Modern computer systems are almost universally connected, which creates wider attack surfaces well beyond code to users, hardware, and more. Securing systems is thus a fundamental skill for modern software engineers.

This course is a comprehensive introduction to cyber security best practices. You’ll start with an overview of common threats and vulnerabilities, as well as high-level concepts like privilege, integrity, logging, and mediation. With these concepts in mind, you’ll then learn common protection mechanisms and defense strategies from endpoint protection to firewalls, gateways, and proxy servers. Next, you’ll learn monitoring and detection techniques, alerts, and event management. Finally, when you detect a threat, you’ll know how to respond with support tickets, data preservation, and change management.

By the end of this course, you’ll have a better understanding of modern cyber security practices and a clear roadmap to implementing these as a developer.

Cyber Security Best Practices for Developers

## IP addresses

One of the least effective ways to identify the source of a scan or attack is to use the IP address it originates from. IP addresses are disposable and can be spoofed or routed through proxies to hide the actual source. An IP address may even lead to someone who is innocent but has a compromised device. For these reasons, attribution based on the IP address is unreliable.


Ascribing attribution to a particular part of the world can also be difficult.


> **Note:** The South Korean government experienced over 110 thousand cyber attacks in five years, and almost none were sourced from the attacker’s country of origin.


### Feasibility of monitoring IP addresses for security

Despite their relatively low value, IP addresses may still provide a starting point for creating alerts and dashboards. Also, attackers can occasionally get lazy and forget to hide their IP address. So IP addresses aren’t entirely without value from an attribution standpoint.


### Compromised IP addresses

Some IP addresses are perpetually compromised and will always be the source of low-grade attacks and scans. These IP addresses are low-hanging fruit that should be plugged into protection controls to block what should otherwise be considered internet noise.

## File hashes

Installing and using hashes with a file integrity checker (FIC) was discussed in chapter one of this course. Known bad file hashes can be supplied by cyber intelligence sources and fed to an alerting solution, such as an SIEM, or to endpoint FICs. If any files are discovered to have a hash that matches a hash identified by intel, there are a couple of response options:


- Generating an alert.

- Having the endpoint software quarantine the suspicious file.


## Email

Phishing is one of the most effective methods used by attackers to get a victim to download and install malware. Information collected from previous phishing campaigns can provide indicators that can be used to block the same phish from reaching other people’s inboxes. The following are elements of an email message that can be used to cross reference IOCs and block malicious emails.





# IP addresses

One of the least effective ways to identify the source of a scan or attack is to use the IP address it originates from. IP addresses are disposable and can be spoofed or routed through proxies to hide the actual source. An IP address may even lead to someone who is innocent but has a compromised device. For these reasons, attribution based on the IP address is unreliable.


Ascribing attribution to a particular part of the world can also be difficult.


> **Note:** The South Korean government experienced over 110 thousand cyber attacks in five years, and almost none were sourced from the attacker’s country of origin.


## Feasibility of monitoring IP addresses for security

Despite their relatively low value, IP addresses may still provide a starting point for creating alerts and dashboards. Also, attackers can occasionally get lazy and forget to hide their IP address. So IP addresses aren’t entirely without value from an attribution standpoint.


## Compromised IP addresses

Some IP addresses are perpetually compromised and will always be the source of low-grade attacks and scans. These IP addresses are low-hanging fruit that should be plugged into protection controls to block what should otherwise be considered internet noise.

# File hashes

Installing and using hashes with a file integrity checker (FIC) was discussed in chapter one of this course. Known bad file hashes can be supplied by cyber intelligence sources and fed to an alerting solution, such as an SIEM, or to endpoint FICs. If any files are discovered to have a hash that matches a hash identified by intel, there are a couple of response options:


- Generating an alert.

- Having the endpoint software quarantine the suspicious file.


# Email

Phishing is one of the most effective methods used by attackers to get a victim to download and install malware. Information collected from previous phishing campaigns can provide indicators that can be used to block the same phish from reaching other people’s inboxes. The following are elements of an email message that can be used to cross reference IOCs and block malicious emails.





Learn how to monitor IP addresses, file hashes, and emails for cyber attacks.


IP Addresses, File Hashes, and Email

Learn how to monitor IP addresses, file hashes, and emails for cyber attacks.

Introduction

Basics of Security

Detect

Protect

Respond

Conclusion

IP Addresses, File Hashes, and Email

IP addresses

Feasibility of monitoring IP addresses for security

Compromised IP addresses

File hashes

Email