glossary Cybersecurity Course 3

getting started & introduction to networks

Introduction to Course 3 + course 3 overview

Introduction

You've learned about security domains in previous courses.
Now we'll explore one of those domains further: networks.
It's important to secure networks because network-based attacks are growing in both
frequency and complexity.

Hi there! My name is Chris, and I'm the Chief Information Security Officer for
Google Fiber.
I'm excited to be your instructor for this course!
I've been working in network security and engineering for over 20 years, and
I'm looking forward to sharing some of my knowledge and experience with you.

This course will help you understand the basic structure of a network (also
referred to as network architecture) and commonly used network tools.
You'll also learn about network operations and explore some basic network protocols.
Next, you'll learn about common network attacks and
how network intrusion tactics can prevent a threat to a network.
Finally, the course will provide an overview of security hardening practices
and how you might use them to help secure a network.

There's a lot to learn in securing networks, and
I'm excited to go on this journey with you.
Ready to get started?
Let's go!

Course 3 overview

Hello and welcome to Connect and Protect: Networks and Network Security, the third course in the Google Cybersecurity Certificate. You’re on an exciting journey!

By the end of this course, you will develop a greater understanding of network architecture, operations, intrusion tactics, common types of network vulnerabilities and attacks, and how to secure networks. You’ll also be introduced to common network protocols, firewalls, virtual private networks (VPNs), and system hardening practices. 

Certificate program progress

The Google Cybersecurity Certificate program has eight courses. Connect and Protect: Networks and Network Security is the third course.

• — Explore the cybersecurity profession, including significant events that led to the development of the cybersecurity field and its continued importance to organizational operations. Learn about entry-level cybersecurity roles and responsibilities. 

• Play It Safe: Manage Security Risks

• — Identify how cybersecurity professionals use frameworks and controls to protect business operations, and explore common cybersecurity tools.

• Connect and Protect: Networks and Network Security

• — (current course) Gain an understanding of network-level vulnerabilities and how to secure networks.

• Tools of the Trade: Linux and SQL

• — Explore foundational computing skills, including communicating with the Linux operating system through the command line and querying databases with SQL.

• Assets, Threats, and Vulnerabilities

• — Learn about the importance of security controls and developing a threat actor mindset to protect and defend an organization’s assets from various threats, risks, and vulnerabilities.

• Sound the Alarm: Detection and Response

• — Understand the incident response lifecycle and practice using tools to detect and respond to cybersecurity incidents.

• Automate Cybersecurity Tasks with Python

• — Explore the Python programming language and write code to automate cybersecurity tasks.

• Put It to Work: Prepare for Cybersecurity Jobs

1. — Learn about incident classification, escalation, and ways to communicate with stakeholders. This course closes out the program with tips on how to engage with the cybersecurity community and prepare for your job search.

Course 3 content

Each course of this certificate program is broken into weeks. You can complete courses at your own pace, but the weekly breakdowns are designed to help you finish the entire Google Cybersecurity Certificate in about six months.

What’s to come? Here’s a quick overview of the skills you’ll learn in each week of this course.

Week 1: Network architecture

You'll be introduced to network security and explain how it relates to ongoing security threats and vulnerabilities. You will learn about network architecture and mechanisms to secure a network.

Week 2: Network operations 

You will explore network protocols and how network communication can introduce vulnerabilities. In addition, you'll learn about common security measures, like firewalls, that help network operations remain safe and reliable.

Week 3: Secure against network intrusions

You will understand types of network attacks and techniques used to secure compromised network systems and devices. You'll explore the many ways that malicious actors exploit vulnerabilities in network infrastructure and how cybersecurity professionals identify and close potential loopholes.

Week 4: Security hardening

You will become familiar with network hardening practices that strengthen network systems. You'll learn how security hardening helps defend against malicious actors and intrusion methods. You'll also learn how to use security hardening to address the unique security challenges posed by cloud infrastructures.

What to expect

Each course offers many types of learning opportunities:

• Videos led by Google instructors teach new concepts, introduce the use of relevant tools, offer career support, and provide inspirational personal stories. 

• Readings build on the topics discussed in the videos, introduce related concepts, share useful resources, and describe case studies.

• Discussion prompts explore course topics for better understanding and allow you to chat and exchange ideas with other learners in the discussion forums

• .

• Self-review activities and labs give you hands-on practice in applying the skills you are learning and allow you to assess your own work by comparing it to a completed example.

• Interactive plug-ins encourage you to practice specific tasks and help you integrate knowledge you have gained in the course.

• In-video quizzes help you check your comprehension as you progress through each video.

• Practice quizzes allow you to check your understanding of key concepts and provide valuable feedback.

• Graded quizzes demonstrate your understanding of the main concepts of a course. You must score 80% or higher on each graded quiz to obtain a certificate, and you can take a graded quiz multiple times to achieve a passing score.

Tips for success

• It is strongly recommended that you go through the items in each lesson in the order they appear because new information and concepts build on previous knowledge.

• Participate in all learning opportunities to gain as much knowledge and experience as possible.

• If something is confusing, don’t hesitate to replay a video, review a reading, or repeat a self-review activity.

• Use the additional resources that are referenced in this course. They are designed to support your learning. You can find all of these resources in the Resources

• tab.

• When you encounter useful links in this course, bookmark them so you can refer to the information later for study or review.

• Understand and follow the Coursera Code of Conduct

• to ensure that the learning community remains a welcoming, friendly, and supportive place for all members.
  
  
  

  Helpful resources and tips

  As a learner, you can choose to complete one or multiple courses in this program. However, to obtain the Google Cybersecurity Certificate, you must complete all the courses. This reading describes what is required to obtain a certificate and best practices for you to have a good learning experience on Coursera.

  Course completion to obtain a certificate

  To submit graded assignments and be eligible to receive a Google Cybersecurity Certificate, you must:

  • Pay the course certificate fee or apply and be approved for a Coursera scholarship.

  • Pass all graded quizzes in the eight courses with a score of at least 80%. Each graded quiz in a course is part of a cumulative grade for that course.   

  Healthy habits for course completion

  Here is a list of best practices that will help you complete the courses in the program in a timely manner: 

  • Plan your time: Setting regular study times and following them each week can help you make learning a part of your routine. Use a calendar or timetable to create a schedule, and list what you plan to do each day in order to set achievable goals. Find a space that allows you to focus when you watch the videos, review the readings, and complete the activities.

  • Work at your own pace: Everyone learns differently, so this program has been designed to let you work at your own pace. Although your personalized deadlines start when you enroll, feel free to move through the program at the speed that works best for you. There is no penalty for late assignments; to earn your certificate, all you have to do is complete all of the work. You can extend your deadlines at any time by going to Overview in the navigation panel and selecting Switch Sessions. If you have already missed previous deadlines, select Reset my deadlines instead.

  • Be curious: If you find an idea that gets you excited, act on it! Ask questions, search for more details online, explore the links that interest you, and take notes on your discoveries. The steps you take to support your learning along the way will advance your knowledge, create more opportunities in this high-growth field, and help you qualify for jobs. 

  • Take notes: Notes will help you remember important information in the future, especially as you’re preparing to enter a new job field. In addition, taking notes is an effective way to make connections between topics and gain a better understanding of those topics.

  • Review exemplars: Exemplars are completed assignments that fully meet an activity's criteria. Many activities in this program have exemplars for you to validate your work or check for errors. Although there are often many ways to complete an assignment, exemplars offer guidance and inspiration about how to complete the activity.

  • Chat (responsibly) with other learners: If you have a question, chances are, you’re not alone. Use the discussion forums to ask for help from other learners taking this program. You can also visit Coursera’s Global Online Community. Other important things to know while learning with others can be found in the Coursera Honor Code and Code of Conduct. 

  • Update your profile: Consider updating your profile on Coursera. When other learners find you in the discussion forums, they can click on your name to access your profile and get to know you better.

  Documents, spreadsheets, presentations, and labs for course activities

  To complete certain activities in the program, you will need to use digital documents, spreadsheets, presentations, and/or labs. Security professionals use these software tools to collaborate within their teams and organizations. If you need more information about using a particular tool, refer to these resources:

  • Microsoft Word: Help and learning: Microsoft Support page for Word

  • Google Docs: Help Center page for Google Docs

  • Microsoft Excel: Help and learning: Microsoft Support page for Excel

  • Google Sheets: Help Center page for Google Sheets

  • Microsoft PowerPoint: Help and learning: Microsoft Support page for PowerPoint

  • How to use Google Slides: Help Center page for Google Slides  

  • Common problems with labs: Troubleshooting help for Qwiklabs activities

  Weekly, course, and certificate glossaries

  This program covers a lot of terms and concepts, some of which you may already know and some of which may be unfamiliar to you. To review terms and help you prepare for graded quizzes, refer to the following glossaries:

  • Weekly glossaries: At the end of each week’s content, you can review a glossary of terms from that week. Each week’s glossary builds upon the terms from the previous weeks in that course. The weekly glossaries are not downloadable; however, all of the terms and definitions are included in the course and certificate glossaries, which are downloadable.

  • Course glossaries: At the end of each course, you can access and download a glossary that covers all of the terms in that course. 

  • Certificate glossary: The certificate glossary includes all of the terms in the entire certificate program and is a helpful resource that you can reference throughout the program or at any time in the future. 

  You can access and download the certificate glossaries and save them on your computer. You can always find the course and certificate glossaries through the course’s Resources section. To access the Cybersecurity Certificate glossary, click the link below and select Use Template.

  • Cybersecurity Certificate glossary

  OR

  • If you don’t have a Google account, you can download the glossary directly from the attachment below.

  Google Cybersecurity Certificate glossary

  DOCX File

  Course feedback

  Providing feedback on videos, readings, and other materials is easy. With the resource open in your browser, you can find the thumbs-up and thumbs-down symbols. 

  • Click thumbs-up for materials that are helpful. 

  • Click thumbs-down for materials that are not helpful.

  If you want to flag a specific issue with an item, click the flag icon, select a category, and enter an explanation in the text box. This feedback goes back to the course development team and isn’t visible to other learners. All feedback received helps to create even better certificate programs in the future. 

  For technical help, visit the Learner Help Center.

Glossary Cybersecurity

Terms and definitions from the certificate
A
Absolute file path: The full file path, which starts from the root
Access controls: Security controls that manage access, authorization, and
accountability of information
Active packet sniffing: A type of attack where data packets are manipulated in transit
Address Resolution Protocol (ARP): A network protocol used to determine the MAC
address of the next router or device on the path
Advanced persistent threat (APT): An instance when a threat actor maintains
unauthorized access to a system for an extended period of time
Adversarial artificial intelligence (AI): A technique that manipulates artificial
intelligence (AI) and machine learning (ML) technology to conduct attacks more
efficiently
Adware: A type of legitimate software that is sometimes used to display digital
advertisements in applications
Algorithm: A set of rules used to solve a problem
Analysis: The investigation and validation of alerts
Angler phishing: A technique where attackers impersonate customer service
representatives on social media
Anomaly-based analysis: A detection method that identifies abnormal behavior

Antivirus software: A software program used to prevent, detect, and eliminate
malware and viruses
Application: A program that performs a specific task
Application programming interface (API) token: A small block of encrypted code
that contains information about a user
Argument (Linux): Specific information needed by a command
Argument (Python): The data brought into a function when it is called
Array: A data type that stores data in a comma-separated ordered list
Assess: The fifth step of the NIST RMF that means to determine if established controls
are implemented correctly
Asset: An item perceived as having value to an organization
Asset classification: The practice of labeling assets based on sensitivity and
importance to an organization
Asset inventory: A catalog of assets that need to be protected
Asset management: The process of tracking assets and the risks that affect them
Asymmetric encryption: The use of a public and private key pair for encryption and
decryption of data
Attack surface: All the potential vulnerabilities that a threat actor could exploit
Attack tree: A diagram that maps threats to assets
Attack vectors: The pathways attackers use to penetrate security defenses
Authentication: The process of verifying who someone is
Authorization: The concept of granting access to specific resources in a system
Authorize: The sixth step of the NIST RMF that refers to being accountable for the
security and privacy risks that might exist in an organization
Automation: The use of technology to reduce human and manual effort to perform
common and repetitive tasks
Availability: The idea that data is accessible to those who are authorized to access it

B
Baiting: A social engineering tactic that tempts people into compromising their
security
Bandwidth: The maximum data transmission capacity over a network, measured by
bits per second
Baseline configuration (baseline image): A documented set of specifications within
a system that is used as a basis for future builds, releases, and updates
Bash: The default shell in most Linux distributions
Basic auth: The technology used to establish a user’s request to access a server
Basic Input/Output System (BIOS): A microchip that contains loading instructions for
the computer and is prevalent in older systems
Biometrics: The unique physical characteristics that can be used to verify a person’s
identity
Bit: The smallest unit of data measurement on a computer
Boolean data: Data that can only be one of two values: either True or False
Bootloader: A software program that boots the operating system
Botnet: A collection of computers infected by malware that are under the control of a
single threat actor, known as the “bot-herder"
Bracket notation: The indices placed in square brackets
Broken chain of custody: Inconsistencies in the collection and logging of evidence in
the chain of custody
Brute force attack: The trial and error process of discovering private information
Bug bounty: Programs that encourage freelance hackers to find and report
vulnerabilities
Built-in function: A function that exists within Python and can be called directly

Business continuity: An organization's ability to maintain their everyday productivity
by establishing risk disaster recovery plans
Business continuity plan (BCP): A document that outlines the procedures to sustain
business operations during and after a significant disruption
Business Email Compromise (BEC): A type of phishing attack where a threat actor
impersonates a known source to obtain financial advantage
C
Categorize: The second step of the NIST RMF that is used to develop risk
management processes and tasks
CentOS: An open-source distribution that is closely related to Red Hat
Central Processing Unit (CPU): A computer’s main processor, which is used to
perform general computing tasks on a computer
Chain of custody: The process of documenting evidence possession and control
during an incident lifecycle
Chronicle: A cloud-native tool designed to retain, analyze, and search data
Cipher: An algorithm that encrypts information
Cloud-based firewalls: Software firewalls that are hosted by the cloud service
provider
Cloud computing: The practice of using remote servers, applications, and network
services that are hosted on the internet instead of on local physical devices
Cloud network: A collection of servers or computers that stores resources and data in
remote data centers that can be accessed via the internet
Cloud security: The process of ensuring that assets stored in the cloud are properly
configured and access to those assets is limited to authorized users
Command: An instruction telling the computer to do something
Command and control (C2): The techniques used by malicious actors to maintain
communications with compromised systems

Command-line interface (CLI): A text-based user interface that uses commands to
interact with the computer
Comment: A note programmers make about the intention behind their code
Common Event Format (CEF): A log format that uses key-value pairs to structure
data and identify fields and their corresponding values
Common Vulnerabilities and Exposures (CVE®) list: An openly accessible dictionary
of known vulnerabilities and exposures
Common Vulnerability Scoring System (CVSS): A measurement system that scores
the severity of a vulnerability
Compliance: The process of adhering to internal standards and external regulations
Computer security incident response teams (CSIRT): A specialized group of
security professionals that are trained in incident management and response
Computer virus: Malicious code written to interfere with computer operations and
cause damage to data and software
Conditional statement: A statement that evaluates code to determine if it meets a
specified set of conditions
Confidentiality: The idea that only authorized users can access specific assets or data
Confidential data: Data that often has limits on the number of people who have
access to it
Confidentiality, integrity, availability (CIA) triad: A model that helps inform how
organizations consider risk when setting up systems and security policies
Configuration file: A file used to configure the settings of an application
Containment: The act of limiting and preventing additional damage caused by an
incident
Controlled zone: A subnet that protects the internal network from the uncontrolled
zone
Cross-site scripting (XSS): An injection attack that inserts code into a vulnerable
website or web application

Crowdsourcing: The practice of gathering information using public input and
collaboration
Cryptographic attack: An attack that affects secure forms of communication
between a sender and intended recipient
Cryptographic key: A mechanism that decrypts ciphertext
Cryptography: The process of transforming information into a form that unintended
readers can’t understand
Cryptojacking: A form of malware that installs software to illegally mine
cryptocurrencies
CVE Numbering Authority (CNA): An organization that volunteers to analyze and
distribute information on eligible CVEs
Cybersecurity (or security): The practice of ensuring confidentiality, integrity, and
availability of information by protecting networks, devices, people, and data from
unauthorized access or criminal exploitation
D
Data: Information that is translated, processed, or stored by a computer
Data at rest: Data not currently being accessed
Database: An organized collection of information or data
Data controller: A person that determines the procedure and purpose for processing
data
Data custodian: Anyone or anything that’s responsible for the safe handling,
transport, and storage of information
Data exfiltration: Unauthorized transmission of data from a system
Data in transit: Data traveling from one point to another
Data in use: Data being accessed by one or more users
Data owner: The person who decides who can access, edit, use, or destroy their
information

Data packet: A basic unit of information that travels from one device to another within
a network
Data point: A specific piece of information
Data processor: A person that is responsible for processing data on behalf of the data
controller
Data protection officer (DPO): An individual that is responsible for monitoring the
compliance of an organization's data protection procedures
Data type: A category for a particular type of data item
Date and time data: Data representing a date and/or time
Debugger: A software tool that helps to locate the source of an error and assess its
causes
Debugging: The practice of identifying and fixing errors in code
Defense in depth: A layered approach to vulnerability management that reduces risk
Denial of service (DoS) attack: An attack that targets a network or server and floods
it with network traffic
Detect: A NIST core function related to identifying potential security incidents and
improving monitoring capabilities to increase the speed and efficiency of detections
Detection: The prompt discovery of security events
Dictionary data: Data that consists of one or more key-value pairs
Digital certificate: A file that verifies the identity of a public key holder
Digital forensics: The practice of collecting and analyzing data to determine what has
happened after an attack
Directory: A file that organizes where other files are stored
Disaster recovery plan: A plan that allows an organization’s security team to outline
the steps needed to minimize the impact of a security incident

Distributed denial of service (DDoS) attack: A type of denial or service attack that
uses multiple devices or servers located in different locations to flood the target
network with unwanted traffic
Distributions: The different versions of Linux
Documentation: Any form of recorded content that is used for a specific purpose
DOM-based XSS attack: An instance when malicious script exists in the webpage a
browser loads
Domain Name System (DNS): A networking protocol that translates internet domain
names into IP addresses
Dropper: A type of malware that comes packed with malicious code which is delivered
and installed onto a target system
E
Elevator pitch: A brief summary of your experience, skills, and background
Encapsulation: A process performed by a VPN service that protects your data by
wrapping sensitive data in other data packets
Encryption: The process of converting data from a readable format to an encoded
format
Endpoint: Any device connected on a network
Endpoint detection and response (EDR): An application that monitors an endpoint
for malicious activity
Eradication: The complete removal of the incident elements from all affected systems
Escalation policy: A set of actions that outline who should be notified when an
incident alert occurs and how that incident should be handled
Event: An observable occurrence on a network, system, or device
Exception: An error that involves code that cannot be executed even though it is
syntactically correct
Exclusive operator: An operator that does not include the value of comparison

Exploit: A way of taking advantage of a vulnerability
Exposure: A mistake that can be exploited by a threat
External threat: Anything outside the organization that has the potential to harm
organizational assets
F
False negative: A state where the presence of a threat is not detected
False positive: An alert that incorrectly detects the presence of a threat
Fileless malware: Malware that does not need to be installed by the user because it
uses legitimate programs that are already installed to infect a computer
File path: The location of a file or directory
Filesystem Hierarchy Standard (FHS): The component of the Linux OS that organizes
data
Filtering: Selecting data that match a certain condition
Final report: Documentation that provides a comprehensive review of an incident
Firewall: A network security device that monitors traffic to or from a network
Float data: Data consisting of a number with a decimal point
Foreign key: A column in a table that is a primary key in another table
Forward proxy server: A server that regulates and restricts a person’s access to the
internet
Function: A section of code that can be reused in a program
G
Global variable: A variable that is available through the entire program
Graphical user interface (GUI): A user interface that uses icons on the screen to
manage different tasks on the computer

H
Hacker: Any person who uses computers to gain access to computer systems,
networks, or data
Hacktivist: A person who uses hacking to achieve a political goal
Hard drive: A hardware component used for long-term memory
Hardware: The physical components of a computer
Hash collision: An instance when different inputs produce the same hash value
Hash function: An algorithm that produces a code that can’t be decrypted
Hash table: A data structure that's used to store and reference hash values
Health Insurance Portability and Accountability Act (HIPAA): A U.S. federal law
established to protect patients’ health information
Honeypot: A system or resource created as a decoy vulnerable to attacks with the
purpose of attracting potential intruders
Host-based intrusion detection system (HIDS): An application that monitors the
activity of the host on which it’s installed
Hub: A network device that broadcasts information to every device on the network
Hypertext Transfer Protocol (HTTP): An application layer protocol that provides a
method of communication between clients and website servers
Hypertext Transfer Protocol Secure (HTTPS): A network protocol that provides a
secure method of communication between clients and website servers
I
Identify: A NIST core function related to management of cybersecurity risk and its
effect on an organization’s people and assets
Identity and access management (IAM): A collection of processes and technologies
that helps organizations manage digital identities in their environment
IEEE 802.11 (Wi-Fi): A set of standards that define communication for wireless LANs

Immutable: An object that cannot be changed after it is created and assigned a value
Implement: The fourth step of the NIST RMF that means to implement security and
privacy plans for an organization
Improper usage: An incident type that occurs when an employee of an organization
violates the organization’s acceptable use policies
Incident: An occurrence that actually or imminently jeopardizes, without lawful
authority, the confidentiality, integrity, or availability of information or an information
system; or constitutes a violation or imminent threat of violation of law, security
policies, security procedures, or acceptable use policies
Incident escalation: The process of identifying a potential security incident, triaging it,
and handing it off to a more experienced team member
Incident handler’s journal: A form of documentation used in incident response
Incident response: An organization’s quick attempt to identify an attack, contain the
damage, and correct the effects of a security breach
Incident response plan: A document that outlines the procedures to take in each step
of incident response
Inclusive operator: An operator that includes the value of comparison
Indentation: Space added at the beginning of a line of code
Index: A number assigned to every element in a sequence that indicates its position
Indicators of attack (IoA): The series of observed events that indicate a real-time
incident
Indicators of compromise (IoC): Observable evidence that suggests signs of a
potential security incident
Information privacy: The protection of unauthorized access and distribution of data
Information security (InfoSec): The practice of keeping data in all states away from
unauthorized users
Injection attack: Malicious code inserted into a vulnerable application
Input validation: Programming that validates inputs from users and other programs

Integer data: Data consisting of a number that does not include a decimal point
Integrated development environment (IDE): A software application for writing code
that provides editing assistance and error correction tools
Integrity: The idea that the data is correct, authentic, and reliable
Internal hardware: The components required to run the computer
Internal threat: A current or former employee, external vendor, or trusted partner who
poses a security risk
Internet Control Message Protocol (ICMP): An internet protocol used by devices to
tell each other about data transmission errors across the network
Internet Control Message Protocol flood (ICMP flood): A type of DoS attack
performed by an attacker repeatedly sending ICMP request packets to a network
server
Internet Protocol (IP): A set of standards used for routing and addressing data
packets as they travel between devices on a network
Internet Protocol (IP) address: A unique string of characters that identifies the
location of a device on the internet
Interpreter: A computer program that translates Python code into runnable
instructions line by line
Intrusion detection system (IDS): An application that monitors system activity and
alerts on possible intrusions
Intrusion prevention system (IPS): An application that monitors system activity for
intrusive activity and takes action to stop the activity
IP spoofing: A network attack performed when an attacker changes the source IP of a
data packet to impersonate an authorized system and gain access to a network
Iterative statement: Code that repeatedly executes a set of instructions
K

KALI LINUX TM: An open-source distribution of Linux that is widely used in the security
industry
Kernel: The component of the Linux OS that manages processes and memory
Key-value pair: A set of data that represents two linked items: a key, and its
corresponding value
L
Legacy operating system: An operating system that is outdated but still being used
Lessons learned meeting: A meeting that includes all involved parties after a major
incident
Library: A collection of modules that provide code users can access in their programs
Linux: An open-source operating system
List concatenation: The concept of combining two lists into one by placing the
elements of the second list directly after the elements of the first list
List data: Data structure that consists of a collection of data in sequential form
Loader: A type of malware that downloads strains of malicious code from an external
source and installs them onto a target system
Local Area Network (LAN): A network that spans small areas like an office building, a
school, or a home
Local variable: A variable assigned within a function
Log: A record of events that occur within an organization’s systems
Log analysis: The process of examining logs to identify events of interest
Logging: The recording of events occurring on computer systems and networks
Logic error: An error that results when the logic used in code produces unintended
results
Log management: The process of collecting, storing, analyzing, and disposing of log
data

Loop condition: The part of a loop that determines when the loop terminates
Loop variable: A variable that is used to control the iterations of a loop
M
Malware: Software designed to harm devices or networks
Malware infection: An incident type that occurs when malicious software designed to
disrupt a system infiltrates an organization’s computers or network
Media Access Control (MAC) address: A unique alphanumeric identifier that is
assigned to each physical device on a network
Method: A function that belongs to a specific data type
Metrics: Key technical attributes such as response time, availability, and failure rate,
which are used to assess the performance of a software application
MITRE: A collection of non-profit research and development centers
Modem: A device that connects your router to the internet and brings internet access
to the LAN
Module: A Python file that contains additional functions, variables, classes, and any
kind of runnable code
Monitor: The seventh step of the NIST RMF that means be aware of how systems are
operating
Multi-factor authentication (MFA): A security measure that requires a user to verify
their identity in two or more ways to access a system or network
N
nano: A command-line file editor that is available by default in many Linux distributions
National Institute of Standards and Technology (NIST) Cybersecurity Framework
(CSF): A voluntary framework that consists of standards, guidelines, and best
practices to manage cybersecurity risk
National Institute of Standards and Technology (NIST) Incident Response
Lifecycle: A framework for incident response consisting of four phases: Preparation;

Detection and Analysis; Containment, Eradication and Recovery, and Post-incident
activity
National Institute of Standards and Technology (NIST) Special Publication (S.P.)
800-53: A unified framework for protecting the security of information systems within
the U.S. federal government
Network: A group of connected devices
Network-based intrusion detection system (NIDS): An application that collects and
monitors network traffic and network data
Network data: The data that’s transmitted between devices on a network
Network Interface Card (NIC): Hardware that connects computers to a network
Network log analysis: The process of examining network logs to identify events of
interest
Network protocol analyzer (packet sniffer): A tool designed to capture and analyze
data traffic within a network
Network protocols: A set of rules used by two or more devices on a network to
describe the order of delivery and the structure of data
Network security: The practice of keeping an organization's network infrastructure
secure from unauthorized access
Network segmentation: A security technique that divides the network into segments
Network traffic: The amount of data that moves across a network
Non-repudiation: The concept that the authenticity of information can’t be denied
Notebook: An online interface for writing, storing, and running code
Numeric data: Data consisting of numbers
O
OAuth: An open-standard authorization protocol that shares designated access
between applications

Object: A data type that stores data in a comma-separated list of key-value pairs
On-path attack: An attack where a malicious actor places themselves in the middle of
an authorized connection and intercepts or alters the data in transit
Open-source intelligence (OSINT): The collection and analysis of information from
publicly available sources to generate usable intelligence
Open systems interconnection (OSI) model: A standardized concept that describes
the seven layers computers use to communicate and send data over the network
Open Web Application Security Project/Open Worldwide Application Security
Project (OWASP): A non-profit organization focused on improving software security
Operating system (OS): The interface between computer hardware and the user
Operator: A symbol or keyword that represents an operation
Options: Input that modifies the behavior of a command
Order of volatility: A sequence outlining the order of data that must be preserved
from first to last
OWASP Top 10: A globally recognized standard awareness document that lists the top
10 most critical security risks to web applications
P
Package: A piece of software that can be combined with other packages to form an
application
Package manager: A tool that helps users install, manage, and remove packages or
applications
Packet capture (P-cap): A file containing data packets intercepted from an interface
or network
Packet sniffing: The practice of capturing and inspecting data packets across a
network
Parameter (Python): An object that is included in a function definition for use in that
function

Parrot: An open-source distribution that is commonly used for security
Parsing: The process of converting data into a more readable format
Passive packet sniffing: A type of attack where a malicious actor connects to a
network hub and looks at all traffic on the network
Password attack: An attempt to access password secured devices, systems,
networks, or data
Patch update: A software and operating system update that addresses security
vulnerabilities within a program or product
Payment Card Industry Data Security Standards (PCI DSS): Any cardholder data
that an organization accepts, transmits, or stores
Penetration test (pen test): A simulated attack that helps identify vulnerabilities in
systems, networks, websites, applications, and processes
PEP 8 style guide: A resource that provides stylistic guidelines for programmers
working in Python
Peripheral devices: Hardware components that are attached and controlled by the
computer system
Permissions: The type of access granted for a file or directory
Personally identifiable information (PII): Any information used to infer an individual's
identity
Phishing: The use of digital communications to trick people into revealing sensitive
data or deploying malicious software
Phishing kit: A collection of software tools needed to launch a phishing campaign
Physical attack: A security incident that affects not only digital but also physical
environments where the incident is deployed
Physical social engineering: An attack in which a threat actor impersonates an
employee, customer, or vendor to obtain unauthorized access to a physical location
Ping of death: A type of DoS attack caused when a hacker pings a system by sending
it an oversized ICMP packet that is bigger than 64KB
Playbook: A manual that provides details about any operational action

Policy: A set of rules that reduce risk and protect information
Port: A software-based location that organizes the sending and receiving of data
between devices on a network
Port filtering: A firewall function that blocks or allows certain port numbers to limit
unwanted communication
Post-incident activity: The process of reviewing an incident to identify areas for
improvement during incident handling
Potentially unwanted application (PUA): A type of unwanted software that is
bundled in with legitimate programs which might display ads, cause device slowdown,
or install other software
Private data: Information that should be kept from the public
Prepare: The first step of the NIST RMF related to activities that are necessary to
manage security and privacy risks before a breach occurs
Prepared statement: A coding technique that executes SQL statements before
passing them on to a database
Primary key: A column where every row has a unique entry
Principle of least privilege: The concept of granting only the minimal access and
authorization required to complete a task or function
Privacy protection: The act of safeguarding personal information from unauthorized
use
Procedures: Step-by-step instructions to perform a specific security task
Process of Attack Simulation and Threat Analysis (PASTA): A popular threat
modeling framework that’s used across many industries
Programming: A process that can be used to create a specific set of instructions for a
computer to execute tasks
Protect: A NIST core function used to protect an organization through the
implementation of policies, procedures, training, and tools that help mitigate
cybersecurity threats

Protected health information (PHI): Information that relates to the past, present, or
future physical or mental health or condition of an individual
Protecting and preserving evidence: The process of properly working with fragile
and volatile digital evidence
Proxy server: A server that fulfills the requests of its clients by forwarding them to
other servers
Public data: Data that is already accessible to the public and poses a minimal risk to
the organization if viewed or shared by others
Public key infrastructure (PKI): An encryption framework that secures the exchange
of online information
Python Standard Library: An extensive collection of Python code that often comes
packaged with Python
Q
Query: A request for data from a database table or a combination of tables
Quid pro quo: A type of baiting used to trick someone into believing that they’ll be
rewarded in return for sharing access, information, or money
R
Rainbow table: A file of pre-generated hash values and their associated plaintext
Random Access Memory (RAM): A hardware component used for short-term
memory
Ransomware: A malicious attack where threat actors encrypt an organization’s data
and demand payment to restore access
Rapport: A friendly relationship in which the people involved understand each other’s
ideas and communicate well with each other
Recover: A NIST core function related to returning affected systems back to normal
operation

Recovery: The process of returning affected systems back to normal operations
Red Hat® Enterprise Linux® (also referred to simply as Red Hat in this course): A
subscription-based distribution of Linux built for enterprise use
Reflected XSS attack: An instance when malicious script is sent to a server and
activated during the server’s response
Regular expression (regex): A sequence of characters that forms a pattern
Regulations: Rules set by a government or other authority to control the way
something is done
Relational database: A structured database containing tables that are related to each
other
Relative file path: A file path that starts from the user's current directory
Replay attack: A network attack performed when a malicious actor intercepts a data
packet in transit and delays it or repeats it at another time
Resiliency: The ability to prepare for, respond to, and recover from disruptions
Respond: A NIST core function related to making sure that the proper procedures are
used to contain, neutralize, and analyze security incidents, and implement
improvements to the security process
Return statement: A Python statement that executes inside a function and sends
information back to the function call
Reverse proxy server: A server that regulates and restricts the internet's access to an
internal server
Risk: Anything that can impact the confidentiality, integrity, or availability of an asset
Risk mitigation: The process of having the right procedures and rules in place to
quickly reduce the impact of a risk like a breach
Root directory: The highest-level directory in Linux
Rootkit: Malware that provides remote, administrative access to a computer
Root user (or superuser): A user with elevated privileges to modify the system
Router: A network device that connects multiple networks together

S
Salting: An additional safeguard that’s used to strengthen hash functions
Scareware: Malware that employs tactics to frighten users into infecting their device
Search Processing Language (SPL): Splunk’s query language
Secure File Transfer Protocol (SFTP): A secure protocol used to transfer files from
one device to another over a network
Secure shell (SSH): A security protocol used to create a shell with a remote system
Security architecture: A type of security design composed of multiple components,
such as tools and processes, that are used to protect an organization from risks and
external threats
Security audit: A review of an organization's security controls, policies, and
procedures against a set of expectations
Security controls: Safeguards designed to reduce specific security risks
Security ethics: Guidelines for making appropriate decisions as a security
professional
Security frameworks: Guidelines used for building plans to help mitigate risk and
threats to data and privacy
Security governance: Practices that help support, define, and direct security efforts
of an organization
Security hardening: The process of strengthening a system to reduce its
vulnerabilities and attack surface
Security information and event management (SIEM): An application that collects
and analyzes log data to monitor critical activities in an organization
Security mindset: The ability to evaluate risk and constantly seek out and identify the
potential or actual breach of a system, application, or data
Security operations center (SOC): An organizational unit dedicated to monitoring
networks, systems, and devices for security threats or attacks

Security orchestration, automation, and response (SOAR): A collection of
applications, tools, and workflows that use automation to respond to security events
Security posture: An organization’s ability to manage its defense of critical assets and
data and react to change
Security zone: A segment of a company’s network that protects the internal network
from the internet
Select: The third step of the NIST RMF that means to choose, customize, and capture
documentation of the controls that protect an organization
Sensitive data: A type of data that includes personally identifiable information (PII),
sensitive personally identifiable information (SPII), or protected health information
(PHI)
Sensitive personally identifiable information (SPII): A specific type of PII that falls
under stricter handling guidelines
Separation of duties: The principle that users should not be given levels of
authorization that would allow them to misuse a system
Session: a sequence of network HTTP requests and responses associated with the
same user
Session cookie: A token that websites use to validate a session and determine how
long that session should last
Session hijacking: An event when attackers obtain a legitimate user’s session ID
Session ID: A unique token that identifies a user and their device while accessing a
system
Set data: Data that consists of an unordered collection of unique values
Shared responsibility: The idea that all individuals within an organization take an
active role in lowering risk and maintaining both physical and virtual security
Shell: The command-line interpreter
Signature: A pattern that is associated with malicious activity
Signature analysis: A detection method used to find events of interest

Simple Network Management Protocol (SNMP): A network protocol used for
monitoring and managing devices on a network
Single sign-on (SSO): A technology that combines several different logins into one
Smishing: The use of text messages to trick users to obtain sensitive information or to
impersonate a known source
Smurf attack: A network attack performed when an attacker sniffs an authorized
user’s IP address and floods it with ICMP packets
Social engineering: A manipulation technique that exploits human error to gain
private information, access, or valuables
Social media phishing: A type of attack where a threat actor collects detailed
information about their target on social media sites before initiating the attack
Spear phishing: A malicious email attack targeting a specific user or group of users,
appearing to originate from a trusted source
Speed: The rate at which a device sends and receives data, measured by bits per
second
Splunk Cloud: A cloud-hosted tool used to collect, search, and monitor log data
Splunk Enterprise: A self-hosted tool used to retain, analyze, and search an
organization's log data to provide security information and alerts in real-time
Spyware: Malware that’s used to gather and sell information without consent
SQL (Structured Query Language): A programming language used to create, interact
with, and request information from a database
SQL injection: An attack that executes unexpected queries on a database
Stakeholder: An individual or group that has an interest in any decision or activity of
an organization
Standard error: An error message returned by the OS through the shell
Standard input: Information received by the OS via the command line
Standard output: Information returned by the OS through the shell
Standards: References that inform how to set policies

STAR method: An interview technique used to answer behavioral and situational
questions
Stateful: A class of firewall that keeps track of information passing through it and
proactively filters out threats
Stateless: A class of firewall that operates based on predefined rules and that does
not keep track of information from data packets
Stored XSS attack: An instance when malicious script is injected directly on the server
String concatenation: The process of joining two strings together
String data: Data consisting of an ordered sequence of characters
Style guide: A manual that informs the writing, formatting, and design of documents
Subnetting: The subdivision of a network into logical groups called subnets
Substring: A continuous sequence of characters within a string
Sudo: A command that temporarily grants elevated permissions to specific users
Supply-chain attack: An attack that targets systems, applications, hardware, and/or
software to locate a vulnerability where malware can be deployed
Suricata: An open-source intrusion detection system, intrusion prevention system, and
network analysis tool
Switch: A device that makes connections between specific devices on a network by
sending and receiving data between them
Symmetric encryption: The use of a single secret key to exchange information
Synchronize (SYN) flood attack: A type of DoS attack that simulates a TCP/IP
connection and floods a server with SYN packets
Syntax: The rules that determine what is correctly structured in a computing language
Syntax error: An error that involves invalid usage of a programming language
T
Tailgating: A social engineering tactic in which unauthorized people follow an
authorized person into a restricted area

TCP/IP model: A framework used to visualize how data is organized and transmitted
across a network
tcpdump: A command-line network protocol analyzer
Technical skills: Skills that require knowledge of specific tools, procedures, and
policies
Telemetry: The collection and transmission of data for analysis
Threat: Any circumstance or event that can negatively impact assets
Threat actor: Any person or group who presents a security risk
Threat hunting: The proactive search for threats on a network
Threat intelligence: Evidence-based threat information that provides context about
existing or emerging threats
Threat modeling: The process of identifying assets, their vulnerabilities, and how each
is exposed to threats
Transferable skills: Skills from other areas that can apply to different careers
Transmission Control Protocol (TCP): An internet communication protocol that
allows two devices to form a connection and stream data
Triage: The prioritizing of incidents according to their level of importance or urgency
Trojan horse: Malware that looks like a legitimate file or program
True negative: A state where there is no detection of malicious activity
True positive An alert that correctly detects the presence of an attack
Tuple data: Data structure that consists of a collection of data that cannot be changed
Type error: An error that results from using the wrong data type
U
Ubuntu: An open-source, user-friendly distribution that is widely used in security and
other industries

Unauthorized access: An incident type that occurs when an individual gains digital or
physical access to a system or application without permission
Uncontrolled zone: Any network outside your organization's control
Unified Extensible Firmware Interface (UEFI): A microchip that contains loading
instructions for the computer and replaces BIOS on more modern systems
USB baiting: An attack in which a threat actor strategically leaves a malware USB stick
for an employee to find and install to unknowingly infect a network
User: The person interacting with a computer
User Datagram Protocol (UDP): A connectionless protocol that does not establish a
connection between devices before transmissions
User-defined function: A function that programmers design for their specific needs
User interface: A program that allows the user to control the functions of the
operating system
User provisioning: The process of creating and maintaining a user's digital identity
V
Variable: A container that stores data
Virtual machine (VM): A virtual version of a physical computer
Virtual Private Network (VPN): A network security service that changes your public
IP address and hides your virtual location so that you can keep your data private when
you are using a public network like the internet
Virus: Malicious code written to interfere with computer operations and cause
damage to data and software
VirusTotal: A service that allows anyone to analyze suspicious files, domains, URLs,
and IP addresses for malicious content
Vishing: The exploitation of electronic voice communication to obtain sensitive
information or to impersonate a known source
Visual dashboard: A way of displaying various types of data quickly in one place

Vulnerability: A weakness that can be exploited by a threat
Vulnerability assessment: The internal review process of an organization's security
systems
Vulnerability management: The process of finding and patching vulnerabilities
Vulnerability scanner: Software that automatically compares existing common
vulnerabilities and exposures against the technologies on the network
W
Watering hole attack: A type of attack when a threat actor compromises a website
frequently visited by a specific group of users
Web-based exploits: Malicious code or behavior that’s used to take advantage of
coding flaws in a web application
Whaling: A category of spear phishing attempts that are aimed at high-ranking
executives in an organization
Wide Area Network (WAN): A network that spans a large geographic area like a city,
state, or country
Wi-Fi Protected Access (WPA): A wireless security protocol for devices to connect to
the internet
Wildcard: A special character that can be substituted with any other character
Wireshark: An open-source network protocol analyzer
World-writable file: A file that can be altered by anyone in the world
Worm: Malware that can duplicate and spread itself across systems on its own
Y
YARA-L: A computer language used to create rules for searching through ingested log
data
Z

Zero-day: An exploit that was previously unknown

Welcome to week 1

Before securing a network, you need to understand the basic design of a network and how it functions.

In this section of the course, you will learn about the structure of a network, standard networking tools, cloud networks, and the basic framework for organizing communications across a network called the TCP/IP model.

Securing networks is a big part of a security analyst's responsibilities, so I'm excited to help you understand how to secure your organization's network from threats, risks, and vulnerabilities.

Let's get going!

Chris: My path to cybersecurity

My name is Chris and I'm the Chief Information Security Officer at Google Fiber. We provide high speed Internet to customers across the United States. As the chief information security officer, I'm responsible for making sure that the network stays safe, our customers' data stays safe and that we are supporting law enforcement and others as required. The career path was a long and winding one. My actual first job was working as a butcher at the family grocery store. I eventually ended up with a job in the computer center at college, which is where I learned a lot of my initial computer skills. Then when I graduated from college, I started off as a software developer, designing accounting software for a consulting company supporting the Department of Agriculture. Then I moved on from that to other roles, eventually ending up in one of the first Internet over cable companies. I ran several of their services, email, web services, etc. My stuff kept getting attacked. I fell into cybersecurity because I had to defend the things that I was building. I realized it was fun. I realized that it was a great career opportunity. I've just stuck with that ever since then. When I got into this field, other than a couple of books, there wasn't a lot of training material out there. There were some other people out there that I could ask questions of, and I could get some mentoring from. But as a general rule of thumb, I was on my own. Despite this being a fairly technical field, the most important thing you're going to learn are the connections you're going to make to other people. I made a conscious decision to become actively involved in some of the outside work organizations, the trade associations, the non profits, the meet ups, and other cybersecurity organizations. This enabled me to build the reputation and the relationships so that as my career moved along, people were reaching out to me saying, hey Chris, we have this opportunity, are you interested? Because the cybersecurity industry is so varied, it can seem like there is a tremendous amount you have to learn that there is this huge step that you have to take in order to get into the industry. That can be daunting. But the thing to remember is, once you have that fundamental level of skills and fundamental level of background, there are so many different directions you can go and there's so much opportunity out there. There's this continuous education and curiosity aspect of the job that is so much fun. It means that you are always having the opportunity to learn something new, to change directions and go in new ways because cybersecurity is going to be constantly changing. And that's part of the fun.

What are networks?

Welcome! Before you can understand the importance of securing a network, you need to know what a network is.

A network is a group of connected devices. At home, the devices connected to your network might be your laptop, cell phones, and smart devices, like your refrigerator or air conditioner. In an office, devices like workstations, printers, and servers all connect to the network. The devices on a network can communicate with each other over network cables, or wireless connections. Networks in your home and office can communicate with networks in other locations, and the devices on them.

Devices need to find each other on a network to establish communications. These devices will use unique addresses, or identifiers, to locate each other. The addresses will ensure that communications happens with the right device. These are called the IP and MAC addresses.

Devices can communicate on two types of networks: a local area network, also known as a LAN, and a wide area network, also known as a WAN.

A local area network, or LAN, spans a small area like an office building, a school, or a home. For example, when a personal device like your cell phone or tablet connects to the WIFI in your house, they form a LAN. The LAN then connects to the internet.

A wide area network or WAN spans a large geographical area like a city, state, or country. You can think of the internet as one big WAN. An employee of a company in San Francisco can communicate and share resources with another employee in Dublin, Ireland over the WAN.

Now that you've learned about the structure and types of networks, meet me in an upcoming video to learn about the devices that connect to them.

Tina: Working in network security

My name is Tina and I'm a software engineer at Google. As a software engineer, I work on an internal tool that serves the security engineers and network engineers at Google. Network security is important because we want to make sure that our network systems are safe and resilient to be able to defend against malicious hackers, and that we have the ability to protect our user data. Working with network security allows to see the overview of the whole company's network systems, which is super cool. My favorite part of my job is the impact I get to have on the community that I serve at Google. I would say most of my day is a lot of coding, design, talking to security teams and network teams on their priorities and their blockers and being able to come up with a solution. There are often going to be requests that come from network teams and security teams that have specific requirements on certain platforms or on a feature that they need in one of the network policies, and usually we would escalate that and try to work on a fix for that. One piece of advice I would give for someone who wants to take on the cybersecurity journey is to be able to always keep learning and be curious about how things work. Because security is an ever changing field, cybersecurity is definitely a team sport. Everybody has something to contribute, and especially on cybersecurity problems, there can be a lot of possibilities and a lot of different solutions to one problem. It's always great to be able to have people to brainstorm with and to track down issues together because things can get very complex sometimes, but it's also a fun process to be able to work on things together.

Emmanuel: Useful skills for network security

My name is Emmanuel and I am an offensive security engineer at Google. For offensive security, my job is to simulate adversaries and threats that are targeting various companies and I look at defending how we can protect Google's infrastructure. I make it harder to hack Google by actually hacking Google. The technical skills that I use is a lot of programming, as well as learning about operational and platform security. Knowing how these computers work, what is under the hood, and understanding the components that create this infrastructure. An entry-level cybersecurity analyst would look at using command lines, log parsing, and network traffic analysis in their everyday scope of work. Command line allows you to interact with various levels of your operating system, whether it's the low-level things like the memory and the kernel, or if it's high-level things like the applications and the programs that you're running on your computer. With log parsing, they're going to be times where you may need to figure out and debug what is going on in your program or application and these logs are there to help you and support you in finding the root issue and then resolve it from there. With this network traffic analysis, there may be times where you need to figure out why is my Internet going slow? Why is traffic not being routed to the appropriate destination? What can I do to ensure that my network is up and running? Network traffic analysis is looking at network across various application and network layers and seeing what that traffic is doing, how we can secure that traffic, as well as identify any vulnerabilities and concerns. In the contexts for me, for security, I look at: are passwords being leaked in the traffic that's being sent across the network? Are infrastructures being secured? Are firewalls being readily configured and configured safely? One skill that has continued to grow with me in my current role has been communicating effectively to product teams, engineers, and identifying an issue that is influencing or affecting the business, and communicating to those teams effectively to fix it. Being able to take on these many hats and explain things with the right business approach to things to ensure that the issues that I do find in my work are identified but there are also fixed. My advice to folks who are taking this certificate would take things apart, feel uncomfortable, learn and grow and find opportunities to learn and understand how things work and that skill set will benefit you for the remainder of your journey.

tech enthusiest reminder

A hub is a network device that broadcasts information to every device on the network.

Network tools

In this video, you'll learn about the common devices that make up a network. Let's get started.

A hub is a network device that broadcasts information to every device on the network. Think of a hub like a radio tower that broadcasts a signal to any radio tuned to the correct frequency.

Another network device is a switch. A switch makes connections between specific devices on a network by sending and receiving data between them. A switch is more intelligent than a hub. It only passes data to the intended destination. This makes switches more secure than hubs, and enables them to control the flow of traffic and improve network performance.

Another device that we'll discuss is a router. A router is a network device that connects multiple networks together.

For example, if a computer in one network wants to send information to a tablet on another network, then the information will be transferred as follows: First, the information travels from the computer to the router. Then, the router reads the destination address, and forwards the data to the intended network's router. Finally, the receiving router directs that information to the tablet.

Finally, let's discuss modems. A modem is a device that connects your router to the internet, and brings internet access to the LAN.

For example, if a computer from one network wants to send information to a device on a network in a different geographic location, it would be transferred as follows: The computer would send information to the router, and the router would then transfer the information through the modem to the internet. The intended recipient's modem receives the information, and transfers it to the router. Finally, the recipient's router forwards that information to the destination device.

Network tools such as hubs, switches, routers, and modems are physical devices. However, many functions performed by these physical devices can be completed by virtualization tools.

Virtualization tools are pieces of software that perform network operations. Virtualization tools carry out operations that would normally be completed by a hub, switch, router, or modem, and they are offered by Cloud service providers. These tools provide opportunities for cost savings and scalability. You'll learn more about them later in the certificate program.

Now you've explored some common devices that make up a network. Coming up, you're going to learn more about cloud computing, and how networks can be designed using cloud services.

Network components, devices, and diagrams

In this section of the course, you will learn about network architecture. 

Once you have a foundational understanding of network architecture, sometimes referred to as network design, you will learn about security vulnerabilities inherent in all networks and how malicious actors attempt to exploit them. In this reading, you will review network devices and connections and investigate a simple network diagram similar to those used every day by network security professionals. Essential tasks of a security analyst include setting up the tools, devices, and protocols used to observe and secure network traffic.

Devices on a network 

Network devices are the devices that maintain information and services for users of a network. These devices connect over wired and wireless connections. After establishing a connection to the network, the devices send data packets. The data packets provide information about the source and the destination of the data.

Devices and desktop computers 

Most internet users are familiar with everyday devices, such as personal computers, laptops, mobile phones, and tablets. Each device and desktop computer has a unique MAC address and IP address, which identify it on the network, and a network interface that sends and receives data packets. These devices can connect to the network via a hard wire or a wireless connection.

Firewalls

A firewall is a network security device that monitors traffic to or from your network. Firewalls can also restrict specific incoming and outgoing network traffic. The organization configures the security rules. Firewalls often reside between the secured and controlled internal network and the untrusted network resources outside the organization, such as the internet.

Servers 

Servers provide a service for other devices on the network. The devices that connect to a server are called clients. The following graphic outlines this model, which is called the client-server model. In this model, clients send requests to the server for information and services. The server performs the requests for the clients. Common examples include DNS servers that perform domain name lookups for internet sites, file servers that store and retrieve files from a database, and corporate mail servers that organize mail for a company. 

Hubs and switches

Hubs and switches both direct traffic on a local network. A hub is a device that provides a common point of connection for all devices directly connected to it. Hubs additionally repeat all information out to all ports. From a security perspective, this makes hubs vulnerable to eavesdropping. For this reason, hubs are not used as often on modern networks; most organizations use switches instead.

A switch forwards packets between devices directly connected to it. It maintains a MAC address table that matches MAC addresses of devices on the network to port numbers on the switch and forwards incoming data packets according to the destination MAC address.

Routers

Routers sit between networks and direct traffic, based on the IP address of the destination network. The IP address of the destination network is contained in the IP header. The router reads the header information and forwards the packet to the next router on the path to the destination. This continues until the packet reaches the destination network. Routers can also include a firewall feature that allows or blocks incoming traffic based on information in the transmission. This stops malicious traffic from entering the private network and damaging the local area network.

Modems and wireless access points

Modems

Modems usually interface with an internet service provider (ISP). ISPs provide internet connectivity via telephone lines or coaxial cables. Modems receive transmissions from the internet and translate them into digital signals that can be understood by the devices on the network. Usually, modems connect to a router that takes the decoded transmissions and sends them on to the local network.

Note: Enterprise networks used by large organizations to connect their users and devices often use other broadband technologies to handle high-volume traffic, instead of using a modem. 

Wireless access point

A wireless access point sends and receives digital signals over radio waves creating a wireless network. Devices with wireless adapters connect to the access point using Wi-Fi. Wi-Fi refers to a set of standards that are used by network devices to communicate wirelessly. Wireless access points and the devices connected to them use Wi-Fi protocols to send data through radio waves where they are sent to routers and switches and directed along the path to their final destination.

Using network diagrams as a security analyst

Network diagrams allow network administrators and security personnel to imagine the architecture and design of their organization’s private network.

Network diagrams are topographical maps that show the devices on the network and how they connect. Network diagrams use small representative graphics to portray each network device and dotted lines to show how each device connects to the other. Security analysts use network diagrams to learn about network architecture and how to design networks. 

Key takeaways

In the client-server model, the client requests information and services from the server, and the server performs the requests for the clients. Network devices include routers, workstations, servers, hubs, switches, and modems. Security analysts use network diagrams to visualize network architecture.

Cloud networks

Companies have traditionally owned their network devices, and kept them in their own office buildings. But now, a lot of companies are using third-party providers to manage their networks.
 
Why? Well, this model helps companies save money while giving them access to more network resources. The growth of cloud computing is helping many companies reduce costs and streamline their network operations.

Cloud computing is the practice of using remote servers, applications, and network services that are hosted on the internet instead of on local physical devices.

Today, the number of businesses that use cloud computing is increasing every year, so it's important to understand how cloud networks function and how to secure them.

Cloud providers offer an alternative to traditional on-premise networks, and allow organizations to have the benefits of the traditional network without storing the devices and managing the network on their own.

A cloud network is a collection of servers or computers that stores resources and data in a remote data center that can be accessed via the internet. Because companies don't house the servers at their physical location, these servers are referred to as being "in the cloud".

Traditional networks host web servers from a business in its physical location. However, cloud networks are different from traditional networks because they use remote servers, which allow online services and web applications to be used from any geographic location. Cloud security will become increasingly relevant to many security professionals as more organizations migrate to cloud services.

Cloud service providers offer cloud computing to maintain applications. For example, they provide on-demand storage and processing power that their customers only pay as needed. They also provide business and web analytics that organizations can use to monitor their web traffic and sales.

With the transition to cloud networking, I have witnessed an overlap of identity-based security on top of the more traditional network-based solutions. This meant that my focus needed to be on verifying both where the traffic is coming from and the identity that is coming with it.

More organizations are moving their network services to the cloud to save money and simplify their operations. As this trend has grown, cloud security has become a significant aspect of network security.

Cloud networks

Companies have traditionally owned their network devices, and kept them in their own office buildings. But now, a lot of companies are using third-party providers to manage their networks.

Why? Well, this model helps companies save money while giving them access to more network resources. The growth of cloud computing is helping many companies reduce costs and streamline their network operations.

Cloud computing is the practice of using remote servers, applications, and network services that are hosted on the internet instead of on local physical devices.

Today, the number of businesses that use cloud computing is increasing every year, so it's important to understand how cloud networks function and how to secure them.

Cloud providers offer an alternative to traditional on-premise networks, and allow organizations to have the benefits of the traditional network without storing the devices and managing the network on their own.

A cloud network is a collection of servers or computers that stores resources and data in a remote data center that can be accessed via the internet. Because companies don't house the servers at their physical location, these servers are referred to as being "in the cloud".

Traditional networks host web servers from a business in its physical location. However, cloud networks are different from traditional networks because they use remote servers, which allow online services and web applications to be used from any geographic location. Cloud security will become increasingly relevant to many security professionals as more organizations migrate to cloud services.

Cloud service providers offer cloud computing to maintain applications. For example, they provide on-demand storage and processing power that their customers only pay as needed. They also provide business and web analytics that organizations can use to monitor their web traffic and sales.

With the transition to cloud networking, I have witnessed an overlap of identity-based security on top of the more traditional network-based solutions. This meant that my focus needed to be on verifying both where the traffic is coming from and the identity that is coming with it.

More organizations are moving their network services to the cloud to save money and simplify their operations. As this trend has grown, cloud security has become a significant aspect of network security.

Network Communication

Introduction to network communication

Networks help organizations communicate and connect. But communication makes network attacks more likely because it gives a malicious actor an opportunity to take advantage of vulnerable devices and unprotected networks.

Communication over a network happens when data is transferred from one point to another. Pieces of data are typically referred to as data packets.

A data packet is a basic unit of information that travels from one device to another within a network. When data is sent from one device to another across a network, it is sent as a packet that contains information about where the packet is going, where it's coming from, and the content of the message.

Think about data packets like a piece of physical mail. Imagine you want to send a letter to a friend. The envelope will need to have the address where you want the letter to go and your return address. Inside the envelope is a letter that contains the message that you want your friend to read.

A data packet is very similar to a physical letter. It contains a header that includes the internet protocol address, the IP address, and the media access control, or MAC, address of the destination device. It also includes a protocol number that tells the receiving device what to do with the information in the packet. Then there's the body of the packet, which contains the message that needs to be transmitted to the receiving device. Finally, at the end of the packet, there's a footer, similar to a signature on a letter, the footer signals to the receiving device that the packet is finished.

The movement of data packets across a network can provide an indication of how well the network is performing. Network performance can be measured by bandwidth.

Bandwidth refers to the amount of data a device receives every second. You can calculate bandwidth by dividing the quantity of data by the time in seconds. Speed refers to the rate at which data packets are received or downloaded. Security personnel are interested in network bandwidth and speed because if either are irregular, it could be an indication of an attack. Packet sniffing is the practice of capturing and inspecting data packets across the network.

Communication on the network is important for sharing resources and data because it allows organizations to function effectively. Coming up, you'll learn more about the protocols to support network communication.

The TCP/IP model

Hello again. In this video, you'll learn more about communication protocols and devices used to communicate with each other across the internet. This is called the TCP/IP model.

TCP/IP stands for Transmission Control Protocol and Internet Protocol. TCP/IP is the standard model used for network communication. Let's take a closer look at this model by defining TCP and IP separately.

First, TCP, or Transmission Control Protocol, is an internet communication protocol that allows two devices to form a connection and stream data. The protocol includes a set of instructions to organize data, so it can be sent across a network. It also establishes a connection between two devices and makes sure that packets reach their appropriate destination.

The IP in TCP/IP stands for Internet Protocol. IP has a set of standards used for routing and addressing data packets as they travel between devices on a network. Included in the Internet Protocol (IP) is the IP address that functions as an address for each private network. You'll learn more about IP addresses a bit later.

When data packets are sent and received across a network, they are assigned a port.

Within the operating system of a network device, a port is a software-based location that organizes the sending and receiving of data between devices on a network. Ports divide network traffic into segments based on the service they will perform between two devices. The computers sending and receiving these data segments know how to prioritize and process these segments based on their port number.

This is like sending a letter to a friend who lives in an apartment building. The mail delivery person not only knows how to find the building, but they also know exactly where to go in the building to find the apartment number where your friend lives.

Data packets include instructions that tell the receiving device what to do with the information. These instructions come in the form of a port number. Port numbers allow computers to split the network traffic and prioritize the operations they will perform with the data. Some common port numbers are: port 25, which is used for e-mail, port 443, which is used for secure internet communication, and port 20, for large file transfers.

As you've learned in this video, a lot of information and instructions are contained in data packets as they travel across a network. Coming up, you'll learn more about the TCP/IP model.

The four layers of the TCP/IP model

Now that we've discussed the structure of a network and how communications takes place, it's important for you to know how the security professionals identify problems that might arise.

The TCP/IP model is a framework that is used to visualize how data is organized and transmitted across the network. The TCP/IP model has four layers. The four layers are: the network access layer, the internet layer, the transport layer, and the application layer.

Knowing how the TCP/IP model organizes network activity allows security professionals to monitor and secure against risks.

Let's examine these layers one at a time.

Layer one is the network access layer. The network access layer deals with creation of data packets and their transmission across a network. This includes hardware devices connected to physical cables and switches that direct data to its destination.

Layer two is the internet layer. The internet layer is where IP addresses are attached to data packets to indicate the location of the sender and receiver. The internet layer also focuses on how networks connect to each other. For example, data packets containing information that determine whether they will stay on the LAN or will be sent to a remote network, like the internet.

The transport layer includes protocols to control the flow of traffic across a network. These protocols permit or deny communication with other devices and include information about the status of the connection. Activities of this layer include error control, which ensures data is flowing smoothly across the network.

Finally, at the application layer, protocols determine how the data packets will interact with receiving devices. Functions that are organized at application layer include file transfers and email services.

Now you have an understanding of the TCP/IP model and its four layers. Meet you in the next video.



---------------

 

 

 

what are the Layers of the TCP/IP model?

1. Network access layer
2. Internet layer
3. Transport layer
4. Application layer

Learn more about the TCP/IP model

In this reading, you will build on what you have learned about the Transmission Control Protocol/Internet Protocol (TCP/IP) model, consider the differences between the Open Systems Interconnection (OSI) model and TCP/IP model, and learn how they’re related. Then, you’ll review each layer of the TCP/IP model and go over common protocols used in each layer. 

As a security professional, it's important that you understand the TCP/IP model because all communication on a network is organized using network protocols. Network protocols are a language that systems use to communicate with each other. In order for two network systems to successfully communicate with each other, they need to use the same protocol. The two most common models available are the TCP/IP and the OSI model. These models are a representative guideline of how network communications work together and move throughout the network and the host. The examples provided in this course will follow the TCP/IP model.

The TCP/IP model

The TCP/IP model is a framework used to visualize how data is organized and transmitted across a network. This model helps network engineers and network security analysts conceptualize processes on the network and communicate where disruptions or security threats occur. 

The TCP/IP model has four layers: network access layer, internet layer, transport layer, and application layer. When troubleshooting issues on the network, security professionals can analyze and deduce which layer or layers an attack occurred based on what processes were involved in an incident. 

Network access layer 

The network access layer, sometimes called the data link layer, organizes sending and receiving data frames within a single network. This layer corresponds to the physical hardware involved in network transmission. Hubs, modems, cables, and wiring are all considered part of this layer. The address resolution protocol (ARP) is part of the network access layer. ARP assists IP with directing data packets on the same physical network by mapping IP addresses to MAC addresses on the same physical network.

Internet layer

The internet layer, sometimes referred to as the network layer, is responsible for ensuring the delivery to the destination host, which potentially resides on a different network. The internet layer determines which protocol is responsible for delivering the data packets. Here are some of the common protocols that operate at the internet layer:

Internet Protocol (IP). IP sends the data packets to the correct destination and relies on the Transmission Control Protocol/User Datagram Protocol (TCP/UDP) to deliver them to the corresponding service. IP packets allow communication between two networks. They are routed from the sending network to the receiving network. The TCP/UDP retransmits any data that is lost or corrupt.

 

Internet Control Message Protocol (ICMP). The ICMP shares error information and status updates of data packets. This is useful for detecting and troubleshooting network errors. The ICMP reports information about packets that were dropped or that disappeared in transit, issues with network connectivity, and packets redirected to other routers.

Transport layer

The transport layer is responsible for reliably delivering data between two systems or networks. TCP and UDP are the two transport protocols that occur at this layer. 

Transmission Control Protocol 

The TCP ensures that data is reliably transmitted to the destination service. TCP contains the port number of the intended destination service, which resides in the TCP header of an TCP/IP packet.

User Datagram Protocol 

The UDP is used by applications that are not concerned with the reliability of the transmission. Data sent over UDP is not tracked as extensively as data sent using TCP. Because UDP does not establish network connections, it is used mostly for performance sensitive applications that operate in real time, such as video streaming.

Application layer

The application layer in the TCP/IP model is similar to the application, presentation, and session layers of the OSI model. The application layer is responsible for making network requests or responding to requests. This layer defines which internet services and applications any user can access. Some common protocols used on this layer are: 

Hypertext transfer protocol (HTTP)

Simple mail transfer protocol (SMTP)

Secure shell (SSH)

File transfer protocol (FTP)

Domain name system (DNS)

Application layer protocols rely on underlying layers to transfer the data across the network.

TCP/IP model versus OSI model

The OSI visually organizes network protocols into different layers. Network professionals often use this model to communicate with each other about potential sources of problems or security threats when they occur. 

The TCP/IP model combines multiple layers of the OSI model. There are many similarities between the two models. Both models define standards for networking and divide the network communication process into different layers. The TCP/IP model is a simplified version of the OSI model.

Key takeaways

Both the TCP/IP and OSI models are conceptual models that help network professionals visualize network processes and protocols in regards to data transmission between two or more systems. The TCP/IP model contains four layers, and the OSI model contains seven layers.

The OSI model

So far in this section of the course, you learned about the components of a network, network devices, and how network communication occurs across a network.

All communication on a network is organized using network protocols. Previously, you learned about the Transmission Control Protocol (TCP), which establishes connections between two devices, and the Internet Protocol (IP), which is used for routing and addressing data packets as they travel between devices on a network. This reading will continue to explore the seven layers of the Open Systems Interconnection (OSI) model and the processes that occur at each layer. We will work backwards from layer seven to layer one, going from the processes that involve the everyday network user to those that involve the most basic networking components, like network cables and switches. This reading will also review the main differences between the TCP/IP and OSI models.

The TCP/IP model vs. the OSI model

The TCP/IP model is a framework used to visualize how data is organized and transmitted across a network. This model helps network engineers and network security analysts design the data network and conceptualize processes on the network and communicate where disruptions or security threats occur.

The TCP/IP model has four layers: network access layer, internet layer, transport layer, and application layer. When analyzing network events, security professionals can determine what layer or layers an attack occurred in based on what processes were involved in the incident. 

The OSI model is a standardized concept that describes the seven layers computers use to communicate and send data over the network. Network and security professionals often use this model to communicate with each other about potential sources of problems or security threats when they occur.

Some organizations rely heavily on the TCP/IP model, while others prefer to use the OSI model. As a security analyst, it’s important to be familiar with both models. Both the TCP/IP and OSI models are useful for understanding how networks work. 

Layer 7: Application layer

The application layer includes processes that directly involve the everyday user. This layer includes all of the networking protocols that software applications use to connect a user to the internet. This characteristic is the identifying feature of the application layer—user connection to the network via applications and requests.

An example of a type of communication that happens at the application layer is using a web browser. The internet browser uses HTTP or HTTPS to send and receive information from the website server. The email application uses simple mail transfer protocol (SMTP) to send and receive email information. Also, web browsers use the domain name system (DNS) protocol to translate website domain names into IP addresses which identify the web server that hosts the information for the website. 

Layer 6: Presentation layer

Functions at the presentation layer involve data translation and encryption for the network. This layer adds to and replaces data with formats that can be understood by applications (layer 7) on both sending and receiving systems. Formats at the user end may be different from those of the receiving system. Processes at the presentation layer require the use of a standardized format.

Some formatting functions that occur at layer 6 include encryption, compression, and confirmation that the character code set can be interpreted on the receiving system. One example of encryption that takes place at this layer is SSL, which encrypts data between web servers and browsers as part of websites with HTTPS.

Layer 5: Session layer

A session describes when a connection is established between two devices. An open session allows the devices to communicate with each other. Session layer protocols occur to keep the session open while data is being transferred and terminate the session once the transmission is complete. 

The session layer is also responsible for activities such as authentication, reconnection, and setting checkpoints during a data transfer. If a session is interrupted, checkpoints ensure that the transmission picks up at the last session checkpoint when the connection resumes. Sessions include a request and response between applications. Functions in the session layer respond to requests for service from processes in the presentation layer (layer 6) and send requests for services to the transport layer (layer 4).

Layer 4: Transport layer

The transport layer is responsible for delivering data between devices. This layer also handles the speed of data transfer, flow of the transfer, and breaking data down into smaller segments to make them easier to transport. Segmentation is the process of dividing up a large data transmission into smaller pieces that can be processed by the receiving system. These segments need to be reassembled at their destination so they can be processed at the session layer (layer 5). The speed and rate of the transmission also has to match the connection speed of the destination system. TCP and UDP are transport layer protocols. 

Layer 3: Network layer

The network layer oversees receiving the frames from the data link layer (layer 2) and delivers them to the intended destination. The intended destination can be found based on the address that resides in the frame of the data packets. Data packets allow communication between two networks. These packets include IP addresses that tell routers where to send them. They are routed from the sending network to the receiving network. 

Layer 2: Data link layer

The data link layer organizes sending and receiving data packets within a single network. The data link layer is home to switches on the local network and network interface cards on local devices.

Protocols like network control protocol (NCP), high-level data link control (HDLC), and synchronous data link control protocol (SDLC) are used at the data link layer.

Layer 1: Physical layer 

As the name suggests, the physical layer corresponds to the physical hardware involved in network transmission. Hubs, modems, and the cables and wiring that connect them are all considered part of the physical layer. To travel across an ethernet or coaxial cable, a data packet needs to be translated into a stream of 0s and 1s. The stream of 0s and 1s are sent across the physical wiring and cables, received, and then passed on to higher levels of the OSI model.

Key takeaways

Both the TCP/IP and OSI models are conceptual models that help network professionals design network processes and protocols in regards to data transmission between two or more systems. The OSI model contains seven layers. Network and security professionals use the OSI model to communicate with each other about potential sources of problems or security threats when they occur.  Network engineers and network security analysts use the TCP/IP and OSI models to conceptualize network processes and communicate the location of disruptions or threats.

Local and wide network communication

Let's learn about how IP addresses are used to communicate over a network. IP stands for internet protocol. An internet protocol address, or IP address, is a unique string of characters that identifies a location of a device on the internet. Each device on the internet has a unique IP address, just like every house on a street has its own mailing address.

There are two types of IP addresses: IP version 4, or IPv4, and IP version 6, or IPv6. Let's look at examples of an IPv4 address.

IPv4 addresses are written as four, 1, 2, or 3-digit numbers separated by a decimal point. In the early days of the internet, IP addresses were all IPV4. But as the use of the internet grew, all the IPv4 addresses started to get used up, so IPv6 was developed.

IPv6 addresses are made up of 32 characters. The length of the IPv6 address will allow for more devices to be connected to the internet without running out of addresses as quickly as IPv4.

IP addresses can be either public or private. Your internet service provider assigns a public IP address that is connected to your geographic location. When network communications goes out from your device on the internet, they all have the same public-facing address. Just like all the roommates in one home share the same mailing address, all the devices on a network share the same public-facing IP address.

Private IP addresses are only seen by other devices on the same local network. This means that all the devices on your home network can communicate with each other using unique IP addresses that the rest of the internet can't see.

Another kind of address used in network communications is called a MAC address. A MAC address is a unique alphanumeric identifier that is assigned to each physical device on a network. When a switch receives a data packet, it reads the MAC address of the destination device and maps it to a port. It then keeps this information in a MAC address table. Think of the MAC address table like an address book that the switch uses to direct data packets to the appropriate device.

In this video, you learned about IP version 4 and IP version 6 addresses. You learned how IP and MAC addresses are used in network communication and the difference between a public and a private IP address.

Components of network layer communication

Components of network layer communication

In the reading about the OSI model
, you learned about the seven layers of the OSI model that are used to conceptualize the way data is transmitted across the internet. In this reading, you will learn more about operations that take place at layer 3 of the OSI model: the network layer.

Operations at the network layer

Functions at the network layer organize the addressing and delivery of data packets across the network and internet from the host device to the destination device. This includes directing the packets from one router to another router across the internet, based on the internet protocol (IP) address of the destination network. The destination IP address is contained within the header of each data packet. This address will be stored for future routing purposes in  routing tables along the packet’s path to its destination.

All data packets include an IP address; this is referred to as an IP packet or datagram. A router uses the IP address to route packets from network to network based on information contained in the IP header of a data packet. Header information communicates more than just the address of the destination. It also includes information such as the source IP address, the size of the packet, and which protocol will be used for the data portion of the packet. 

Format of an IPv4 packet

Next, you can review the format of an IP version 4 (IPv4) packet and review a detailed graphic of the packet header. An IPv4 packet is made up of two sections, the header and the data:

The size of the IP header ranges from 20 to 60 bytes. The header includes the IP routing information that devices use to direct the packet. The format of an IP packet header is determined by the IPv4 protocol.

The length of the data section of an IPv4 packet can vary greatly in size. However, the maximum possible size of an IP packet is 65,536 bytes. It contains the message being transferred to the transmission, like website information or email text. 

There are 13 fields within the header of an IPv4 packet:

Version: The first 4-bit header tells receiving devices what protocol the packet is using. The packet used in the illustration above is an IPv4 packet.

IP Header Length (HLEN): HLEN is the packet’s header length. This value indicates where the packet header ends and the data segment begins. 

Type of Service (ToS): Routers prioritize packets for delivery to maintain quality of service on the network. The ToS field provides the router with this information.

Total Length: This field communicates the total length of the entire IP packet, including the header and data. The maximum size of an IPv4 packet is 65,535 bytes.

Identification: For IPv4 packets that are larger than 65, 535 bytes, the packets are divided, or fragmented, into smaller IP packets. The identification field provides a unique identifier for all the fragments of the original IP packet so that they can be reassembled once they reach their destination. 

Flags: This field provides the routing device with more information about whether the original packet has been fragmented and if there are more fragments in transit.

Fragmentation Offset: The fragment offset field tells routing devices where in the original packet the fragment belongs.

Time to Live (TTL): TTL prevents data packets from being forwarded by routers indefinitely. It contains a counter that is set by the source. The counter is decremented by one as it passes through each router along its path. When the TTL counter reaches zero, the router currently holding the packet will discard the packet and return an ICMP Time Exceeded error message to the sender. 

Protocol: The protocol field tells the receiving device which protocol will be used for the data portion of the packet.

Header Checksum: The header checksum field contains a checksum that can be used to detect corruption of the IP header in transit. Corrupted packets are discarded.

Source IP Address: The source IP address is the IPv4 address of the sending device.

Destination IP Address: The destination IP address is the IPv4 address of the destination device.

Options: The options field allows for security options to be applied to the packet if the HLEN value is greater than five. The field communicates these options to the routing devices.

Difference between IPv4 and IPv6

In an earlier part of this course, you learned about the history of IP addressing. As the internet grew, it became clear that all of the IPv4 addresses would eventually be depleted; this is called IPv4 address exhaustion. At the time, no one had anticipated how many computing devices would need an IP address in the future. IPv6 was developed to mitigate IPv4 address exhaustion and other related concerns. 

One of the key differences between IPv4 and IPv6 is the length of the addresses. IPv4 addresses are numeric, made of 4 bytes, and allow for up to 4.3 billion possible addresses. IPv4 addresses are made up of four strings and the numbers range from 0 to 255. An example of an IPv4 address would be: 198.51.100.0. IPv6 addresses are hexadecimal, made up of 16 bytes, and allow for up to 340 undecillion addresses (340 followed by 36 zeros). An example of an IPv6 address would be: 2002:0db8:0000:0000:0000:ff21:0023:1234.

There are also some differences in the layout of an IPv6 packet header. The IPv6 header format is much simpler than IPv4. For example, the IPv4 Header includes the HLEN, Identification, and Flags fields, whereas the IPv6 does not. The IPv6 header introduces different fields not included in IPv4 headers, such as the Flow Label and Traffic Class.  

There are some important security differences between IPv4 and IPv6. IPv6 offers more efficient routing and eliminates private address collisions that can occur on IPv4 when two devices on the same network are attempting to use the same address. 

Key takeaways

Security analysts can use packet capturing tools, or PCAP, to inspect packets while they’re in transit. Analyzing the different fields in an IP address packet can be used to find out important security information about the packet. Some examples of security-related information found in IP address packets: where the packet is coming from, where it’s going, and which protocol it’s using. Understanding the data in an IPv4 data packet will allow you to make critical decisions about the security implications of packets that you inspect.

Wrap-up

Hey, you made it! Well done! Let's wrap up what you've learned in this section of the course.

We explored the structure of a network, including WANs and LANs. We also discussed standard networking tools like hubs, switches, routers, and modems. We briefly introduced cloud networks, and we discussed their benefits. We also spent some time on the TCP/IP model. As a reminder, technicians and security analysts often use this framework when communicating where network problems have occurred.

That wraps up this section. Next, you'll learn more about network operations and how data is transmitted over wireless networks.


bro i actuially listened to the extra reading like 5 times each

 

Glossary terms from Course 3, Week 1

Terms and definitions from Course 3, Week 1

Bandwidth: The maximum data transmission capacity over a network, measured by bits per second

Cloud computing: The practice of using remote servers, application, and network services that are hosted on the internet instead of on local physical devices

Cloud network: A collection of servers or computers that stores resources and data in remote data centers that can be accessed via the internet

Data packet: A basic unit of information that travels from one device to another within a network

Hub: A network device that broadcasts information to every device on the network

Internet Protocol (IP): A set of standards used for routing and addressing data packets as they travel between devices on a network

Internet Protocol (IP) address: A unique string of characters that identifies the location of a device on the internet

Local Area Network (LAN): A network that spans small areas like an office building, a school, or a home

Media Access Control (MAC) address: A unique alphanumeric identifier that is assigned to each physical device on a network

Modem: A device that connects your router to the internet and brings internet access to the LAN

Network: A group of connected devices

Open systems interconnection (OSI) model: A standardized concept that describes the seven layers computers use to communicate and send data over the network

Packet sniffing: The practice of capturing and inspecting data packets across a network

Port: A software-based location that organizes the sending and receiving of data between devices on a network

Router: A network device that connects multiple networks together

Speed: The rate at which a device sends and receives data, measured by bits per second

Subnetting: The subdivision of a network into logical groups called subnets

Switch: A device that makes connections between specific devices on a network by sending and receiving data between them

TCP/IP model: A framework used to visualize how data is organized and transmitted across a network

Transmission Control Protocol (TCP): An internet communication protocol that allows two devices to form a connection and stream data

User Datagram Protocol (UDP): A connectionless protocol that does not establish a connection between devices before transmissions

Wide Area Network (WAN): A network that spans a large geographic area like a city, state, or country

Introduction to network protocols

Welcome to week 2, Network potocols

---

Congratulations on the progress you've made so far!
In this section, you'll learn about how
networks operate using tools and protocols.
These are the concepts that you'll use every
day in your work as a security analyst.
The tools and protocols you'll learn in this section of
the program will help you protect
your organization's network from attacks.
Did you know that malicious actors can take advantage of
data moving from one device to another on a network?
Thankfully, there are tools and
protocols to ensure the network
stays protected against this type of threat.
As an example, I once identified an attack
based solely on the fact they were
using the wrong protocol.
The network traffic volumes were right, and it
was coming from a trusted IP,
but it was on the wrong protocol,
which tipped us off enough to shut down
the attack before they caused real damage.
First, we'll discuss some common network protocols.
Then we'll discuss virtual private networks, or VPNs.
And finally, we'll learn about
firewall security zones and proxy servers.
Now that you have an idea of where we're
headed, let's get started. 

Network protocols

Common network protocols

In this section of the course, you learned about network protocols and how they organize communication over a network. This reading will discuss network protocols in more depth and review some basic protocols that you have learned previously. You will also learn new protocols and discuss some of the ways protocols are involved in network security.

Overview of network protocols

A network protocol is a set of rules used by two or more devices on a network to describe the order of delivery and the structure of data. Network protocols serve as instructions that come with the information in the data packet. These instructions tell the receiving device what to do with the data. Protocols are like a common language that allows devices all across the world to communicate with and understand each other.

Even though network protocols perform an essential function in network communication, security analysts should still understand their associated security implications. Some protocols have vulnerabilities that malicious actors exploit. For example, a nefarious actor could use the Domain Name System (DNS) protocol, which resolves web addresses to IP addresses, to divert traffic from a legitimate website to a malicious website containing malware. You’ll learn more about this topic in upcoming course materials. 

Three categories of network protocols

Network protocols can be divided into three main categories: communication protocols, management protocols, and security protocols. There are dozens of different network protocols, but you don’t need to memorize all of them for an entry-level security analyst role. However, it’s important for you to know the ones listed in this reading. 

Communication protocols

Communication protocols govern the exchange of information in network transmission. They dictate how the data is transmitted between devices and the timing of the communication. They also include methods to recover data lost in transit. Here are a few of them.

Management Protocols

The next category of network protocols is management protocols. Management protocols are used for monitoring and managing activity on a network. They include protocols for error reporting and optimizing performance on the network.

Security Protocols

Security protocols are network protocols that ensure that data is sent and received securely across a network. Security protocols use encryption algorithms to protect data in transit. Below are some common security protocols.

Note: The encryption protocols mentioned do not conceal the source or destination IP address of network traffic. This means a malicious actor can still learn some basic information about the network traffic if they intercept it. 

Key takeaways

The protocols you learned about in this reading are basic networking protocols that entry-level cybersecurity analysts should know. Understanding how protocols function on a network is essential. Cybersecurity analysts can leverage their knowledge of protocols to successfully mitigate vulnerabilities on a network and potentially prevent future attacks.

Additional network protocols

In previous readings and videos, you learned how network protocols organize the sending and receiving of data across a network. You also learned that protocols can be divided into three categories: communication protocols, management protocols, and security protocols.

This reading will introduce you to a few additional concepts and protocols that will come up regularly in your work as a security analyst. Some protocols are assigned port numbers by the Internet Assigned Numbers Authority (IANA). These port numbers are included in the description of each protocol, if assigned. 

Network Address Translation

The devices on your local home or office network each have a private IP address that they use to communicate directly with each other. In order for the devices with private IP addresses to communicate with the public internet, they need to have a public IP address. Otherwise, responses will not be routed correctly. Instead of having a dedicated public IP address for each of the devices on the local network, the router can replace a private source IP address with its public IP address and perform the reverse operation for responses. This process is known as Network Address Translation (NAT) and it generally requires a router or firewall to be specifically configured to perform NAT. NAT is a part of layer 2 (internet layer) and layer 3 (transport layer) of the TCP/IP model.

Dynamic Host Configuration Protocol

Dynamic Host Configuration Protocol (DHCP) is in the management family of network protocols. DHCP is an application layer protocol used on a network to configure devices. It assigns a unique IP address and provides the addresses of the appropriate DNS server and default gateway for each device. DHCP servers operate on UDP port 67 while DHCP clients operate on UDP port 68.

Address Resolution Protocol

By now, you are familiar with IP and MAC addresses. You’ve learned that each device on a network has both an IP address that identifies it on the network and a MAC address that is unique to that network interface. A device’s IP address may change over time, but its MAC address is permanent. Address Resolution Protocol (ARP) is an internet layer protocol in the TCP/IP model used to translate the IP addresses that are found in data packets into the MAC address of the hardware device. 

Each device on the network performs ARP and keeps track of matching IP and MAC addresses in an ARP cache. ARP does not have a specific port number.

Telnet 

Telnet is an application layer protocol that allows a device to communicate with another device or server. Telnet sends all information in clear text. It uses command line prompts to control another device similar to secure shell (SSH), but Telnet is not as secure as SSH. Telnet can be used to connect to local or remote devices and uses TCP port 23. 

Secure shell

Secure shell protocol (SSH) is used to create a secure connection with a remote system. This application layer protocol provides an alternative for secure authentication and encrypted communication. SSH operates over the TCP port 22 and is a replacement for less secure protocols, such as Telnet.

Post office protocol

Post office protocol (POP) is an application layer (layer 4 of the TCP/IP model) protocol used to manage and retrieve email from a mail server. Many organizations have a dedicated mail server on the network that handles incoming and outgoing mail for users on the network. User devices will send requests to the remote mail server and download email messages locally. If you have ever refreshed your email application and had new emails populate in your inbox, you are experiencing POP and internet message access protocol (IMAP) in action. Unencrypted, plaintext authentication uses TCP/UDP port 110 and encrypted emails use Secure Sockets Layer/Transport Layer Security (SSL/TLS) over TCP/UDP port 995.  When using POP, mail has to finish downloading on a local device before it can be read and it does not allow a user to sync emails. 

Internet Message Access Protocol (IMAP)

IMAP is used for incoming email. It downloads the headers of emails, but not the content. The content remains on the email server, which allows users to access their email from multiple devices. IMAP uses TCP port 143 for unencrypted email and TCP port 993 over the TLS protocol. Using IMAP allows users to partially read email before it is finished downloading and to sync emails. However, IMAP is slower than POP3.

Simple Mail Transfer Protocol

Simple Mail Transfer Protocol (SMTP) is used to transmit and route email from the sender to the recipient’s address. SMTP works with Message Transfer Agent (MTA) software, which searches DNS servers to resolve email addresses to IP addresses, to ensure emails reach their intended destination. SMTP uses TCP/UDP port 25 for unencrypted emails and TCP/UDP port 587 using TLS for encrypted emails. The TCP port 25 is often used by high-volume spam. SMTP helps to filter out spam by regulating how many emails a source can send at a time.

Protocols and port numbers

Remember that port numbers are used by network devices to determine what should be done with the information contained in each data packet once they reach their destination. Firewalls can filter out unwanted traffic based on port numbers. For example, an organization may configure a firewall to only allow access to TCP port 995 (POP3) by IP addresses belonging to the organization.

As a security analyst, you will need to know about many of the protocols and port numbers mentioned in this course. They may be used to determine your technical knowledge in interviews, so it’s a good idea to memorize them. You will also learn about new protocols on the job in a security position.

Key takeaways

As a cybersecurity analyst, you will encounter various common protocols in your everyday work. The protocols covered in this reading include NAT, DHCP, ARP, Telnet, SSH, POP3, IMAP, and SMTP. It is equally important to understand where each protocol is structured in the TCP/IP model and which ports they occupy. 

 

Co

Antara: Working in network security

My name is Antara,
I work on the Enterprise Infrastructure Protection Team at Google.
And our main job responsibility is to protect
the infrastructure that all the amazing Google products run on.
I didn't start with a background in computers, and I did my undergrad
in electronics and communication, which is far away from computers.
I took up the challenge to actually pivot into computers with my first job.
That actually led me to explore the security world even more.
And that's how it led to doing my masters in security, getting expertise in that
area and then come to Google as a security engineer.
A typical day in the life of an entry-level network security engineer
would start with solving a problem.
Maybe you're trying to debug, why is this particular endpoint flooded with so
much traffic?
Or why is this endpoint actually slowing down?
And you would start with, okay, let me get to the endpoint.
Let me capture some traffic on the endpoint and
see what kind of traffic is coming in and going out through this endpoint.
So I would typically go back, think about the problem during lunch.
Sometimes things would click.
When you're thinking you might not have thought about a problem from a different
perspective, you might want to actually see how it looks like.
So you would go about maybe doing a lab recreate.
Let me connect these endpoints and let me try to reproduce the issue.
You might see some things in the lab recreate that you might have not
thought of.
And you might need to actually consult with experts from different domains who
might know better about this area.
Get their view on what the problem is, analyze,
show them everything that you have done.
You might get your solution just by talking to people.
It's a pretty busy day, but it's also a very fun day.
It's like solving puzzles all the time, which is pretty exciting.
Some of the best practices in network security that I've learned are,
don't try to always reinvent the wheel.
There are certain protocols,
there are certain algorithms that have been tried, tested,
analyzed, and they have been deemed secure for being used in network security.
The time that you spend on reinventing the wheel is not going to give you
the benefits that you need.
So it's always good to think about the unsolved challenges instead of
trying to solve the same problem in a different way.
I feel cybersecurity is actually a great field to get into right now, because,
as you see, we are in this information age where tech is exponentially growing.
Just getting into this field is just going to be exciting because there
are amazing new challenges coming up in this field.

​

Wireless protocols, The evolution of wireless security protocols

So far, you've learned about
a variety of network protocols,
including communication protocols like TCP/IP.
Now we're going to go more in depth
into a class of communication protocols
called the IEEE802.11.
IEEE802.11, commonly known as Wi-Fi,
is a set of standards that define
communications for wireless LANs.
IEEE stands for
the Institute of Electrical and Electronics Engineers,
which is an organization that maintains Wi-Fi standards,
and 802.11 is a suite of
protocols used in wireless communications.
Wi-Fi protocols have adapted
over the years to become more secure and reliable
to provide the same level of
security as a wired connection.
In 2004,
a security protocol called the Wi-Fi Protected Access,
or WPA, was introduced.
WPA is a wireless security protocol
for devices to connect to the internet.
Since then, WPA has evolved
into newer versions, like WPA2 and WPA3,
which include further security improvements,
like more advanced encryption.
As a security analyst,
you might be responsible for making sure that
the wireless connections in your organization are secure.
Let's learn more about security measures. 

The evolution of wireless security protocols

In the early days of the internet, all internet communication happened across physical cables. It wasn’t until the mid-1980s that authorities in the United States designated a spectrum of radio wave frequencies that could be used without a license, so there was more opportunity for the internet to expand. 

In the late 1990s and early 2000s, technologies were developed to send and receive data over radio. Today, users access wireless internet through laptops, smart phones, tablets, and desktops. Smart devices, like thermostats, door locks, and security cameras, also use wireless internet to communicate with each other and with services on the internet.

Introduction to wireless communication protocols

Many people today refer to wireless internet as Wi-Fi. Wi-Fi refers to a set of standards that define communication for wireless LANs. Wi-Fi is a marketing term commissioned by the Wireless Ethernet Compatibility Alliance (WECA). WECA has since renamed their organization Wi-Fi Alliance. 

Wi-Fi standards and protocols are based on the 802.11 family of internet communication standards determined by the Institute of Electrical and Electronics Engineers (IEEE). So, as a security analyst, you might also see Wi-Fi referred to as IEEE 802.11.

Wi-Fi communications are secured by wireless networking protocols. Wireless security protocols have evolved over the years, helping to identify and resolve vulnerabilities with more advanced wireless technologies.

In this reading, you will learn about the evolution of wireless security protocols from WEP to WPA, WPA2, and WPA3. You’ll also learn how the Wireless Application Protocol was used for mobile internet communications.

Wired Equivalent Privacy

Wired equivalent privacy (WEP) is a wireless security protocol designed to provide users with the same level of privacy on wireless network connections as they have on wired network connections. WEP was developed in 1999 and is the oldest of the wireless security standards.

WEP is largely out of use today, but security analysts should still understand WEP in case they encounter it. For example, a network router might have used WEP as the default security protocol and the network administrator never changed it. Or, devices on a network might be too old to support newer Wi-Fi security protocols. Nevertheless, a malicious actor could potentially break the WEP encryption, so it’s now considered a high-risk security protocol.

Wi-Fi Protected Access

Wi-Fi Protected Access (WPA) was developed in 2003 to improve upon WEP, address the security issues that it presented, and replace it. WPA was always intended to be a transitional measure so backwards compatibility could be established with older hardware.

The flaws with WEP were in the protocol itself and how the encryption was used. WPA addressed this weakness by using a protocol called Temporal Key Integrity Protocol (TKIP). WPA encryption algorithm uses larger secret keys than WEPs, making it more difficult to guess the key by trial and error.

WPA also includes a message integrity check that includes a message authentication tag with each transmission. If a malicious actor attempts to alter the transmission in any way or resend at another time, WPA’s message integrity check will identify the attack and reject the transmission.

Despite the security improvements of WPA, it still has vulnerabilities. Malicious actors can use a key reinstallation attack (or KRACK attack) to decrypt transmissions using WPA. Attackers can insert themselves in the WPA authentication handshake process and insert a new encryption key instead of the dynamic one assigned by WPA. If they set the new key to all zeros, it is as if the transmission is not encrypted at all.

Because of this significant vulnerability, WPA was replaced with an updated version of the protocol called WPA2. 

WPA2 & WPA3

WPA2

The second version of Wi-Fi Protected Access—known as WPA2—was released in 2004. WPA2 improves upon WPA by using the Advanced Encryption Standard (AES). WPA2 also improves upon WPA’s use of TKIP. WPA2 uses the Counter Mode Cipher Block Chain Message Authentication Code Protocol (CCMP), which provides encapsulation and ensures message authentication and integrity. Because of the strength of WPA2, it is considered the security standard for all Wi-Fi transmissions today. WPA2, like its predecessor, is vulnerable to KRACK attacks. This led to the development of WPA3 in 2018. 

Personal

WPA2 personal mode is best suited for home networks for a variety of reasons. It is easy to implement, initial setup takes less time for personal than enterprise version. The global passphrase for WPA2 personal version needs to be applied to each individual computer and access point in a network. This makes it ideal for home networks, but unmanageable for organizations. 

Enterprise

WPA2 enterprise mode works best for business applications. It provides the necessary security for wireless networks in business settings. The initial setup is more complicated than WPA2 personal mode, but enterprise mode offers individualized and centralized control over the Wi-Fi access to a business network. This means that network administrators can grant or remove user access to a network at any time. Users never have access to encryption keys, this prevents potential attackers from recovering network keys on individual computers.

WPA3

WPA3 is a secure Wi-Fi protocol and is growing in usage as more WPA3 compatible devices are released. These are the key differences between WPA2 and WPA3:

Key takeaways

As a security analyst, knowing the history of how Wi-Fi security protocols developed helps you to better understand what to consider when protecting wireless networks. It’s important that you understand the vulnerabilities of each protocol and how important it is that devices on your network use the most up-to-date security technologies.

Firewalls and network security measures

Firewalls and network security measures

Virtual private networks (VPNs)

Security zones

Subnetting and CIDR

Earlier in this course, you learned about network segmentation, a security technique that divides networks into sections. A private network can be segmented to protect portions of the network from the internet, which is an unsecured global network. 

For example, you learned about the uncontrolled zone, the controlled zone, the demilitarized zone, and the restricted zone. Feel free to review the video about security zones

for a refresher on how network segmentation can be used to add a layer of security to your organization’s network operations. Creating security zones is one example of a networking strategy called subnetting.

Overview of subnetting

Subnetting is the subdivision of a network into logical groups called subnets. It works like a network inside a network. Subnetting divides up a network address range into smaller subnets within the network. These smaller subnets form based on the IP addresses and network mask of the devices on the network. Subnetting creates a network of devices to function as their own network. This makes the network more efficient and can also be used to create security zones. If devices on the same subnet communicate with each other, the switch changes the transmissions to stay on the same subnet, improving speed and efficiency of the communications.

Classless Inter-Domain Routing notation for subnetting

Classless Inter-Domain Routing (CIDR) is a method of assigning subnet masks to IP addresses to create a subnet. Classless addressing replaces classful addressing. Classful addressing was used in the 1980s as a system of grouping IP addresses into classes (Class A to Class E). Each class included a limited number of IP addresses, which were depleted as the number of devices connecting to the internet outgrew the classful range in the 1990s. Classless CIDR addressing expanded the number of available IPv4 addresses. 

CIDR allows cybersecurity professionals to segment classful networks into smaller chunks. CIDR IP addresses are formatted like IPv4 addresses, but they include a slash (“/’”) followed by a number at the end of the address, This extra number is called the IP network prefix.  For example, a regular IPv4 address uses the 198.51.100.0 format, whereas a CIDR IP address would include the IP network prefix at the end of the address, 198.51.100.0/24. This CIDR address encompasses all IP addresses between 198.51.100.0 and 198.51.100.255. The system of CIDR addressing reduces the number of entries in routing tables and provides more available IP addresses within networks. You can try converting CIDR to IPv4 addresses and vice versa through an online conversion tool, like IPAddressGuide

, for practice and to better understand this concept.

Note: You may learn more about CIDR during your career, but it won't be covered in any additional depth in this certificate program. For now, you only need a basic understanding of this concept.

Security benefits of subnetting

Subnetting allows network professionals and analysts to create a network within their own network without requesting another network IP address from their internet service provider. This process uses network bandwidth more efficiently and improves network performance. Subnetting is one component of creating isolated subnetworks through physical isolation, routing configuration, and firewalls.

Key takeaways

Subnetting is a common security strategy used by organizations. Subnetting allows organizations to create smaller networks within their private network. This improves the efficiency of the network and can be used to create security zones.

Proxy servers

Virtual networks and privacy

This section of the course covered a lot of information about network operations. You reviewed the fundamentals of network architecture and communication and can now use this knowledge as you learn how to secure networks. Securing a private network requires maintaining the confidentiality of your data and restricting access to authorized users.

In this reading, you will review several network security topics previously covered in the course, including virtual private networks (VPNs), virtual local area networks (VLANs), proxy servers, firewalls, tunneling, and security zones. You'll continue to learn more about these concepts and how they relate to each other as you continue through the course.

Common network protocols  

Network protocols are used to direct traffic to the correct device and service depending on the kind of communication being performed by the devices on the network. Protocols are the rules used by all network devices that provide a mutually agreed upon foundation for how to transfer data across a network.

There are three main categories of network protocols: communication protocols, management protocols, and security protocols. 

Some other commonly used protocols are:

Wi-Fi

This section of the course also introduced various wireless security protocols, including WEP, WPA, WPA2, and WPA3. WPA3 encrypts traffic with the Advanced Encryption Standard (AES) cipher as it travels from your device to the wireless access point. WPA2 and WPA3 offer two modes: personal and enterprise. Personal mode is best suited for home networks while enterprise mode is generally utilized for business networks and applications.

Network security tools and practices  

Firewalls 

Previously, you learned that firewalls are network virtual appliances (NVAs) or hardware devices that inspect and can filter network traffic before it’s permitted to enter the private network. Traditional firewalls are configured with rules that tell it what types of data packets are allowed based on the port number and IP address of the data packet. 

There are two main categories of firewalls.

Next generation firewalls (NGFWs) are the most technologically advanced firewall protection. They exceed the security offered by stateful firewalls because they include deep packet inspection (a kind of packet sniffing that examines data packets and takes actions if threats exist) and intrusion prevention features that detect security threats and notify firewall administrators. NGFWs can inspect traffic at the application layer of the TCP/IP model and are typically application aware. Unlike traditional firewalls that block traffic based on IP address and ports, NGFWs rules can be configured to block or allow traffic based on the application. Some NGFWs have additional features like Malware Sandboxing, Network Anti-Virus, and URL and DNS Filtering.  

Proxy servers 

A proxy server is another way to add security to your private network. Proxy servers utilize network address translation (NAT) to serve as a barrier between clients on the network and external threats. Forward proxies handle queries from internal clients when they access resources external to the network. Reverse proxies function opposite of forward proxies; they handle requests from external systems to services on the internal network. Some proxy servers can also be configured with rules, like a firewall.  For example, you can create filters to block websites identified as containing malware.

Virtual Private Networks (VPN)

A VPN is a service that encrypts data in transit and disguises your IP address. VPNs use a process called encapsulation. Encapsulation wraps your encrypted data in an unencrypted data packet, which allows your data to be sent across the public network while remaining anonymous. Enterprises and other organizations use VPNs to help protect communications from users’ devices to corporate resources. Some of these resources include connecting to servers or virtual machines that host business applications. VPNs can also be used for personal use to increase personal privacy. They allow the user to access the internet without anyone being able to read their personal information or access their private IP address. Organizations are increasingly using a combination of VPN and SD-WAN capabilities to secure their networks. A software-defined wide area network (SD-WAN) is a virtual WAN service that allows organizations to securely connect users to applications across multiple locations and over large geographical distances. 

Key takeaways

There are three main categories of network protocols: communication, management, and security protocols. In this reading, you learned the fundamentals of firewalls, proxy servers, and VPNs. More organizations are implementing a cloud-based approach to network security by incorporating a combination of VPN and SD-WAN capabilities as a service.

 

Glossary terms from week 2

Glossary terms from week 2

Terms and definitions from Course 3, Week 2

Address Resolution Protocol (ARP): A network protocol used to determine the MAC address of the next router or device on the path

Cloud-based firewalls: Software firewalls that are hosted by the cloud service provider

Controlled zone: A subnet that protects the internal network from the uncontrolled zone

Domain Name System (DNS): A networking protocol that translates internet domain names into IP addresses

Encapsulation: A process performed by a VPN service that protects your data by wrapping sensitive data in other data packets

Firewall: A network security device that monitors traffic to or from your network

Forward proxy server: A server that regulates and restricts a person’s access to the internet

Hypertext Transfer Protocol (HTTP): An application layer protocol that provides a method of communication between clients and website servers

Hypertext Transfer Protocol Secure (HTTPS): A network protocol that provides a secure method of communication between clients and servers

IEEE 802.11 (Wi-Fi): A set of standards that define communication for wireless LANs

Network protocols: A set of rules used by two or more devices on a network to describe the order of delivery of data and the structure of data

Network segmentation: A security technique that divides the network into segments

Port filtering: A firewall function that blocks or allows certain port numbers to limit unwanted communication

Proxy server: A server that fulfills the requests of its clients by forwarding them to other servers

Reverse proxy server: A server that regulates and restricts the internet's access to an internal server

Secure File Transfer Protocol (SFTP): A secure protocol used to transfer files from one device to another over a network

Secure shell (SSH): A security protocol used to create a shell with a remote system 

Security zone: A segment of a company’s network that protects the internal network from the internet

Simple Network Management Protocol (SNMP): A network protocol used for monitoring and managing devices on a network

Stateful: A class of firewall that keeps track of information passing through it and proactively filters out threats 

Stateless: A class of firewall that operates based on predefined rules and does not keep track of information from data packets

Transmission Control Protocol (TCP): An internet communication protocol that allows two devices to form a connection and stream data

Uncontrolled zone: The portion of the network outside the organization

Virtual private network (VPN): A network security service that changes your public IP address and masks your virtual location so that you can keep your data private when you are using a public network like the internet

Wi-Fi Protected Access (WPA): A wireless security protocol for devices to connect to the internet

Course 3 resources and citations

Week 1: Network architecture

Resources

Helpful resources to get started

 

• Coursera Code of Conduct

•  

• Coursera Honor Code

•  

• Coursera: Edit my profile

•  

• Coursera: Learner Help Center

•  

• Coursera’s Global Online Community

•  

• Google: Common problems with labs

•  

• Google Docs help

•  

• Google Sheets help

•  

• How to use Google Slides

•  

• Microsoft Excel help and learning

•  

• PowerPoint help and learning

•  

• Word help and learning

•  

Citations

Network components, devices, and diagrams

 

• Meyers, Mike, and Scott Jernigan. (2019) CompTIA A+ Certification All-in-One Exam Guide, (Exams 220-1001 & 220-1002).

• Oluwatosin, H.S. (2014). Client-server model. IOSR Journal of Computer Engineering, 16(1), 67-71.

• Sulyman, Shakirat. (2014). Client-Server Model. IOSR Journal of Computer Engineering. 16. 57-71. 10.9790/0661-16195771. 

• GeeksforGeeks. (2022, March 21). Devices used in each layer of TCP/IP model

. 

•  

Cloud computing and software-defined networks

 

• Rackspace Technology Colo Data Centers. (n.d.). What is colocation?

•  

• Fortinet. (n.d.). What is hybrid cloud?

•  

Learn more about the TCP/IP model

 

• Clarke, Glen E. (2018). CompTIA Network+ Certification Study Guide: Exam N10-007. 

• International Business Machines. (2022, Nov 15). User datagram protocol

• .

• International Business Machines. (2022, Nov 15). Transmission control protocol

• .

• Oracle. (n.d.). TCP/IP protocol architecture model

• . System administration guide, volume 3.

• Study CCNA. (n.d.). OSI & TCP/IP models

• .

The OSI model

 

• Cloudflare. (n.d.). What is the OSI model?

•  

• FreeCodeCamp. (2020, December 21). The OSI Model – The 7 Layers of Networking Explained in Plain English

• .

• Imperva. (n.d.). OSI Model

• . Application security.  

Components of network layer communication

 

• Agnė Srėbaliūtė. (2022, Aug 2). IPv4 packet header: Format and structure

• . IPXO.

• Rajinder Kaur (2009) IPv4 Header

• . Advanced Internet Technologies. 

• Gsephrioth. (2017). The IP diagram

• .

• Wright, Robert. (October 1998). IP Routing Primer. O’Reilly.

Week 2: Network operations

Citations

Network protocols

 

• National Institute of Standards and Technology. (n.d.). Glossary

• . Accessed December 2022.

Common network protocols

 

• Cloudflare. (n.d.). What is a protocol? | Network protocol definition

• . 

• CompTIA. (n.d.). What is a network protocol and how does it work? 

•  

• Oracle. (n.d.). TCP/IP protocol architecture model

• . System administration guide, volume 3.

Additional network protocols 

 

• IBM. (2022, Oct 17). TCP/IP address and parameter assignment - Dynamic host configuration protocol

• . IBM AIX documentation.

• Microsoft. (n.d.O). What are IMAP and POP?

• Microsoft Support.

• Microsoft. (2013, October 21). SMTP

• . 

The evolution of wireless security protocols

 

• Asus. (2022, January 14).  [Wireless] What is WPA3? What are the advantages of using WPA3?

• FAQ.

• Britannica, T. Editors of Encyclopaedia (2022, February 3). Wi-Fi

• . Encyclopedia Britannica. 

• Cisco Press. (2010, April 9).  Moving to WPA/WPA2-Enterprise wi-fi encryption

• .  

Firewalls and network security measures 

 

• Cisco. (n.d.). What is a firewall? 

•  

Subnetting and CIDR

 

• Cloudflare. (n.d.). What is a subnet?

•  

• Techopedia. (2017, July 18). Subnetting

• . Dictionary.

• IP Address Guide. (n.d.). CIDR to IPv4 Conversion

• . IPV4 Tools.

Proxy servers

 

• National Institute of Standards and Technology. (n.d.). Glossary

• . Accessed December 2022.

Week 3: Secure against network intrusions

Resources

Analyze network attacks

 

• CompTIA

•  

Citations

The case for securing networks 

 

• Vinton, Kate. (2014, September 18). With 56 million cards compromised, Home Depot’s breach is bigger than Target’s

• . Forbes. 

Analyze network layer communication

 

• Lager, Nathan. (2020, April 3). Network Troubleshooting with Packet Captures

• . Enable Sysadmin. 

• Oracle. (n.d.) How the TCP/IP Protocols Handle Data Communications (System Administration Guide: IP Services

• ).

Real-life DDoS attack

 

• Olenick, D. (2020, December 10) Guilty plea in 2016 Dyn DDos attack

• . Bank info security. 

• Young, K (2022, January 10) Cyber case study: The Mirai DDoS attack on Dyn

• . Coverlink.

Overview of interception attacks

 

• Engebretson, P. (2013). The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Elsevier.

Week 4: Security hardening

Resources

Course 3 glossary 

 

Apply OS hardening techniques

 

• Opensource.com

•  

• Iana.org

•  

• Geekflare

•  

• Packet Pushers

•  

Citations

OS hardening practices 

 

• National Institute of Security Technology. (2018, October). Guide to securing macOS 10.12 systems for IT professionals

• . Special publication 800-179, revision 1. Accessed December 2022.

Apply OS hardening techniques

 

• Doropoulos, N. (n.d.). DNS Query Flood Attack.

• Linkedin.

Use the NIST Cybersecurity Framework to respond to a security

 

• Bhardwaj, P. (2023, January 2). How to detect an ICMP flood attack and protect your network.

•  

 

Firch, J. (2023, February 28). How to prevent a ICMP flood attack.

 

 

Google, Android, Chronicle, Google Drive, Google Sites, and YARA are trademarks owned by Google LLC.  All other trademarks belong to their respective owners and are not affiliated with Google LLC.

Introduction to intrusion tactics

The case for securing networks

How intrusions compromise your system

In this section of the course, you learned that every network has inherent vulnerabilities and could become the target of a network attack.

Attackers could have varying motivations for attacking your organization’s network. They may have financial, personal, or political motivations, or they may be a disgruntled employee or an activist who disagrees with the company's values and wants to harm an organization’s operations. Malicious actors can target any network. Security analysts must be constantly alert to potential vulnerabilities in their organization’s network and take quick action to mitigate them.

In this reading, you’ll learn about network interception attacks and backdoor attacks, and the possible impacts these attacks could have on an organization.

Network interception attacks 

Network interception attacks work by intercepting network traffic and stealing valuable information or interfering with the transmission in some way.

Malicious actors can use hardware or software tools to capture and inspect data in transit. This is referred to as packet sniffing. In addition to seeing information that they are not entitled to, malicious actors can also intercept network traffic and alter it. These attacks can cause damage to an organization’s network by inserting malicious code modifications or altering the message and interrupting network operations. For example, an attacker can intercept a bank transfer and change the account receiving the funds to one that the attacker controls.

Later in this course you will learn more about malicious packet sniffing, and other types of network interception attacks: on-path attacks and replay attacks.

Backdoor attacks

A backdoor attack is another type of attack you will need to be aware of as a security analyst. An organization may have a lot of security measures in place, including cameras, biometric scans and access codes to keep employees from entering and exiting without being seen. However, an employee might work around the security measures by finding a backdoor to the building that is not as heavily monitored, allowing them to sneak out for the afternoon without being seen. 

In cybersecurity, backdoors are weaknesses intentionally left by programmers or system and network administrators that bypass normal access control mechanisms. Backdoors are intended to help programmers conduct troubleshooting or administrative tasks. However, backdoors can also be installed by attackers after they’ve compromised an organization to ensure they have persistent access.

Once the hacker has entered an insecure network through a backdoor, they can cause extensive damage: installing malware, performing a denial of service (DoS) attack, stealing private information or changing other security settings that leaves the system vulnerable to other attacks. A DoS attack is an attack that targets a network or server and floods it with network traffic.

Possible impacts on an organization

As you’ve learned already, network attacks can have a significant negative impact on an organization. Let’s examine some potential consequences.

Key takeaways

Malicious actors are constantly looking for ways to exploit systems. They learn about new vulnerabilities as they arise and attempt to exploit every vulnerability in a system. Attackers leverage backdoor attack methods and network interception attacks to gain sensitive information they can use to exploit an organization or cause serious damage. These types of attacks can impact an organization financially, damage its reputation, and potentially put the public in danger.  It is important that security analysts stay educated in order to maintain network safety and reduce the likelihood and impact of these types of attacks. Securing networks has never been more important.

Matt: A professional on dealing with attacks

Denial of Service (DoS) attacks

Read tcpdump logs

A network protocol analyzer, sometimes called a packet sniffer or a packet analyzer, is a tool designed to capture and analyze data traffic within a network. They are commonly used as investigative tools to monitor networks and identify suspicious activity. There are a wide variety of network protocol analyzers available, but some of the most common analyzers  include:

• SolarWinds NetFlow Traffic Analyzer

• ManageEngine OpManager

• Azure Network Watcher

• Wireshark

• tcpdump

This reading will focus exclusively on tcpdump, though you can apply what you learn here to many of the other network protocol analyzers you'll use as a cybersecurity analyst to defend against any network intrusions. In an upcoming activity, you’ll review a tcpdump data traffic log and identify a DoS attack to practice these skills.

tcpdump 

tcpdump is a command-line network protocol analyzer. It is popular, lightweight–meaning it uses little memory and has a low CPU usage–and uses the open-source libpcap library. tcpdump is text based, meaning all commands in tcpdump are executed in the terminal. It can also be installed on other Unix-based operating systems, such as macOS®. It is preinstalled on many Linux distributions.

tcpdump provides a brief packet analysis and converts key information about network traffic into formats easily read by humans. It prints information about each packet directly into your terminal. tcpdump also displays the source IP address, destination IP addresses, and the port numbers being used in the communications.

Interpreting output

tcpdump prints the output of the command as the sniffed packets in the command line, and optionally to a log file, after a command is executed. The output of a packet capture contains many pieces of important information about the network traffic. 

Some information you receive from a packet capture includes: 

• Timestamp: The output begins with the timestamp, formatted as hours, minutes, seconds, and fractions of a second.  

• Source IP: The packet’s origin is provided by its source IP address.

• Source port: This port number is where the packet originated.

• Destination IP: The destination IP address is where the packet is being transmitted to.

• Destination port: This port number is where the packet is being transmitted to.

Note: By default, tcpdump will attempt to resolve host addresses to hostnames. It'll also replace port numbers with commonly associated services that use these ports.

Common uses

tcpdump and other network protocol analyzers are commonly used to capture and view network communications and to collect statistics about the network, such as troubleshooting network performance issues. They can also be used to:

• Establish a baseline for network traffic patterns and network utilization metrics.

• Detect and identify malicious traffic

• Create customized alerts to send the right notifications when network issues or security threats arise.

• Locate unauthorized instant messaging (IM), traffic, or wireless access points.

However, attackers can also use network protocol analyzers maliciously to gain information about a specific network. For example, attackers can capture data packets that contain sensitive information, such as account usernames and passwords. As a cybersecurity analyst, It’s important to understand the purpose and uses of network protocol analyzers. 

Key takeaways

Network protocol analyzers, like tcpdump, are common tools that can be used to monitor network traffic patterns and investigate suspicious activity. tcpdump is a command-line network protocol analyzer that is compatible with Linux/Unix and macOS®. When you run a tcpdump command, the tool will output packet routing information, like the timestamp, source IP address and port number, and the destination IP address and port number. Unfortunately, attackers can also use network protocol analyzers to capture data packets that contain sensitive information, such as account usernames and passwords.

Real-life DDoS attack

Previously, you were introduced to Denial of Service (DoS) attacks. You also learned that volumetric distributed DoS (DDoS) attacks overwhelm a network by sending unwanted data packets in such large quantities that the servers become unable to service normal users. This can be detrimental to an organization. When systems fail, organizations cannot meet their customers' needs. They often lose money, and in some cases, incur other losses. An organization’s reputation may also suffer if news of a successful DDoS attack reaches consumers, who then question the security of the organization.

In this reading you’ll learn about a 2016 DDoS attack against DNS servers that caused major outages at multiple organizations that have millions of daily users. 

A DDoS targeting a widely used DNS server 

In previous videos, you learned about the function of a DNS server. As a review, DNS servers translate website domain names into the IP address of the system that contains the information for the website. For instance, if a user were to type in a website URL, a DNS server would translate that into a numeric IP address that directs network traffic to the location of the website’s server. 

On the day of the DDoS attack we are studying, many large companies were using a DNS service provider. The service provider was hosting the DNS system for these companies. This meant that when internet users typed in the URL of the website they wanted to access, their devices would be directed to the right place. On October 21, 2016, the service provider was the victim of a DDoS attack.

Leading up to the attack

Before the attack on the service provider, a group of university students created a botnet. A botnet is a collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder." Each computer in the botnet can be remotely controlled to send a data packet to a target system. In a botnet attack, cyber criminals instruct all the bots on the botnet to send data packets to the target system at the same time, resulting in a DDoS attack.

The group of university students posted the code for the botnet online so that it would be accessible to thousands of internet users and authorities wouldn’t be able to trace the botnet back to the students. In doing so, they made it possible for other malicious actors to learn the code to the botnet and control it remotely. This included the cyber criminals who attacked the DNS service provider.

The day of attack

At 7:00 a.m. on the day of the attack, the botnet sent tens of millions of DNS requests to the service provider. This overwhelmed the system and the DNS service shut down. This meant that all of the websites that used the service provider could not be reached. When users tried to access various websites that used the service provider, they were not directed to the website they typed in their browser. Outages for each web service occurred all over North America and Europe. 

The service provider’s systems were restored after only two hours of downtime. Although the cyber criminals sent subsequent waves of botnet attacks, the DNS company was prepared and able to mitigate the impact.

Key takeaways

As demonstrated in the above example, DDoS attacks can be very damaging to an organization. As a security analyst, it’s important to acknowledge the seriousness of such an attack so that you’re aware of opportunities to protect the network from them. If your network has important operations distributed across hosts that can be dynamically scaled, then operations can continue if the baseline host infrastructure goes offline. DDoS attacks are damaging, but there are concrete actions that security analysts can take to help protect their organizations. Keep going through this course and you will learn about common mitigation strategies to protect against DDoS attacks.

Malicious packet sniffing

IP Spoofing

Overview of interception tactics

In the previous course items, you learned how packet sniffing and IP spoofing are used in network attacks. Because these attacks intercept data packets as they travel across the network, they are called interception attacks.

This reading will introduce you to some specific attacks that use packet sniffing and IP spoofing. You will learn how hackers use these tactics and how security analysts can counter the threat of interception attacks.

A closer review of packet sniffing 

As you learned in a previous video, packet sniffing is the practice of capturing and inspecting data packets across a network. On a private network, data packets are directed to the matching destination device on the network. 

 

The device’s Network Interface Card (NIC) is a piece of hardware that connects the device to a network. The NIC reads the data transmission, and if it contains the device’s MAC address, it accepts the packet and sends it to the device to process the information based on the protocol. This occurs in all standard network operations. However, a NIC can be set to promiscuous mode, which means that it accepts all traffic on the network, even the packets that aren’t addressed to the NIC’s device. You’ll learn more about NIC’s later in the program. Malicious actors might use software like Wireshark to capture the data on a private network and store it for later use. They can then use the personal information to their own advantage. Alternatively, they might use the IP and MAC addresses of authorized users of the private network to perform IP spoofing.

A closer review of IP spoofing 

After a malicious actor has sniffed packets on the network, they can impersonate the IP and MAC addresses of authorized devices to perform an IP spoofing attack. Firewalls can prevent IP spoofing attacks by configuring it to refuse unauthorized IP packets and suspicious traffic. Next, you’ll examine a few common IP spoofing attacks that are important to be familiar with as a security analyst.

On-path attack

An on-path attack happens when a hacker intercepts the communication between two devices or servers that have a trusted relationship. The transmission between these two trusted network devices could contain valuable information like usernames and passwords that the malicious actor can collect. An on-path attack is sometimes referred to as a meddler-in-the middle attack because the hacker is hiding in the middle of communications between two trusted parties.

Or, it could be that the intercepted transmission contains a DNS system look-up. You’ll recall from an earlier video that a DNS server translates website domain names into IP addresses. If a malicious actor intercepts a transmission containing a DNS lookup, they could spoof the DNS response from the server and redirect a domain name to a different IP address, perhaps one that contains malicious code or other threats. The most important way to protect against an on-path attack is to encrypt your data in transit, e.g. using TLS.

Smurf attack

A smurf attack is a network attack that is performed when an attacker sniffs an authorized user’s IP address and floods it with packets. Once the spoofed packet reaches the broadcast address, it is sent to all of the devices and servers on the network. 

In a smurf attack, IP spoofing is combined with another denial of service (DoS) technique to flood the network with unwanted traffic. For example, the spoofed packet could include an Internet Control Message Protocol (ICMP) ping. As you learned earlier, ICMP is used to troubleshoot a network. But if too many ICMP messages are transmitted, the ICMP echo responses overwhelm the servers on the network and they shut down. This creates a denial of service and can bring an organization’s operations to a halt.

An important way to protect against a smurf attack is to use an advanced firewall that can monitor any unusual traffic on the network. Most next generation firewalls (NGFW) include features that detect network anomalies to ensure that oversized broadcasts are detected before they have a chance to bring down the network.

DoS attack

As you’ve learned, once the malicious actor has sniffed the network traffic, they can impersonate an authorized user. A Denial of Service attack is a class of attacks where the attacker prevents the compromised system from performing legitimate activity or responding to legitimate traffic. Unlike IP spoofing, however, the attacker will not receive a response from the targeted host. Everything about the data packet is authorized including the IP address in the header of the packet. In IP spoofing attacks, the malicious actor uses IP packets containing fake IP addresses. The attackers keep sending IP packets containing fake IP addresses until the network server crashes.

Pro Tip: Remember the principle of defense-in-depth. There isn’t one perfect strategy for stopping each kind of attack. You can layer your defense by using multiple strategies. In this case, using industry standard encryption will strengthen your security and help you defend from DoS attacks on more than one level. 

Key takeaways

This reading covered several types of common IP spoofing attacks. You learned about how packet sniffing is performed and how gathering information from intercepting data transmissions can give malicious actors opportunities for IP spoofing. Whether it is an on-path attack, IP spoofing attack, or a smurf attack, analysts need to ensure that mitigation strategies are in place to limit the threat and prevent security breaches.

 

Glossary terms from week 3 & wrap-up

Terms and definitions from Course 3, Week 3

Active packet sniffing: A type of attack where data packets are manipulated in transit

Botnet: A collection of computers infected by malware that are under the control of a single threat actor, known as the “bot-herder"

Denial of service (DoS) attack: An attack that targets a network or server and floods it with network traffic

Distributed denial of service (DDoS) attack: A type of denial or service attack that uses multiple devices or servers located in different locations to flood the target network with unwanted traffic

Internet Control Message Protocol (ICMP): An internet protocol used by devices to tell each other about data transmission errors across the network

Internet Control Message Protocol (ICMP) flood: A type of DoS attack performed by an attacker repeatedly sending ICMP request packets to a network server

IP spoofing: A network attack performed when an attacker changes the source IP of a data packet to impersonate an authorized system and gain access to a network

Network Interface Card (NIC): Hardware that connects computers to a network

On-path attack: An attack where a malicious actor places themselves in the middle of an authorized connection and intercepts or alters the data in transit

Packet sniffing: The practice of capturing and inspecting data packets across a network 

Passive packet sniffing: A type of attack where a malicious actor connects to a network hub and looks at all traffic on the network

Ping of death: A type of DoS attack caused when a hacker pings a system by sending it an oversized ICMP packet that is bigger than 64KB

Replay attack: A network attack performed when a malicious actor intercepts a data packet in transit and delays it or repeats it at another time

Smurf attack: A network attack performed when an attacker sniffs an authorized user’s IP address and floods it with ICMP packets

Synchronize (SYN) flood attack: A type of DoS attack that simulates a TCP/IP connection and floods a server with SYN packets

Security hardning

temp

things to review

1. On-path attack
2. Distributed denial of service attack (DDoS)
3. Denial of service attack (DoS)
4. SYN flood attack
5. IP spoofing
6. Packet sniffing

Introduction to security hardening

Security hardening

OS hardening practices

Brute force attacks and OS hardening

In this reading, you’ll learn about brute force attacks. You’ll consider how vulnerabilities can be assessed using virtual machines and sandboxes, and learn ways to prevent brute force attacks using a combination of authentication measures. Implementing various OS hardening tasks can help prevent brute force attacks. An attacker can use a brute force attack to gain access and compromise a network.

Usernames and passwords are among the most common and important security controls in place today. They are used and enforced on everything that stores or accesses sensitive or private information, like personal phones, computers, and restricted applications within an organization. However, a major issue with relying on login credentials as a critical line of defense is that they’re vulnerable to being stolen and guessed by malicious actors.

Brute force attacks

A brute force attack is a trial-and-error process of discovering private information. There are different types of brute force attacks that malicious actors use to guess passwords, including: 

Using brute force to access a system can be a tedious and time consuming process, especially when it’s done manually. There are a range of tools attackers use to conduct their attacks.

Assessing vulnerabilities

Before a brute force attack or other cybersecurity incident occurs, companies can run a series of tests on their network or web applications to assess vulnerabilities. Analysts can use virtual machines and sandboxes to test suspicious files, check for vulnerabilities before an event occurs, or to simulate a cybersecurity incident.

Virtual machines (VMs)

Virtual machines (VMs) are software versions of physical computers. VMs provide an additional layer of security for an organization because they can be used to run code in an isolated environment, preventing malicious code from affecting the rest of the computer or system. VMs can also be deleted and replaced by a pristine image after testing malware. 

VMs are useful when investigating potentially infected machines or running malware in a constrained environment. Using a VM may prevent damage to your system in the event its tools are used improperly. VMs also give you the ability to revert to a previous state. However, there are still some risks involved with VMs. There’s still a small risk that a malicious program can escape virtualization and access the host machine. 

You can test and explore applications easily with VMs, and it’s easy to switch between different VMs from your computer. This can also help in streamlining many security tasks.

Sandbox environments

A sandbox is a type of testing environment that allows you to execute software or programs separate from your network. They are commonly used for testing patches, identifying and addressing bugs, or detecting cybersecurity vulnerabilities. Sandboxes can also be used to evaluate suspicious software, evaluate files containing malicious code, and simulate attack scenarios. 

Sandboxes can be stand-alone physical computers that are not connected to a network; however, it is often more time- and cost-effective to use software or cloud-based virtual machines as sandbox environments. Note that some malware authors know how to write code to detect if the malware is executed in a VM or sandbox environment. Attackers can program their malware to behave as harmless software when run inside these types of  testing environments.

Prevention measures

Some common measures organizations use to prevent brute force attacks and similar attacks from occurring include: 

Key takeaways

Brute force attacks are a trial-and-error process of guessing passwords. Attacks can be launched manually or through software tools. Methods include simple brute force attacks and dictionary attacks. To protect against brute force attacks, cybersecurity analysts can use sandboxes to test suspicious files, check for vulnerabilities, or to simulate real attacks and virtual machines to conduct vulnerability tests. Some common measures to prevent brute force attacks include: hashing and salting, MFA and/or 2FA, CAPTCHA and reCAPTCHA, and password policies.

Network hardening practices

Network security applications

This section of the course covers the topic of network hardening and monitoring. Each device, tool, or security strategy put in place by security analysts further protects—or hardens—the network until the network owner is satisfied with the level of security. This approach of adding layers of security to a network is referred to as defense in depth.

In this reading, you are going to learn about the role of four devices used to secure a network—firewalls, intrusion detection systems, intrusion prevention systems, and security incident and event management tools. Network security professionals have the choice to use any or all of these devices and tools depending on the level of security that they hope to achieve.

This reading will discuss the benefits of layered security. Each tool mentioned is an additional layer of defense that can incrementally harden a network, starting with the minimum level of security (provided by just a firewall), to the highest level of security (provided by combining a firewall, an intrusion detection and prevention device, and security event monitoring).

Take note of where each tool is located on the network. Each tool has its own place in the network’s architecture. Security analysts are required to understand the network topologies shown in the diagrams throughout this reading.

Firewall

So far in this course, you learned about stateless firewalls, stateful firewalls, and next-generation firewalls (NGFWs), and the security advantages of each of them.

Most firewalls are similar in their basic functions. Firewalls allow or block traffic based on a set of rules. As data packets enter a network, the packet header is inspected and allowed or denied based on its port number. NGFWs are also able to inspect packet payloads. Each system should have its own firewall, regardless of the network firewall.

Intrusion Detection System

An intrusion detection system (IDS) is an application that monitors system activity and alerts on possible intrusions. An IDS alerts administrators based on the signature of malicious traffic.

The IDS is configured to detect known attacks. IDS systems often sniff data packets as they move across the network and analyze them for the characteristics of known attacks. Some IDS systems review not only for signatures of known attacks, but also for anomalies that could be the sign of malicious activity. When the IDS discovers an anomaly, it sends an alert to the network administrator who can then investigate further.

The limitations to IDS systems are that they can only scan for known attacks or obvious anomalies. New and sophisticated attacks might not be caught. The other limitation is that the IDS doesn’t actually stop the incoming traffic if it detects something awry. It’s up to the network administrator to catch the malicious activity before it does anything damaging to the network. 

When combined with a firewall, an IDS adds another layer of defense. The IDS is placed behind the firewall and before entering the LAN, which allows the IDS to analyze data streams after network traffic that is disallowed by the firewall has been filtered out. This is done to reduce noise in IDS alerts, also referred to as false positives.

Intrusion Prevention System

An intrusion prevention system (IPS) is an application that monitors system activity for intrusive activity and takes action to stop the activity. It offers even more protection than an IDS because it actively stops anomalies when they are detected, unlike the IDS that simply reports the anomaly to a network administrator.

An IPS searches for signatures of known attacks and data anomalies. An IPS reports the anomaly to security analysts and blocks a specific sender or drops network packets that seem suspect. 

The IPS (like an IDS) sits behind the firewall in the network architecture. This offers a high level of security because risky data streams are disrupted before they even reach sensitive parts of the network. However, one potential limitation is that it is inline: If it breaks, the connection between the private network and the internet breaks. Another limitation of IPS is the possibility of false positives, which can result in legitimate traffic getting dropped.

Full packet capture devices

Full packet capture devices can be incredibly useful for network administrators and security professionals. These devices allow you to record and analyze all of the data that is transmitted over your network. They also aid in investigating alerts created by an IDS.

Security Information and Event Management

A security information and event management system (SIEM) is an application that collects and analyzes log data to monitor critical activities in an organization. SIEM tools work in real time to report suspicious activity in a centralized dashboard. SIEM tools additionally analyze network log data sourced from IDSs, IPSs, firewalls, VPNs, proxies, and DNS logs. SIEM tools are a way to aggregate security event data so that it all appears in one place for security analysts to analyze. This is referred to as a single pane of glass.

Below, you can review an example of a dashboard from Google Cloud’s SIEM tool, Chronicle. Chronicle is a cloud-native tool designed to retain, analyze, and search data.

Splunk is another common SIEM tool. Splunk offers different SIEM tool options: Splunk Enterprise and Splunk Cloud. Both options include detailed dashboards which help security professionals to review and analyze an organization's data. There are also other similar SIEM tools available, and it's important for security professionals to research the different tools to determine which one is most beneficial to the organization.

A SIEM tool doesn’t replace the expertise of security analysts, or of the network- and system-hardening activities covered in this course, but they’re used in combination with other security methods. Security analysts often work in a Security Operations Center (SOC) where they can monitor the activity across the network. They can then use their expertise and experience to determine how to respond to the information on the dashboard and decide when the events meet the criteria to be escalated to oversight.

Key takeaways

Each of these devices or tools cost money to purchase, install, and maintain. An organization might need to hire additional personnel to monitor the security tools, as in the case of a SIEM. Decision-makers are tasked with selecting the appropriate level of security based on cost and risk to the organization. You will learn more about choosing levels of security later in the course.

 

Kelsey: Cloud security explained

Security hardening Wrap-up & Glossary terms from week 4

Terms and definitions from Course 3, Week 4

Baseline configuration (baseline image): A documented set of specifications within a system that is used as a basis for future builds, releases, and updates

Hardware: The physical components of a computer

Multi-factor authentication (MFA): A security measure which requires a user to verify their identity in two or more ways to access a system or network

Network log analysis: The process of examining network logs to identify events of interest 

Operating system (OS): The interface between computer hardware and the user

Patch update: A software and operating system update that addresses security vulnerabilities within a program or product

Penetration testing (pen test): A simulated attack that helps identify vulnerabilities in systems, networks, websites, applications, and processes 

Principle of least privilege: Access and authorization to information only last long enough to complete a task

Security hardening: The process of strengthening a system to reduce its vulnerabilities and attack surface

Security information and event management (SIEM): An application that collects and analyzes log data to monitors critical activities for an organization

World-writable file: A file that can be altered by anyone in the world

Cloud Hardening

Network security in the cloud 

secure the cloud

Earlier in this course, you were introduced to cloud computing

Cloud computing is a model for allowing convenient and on-demand network access to a shared pool of configurable computing resources. These resources can be configured and released with minimal management effort or interaction with the service provider. 

Just like any other IT infrastructure, a cloud infrastructure needs to be secured. This reading will address some main security considerations that are unique to the cloud and introduce you to the shared responsibility model used for security in the cloud. Many organizations that use cloud resources and infrastructure express concerns about the privacy of their data and resources. This concern is addressed through cryptography and other additional security measures, which will be discussed later in this course.

Cloud security considerations

Many organizations choose to use cloud services because of the ease of deployment, speed of deployment, cost savings, and scalability of these options. Cloud computing presents unique security challenges that cybersecurity analysts need to be aware of. 

Identity access management

Identity access management (IAM) is a collection of processes and technologies that helps organizations manage digital identities in their environment. This service also authorizes how users can use different cloud resources. A common problem that organizations face when using the cloud is the loose configuration of cloud user roles. An improperly configured user role increases risk by allowing unauthorized users to have access to critical cloud operations. 

Configuration

The number of available cloud services adds complexity to the network. Each service must be carefully configured to meet security and compliance requirements. This presents a particular challenge when organizations perform an initial migration into the cloud. When this change occurs on their network, they must ensure that every process moved into the cloud has been configured correctly. If network administrators and architects are not meticulous in correctly configuring the organization’s cloud services, they could leave the network open to compromise. Misconfigured cloud services are a common source of cloud security issues. 

Attack surface 

Cloud service providers (CSPs) offer numerous applications and services for organizations at a low cost. 

Every service or application on a network carries its own set of risks and vulnerabilities and increases an organization’s overall attack surface. An increased attack surface must be compensated for with increased security measures.

Cloud networks that utilize many services introduce lots of entry points into an organization’s network. However, if the network is designed correctly, utilizing several services does not introduce more entry points into an organization’s network design. These entry points can be used to introduce malware onto the network and pose other security vulnerabilities. It is important to note that CSPs often defer to more secure options, and have undergone more scrutiny than a traditional on-premises network. 

Zero-day attacks

Zero-day attacks are an important security consideration for organizations using cloud or traditional on-premise network solutions. A zero day attack is an exploit that was previously unknown. CSPs are more likely to know about a zero day attack occurring before a traditional IT organization does. CSPs have ways of patching hypervisors and migrating workloads to other virtual machines. These methods ensure the customers are not impacted by the attack. There are also several tools available for patching at the operating system level that organizations can use.

Visibility and tracking 

Network administrators have access to every data packet crossing the network with both on-premise and cloud networks. They can sniff and inspect data packets to learn about network performance or to check for possible threats and attacks.

This kind of visibility is also offered in the cloud through flow logs and tools, such as packet mirroring. CSPs take responsibility for security in the cloud, but they do not allow the organizations that use their infrastructure to monitor traffic on the CSP’s servers. Many CSPs offer strong security measures to protect their infrastructure. Still, this situation might be a concern for organizations that are accustomed to having full access to their network and operations. CSPs pay for third-party audits to verify how secure a cloud network is and identify potential vulnerabilities. The audits can help organizations identify whether any vulnerabilities originate from on-premise infrastructure and if there are any compliance lapses from their CSP.

Things change fast in the cloud

CSPs are large organizations that work hard to stay up-to-date with technology advancements. For organizations that are used to being in control of any adjustments made to their network, this can be a potential challenge to keep up with. Cloud service updates can affect security considerations for the organizations using them. For example, connection configurations might need to be changed based on the CSP’s updates. 

Organizations that use CSPs usually have to update their IT processes. It is possible for organizations to continue following established best practices for changes, configurations, and other security considerations. However, an organization might have to adopt a different approach in a way that aligns with changes made by the CSP. 

Cloud networking offers various options that might appear attractive to a small company—options that they could never afford to build on their own premises. However, it is important to consider that each service adds complexity to the security profile of the organization, and they will need security personnel to monitor all of the cloud services. 

Shared responsibility model

A commonly accepted cloud security principle is the shared responsibility model. The shared responsibility model states that the CSP must take responsibility for security involving the cloud infrastructure, including physical data centers, hypervisors, and host operating systems. The company using the cloud service is responsible for the assets and processes that they store or operate in the cloud.

The shared responsibility model ensures that both the CSP and the users agree about where their responsibility for security begins and ends. A problem occurs when organizations assume that the CSP is taking care of security that they have not taken responsibility for. One example of this is cloud applications and configurations. The CSP takes responsibility for securing the cloud, but it is the organization’s responsibility to ensure that services are configured properly according to the security requirements of their organization. 

Key takeaways

It is essential to know the security considerations that are unique to the cloud and understanding the shared responsibility model for cloud security. Organizations are responsible for correctly configuring and maintaining best security practices for their cloud services. The shared responsibility model ensures that both the CSP and users agree about what the organization is responsible for and what the CSP is responsible for when securing the cloud infrastructure.

how to read a tcpdump

idk if this is correct but from my research this is what I've figured out

An example TCP dump looks like this: 

Timestamp source IP > destination IP.protocol : flags [TCP flags], seq sequence numbers, ack acknowledgement number, win window size, options [TCP options], length payload length : payload

Here's an actual example:

 12:14:35.783589 IP ip.your.machine.port > domain.com.http: Flags [P.], seq 1:74, ack 1, win 512, options [nop,nop,TS val 3302576859 ecr 3302576859], length 73: HTTP: GET / HTTP/1.1

Here's a breakdown of the example:

12:14:35.783589 IP ip.your.machine.24365 > domain.com.http: Flags [P.], seq 1:74, ack 1, win 512, options [nop,nop,TS val 3302576859 ecr 3302576859], length 73: HTTP: GET / HTTP/1.1

12:14:35.783589: The timestamp of when the packet was captured.

IP: The protocol of the packet. In this case, it's IP.

ip.your.machine: The source IP address.

> domain.com.http: The destination IP address and the protocol (HTTP in this case).

Flags [P.]: The TCP flags for this packet. "P." stands for PSH (Push) and ACK (Acknowledgment).

seq 1:74: The sequence number for this packet. This packet is sending bytes 1 through 74.

ack 1: The acknowledgement field. This is the next sequence number that the sender of the ACK is expecting. It's the sequence number plus the segment length received in the last packet.

win 512: The window size, indicating the number of bytes that can be received before needing to send an acknowledgment.

options [nop,nop,TS val 3302576859 ecr 3302576859]: The TCP options for this packet. It includes two No-Operation (nop) options and a Timestamp (TS) option with value (val) 3302576859 and echo reply (ecr) 3302576859.

length 73: The length of the payload (in bytes).

HTTP: GET / HTTP/1.1: The payload itself, which is an HTTP GET request in this case.

TCP Flag codes include:

Flags [S] - SYN: Synchronization sequence numbers to initiate a connection

Flags [F] - FIN: Finish, used to close a connection

Flags [P] - PSH: Push function is utilized

Flags [R] - RST: Reset the connection

Flags [.] - ACK: Acknowledgment

Options Include:

nop: No Operation. It's used for alignment purposes and doesn't carry any information.

TS val 3302576859: This is the Timestamp value. It's the value of the sender's timestamp clock when this segment was sent.

ecr 3302576859: This is the Echo Reply timestamp. It's the timestamp value that was received in the TSval field of the segment being acknowledged.

network hardening

Course wrap-up; Glossary Cybersecurity Course 3

 

Glossary: Terms and definitions from Course 3

A

Active packet sniffing: A type of attack where data packets are manipulated in transit
Address Resolution Protocol (ARP): Used to determine the MAC address of the next
router or device to traverse

B

Bandwidth: The maximum data transmission capacity over a network, measured by
bits per second
Baseline configuration: A documented set of specifications within a system that is
used as a basis for future builds, releases, and updates
Bluetooth: Used for wireless communication with nearby physical devices
Botnet: A collection of computers infected by malware that are under the control of a
single threat actor, known as the “bot herder"

C

Cloud-based firewalls: Software firewalls that are hosted by the cloud service
provider
Cloud computing: The practice of using remote servers, application, and network
services that are hosted on the internet instead of on local physical devices

Cloud network: A collection of servers or computers that stores resources and data in
remote data centers that can be accessed via the internet
Controlled zone: A subnet that protects the internal network from the uncontrolled
zone

D

Data packet: A basic unit of information that travels from one device to another within
a network
Denial of service (DoS) attack: An attack that targets a network or server and floods
it with network traffic
Distributed denial of service (DDoS) attack: A type of denial or service attack that
uses multiple devices or servers located in different locations to flood the target
network with unwanted traffic
Domain Name System (DNS): A networking protocol that translates internet domain
names into IP addresses

E

Encapsulation: A process performed by a VPN service that protects your data by
wrapping sensitive data in other data packets

F

File Transfer Protocol (FTP): Used to transfer files from one device to another over a
network
Firewall: A network security device that monitors traffic to or from your network
Forward proxy server: A server that regulates and restricts a person’s access to the
internet

H

Hardware: The physical components of a computer

Hub: A network device that broadcasts information to every device on the network
Hypertext Transfer Protocol (HTTP): An application layer protocol that provides a
method of communication between clients and website servers
Hypertext Transfer Protocol Secure (HTTPS): A network protocol that provides a
secure method of communication between clients and servers

I

Identity and access management (IAM): A collection of processes and technologies
that helps organizations manage digital identities in their environment
IEEE 802.11 (Wi-Fi): A set of standards that define communication for wireless LANs
Internet Control Message Protocol (ICMP): An internet protocol used by devices to
tell each other about data transmission errors across the network
Internet Control Message Protocol (ICMP) flood: A type of DoS attack performed by
an attacker repeatedly sending ICMP request packets to a network server
Internet Protocol (IP): A set of standards used for routing and addressing data
packets as they travel between devices on a network
Internet Protocol (IP) address: A unique string of characters that identifies the
location of a device on the internet
IP spoofing: A network attack performed when an attacker changes the source IP of a
data packet to impersonate an authorized system and gain access to a network

L

Local area network (LAN): A network that spans small areas like an office building, a
school, or a home

M

Media Access Control (MAC) address: A unique alphanumeric identifier that is
assigned to each physical device on a network

Modem: A device that connects your router to the internet and brings internet access
to the LAN
Multi-factor authentication (MFA): A security measure that requires a user to verify
their identity in two or more ways to access a system or network

N

Network: A group of connected devices
Network log analysis: The process of examining network logs to identify events of
interest
Network protocols: A set of rules used by two or more devices on a network to
describe the order of delivery of data and the structure of data
Network segmentation: A security technique that divides the network into segments

O

Operating system (OS): The interface between computer hardware and the user
Open systems interconnection (OSI) model: A standardized concept that describes
the seven layers computers use to communicate and send data over the network
On-path attack: An attack where a malicious actor places themselves in the middle of
an authorized connection and intercepts or alters the data in transit

P

Packet sniffing: The practice of capturing and inspecting data packets across a
network
Passive packet sniffing: A type of attack where a malicious actor connects to a
network hub and looks at all traffic on the network
Patch update: A software and operating system update that addresses security
vulnerabilities within a program or product

Penetration testing: A simulated attack that helps identify vulnerabilities in systems,
networks, websites, applications, and processes
Ping of death: A type of DoS attack caused when a hacker pings a system by sending
it an oversized ICMP packet that is bigger than 64KB
Port: A software-based location that organizes the sending and receiving of data
between devices on a network
Port filtering: A firewall function that blocks or allows certain port numbers to limit
unwanted communication
Proxy server: A server that fulfills the requests of its clients by forwarding them to
other servers

R

Replay attack: A network attack performed when a malicious actor intercepts a data
packet in transit and delays it or repeats it at another time
Reverse proxy server: A server that regulates and restricts the Internet's access to an
internal server
Router: A network device that connects multiple networks together

S

Secure File Transfer Protocol (SFTP): A secure protocol used to transfer files from
one device to another over a network
Secure shell (SSH): A security protocol used to create a shell with a remote system
Security hardening: The process of strengthening a system to reduce its
vulnerabilities and attack surface
Security information and event management (SIEM): An application that collects
and analyzes log data to monitors critical activities for an organization
Security zone: A segment of a company’s network that protects the internal network
from the internet

Simple Network Management Protocol (SNMP): A network protocol used for
monitoring and managing devices on a network
Smurf attack: A network attack performed when an attacker sniffs an authorized
user’s IP address and floods it with ICMP packets
Speed: The rate at which a device sends and receives data, measured by bits per
second
Stateful: A class of firewall that keeps track of information passing through it and
proactively filters out threats
Stateless: A class of firewall that operates based on predefined rules and that does
not keep track of information from data packets
Subnetting: The subdivision of a network into logical groups called subnets
Switch: A device that makes connections between specific devices on a network by
sending and receiving data between them
Synchronize (SYN) flood attack: A type of DoS attack that simulates a TCP/IP
connection and floods a server with SYN packets

T

TCP/IP model: A framework used to visualize how data is organized and transmitted
across a network
Transmission Control Protocol (TCP): An internet communication protocol that
allows two devices to form a connection and stream data
Transmission control protocol (TCP) 3-way handshake: A three-step process used
to establish an authenticated connection between two devices on a network

U

Uncontrolled zone: The portion of the network outside the organization
User Datagram Protocol (UDP): A connectionless protocol that does not establish a
connection between devices before transmissions

V

Virtual Private Network (VPN): A network security service that changes your public
IP address and masks your virtual location so that you can keep your data private when
you are using a public network like the internet

W

Wide Area Network (WAN): A network that spans a large geographic area like a city,
state, or country
Wi-Fi Protected Access (WPA): A wireless security protocol for devices to connect to
the internet