Reading: Operations Management, 8/e, Slack, BJ & Johnston

  1. Tips
    1. Visit all links in each chapter
    2. Practise, practise and practise
    3. Remember key models and QQ analysis
    4. Research and apply own experiences
  2. Content – Summary
    1. Topic 1 – Ch1 – Operations Management
      1. Objectives
        1. What is operations management
        2. Why is OM important in all types of organizations
        3. What is the input-transformation-output process
        4. What is the process hierarchy
        5. How do operations and processes differ
        6. What do operations managers do
    2. Topic 2 – Ch6
    3. Topic 3 – Ch10
    4. Topic 4 – Ch16
    5. Topic 5 – Ch2
    6. Topic 6 – Ch3
    7. Topic 7 – Ch4
    8. Topic 8 – Ch5
    9. Topic 9 – Ch7
    10. Topic 10 – Ch8
    11. Topic 11 – Ch9
    12. Topic 12 – Ch11
    13. Topic 13 – Ch12
    14. Topic 14 – Ch13
    15. Topic 15 – Ch14
    16. Topic 16 – Ch15
    17. Topic 17 – Ch17
    18. Topic 18 – Ch18
    19. Topic 19 – Ch19
  3. Content – Detailed
    1. Topic 1 – Ch1 OM
      1. Keys
        1. What is operations management
        2. Why is OM important in all types of organizations
        3. What is the input-transformation-output process
        4. What is the process hierarchy
        5. How do operations and processes differ
        6. What do operations managers do
      2. Contents
        1. OM – how organizations create and deliver services and products;
          1. uses “resources to appropriately create outputs that fulfill defined market requirements”
        2. 3 core functions of any organization
          1. Marketing: communicating services and products to its market to generate customer requests
          2. Product / service development: coming up with new and modified services and products;
          3. Operations – core functions that create and deliver services and products; also including support functions (IT / HR / Acc…)
        3. OM Principle – OM is at the forefront of coping with, and exploiting developments in business and technology;
          1. OM principle – all operations produce service for their customers;
        4. Input-Output transformation
          1. Transformed resource inputs to a process are materials (transform properties of physical / location / possession), information (transform properties of status / location / possession) or customers (transform properties of accommodate / location / physiological or psychological state);
          2. Process hierarchy
            1. Process
              1. building blocks of all operations
              2. arrangement of resources or activities that transform inputs to outputs that satisfy customer needs;
              3. three levels: the process, the operation, the supply network / industry chain;
          3. OM is relevant to all parts of the business
            1. Operations
              1. creates and delivers services and products for the organizations’ external customers;
              2. management of the processes within any of the organizations’ functions;
              3. Operations and processes can reduce their costs by increasing volume, reducing variety, reducing variation and reducing visibility;
              4. OM activities will have a significant effect on the sustainability performance of any type of enterprise;
        5. Various operational process dimension
          1. Volume of output
            1. McDonald. High volume output -> systematized and repeated tasks -> worth specialized tools -> low unit costs;
            2. Cafe. Low volume output -> staff to perform wide range of tasks (rewarding) -> less open to systemization -> higher unit costs;
          2. Variety of output
            1. Taxi VS bus – flexibility
          3. Variation in the demand for their input
          4. Degree of visibility which customers have of the creation of their output (customer contact) [figure: 4V in operations]
        6. What do operations manager do?
          1. Direct – steering and forming strategies
          2. Design – products, services and processes
          3. Deliver – planning, controlling and improving
          4. Develop – performance
    2. Topic 2 – Ch6
    3. Topic 3 – Ch10
    4. Topic 4 – Ch16
    5. Topic 5 – Ch2
    6. Topic 6 – Ch3
    7. Topic 7 – Ch4
    8. Topic 8 – Ch5
    9. Topic 9 – Ch7
    10. Topic 10 – Ch8
    11. Topic 11 – Ch9
    12. Topic 12 – Ch11
    13. Topic 13 – Ch12
    14. Topic 14 – Ch13
    15. Topic 15 – Ch14
    16. Topic 16 – Ch15
    17. Topic 17 – Ch17
    18. Topic 18 – Ch18
    19. Topic 19 – Ch19

Reading: Management_13e, Robbins and Coulter.

  1. Content – Summary
    1. Topic 1 – Ch1 (done)
    2. Topic 2 – Ch1 & Ch15 (done)
    3. Topic 3 – Ch1 & Ch2 (done)
    4. Topic 4 – Ch14 (done)
    5. Topic 5 – Ch16 (done)
    6. Topic 6 – Ch17
    7. Topic 7 – MID TERM Exam (done)
    8. Topic 8 – Ch10 & Ch11
    9. Topic 9 – Ch3
    10. Topic 10 – Ch3
    11. Topic 11 – Ch6
  2. Content – Details
    1. Chapter 1 – Managers in the Workplace (p.35-71)
      1. Objectives
        1. Explain why managers are important to organizations
        2. Tell who managers are and where they work
          1. Know how to manage your time
        3. Describe the functions, roles and skills of managers
          1. Develop your skill at being politically aware
        4. Describe the factors that are reshaping and redefining the manager’s job
        5. Explain the value of studying management
      2. Contents of Ch1
        1. Why managers are important to organizations?
          1. organizations need their managerial skills and abilities in uncertain, complex, and chaotic times;
          2. Managers are critical to getting things done in organizations;
          3. Managers contribute to employee productivity and loyalty;
        2. Who managers are and where they work:
          1. managers coordinate and oversee the work of others -> organizational goals;
          2. managers work in organization;
        3. The functions, roles, and skills of managers
          1. overseeing the efficient and effective completion of others’ work activities;
          2. 4 functions: planning, organizing, leading, controlling
          3. Mintzberg’s managerial roles: interpersonal, informational, decisional
          4. Katz’s managerial skills: technical, interpersonal, conceptual
        4. Factors that are reshaping and redefining the manager’s job
          1. PEST, changing workplaces, ethical issues, security threats;
        5. The value of studying management
          1. 3 reasons: the universality of management, the reality of work, awareness of the significant rewards and challenges; [figure: Managerial roles and skills]
    2. Chapter 15 – Understanding and Managing Individual Behavior (p.460 – 491)
      1. Objectives
        1. Identify the focus and goals of individual behavior within organizations
        2. Explain the role that attitudes play in job performance
        3. Describe different personality theories
          1. Know how to be more self-aware
        4. Describe perception and factors that influence it
        5. Discuss learning theories and their relevance in shaping behavior
          1. Develop your skill at shaping behavior
        6. Discuss contemporary issues in organizational behavior
      2. Keywords:
        1. organized vs disorganized
        2. open to change VS comfortable with the familiar
      3. Contents of Ch15
        1. Challenges in understanding OB – address issues that aren’t obvious (like an iceberg); [figure: iceberg]
        2. to understand elements that also influence how employees behave to work;
        3. Areas
          1. Individual behavior (contributed by psychologists)
            1. Attitudes, personality, perception, learning, and motivation
          2. Group behavior (contributed by sociologists and social psychologists)
            1. Norms, roles, team building, leadership, and conflict
          3. Organizational behavior
            1. Structure, culture, and human resource policies and practices
        4. Goals of OB: explain (why), predict (how) and influence behavior;
        5. Six employee behaviors
          1. Employee productivity, absenteeism, turnover, organizational citizenship behavior (OCB), job satisfaction, and workplace misbehavior;
          2. Employee productivity: measurement of both efficiency and effectiveness;
          3. Absenteeism
          4. Turnover
          5. Organizational citizenship behavior
          6. Job satisfaction
          7. Workplace misbehavior
        6. Attitudes and Job performance
          1. Attitude: cognition, affect, and behavior
            1. Cognition: beliefs, opinions, knowledge or information held by a person
            2. Affect: the emotional or feeling part of an attitude (what people usually mean by “attitude”), which can lead to behavioral outcomes;
            3. Behavior: intention to behave in a certain way
        7. Job-related attitudes: Job satisfaction, job involvement, and organizational commitment
          1. Job satisfaction: general attitude toward his or her job
            1. job satisfaction tends to increase as income increases, more challenges and allows workers more control;
            2. Strong correlation between satisfaction and productivity;
            3. Job satisfaction VS 6 employees behaviors
          2. Job involvement: degree of active participation
          3. Organizational commitment: degree to wish to maintain membership
            1. identifying with your employing organization
            2. perceived organizational support – lead to increased job satisfaction and lower turnover;
          4. Employee engagement: when employees are connected to, satisfied with, and enthusiastic about their jobs;
            1. 2.5x more likely to be top performers than less-engaged coworkers;
          5. Attitudes and consistency
            1. people seek consistency among their attitudes and between their attitudes and behavior;
          6. Cognitive Dissonance Theory
            1. Cognitive dissonance: inconsistency between attitudes or between behavior and attitudes;
            2. The inconsistency is uncomfortable and individuals try to reduce it;
              1. Factors affecting the desire to reduce it
                1. importance
                2. degree of influence
                3. rewards
          7. Regularly surveying employee attitudes: averaged for work groups, departments, divisions, or the organization; (wearable technology for continuous assessment)
        8. Personality
          1. unique combination of emotional, thought, and behavior patterns; affects how a person reacts and interacts;
          2. Two most well-known personality classification approaches: Myers Briggs Type Indicator (MBTI) and the Big Five Model:
            1. MBTI: 100-question assessment, 16 personality types;
              1. Social interaction: extraversion or introversion (E or I)
              2. Preference for gathering data: sensing or intuition (S or N)
              3. Preference for decision making: thinking or feeling (T or F)
              4. Style of making decisions: judging or perceiving (J or P)
            2. Big Five Model
              1. Extraversion
              2. Agreeableness
              3. Conscientiousness
              4. Emotional stability
              5. Openness to experience
          3. Other personality traits
            1. Locus of Control: internal (controlled by own) or external (controlled by outside forces);
            2. Machiavellianism: ends / results can justify means; eg. salesperson
            3. Self-Esteem (SE)
              1. directly related to expectations for success;
              2. High SE
                1. possess the ability they need to succeed at work
                2. take more risks in job selection, and choose unconventional jobs
                3. less susceptible to external influence
                4. more satisfied with their jobs than low SEs
            4. Self-Monitoring: ability to adjust behavior to external, situational factors;
              1. Ability to present contradictions between the public persona and the private selves;
              2. Low self-monitors cannot adjust their behavior
            5. Risk Taking
            6. Proactive personality
            7. Resilience: ability to overcome challenges and turn them into opportunities;
        9. Emotions and Emotional Intelligence (EI)
          1. 5 dimensions of EI (ability to notice and to manage emotional cues and information)
            1. Self-awareness
            2. Self-management
            3. Self-motivation
            4. Empathy
            5. Social skills
          2. EI relevant to success in jobs that demand a high degree of social interaction;
        10. Perception
          1. Attribution Theory: explain how we judge people differently depending on what meaning we attribute to a given behavior;
            1. when we observe an individual’s behavior, we attempt to determine whether it was internally or externally caused;
            2. Distinctiveness: different behaviors in different situations, eg. unusual behavior caused by external forces while usual behavior as internal caused;
            3. Consensus: does other behave the same way in similar situations?
            4. Consistency: does person behave this way consistently?
            5. fundamental attribution error:
              1. tendency to underestimate the influence of external factors and to overestimate the influence of internal or personal factors;
              2. attribute our own successes to internal factors while putting blame for personal failure on external factors;
            6. Shortcuts used in judging others
              1. Assumed similarity: others are like oneself
              2. Stereotyping: grouping a person based on perception
              3. Halo effect: general impression of an individual based on a single characteristic
        11. Learning:
          1. to explain, predict and influence behavior, we need to understand how people learn;
          2. Operant Conditioning
            1. behavior is a function of its consequences, eg. known rewards or punishment;
          3. Social learning theory: learn thru observation and direct experience
            1. Four processes
              1. Attentional processes: models which are attractive, repeatedly available, important and seen as similar to us;
              2. Retention processes: how well we remember the actions
              3. Motor reproduction processes: reproduce the action
              4. Reinforcement processes: motivation to exhibit the modeled behavior
          4. Shaping behavior:
            1. positive reinforcement, negative reinforcement: repeat desirable behaviors;
            2. punishment, and extinction: weakening undesirable behaviors;
        12. Contemporary issues
          1. Managing generational differences
            1. Gen Y (1982-1997)
          2. Managing negative behavior in the workplace
        13. Skills exercise – Develop your shaping behavior skill
          1. Must teach your employees the behaviors most critical to their;
            1. Identify the critical behaviors that have a significant impact on an employee’s performance;
            2. Establish a baseline of performance;
            3. Analyze the contributing factors to performance and their consequences;
            4. Develop a shaping strategy
            5. Apply the appropriate strategy
            6. Measure the change that has occurred
            7. Reinforce desired behavior
    3. Chapter 2 – Making Decisions (p.74-)
      1. Objectives
        1. Describe the eight steps in the decision-making process
          1. Develop your skills
        2. Explain the four ways managers make decisions
        3. Classify decisions and decision-making conditions
        4. Describe different decision-making styles and discuss how biases affect decision making
          1. Know how to recognize when you’re using decision-making errors and biases and what to do about it
        5. Identify effective decision-making techniques
      2. Contents of Ch2
        1. Eight steps in decision making process
          1. Identify a problem
          2. Identify decision criteria (or constraints)
          3. Allocating weights to the criteria
          4. Developing alternatives
          5. Analyzing Alternatives
          6. Selecting an Alternative
          7. Implementing the Alternative
          8. Evaluating decision effectiveness
        2. Making decisions (approaches)
          1. objective and logical
          2. bounded rationality: rational decision making, but limited by an individual’s ability to process information, thus, managers satisfice rather than maximize. eg. not searching all possible alternatives;
          3. escalation of commitment:
            1. increased commitment to a previous decision despite evidence that it may have been wrong;
            2. do not want to admit that the initial decision may have been flawed, eg. Challenger space shuttle disaster;
          4. Intuitive decision making
            1. on basis of experience, feelings and accumulated judgement;
            2. Subconscious mental processing (use data from subconscious mind)
            3. Value or ethics-based decisions
            4. Experience-based decisions
            5. Affect-initiated decisions (on feelings / emotions)
            6. Cognitive-based decisions (on skills / knowledge / training)
          5. Evidence-based management (EBMgt)
            1. systematic use of the best available evidence to improve management practice
            2. four essential elements
              1. decision maker’s expertise and judgement
              2. external evidence that’s been evaluated by the decision maker
              3. opinions, preferences and values of those who have a stake in the decision
              4. relevant organizational factors such as context, circumstances and members;
        3. Types of decisions
          1. structured problems and programmed decisions
            1. straightforward, familiar and easily defined;
            2. programmed decision – repetitive decision that can be handled by a routine approach;
            3. defined “develop-the-alternatives” stage
            4. three types of programmed decisions
              1. procedure: sequential steps
              2. rule: explicit statement about what can or cannot be done;
              3. policy: guideline for making decision with ambiguous terms that requires interpretation
          2. Unstructured problems and non-programmed decisions
            1. new or unusual problems for which info is ambiguous or incomplete
        4. Decision-making conditions: Certainty, risk, and uncertainty;
        5. Decision-making styles
          1. Linear thinking style: decisions on external data and facts and processing this information thru rational and logical thinking;
          2. nonlinear thinking style: preference for internal sources of information (feelings and intuition) with internal insights / feelings;
          3. Decision-making biases and errors
            1. rules of thumb / heuristics
            2. overconfidence bias
            3. immediate gratification bias (want immediate rewards and avoid immediate costs)
            4. anchoring effect: failed to adjust from initial information
            5. Selective perception bias
        6. Effective decision making in Today’s World
          1. Guidelines for effective decision making
            1. Understand cultural differences
            2. Create standards for good decision making:
              1. forward looking
              2. use available information
              3. consider all available and viable options
              4. not create conflicts of interest
              5. develop your ability to think clearly
            3. Know when it’s time to call it quits
            4. Use an effective decision-making process
              1. focuses on what’s important
              2. logical and consistent
              3. acknowledges both subjective and objective thinking
              4. require enough info as is necessary to resolve a problem
              5. encourages and guides gathering relevant info and informed opinions
              6. straightforward, reliable, easy to use and flexible;
          2. Design thinking and decision making
            1. Design thinking: approaching management problems as designers approach design problems
          3. Big Data and Decision Making
    4. Chapter 14 – Managing Communication
      1. Objectives:
        1. Define the nature and function of communication
        2. Compare and contrast methods of interpersonal communication
        3. Identify barriers to effective interpersonal communication and how to overcome them
          1. Develop your skill at listening actively
          2. Know how to identify the differences in how genders communicate
        4. Explain how communication can flow most effectively in organizations
        5. Describe how technology affects managerial communication and organizations
        6. Discuss contemporary issues in communication
      2. Contents of Ch14:
        1. Keys: understanding the differences in how males and females communicate;
          1. males: speak and hear a language of independence and control; tend to direct;
          2. females: use communication to seek connection, closeness and intimacy; tend to be subtle / vague / evasive;
        2. Communication: the transfer and understanding of meaning;
        3. Four functions of communication: control, motivation, emotional expression, and information;
        4. Barriers to effective communication
          1. Filtering, Information overload, Defensiveness, Language (jargon), National culture;
          2. Overcome: Use Feedback, Simplify Language, Active Listening, Control Emotion, Watch non-verbal cues;
        5. Workplace design and communication
          1. enclosures and barriers;
        6. IT and communication
          1. Networked systems and Wireless capabilities
        7. Getting employee input, eg. employee suggestion box
        8. Ethical communication
          1. includes all relevant information, is true in every sense, and is not deceptive in any way;
          2. To encourage ethical communication: establish clear guidelines for ethical behavior, including ethical business communication;
          3. Manager: responsible to think through your communication choices and the consequences of those choices;
        9. Active listening skills
          1. Make eye contact
          2. Exhibit affirmative nods and appropriate facial expressions
          3. Avoid distracting actions or gestures that suggest boredom
          4. Ask questions
          5. Paraphrase what’s been said
          6. Avoid interrupting the speaker
          7. Stay motivated to listen: not overtalk
          8. Make smooth transitions between the roles of speaker and listener
    5. Chapter 16 – Motivating Employees
      1. Objectives
        1. Define motivation
        2. Compare and contrast early theories of motivation
        3. Compare and contrast contemporary theories of motivation
          1. Develop your skill at motivating employees
        4. Discuss current issues in motivation
          1. Know how to identify what motivates you
      2. Contents of Ch16
        1. Keys:
          1. what motivates YOU in your career;
          2. effective managers who get employees to put forth maximum effort know how and why those employees are motivated and tailor motivational practices to satisfy their needs and wants;
          3. Effort directed toward and consistent with organizational goals;
        2. Motivation – the process by which a person’s efforts are energized, directed and sustained toward attaining a goal;
        3. Four early motivation theories
          1. Maslow’s hierarchy of needs
            1. Physiological <-> Safety <-> Social <-> Esteem <-> Self-Actualization
            2. each level in the needs hierarchy must be substantially satisfied before the next need becomes dominant;
            3. Lower-order needs (physiological / safety) are satisfied externally;
            4. Maslow provided no empirical support for his theory;
          2. McGregor’s theories X and Y
            1. Theory X is negative view of people (dislike, lazy, avoid responsibility)
            2. Theory Y is positive view of people (creative, enjoy work, self-direction); guide management practice;
          3. Herzberg’s two-factor theory (motivation-hygiene theory)
            1. intrinsic factors (recognition / responsibilities) are related to job satisfaction while extrinsic factors (supervision / salary) are associated with job dissatisfaction;
            2. hygiene factors – eliminate job dissatisfaction, but don’t motivate;
            3. opposite of “satisfaction” is “no satisfaction” while opposite of “dissatisfaction” is “no dissatisfaction”;
            4. Motivators (intrinsic factors) – increase job satisfaction and motivation;
          4. McClelland’s three-needs theory
            1. Three acquired needs are major motives in work:
              1. need for achievement (nAch)
                1. achievement motivation based on people with high nAch
              2. need for power (nPow)
                1. impact / impression on others
              3. need for affiliation (nAff)
                1. relationship with others
            2. measured by projective test TAT
        4. Contemporary Theories of Motivation (supported by research) [figure: motivation theories]
          1. Goal-setting Theory
            1. The proposition that specific goals increase performance and that difficult goals, when accepted, result in higher performance than do easy goals;
              1. working to a goal (measurable) is a major source of job motivation;
          2. Reinforcement Theory
          3. Job design Theory
          4. Equity Theory
          5. Expectancy Theory
          6. High involvement work practices
        5. Current issues in motivation
          1. cross cultural motivation challenges
          2. motivate unique group of users
          3. Designing appropriate rewards programs
            1. Open Book Management
            2. Employee Recognition Programs
    6. Chapter 17 – Being an Effective Leader
      1. Define leader and leadership
      2. Compare and contrast early theories of leadership
      3. Describe the three major contingency theories of leadership
        1. Develop your skill at choosing an effective leadership style
      4. Describe contemporary views of leadership
      5. Discuss contemporary issues affecting leadership
        1. Know how to prepare for an effective transition to a leadership position
    7. Chapter 10 – Designing Organizational Structure – Basic Designs
      1. Describe six key elements in organizational design
        1. Know how to delegate work to others and develop your skill at delegating
      2. Contrast mechanistic and organic structures
      3. Discuss the contingency factors that favor either the mechanistic model or the organic model of organizational design
      4. Describe traditional organizational designs
    8. Chapter 11 – Designing Organizational Structure – Adaptive Designs
      1. Describe contemporary organizational designs
        1. Develop your skill at acquiring and using power
      2. Discuss how organizations organize for collaboration
      3. Explain flexible work arrangements used by organizations
      4. Discuss organizing issues associated with a contingent workforce
      5. Describe today’s organizational design challenges
    9. Chapter 3 – Managing the External Environment and the Organization’s Culture
      1. Contrast the actions of managers according to the omnipotent and symbolic views
      2. Describe the constraints and challenges facing managers in today’s external environment
        1. Develop your skill at scanning the environment so you can anticipate and interpret changes taking place
      3. Discuss the characteristics and importance of organizational culture
        1. Know how to read and assess an organization’s culture
      4. Describe current issues in organizational culture
    10. Chapter 6 – Managing Social Responsibility and Ethics
    11. Chapter 7 – Managing Change and Innovation
      1. Compare and contrast views on the change process
      2. Classify types of organizational change
      3. Explain how to manage resistance to change
        1. Know how to be change ready by overcoming your resistance to change
      4. Discuss contemporary issues in managing changes
        1. Develop your skill in change management so you can serve as a catalyst for change
      5. Describe techniques for stimulating innovation
    12. Chapter 8 – Planning Work Activities
      1. Define the nature and purposes of planning
      2. Classify the types of goals organizations might have and the plans they use
      3. Compare and contrast approaches to goal-setting and planning
        1. Know how to set goals personally and create a useful, functional to-do list
        2. Develop your skill at helping your employees set goals
      4. Discuss contemporary issues in planning
    13. Chapter 9 – Managing Strategies
      1. Define strategic management and explain why it’s important
      2. Explain what managers do during the six steps of the strategic management process
        1. know how to identify your own personal strengths and weaknesses and deal with them
        2. develop your skill at strategic planning
      3. Describe the three types of corporate strategies
      4. Describe competitive advantage and the competitive strategies organizations use to get it
      5. Discuss current strategic management issues
    14. Chapter 12 – Managing HR
      1. Explain the importance of the human resource management process and the external influences that might affect that process
      2. Discuss the tasks associated with identifying and selecting competent employees
      3. Explain the different types of orientation and training
      4. Describe strategies for retaining competent, high-performing employees
      5. Discuss contemporary issues in managing human resources
    15. Chapter 13 – Creating and Managing Teams
      1. Define groups and the stages of group development
      2. Describe the major components that determine group performance and satisfaction
      3. Define teams and best practices influencing team performance
        1. Know how to maximize outcomes through effective negotiating
        2. Develop your skills at coaching team members
      4. Discuss contemporary issues in managing teams
    16. Chapter 18 – Monitoring and Controlling
      1. Explain the nature and importance of control
      2. Describe the three steps in the control process
      3. Explain how organizational and employee performance are measured
        1. Know how to be effective at giving feedback
      4. Describe tools used to measure organizational performance
      5. Discuss contemporary issues in control
        1. Develop your skills at dealing with difficult people

SECOPS – CCSA study log (210-255)

  1. Objectives – learn and exam
    1. Cisco materials:
  2. Content summary
    1. Defining the Security Operations Center
    2. Understanding NSM Tools and Data
    3. Understanding Incident Analysis in a Threat-Centric SOC
    4. Identifying Resources for Hunting Cyber Threats
    5. Understanding Event Correlation and Normalization
    6. Identifying Common Attack Vectors
    7. Identifying Malicious Activity
    8. Identifying Patterns of Suspicious Behavior
    9. Conducting Security Incident Investigations
    10. Describing the SOC Playbook
    11. Understanding the SOC metrics
    12. Understanding the SOC WMS and automation
    13. Describing the Incident Response Plan
    14. Appendix A – Describing the Computer Security Incident Response Team
    15. Appendix B – Understanding the use of VERIS
  3. Content details
    1. Defining the Security Operations Center
      1. Types of Security Operations Centers
        1. SOC: center for network security event monitoring and incident response
        2. responsible for detecting, analyzing, and reporting unauthorized or malicious network activity
        3. 3 types (vary from different job roles, tools and technologies)
          1. Threat-centric SOCs
            1. proactive hunts for malicious threats
            2. addresses the entire attack continuum – before / during / after;
          2. Compliance-based SOCs
            1. Against reference configuration templates and std system builds;
            2. relies on detecting unauthorized changes and existing config problems;
            3. Key: link risk mgt and incident response practices to an automated system compliance process;
            4. such as benchmarks by the Center for Internet Security (CIS) or PCI DSS 2.0 (Payment Card Industry);
          3. Operational-based SOCs
            1. focus on maintaining the operational integrity and internal monitoring with techniques that are tailored for an organization‘s specific network environment;
              1. Tier 1 SOC analyst: deploying tools
              2. Tier 2 SOC analyst: developing tools
            2. term: CSIRT (Computer Security Incident Response Team)
            3. Addressing operational issues within an organization requires operational solutions and operational competence, not just enabling features on a device when a security issue appears;
          4. Example of a SOC Architecture
            1. automate and customize feeds / inputs to database in which alerts are triggered and ease for analysis;
      2. SOC Analyst Tools
        1. Functions
          1. Network mapping
          2. Network monitoring
          3. Vulnerability detection
          4. Penetration testing
          5. Data collection
          6. Threat and anomaly detection
          7. Data aggregation and correlation
        2. Example tools
          1. Security Onion: Linux distribution with Log mgt, network security monitoring, IDS capabilities;
            1. Composed of Snort, Suricata and so on…
          2. Network analyst tools: Wireshark / Netwitness / OSSEC / NetFlow / Cisco Stealthwatch;
          3. Penetration testing tools: exploit weaknesses to prove they are real;
            1. eg. Kali Linux with tools such as Metasploit Framework, Armitage, and SET (Social Engineer Toolkit)
            2. Typical cycle: start with a vulnerability assessment;
            3. reduce the weaknesses found to an acceptable level;
            4. then perform a penetration test against the improved posture;
      3. Data Analytics
        1. examining and deciphering raw data or data sets with the purpose of drawing conclusions;
          1. Tier 1 analyzes real-time data over the short run and escalates potential intrusions to Tier 2 for response;
          2. Dynamic analysis:  testing and evaluation against real-time data;
        2. Log mining
          1. SIEM tools such as Splunk can help a SOC collect and normalize large amounts of disparate log data;
          2. Sequencing: reconstructing network flow
          3. Path analysis: interpretation of a chain of consecutive events
          4. Log clustering: mine through large amounts of log data to build profiles and to identify anomalous behavior
          5. Predictive analysis: use the mined history to forecast future attacks
        3. Raw Network Packet Capture Analysis
          1. Netflow / WireShark / tcpdump
        4. Real-time Rule-Based Alerts
          1. Alerts from Users / HelpDesk / Hardware / Software
      4. Hybrid installations: Automated Reports, Anomaly Alerts
        1. automate as many tasks as possible to streamline the workflow
          1. Ticket generation
          2. False positive alert handling
          3. Report generation: weekly / monthly summaries
        2. Anomaly detection: alerts which are based on volume or feature patterns
          1. Volume-based anomaly alerts can come from: Statistical analysis / Frequency analysis / Time-series forecasting
          2. feature-based anomaly detection
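Added example (not from the Cisco course): a volume-based anomaly alert built from the kind of per-host statistical baseline the notes describe, in Python. The daily byte totals and today's session records are constructed numbers; the modified z-score (median and median absolute deviation) is used instead of mean and standard deviation so that one huge day cannot drag the baseline along with it. Host addresses, the 14-day history and the thresholds are assumptions for the example.

```python
"""Volume-based anomaly alerting from per-host NSM statistics (added example)."""
import statistics

# Constructed baseline: outbound MB per day for the previous 14 days, per host.
# Illustrative numbers only, not measurements from any real network.
BASELINE_MB = {
    "10.1.1.5": [200, 210, 190, 205, 198, 230, 215, 201, 199, 220, 210, 195, 208, 202],
    "10.1.1.6": [50, 48, 55, 52, 49, 60, 51, 47, 53, 50, 58, 49, 52, 51],
}

# Constructed session records for today: (src_ip, dst_ip, dst_port, bytes_out).
TODAY_SESSIONS = [
    ("10.1.1.5", "203.0.113.10", 443, 4_200_000_000),  # one host pushed ~4.2 GB out
    ("10.1.1.6", "198.51.100.7", 443, 52_000_000),
    ("10.1.1.6", "198.51.100.8", 80, 1_000_000),
    ("10.1.1.77", "198.51.100.9", 443, 5_000_000),     # host with no history at all
]


def daily_totals_mb(sessions):
    """Aggregate session data into the statistic we baseline: MB out per source host."""
    totals = {}
    for src, _dst, _dport, nbytes in sessions:
        totals[src] = totals.get(src, 0) + nbytes / 1_000_000
    return totals


def robust_z(history, value):
    """Modified z-score: 0.6745 * (x - median) / MAD. Unlike mean/stddev, a single
    extreme day in the history barely moves the baseline."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:                       # perfectly flat history: any change is a deviation
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def volume_alerts(baseline, sessions, threshold=3.5, min_days=7):
    """Return (host, today_mb, z) for hosts whose volume deviates from their own
    baseline, plus hosts that have no usable baseline (z is None)."""
    alerts = []
    for host, mb in sorted(daily_totals_mb(sessions).items()):
        history = baseline.get(host, [])
        if len(history) < min_days:
            alerts.append((host, round(mb, 1), None))     # new/unknown host: review it
            continue
        z = robust_z(history, mb)
        if abs(z) > threshold:
            alerts.append((host, round(mb, 1), round(z, 1)))
    return alerts


if __name__ == "__main__":
    for host, mb, z in volume_alerts(BASELINE_MB, TODAY_SESSIONS):
        print("%-10s %8.1f MB  z=%s" % (host, mb, "no baseline" if z is None else z))
```

The same shape works for any counter a sensor produces per host per period (connections, distinct destinations, DNS queries); what changes is the aggregation function and, per statistic, the threshold tuned against the organization's own history.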
      5. Sufficient Staffing Necessary for an Effective Incident Response Team
      6. Roles in a Security Operations Center
        1. SOC manager
          1. prioritizing work and organizing resources with the goal of detecting, investigating, and mitigating incidents that could impact the business;
          2. determines both the day-to-day activities and the base skills that are required (workflows and SOPs) by the security analyst to perform the job successfully;
        2. Tier 1 security analyst
          1. Continuously monitors the alert queue
          2. Triages security alerts
          3. Monitors the health of the security sensors and endpoints
          4. Collects data and context necessary to initiate Tier 2 work
        3. Tier 2 security analyst
          1. Performs deep-dive incident analysis by correlating data from various sources
          2. Determines if a critical system or data set has been impacted
          3. Advises on remediation
          4. Provides support for new analytic methods that are used in threat detection
        4. Tier 3 security analyst
          1. Possesses in-depth technical knowledge on the network, endpoint, threat intelligence, forensics, malware reverse engineering, and the functioning of specific applications or underlying IT infrastructure
          2. Acts as an incident hunter, not waiting for escalated incidents
          3. Closely involved in developing, tuning, and implementing threat detection analytics
      7. Develop Key Relationships with External Resources
        1. TALOS
        2. US-CERT
        3. FIRST
        4. malwr
        5. OVE
        6. PhishTank
      8. Challenge
    2. Understanding NSM Tools and Data
      1. NSM (network security monitoring) Tools
        1. SOC analysts rely on NSM data
        2. functions
          1. collecting syslog messages
          2. moving messages from a flat log file to a database
          3. automate reports / dashboards / real-time query
        3. Commercial / Open source / homegrown
      2. NSM Data
        1. 6 types
          1. Session Data (Tool: eg. NetFlow, Bro conn logs)
            1. summary data that is associated with network conversations (who and when);
            2. IP 5-tuple: source IP, destination IP, source port, destination port, transport protocol
          2. Full packet capture (Tool: eg. tcpdump / Wireshark / netsniff-ng)
            1. records all the network traffic, packet by packet;
            2. in PCAP format
          3. Transaction data
            1. between session data and full packet capture
            2. captures the details that are associated with requests and responses;
              1. eg. log GET by client; log SMTP connections
          4. Alert data
            1. by IPS system
          5. Statistical data
            1. NSM data is collected over time, the data can be processed to produce statistical data
            2. performance ratio; summary
            3. produces baselines
            4. Deviations from normal are called anomalies
          6. Metadata
          7. Correlation is key for analysis
            1. eg. same time stamp of numerous packets from same IP address;
            2. connections with malicious IP addresses;
      3. Security Onion (Linux distribution that focuses on NSM)
        1. Security Onion is a turnkey NSM solution
        2. deployed as a simple standalone system or a distributed deployment;
        3. Security Onion use netsniff-ng to perform full packet capture
      4. Full Packet Capture
        1. in PCAP (packet capture) format
        2. Consider:
          1. Location: sensing interfaces are placed at chokepoints / ingress points in the network;
          2. Method of network connection
            1. sensing interface connected to mirror SPAN port
            2. network tap
            3. inline, where the sensor uses two interfaces and traffic is forced through the sensor between them (reliable capture, but the sensor becomes a point of failure for the link)
          3. NIC configuration
            1. disable checksum offload and TCP segmentation offload on the sensing interface: they improve system and network performance on a normal host, but on a sensor they hand the capture tool segments and checksums that never appeared on the wire;
          4. Storage size: 540GB / day (eg. at a sustained 50 Mb/s: 50,000,000 b/s × 86,400 s ÷ 8 ≈ 540 GB)
      5. Session Data
        1. IP 5-tuple
        2. capture by Bro
        3. ELSA takes the flat Bro logs and other flat log sources and stores them in a relational MySQL database with Sphinx indexing
      6. Transaction Data
        1. audit trails of client requests and server responses (SMTP / HTTP / DNS…);
      7. Alert Data
        1. produced by IDS and IPS systems
        2. analyst must:
          1. understand whether the sensor is capable of dropping malicious traffic (a passive IDS can only alert; an inline IPS can drop);
          2. know how to examine the alert data to determine the actions that the IDS has taken;
      8. Other Data Types
        1. Extracted content: artifacts from real-time traffic streams or PCAP files;
          1. eg. by Bro or NetworkMiner;
          2. eg. Bro extract all email attachments;
        2. Statistical Data by ELSA
      9. Correlating NSM Data
        1. the IP 5-tuple (plus time) is the common key across data types
      10. Explore Network Security Monitoring Tools
      11. Challenge
    3. Understanding Incident Analysis in a Threat Centric SOC
      1. Classic Kill Chain Model Overview
        1. R W D E I C A
      2. Kill Chain Phase 1: Reconnaissance
        1.  intelligence gathering
      3. Kill Chain Phase 2: Weaponization
        1. development of a cyber weapon that is based on reconnaissance information;
        2. such as viruses, code injection, email or phishing campaigns;
      4. Kill Chain Phase 3: Delivery
        1.  transmission of the payload to the target via a communication vector
        2. such as email attachments / phishing emails / redirection / USB devices;
        3. Delivering the payload undetected is key to success, eg. encryption, re-appearance in a new form;
      5. Kill Chain Phase 4: Exploitation
        1. describes what occurs once the malicious code is executed;
        2. Threat actors / threat agent
        3. 3 typical weaknesses: Applications / OS / Users;
        4. Selection of the exploit is important -> intended effect and gain control;
      6. Kill Chain Phase 5: Installation
        1. also as persistence phase
        2. describes actions taken by the threat actor to establish a back door to sustain persistent access;
          1. especially survive a system reboot;
      7. Kill Chain Phase 6: Command-and-Control
        1. outbound to an Internet-based controller in order to establish a communications channel;
          1. eg. long DNS queries that are initiated from multiple inside hosts to domains using randomized names;
      8. Kill Chain Phase 7: Actions on Objectives
        1. actions taken by the threat actor that are objective-dependent
      9. Applying the Kill Chain Model
        1. Recon: Reconnaissance / gathers information
          1. hardened by NGFW
        2. Stage: Weaponization, cyber criminals try to fool users into opening emails or clicking on links;
        3. Launch: Delivery, Staging sites redirect from trustworthy-looking sites to sites that launch exploit kits and/or other malicious content;
        4. Exploit: exploited to take control of the user’s system
          1. hardened by network-based and host-based anti-malware solutions
        5. Install: infect and encrypt the victim’s system—the ransomware payload.
          1. hardened by network-based and host-based anti-malware solutions
        6. Callback: CnC, the malware calls home to a CnC server, where it retrieves keys to perform the encryption or receive additional instructions;
        7. Persist: objectives
      10. Diamond Model Overview
        1. framework for analyzing events in a repeatable way so that the threats can be organized, tracked, sorted, and countered; like PDCA;
        2. Adversary: entity responsible for conducting an intrusion
          1. adversary operator is the person who is conducting the intrusion
          2. adversary customer is an entity that benefits from the intrusion
        3. Capability: tool or technique that the adversary may use in an event
          1. adversary arsenal is the complete set of the adversary’s capabilities;
        4. Victim
          1. target of the adversary
          2. Victim persona is the group of people or organization being attacked;
          3. Victim asset is the physical or logical target of the attack
        5. Infrastructure
          1. the physical or logical communications nodes that the adversary uses to establish and maintain command and control over their capabilities, such as Internet / USB sticks
          2. 3 types
            1. Type 1: owned and controlled by the adversary
            2. Type 2: co-opted by the adversary, but is owned by a third party
            3. Service providers: entities that provide type 1 and type 2 infrastructures and include entities such as an ISP
          3. Questions utilized in the diamond model
            1. What infrastructure was utilized?
            2. What was the target (victim)?
            3. What methods (capability) were used?
        6. Meta-features
          1. Timestamp: When start or end:
          2. Phase: group of events
          3. Result: Success / Failure / Unknown
          4. Direction: eg. adversary to victim / victim to adversary
          5. Methodology: generic class of activity used, such as DoS / phishing
          6. Resources: external resource that is used by adversary
      11. Applying the Diamond Model
        1. fundamentally supports analytic pivoting;
        2. adversary-centered approach: monitoring an adversary directly to discover them
        3. victim-centered approach: perform reactive network and host monitoring, detection, and defense operations
        4. eg. the ThreatConnect threat intelligence platform is built around the model
      12. Exploit Kits
        1. sets of tools that are utilized to gain access to a targeted host;
          1.  launching platform to deliver the payload to the targeted system
        2. attractive to threat actors because of the ease with which they can be used;
        3. If the targeted host is patched and up-to-date on all applications (Flash, Java, or Silverlight), most exploit kits will stop at the landing page;
        4. Well known Exploit Kits:
          1. Neutrino targets Java runtime environment, drops ransomware on target systems
          2. Magnitude commonly utilized to drop ransomware on target systems
          3. Angler: very versatile, utilizes a robust toolkit
          4. Nuclear: largely targets Adobe Flash vulnerabilities, and largely evades AV detection.
      13. Investigate Hacker Methodology
      14. Challenge
        1. reconnaissance phase = A solid network security posture with firewalls and intrusion detection can prevent leaking more information
        2. delivery phase = Knowledge of existing ransomware attacks and communication vectors, can aid in the prevention of delivery
        3. installation phase = User access controls and strict limits to privilege levels can also help mitigate this stage
        4. command-and-control = Network security monitoring tools can greatly help identify this phase
        5. actions on target = Unusually high amounts of traffic, connections to IP addresses that are foreign or unrecognizable, or other activities that seem out of the ordinary can indicate this type of attack
    4. Identifying Resources for Hunting Cyber Threats
      1. Cyber-Threat Hunting Concepts
        1. threat-centric SOC
          1. involves a proactive approach to detecting malicious activity that is not identified by traditional alerting mechanisms;
          2. correlate the data and determine if there is cause for further investigation
      2. Hunting Maturity Model (HMM)
        1. HM0 to HM4
        2. levels increase, analysts become more knowledgeable and sophisticated in their tactics; and more proactive;
        3. HM0: relies on alerting; not collect information from any systems outside;
        4. HM1: rely on an IDS for alerts, but also collect information from their systems to look for new threats;
        5. HM2: able to incorporate hunt techniques from external sources into their own hunt operations;
          1. Most organizations with an active hunting program will be at this level;
        6. HM3: innovative; also publish hunting procedures;
        7. HM4: able to automate many tactical-level analysis procedures;
      3. Cyber-Threat Hunting Cycle
        1. Hypothesis
          1. looking at the system from the perspective of the attacker
        2. Investigate
          1. uses tools and techniques to investigate the hypothesis
        3. Uncover
          1. TTP: tactics, techniques and procedures
          2. IOCs: Indicator of Compromise
          3. where the ultimate success of the cycle is achieved
        4. Inform and Enrich
      4. Common Vulnerability Scoring System (CVSS)
        1. chances of being compromised in the event of an attack and potential severity of damage;
        2. latest version 3.0 (at the time of these notes);
        3.  provide the end user with an overall composite score representing the severity and risk of a vulnerability
        4. 3 metrics groups: Base Metrics / Temporal Metrics / Environmental Metrics
          1. Base Metrics: variables that are constant over time and across user environments
            1. exploitability metrics
              1. attack vector (AV): Local / Adjacent / Network / Physical; the context by which vulnerability exploitation is possible; the higher the value, the more remote an attacker can be from the vulnerable component;
              2. attack complexity (AC): Low / High; conditions beyond the attacker’s control that must exist in order to exploit the vulnerability;
              3. privileges required (PR): None / Low / High; level of privileges an attacker must possess before successfully exploiting the vulnerability;
              4. user interaction (UI): None / Required; whether a user other than the attacker must participate in the exploitation;
              5. scope (S): Unchanged / Changed; whether a vulnerability in one software component can impact resources beyond its own security scope or privileges;
            2. impact metrics
              1. confidentiality (C): None / Low / High; impact to the confidentiality of the information resources that are managed by a software component due to a successfully exploited vulnerability;
              2. integrity (I): None / Low / High; impact to the integrity of the affected component’s information due to a successfully exploited vulnerability;
              3. availability (A): None / Low / High; impact to the availability of the impacted component resulting from a successfully exploited vulnerability
          2. Temporal Metrics
            1. Exploit Code Maturity (E): Not Defined / Unproven / Proof-of-Concept / Functional / High; likelihood of the vulnerability being attacked, and it is typically based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation;
            2. Remediation Level (RL): Not Defined / Unavailable / Workaround / Temporary fix / Official fix; patching practices;
            3. Report Confidence (RC): Not Defined / Unknown / Reasonable / Confirmed; degree of confidence in the existence of the vulnerability and the credibility of the known technical details;
          3. Environmental Metrics: to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization
            1. Security Requirements (CR, IR, AR): Not Defined / Low / Medium / High; depends on user’s organization;
            2. Modified Base Metrics: MAV, MAC, MPR, MUI, MS, MC, MI, MA; to adjust the base metrics according to modifications that exist within the analyst’s environment
      5. CVSS v3.0 Scoring (maintained by FIRST)
        1. combining all the metric values according to specific formulas;
        2. to help prioritize remediation efforts;
        3. Base scoring:
          1. once base scoring is computed, it is not expected to be changed;
          2.  has the largest bearing on the final score;
        4. Temporal scoring:
          1. published with the base score, which it modifies;
          2. introduces mitigating factors that reduce the score of a vulnerability;
          3.  represents vulnerability urgency at specific points in time
        5. Environmental scoring:
          1. represents a snapshot in time and is tailored to a specific environment;
      6. CVSS v3.0 Example
        1. CVSS v3.0 score of the MySQL Stored SQL Injection vulnerability CVE-2013-0375.
      7. Hot Threat Dashboard
        1. graphical depiction of currently monitored threats;
        2. to define the criteria that must be met in order for a threat to be considered hot;
        3. Goal: to maintain an actionable list of current top hot threats (> 15);
        4. Posting a Hot Threat
          1. TLP (Traffic Light Protocol): set of designations that are used to ensure that sensitive information is shared appropriately;
            1. Red > Amber > Green > White, from most to least restrictive;
            2. Red: Not for disclosure, restricted to participants only
            3. Amber: limited disclosure, restricted to participants’ organizations; Green: limited disclosure, restricted to the community;
            4. White: Disclosure is not limited;
        5. Reviewing a Hot Threat: senior security investigator (Investigations Manager) will review and validate it to become active;
        6. Monitoring Hot Threats:
        7. Retiring Hot Threats
        8. Hot Threat Challenges
      8. Publicly Available Threat Awareness Resources
        1. OWASP (Open Web Application Security Project)
          1.  resources ranging from guides, cheat sheets, and applications to identify attacks;
          2. publish the Top 10 web application risks roughly every 3 years (the list below is the 2013 edition):
            1. Injection: improper sanitization of user input for a command or query
            2. Broken authentication and session management: failure to tie a session (eg. one not properly ended) to an individual user;
            3. XSS
            4. Insecure direct object references: by lax checks to ensure a user requesting a resource actually has permissions to access that resource; eg. address with user ID;
            5. Security misconfiguration: by improper configurations of any part of the application stack; eg. default config.;
            6. Sensitive data exposure
            7. Missing function level access control
            8. Cross-site request forgery (CSRF): by a failure to ensure that each request was intentionally originated by the user
            9. Using components with known vulnerabilities: by a failure to properly patch
            10. Unvalidated redirects and forwards
        2. Spamhaus Project
          1.  analyst should use Spamhaus to determine whether a suspected email is in fact on the list of known malicious spam;
          2. Block lists:
            1. SBL:  Spamhaus Block List, list targeting IP addresses of known spammers;
            2. Exploits block list: XBL, hosts that are known to be infected or misconfigured and facilitating illegitimate traffic;
            3. Policy block list: PBL,  do not have legitimate reason to be directly relaying email;
            4. Domain block list: DBL, list of domains that are being utilized in spam;
        3. Alexa: website traffic analytic
        4. Farsight Security’s DNSDB:  provides information to security analysts about DNS
      9. Lab: Hunt Malicious Traffic
      10. Challenge
    5. Understanding Event Correlation and Normalization
      1. Event Sources
        1. Types
          1. DHCP server: transaction data of IP assignments;
          2. DNS server: transaction data of queries and responses;
          3. AAA server: Alert data of successful / failed authentication and authorization events;
          4. NetFlow-capable network device: Session data; Statistical data
          5. IPS: Alert data from triggers of rules / signatures;
          6. Firewall: Session data, Packet captures, Statistical data;
          7. Proxy (web and email): transaction data, extracted data;
        2. Identity and Access Management: provide AAA services
        3. AntiVirus: alert data;
        4. Application Logs: transactional and statistical data
      2. Evidence
        1. Types
          1. Direct evidence: not require any reasoning to reach the conclusion;
          2. Circumstantial evidence: Requires an inference linking the evidence to the conclusion
          3. Corroborating evidence: supports an assertion that is supported by previously obtained evidence
          4. Best evidence: the original, most reliable form of the evidence (eg. the malware file itself rather than only a sandbox detonation report of it);
        2. Digital Forensics
          1. Collection
          2. Examination
          3. Analysis
          4. Reporting
      3. Security Data Normalization
        1. manipulating various security event data and fitting it into a common schema;
        2. parsers (eg. ELSA) algorithmically take the event data and extract the relevant characteristics and fill in the appropriate fields in the common schema;
      4. Event Correlation
        1. mutual relationship or connection between two or more things;
        2. MUST be keyed on the IP 5-tuple (plus time) to correlate events across sources;
        3. correlated events provide much more detail and context to the analyst than can be obtained from any single event;
        4. Correlation is performed after normalization;
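Added example (not the course's or ELSA's code): parsers for three constructed records, one each in Bro conn.log, Cisco ASA syslog and Snort fast-alert shape, that fill one common schema, followed by a correlation step that groups the normalized events on a direction-agnostic IP 5-tuple within a time window. The reduced column set, the assumed year for timestamps that carry none, and the alert text are assumptions for the example.

```python
"""Normalize events from three NSM sources into one schema, then correlate on the
IP 5-tuple (added example; not code from the Cisco course or from ELSA)."""
import re
from datetime import datetime, timezone

YEAR = 2017   # syslog and Snort fast timestamps carry no year; assumed here

# Constructed sample records, not real captures. Bro rows use a reduced subset
# of conn.log columns (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto);
# the firewall line imitates a Cisco ASA "connection built" message; the alert
# is in Snort "fast" format with a made-up rule text. Documentation addresses.
BRO_CONN = [
    "1489573351.112\tCk8r2d1\t10.1.1.5\t51234\t203.0.113.10\t80\ttcp",
    "1489573360.500\tCq7zzz2\t10.1.1.7\t53011\t10.1.1.53\t53\tudp",
]
FIREWALL = [
    "Mar 15 10:22:31 fw1 %ASA-6-302013: Built outbound TCP connection 7781 "
    "for outside:203.0.113.10/80 (203.0.113.10/80) to inside:10.1.1.5/51234 (10.1.1.5/51234)",
]
IDS_ALERTS = [
    "03/15-10:22:31.223456  [**] [1:9000001:1] EXAMPLE web shell response [**] "
    "[Priority: 2] {TCP} 203.0.113.10:80 -> 10.1.1.5:51234",
]

ASA_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %ASA-\d-302013: Built (?:inbound|outbound) "
    r"(TCP|UDP) connection \d+ for \w+:(\S+)/(\d+) \(\S+\) to \w+:(\S+)/(\d+)")
SNORT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\] \[([\d:]+)\] (.+?) \[\*\*\].*"
    r"\{(\w+)\} (\S+):(\d+) -> (\S+):(\d+)$")


def event(ts, source, proto, sip, sport, dip, dport, detail):
    """The common schema every parser fills in (ports as ints, proto lower-case)."""
    return {"ts": ts, "source": source, "proto": proto.lower(),
            "src_ip": sip, "src_port": int(sport),
            "dst_ip": dip, "dst_port": int(dport), "detail": detail}


def _utc(text, fmt):
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()


def parse_bro(line):
    ts, uid, oh, op, rh, rp, proto = line.rstrip("\n").split("\t")
    return event(float(ts), "bro_conn", proto, oh, op, rh, rp, "uid=" + uid)


def parse_asa(line):
    m = ASA_RE.match(line)
    if not m:
        return None
    ts = _utc("%d %s" % (YEAR, m.group(1)), "%Y %b %d %H:%M:%S")
    return event(ts, "firewall", m.group(2), m.group(3), m.group(4),
                 m.group(5), m.group(6), "connection built")


def parse_snort(line):
    m = SNORT_RE.match(line)
    if not m:
        return None
    ts = _utc("%d/%s" % (YEAR, m.group(1)), "%Y/%m/%d-%H:%M:%S.%f")
    return event(ts, "ids", m.group(4), m.group(5), m.group(6),
                 m.group(7), m.group(8), "sid %s: %s" % (m.group(2), m.group(3)))


def flow_key(ev):
    """Direction-agnostic 5-tuple: each source logs src/dst from its own vantage
    point, so the two endpoints are sorted before they become the key."""
    ends = sorted([(ev["src_ip"], ev["src_port"]), (ev["dst_ip"], ev["dst_port"])])
    return (ev["proto"], ends[0], ends[1])


def normalize(bro_lines, fw_lines, ids_lines):
    events = ([parse_bro(l) for l in bro_lines] + [parse_asa(l) for l in fw_lines]
              + [parse_snort(l) for l in ids_lines])
    return [e for e in events if e is not None]


def correlate(events, window=60.0):
    """Group normalized events on the 5-tuple; a group only absorbs events within
    `window` seconds of its first one, because ephemeral ports get reused."""
    groups = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = flow_key(ev)
        for g in reversed(groups):
            if g["key"] == key and ev["ts"] - g["events"][0]["ts"] <= window:
                g["events"].append(ev)
                break
        else:
            groups.append({"key": key, "events": [ev]})
    return groups


if __name__ == "__main__":
    for g in correlate(normalize(BRO_CONN, FIREWALL, IDS_ALERTS)):
        print(g["key"])
        for ev in g["events"]:
            print("   %.3f %-9s %s" % (ev["ts"], ev["source"], ev["detail"]))
```

The grouped output is what makes the alert actionable: the IDS line alone says a suspicious response crossed the wire, the firewall line proves the connection was built, and the Bro uid is the handle for pulling the matching PCAP.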
      5. Other Security Data Manipulation
        1. Aggregation: data mining technique where data is gathered to get more information about particular variables;
          1. eg.  ELSA may be queried with simply an IP address with multiple matches;
        2. Summarization
          1. data mining technique in which compact descriptions of key data set qualities are produced;
            1. in a graphical format or in a tabular format;
            2. useful for analyzing aggregated data;
        3. Deduplication: after normalization, present all the relevant details pulled from a collection of overlapping data in a concise format;
      6. Lab: Correlate Event Logs, PCAPs, and Alerts of an attack
      7. Challenge
    6. Identifying Common Attack Vectors
      1. Obfuscated Javascript
        1. Code obfuscation: disguises the appearance of source code running on a system;
        2. Legitimately employed to reduce the overall size of the software code or application;
        3. renders JavaScript source code into a form that is not easily readable, with the intent of disguising the intended function of the code;
        4. Original: prevent JavaScript source code from being analyzed or stolen in order to protect the intellectual property;
        5. Common techniques:
          1. Automatically renaming variables to random and meaningless names;
          2. White-space randomization within the code to reduce readability;
          3. Self-modifying source code that rewrites itself as it is executed;
          4. Using character codes and string manipulation combined with the misuse of eval();
          5. Hackvertor is an online, community-based encoding/decoding tool by security pros.
          6. JSDetox is a JavaScript malware analysis tool that utilizes de-obfuscation techniques and an execution engine that emulates HTML DOM.
      2. Shellcode and Exploits
        1. payload that is attached to an exploit that will execute the desired actions (add backdoor / create VNC session) of the threat actor;
        2. provide the threat actor with command shell access on the system;
        3. DEP prevents execution of code from the stack (and other data) memory regions;
        4. ASLR randomizes the memory addresses in use so an attacker cannot predict where code and data reside; can be partially bypassed with techniques such as egg-hunting;
        5. Two variations of Shellcode payloads:
          1. Staged: designed to be very compact to fit within memory space limitations for a particular exploit
          2. Unstaged: with all portions of the payload residing within a single memory space
        6. Detection:
          1. Snort IPS
          2. on the wire, focus on detecting a pattern of code that contains a sequence of NOP instructions, commonly referred to as a NOP sled;
      3. Common Metasploit Payloads
        1. Metasploit Payloads: modules utilized during exploitation events;
        2. 3 types of payloads within Metasploit:
          1. Singles:
            1. self-contained payloads that function on their own;
            2. not dependent on the Metasploit framework for execution;
            3. well documented and the process of gaining execution of a single is easily detected and blocked;
            4. eg. netcat: after transfer, executed remotely so that it can begin performing the actions;
          2. Stagers
            1. set up a network connection between the attacker and victim;
          3. Stages
            1. used with the stagers and while much larger in comparison provide increased functionality;
            2. self-contained apart from the network setup, which the stager already provided;
          4. Others
            1. the traffic generated by a payload can draw attention, so some payloads are built to avoid it:
            2. Meterpreter: sophisticated because it is executed directly in memory;
            3. PassiveX: tunnels over HTTP through an ActiveX control in Internet Explorer to circumvent outbound firewalls;
            4. reflective DLL injection: a stage payload is injected into a compromised host process running in memory; both the VNC and Meterpreter payloads use reflective DLL injection;
      4. Directory Traversal
        1. caused by improper checking or validation of user-supplied input that is used to build a file system path; eg. via a web browser;
        2. the attacker enters several ../ (or ..\) sequences into the URL, often percent-encoded (%2e%2e%2f) or double-encoded to slip past naive filters;
        3. Modern web-server software includes input checking and has been patched, but application code that builds paths from user input remains exposed;
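Added example: the vulnerable path construction next to a hardened resolver, in Python. The document root and the request paths are assumptions; nothing is read from disk, the functions only return the path the server would open, so the difference is visible without a file system.

```python
"""Directory traversal: vulnerable path building next to a hardened resolver (added example)."""
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"          # assumed document root


def resolve_vulnerable(user_path):
    """What a naive handler opens: root + user input, with '..' honoured by the OS."""
    return posixpath.normpath(WEBROOT + "/" + user_path)


def resolve_safe(user_path, max_decode_rounds=3):
    """Return the absolute path inside WEBROOT, or None if the request escapes it."""
    p = user_path
    for _ in range(max_decode_rounds):        # attackers double-encode: %252e%252e%252f
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    if "\0" in p:                              # NUL truncation tricks in C-backed APIs
        return None
    p = p.replace("\\", "/")                   # Windows-style ..\ is the same thing
    candidate = posixpath.normpath(posixpath.join(WEBROOT, p.lstrip("/")))
    # The real check is on the *resolved* path, not on a blacklist of "../" strings:
    # whatever encoding the attacker used, it either lands under the root or it does not.
    if candidate == WEBROOT or candidate.startswith(WEBROOT + "/"):
        return candidate
    return None


if __name__ == "__main__":
    for req in ["images/logo.png", "../../../etc/passwd", "%252e%252e%252fetc/passwd"]:
        print("%-32s naive=%-22s safe=%s" % (req, resolve_vulnerable(req), resolve_safe(req)))
```

On a real server, follow the string check with `os.path.realpath` on the candidate and repeat the prefix test, so a symlink inside the root cannot point back out.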
      5. SQL Injection
        1. Used to perform attacks:
          1. Authentication bypass
          2. Information disclosure
          3. Compromised data integrity: alteration of the contents of a database;
          4. Compromised availability of data: delete information with the intent to cause harm or delete log or audit information in a database;
          5. Remote command execution
        2. IPS signatures
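Added example using an in-memory SQLite table (constructed users, not real credentials): the string-built login query that yields authentication bypass and information disclosure, next to the parameterised version that does not. The last function is the kind of naive pattern an IPS signature carries, included to show why such a signature only produces alert data and is not the fix.

```python
"""SQL injection: string-built query vs parameterised query (added example)."""
import re
import sqlite3


def setup():
    """In-memory table with constructed users; nothing here is a real credential."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input is pasted into the SQL text, so a quote
    ends the literal and the rest of the input is parsed as SQL."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Bound parameters: the driver sends values separately; they can never become SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# A naive detection pattern of the kind an IPS signature carries. It catches the
# textbook payloads below but not comments-for-spaces, case tricks or encodings,
# which is why the fix is login_safe() and the signature only buys alert data.
SQLI_PATTERN = re.compile(r"(?i)('\s*(or|and)\b|union\s+select|--|/\*|;)")


def looks_like_sqli(value):
    return SQLI_PATTERN.search(value) is not None


if __name__ == "__main__":
    conn = setup()
    bypass = "' OR 1=1 --"                                   # authentication bypass
    disclose = "' UNION SELECT name, sql FROM sqlite_master --"   # schema disclosure
    print("vulnerable, auth bypass:", login_vulnerable(conn, bypass, "x"))
    print("vulnerable, schema leak:", login_vulnerable(conn, disclose, "x"))
    print("safe, same input:       ", login_safe(conn, bypass, "x"))
    print("signature hit:          ", looks_like_sqli(bypass))
```

The UNION payload works because the injected SELECT returns the same number of columns as the original; the attacker reads table definitions out of `sqlite_master`, the SQLite equivalent of `information_schema`.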
      6. Cross-Site Scripting
        1. maliciously causing a script, typically JavaScript, to execute in the browser;
        2. 2 types:
          1. Stored (persistent):
            1. embeds the malicious code within the page that is stored on the web server itself;
            2. If the server fails to properly sanitize input, the attacker code will be posted to the page and displayed to all visiting users;
          2. Reflected (nonpersistent):
            1. includes HTML code within a link to a web address, knowing the linked page will fail to sanitize the included HTML code
          3. OWASP provides resources of best practices for developing web apps such as XSS Filter Evasion Cheat Sheet for testing;
      7. Punycode
        1. DNS names are normally ASCII; Unicode is needed for languages and scripts other than Latin;
        2. Punycode is a system for representing Unicode characters in an ASCII-only format (labels prefixed xn--) to ensure compatibility with older DNS systems;
        3. threat actor: registers look-alike (homograph) domains for phishing > redirection > stager / exploit kit…
        4. such as;
      8. DNS Tunneling
        1. other protocols can be tunneled through DNS;
        2. used for CnC (command and control), data exfiltration, or tunneling of any IP traffic;
        3. DNS tunneling tools such as Iodine;
        4. the attacker's server acts as the authoritative name server for the specific domain;
        5. benefit to the attacker: not often detected, because DNS traffic is normal on any network;
        6. drawback: slow speed;
        7. Detection:
          1. actively examining payloads for unusual content, packet size, bandwidth and frequency of requests, and looking for unusual hostnames;
      9. Pivoting (redirection)
        1. using a compromised computer to attack other computers within the same network, bypassing firewall restrictions;
        2. goal: expand access within the compromised host's network;
      10. Lab: Investigate Browser-based attacks
      11. Challenge
    7. Identifying Malicious Activity
      1. Understanding the Network Design
        1. obtain a network topology map of connected devices, or otherwise conduct your own vulnerability scan;
        2. inventory list of all network-based appliances;
        3. Categorizing the assets by priority such as critical, important, or sensitive;
        4. Identify the physical location of specific security-related devices and their data logging output;
      2. Identifying Possible Threat Actors
        1. persons or groups who initiate a malicious incident;
        2. Types
          1. Script Kiddies: unskilled, use public tools;
          2. Hacktivists (Hack Activism)
            1. promoting their own political agenda;
            2. eg. Lulz Security (LulzSec) and Anonymous
            3. not interested in covering their tracks or disguising their presence
        3. Organized Crime: driven by profits
        4. State-Sponsored / Nation-State Actors
          1. often referred to as APTs
        5. Insider Threat
          1. motivated by financial gain or by intent to harm the organization;
          2. the organization is at risk if it does not adequately monitor user and network system patterns for anomalous behavior;
      3. Log Data Search
        1. ELSA (Enterprise Log Search and Archive): syslog collection and search querying tool;
          1. correlates network and host activity by inspecting relevant syslog data; has log ingest capabilities;
        2. Parts of a syslog message (RFC 3164):
          1. facility code: different OS or syslog implementations may vary;
          2. severity level: 0-7
          3. message:
            1. TAG: the program or process that generated it;
            2. CONTENT: the message content
          4. searching syntax (Boolean operators / directives):
            1. OR
            2. groupby
          5. Modeling Network attacks:
            1. Deterministic assessment method:
              1. scenario assessment on a small or very limited set of variables
              2. relies on known data values to yield a single outcome for each proposed scenario
              3. low degree of speculation
            2. Probabilistic Impact Assessment
              1. wide range of probable scenarios, which provide a distribution of all possible outcomes
              2. high degree of speculation;
      4. NetFlow as a Security Tool
        1. records 5-tuple information (source/destination IP, source/destination port, protocol), the time of the communication, and the amount of data transferred;
        2. Factors / symptoms of suspicious flows:
          1. long active duration;
          2. application is undefined;
          3. no return traffic;
          4. inbound connection to the domain controller using an unknown application;
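The four symptoms above applied to flow records, as an added example (my code, not from the course or the notes, and not a NetFlow collector's output format). The flow records, the port-to-application map and the domain-controller address are all constructed assumptions; flows are unidirectional as a collector exports them, so "no return traffic" is decided by looking for the mirrored 5-tuple.

```python
from collections import namedtuple
from typing import List, Tuple

Flow = namedtuple("Flow", "src sport dst dport proto start duration bytes")

# Constructed assumptions: sanctioned application ports and the DC address.
KNOWN_APPS = {53: "dns", 80: "http", 443: "https", 88: "kerberos", 389: "ldap", 445: "smb"}
DOMAIN_CONTROLLERS = {"10.0.0.10"}

# Constructed unidirectional flow records (duration in seconds); not real data.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 51514, "93.184.216.34", 443, "tcp", "10:00:00", 12, 4800),
    Flow("93.184.216.34", 443, "10.0.0.5", 51514, "tcp", "10:00:00", 12, 31000),
    Flow("10.0.0.22", 40001, "203.0.113.9", 4444, "tcp", "09:00:00", 7200, 900000),
    Flow("198.51.100.7", 55000, "10.0.0.10", 9999, "tcp", "10:05:00", 3, 600),
    Flow("10.0.0.5", 60000, "10.0.0.10", 88, "udp", "10:06:00", 1, 300),
    Flow("10.0.0.10", 88, "10.0.0.5", 60000, "udp", "10:06:00", 1, 500),
]


def has_return_flow(flow: Flow, flows: List[Flow]) -> bool:
    """True when a flow with the mirrored 5-tuple was also exported."""
    return any(f.src == flow.dst and f.sport == flow.dport and
               f.dst == flow.src and f.dport == flow.sport and
               f.proto == flow.proto for f in flows)


def assess_flows(flows: List[Flow], long_seconds: int = 3600) -> List[Tuple[Flow, List[str]]]:
    """Return (flow, reasons) for every flow showing at least one symptom."""
    findings = []
    for f in flows:
        reasons = []
        # Either side may carry the well-known port: a reply flow has it as sport.
        app = KNOWN_APPS.get(f.dport) or KNOWN_APPS.get(f.sport)
        if f.duration >= long_seconds:
            reasons.append("long active duration")
        if app is None:
            reasons.append("undefined application")
        if not has_return_flow(f, flows):
            reasons.append("no return traffic")
        if f.dst in DOMAIN_CONTROLLERS and app is None:
            reasons.append("inbound to domain controller on unknown application")
        if reasons:
            findings.append((f, reasons))
    return findings
```

The two flagged flows in the sample are the long-lived outbound connection on an unknown port with nothing coming back, and the short inbound attempt against the domain controller; the web session and the Kerberos exchange, each with a mirrored flow, pass.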
      5. DNS Risk and Mitigation Tool
        1. DNS poisoning
        2. DNS tunnelling
        3. craft special DNS TXT records that contain small amounts of exfiltrated data;
        4. suspicious domain names may contain credit card numbers encoded in hex
        5. Types
          1. Fast Flux and Botnets
          2. Double IP Flux
          3. DGA (Domain Generation Algorithm)
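One detection pass covering both the DNS tunneling detection item earlier (unusual hostnames, request frequency) and the DNS risks listed here (TXT-record exfiltration, DGA names), as an added example (my code, not from the course or the notes). The query log is constructed; the thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed DNS query log, not from the notes: (client IP, query type, query name).
SAMPLE_QUERIES: List[Tuple[str, str, str]] = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "mail.example.com"),
    ("10.0.0.7", "TXT", "dGhpcyBpcyBhIHRlc3Q.zq3hk9f2.tunnel.example.net"),
    ("10.0.0.7", "TXT", "c2VjcmV0IGRhdGEgaGVyZQ.x1p0s8d7.tunnel.example.net"),
    ("10.0.0.7", "TXT", "bW9yZSBzdHVmZiBoZXJl.p9a2m4k1.tunnel.example.net"),
    ("10.0.0.9", "A", "kq3x8vz1n0wtr.org"),
]


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, dictionary words low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Last two labels. A production tool would consult the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def analyse(queries, min_label_len: int = 15, min_entropy: float = 3.5,
            min_subdomains: int = 3) -> Dict[str, object]:
    subdomains = defaultdict(set)   # parent -> distinct subdomain strings seen
    txt_count = Counter()           # parent -> number of TXT queries
    flagged = []
    for client, qtype, qname in queries:
        labels = qname.split(".")
        parent = parent_domain(qname)
        if qtype == "TXT":
            txt_count[parent] += 1
        if len(labels) > 2:
            subdomains[parent].add(".".join(labels[:-2]))
        reasons = []
        # Tunnels pack data into long subdomain labels.
        if any(len(lab) >= min_label_len for lab in labels[:-2]):
            reasons.append("long label")
        # DGA names and encoded payloads look random; the TLD itself is skipped.
        if any(shannon_entropy(lab) >= min_entropy for lab in labels[:-1]):
            reasons.append("high entropy label")
        if reasons:
            flagged.append((client, qname, reasons))
    many_subdomains = sorted(p for p, s in subdomains.items() if len(s) >= min_subdomains)
    return {"flagged_queries": flagged,
            "many_subdomains": many_subdomains,
            "txt_count": dict(txt_count)}
```

The per-query checks catch the individual encoded names; the per-parent counters catch the pattern a tunnel produces over time, many never-repeated subdomains and a TXT volume out of proportion to normal use, which is the "frequency of requests" signal the detection item mentions.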
      6. Lab: Analyze Suspicious DNS Activity
      7. Challenge
    8. Identifying Patterns of Suspicious Behavior
      1. Network Baselining
        1. a profile of how a system or network normally behaves, so that deviations from normal can be measured; will it break at some point?
        2. baselining network traffic can include NetFlow and passive DNS statistics;
        3. A baseline of logging and application transactions;
        4. Core Baseline Flowchart
      2. Identify Anomalies and Suspicious Behaviors
        1. Malicious network traffic, or traffic tunnelling
        2. Log event data is another area that is important to monitor relating to the baseline:
          1. abnormal user login behavior or login times;
          2. logs of events such as system restarts and application crashes are also very useful in identifying suspicious behavior;
        3. PowerShell usage should be monitored for suspicious activity;
          1. PowerShell logs can be the source of a flag
      3. PCAP Analysis
        1. fill in some of the unknown information to build a more complete picture of the event;
        2. Analysis via
          1. source IP and destination IP pairs;
          2. source and destination ports pairs;
          3. anomalous network protocols;
          4. any payloads that were part of the suspicious behavior
        3. Filtering: a regex (regular expression) is a sequence of characters that defines a search pattern;
      4. Delivery
        1. File analysis begins with identifying the suspicious files themselves and their child / parent processes;
        2. sandbox allows the files to be executed in a controlled environment, especially useful for reverse engineering;
        3. report: using hashes of the submitted samples, the sandbox attempts to match the file with previously known malware;
        4. the “dropper” malware component downloads a file over the network and then executes it;
      5. Lab: Investigate Suspicious Activity Using Security Onion
      6. Challenge
    9. Conducting Security Incident Investigations
      1. Security Incident Investigation Procedures
        1. 5W1H
        2. Tier 1 SOC analysts do not perform deep analysis of malware
        3. VirusTotal is a very useful tool for an analyst when investigating whether a suspected file is malicious or of no concern to the investigation
        4. Geolocation services: latitude and longitude, IP addresses
          1. such as VirusTotal, …
      2. Threat Investigation Example: China Chopper Remote Access Trojan
        1. China Chopper RAT is a back door for remotely accessing a compromised web server;
          1. two components: client interface (caidao.exe) and the web shell file on server;
          2. goal: stealing sensitive data by gaining access;
          3. web-shell files are placed on a compromised web server, and the attacker uses a custom web-shell client to perform additional exploit objectives;
          4. Difficulties:
            1. the web shell application portion of the RAT is extremely basic and small, under 4 KB, which leaves only the attacker’s caidao.exe client communications to look for;
            2. if the web shell is deployed on a secured web server using TLS or SSL, that traffic is encrypted;
          5. Investigation steps:
            1. Alert > Detect > Confirm > Remediate > Resolve;
              1. query the source and destination IP addresses with tools such as ELSA, Sguil, and Bro;
              2. analyze the HTTP traffic between the caidao.exe client and the web shell;
          6. once compromised hosts are discovered, it is best to format or re-image the OS;
      3. Lab: Investigate Advanced Persistent Threats
      4. Challenge
    10. Describing the SOC Playbook
      1. Security Analytics: closes the time gap between network compromise and threat detection
        1. purpose of security analytics is to :
          1. detect attacks as fast as possible,
          2. stop an attack, and
          3. provide detailed information to reconstruct an attack
        2. by collecting, correlating, and analyzing a wide range of event data
        3. Playbook: prescriptive collection of repeatable plays (reports and methods) to detect and respond to security incident
        4. Mitigation: a few short-term ways to stop the threat:
          1. DNS sinkhole which blocks suspicious DNS queries by domain names;
          2. BGP black-holing, which quickly blocks IP addresses across the enterprise in seconds;
          3. Device quarantine using an IAM security device
          4. Using firewall rules to block the attack
        5. Remediate: Medium- and long-term fixes
          1. Requires partnerships with IT and network teams
          2. requires the security architecture to be reviewed and may require some system modifications
      2. Playbook Definition (my thought: AI enabled in extension?)
        1. complex queries or code to find “bad stuff”; self-contained, fully documented, prescriptive procedures for finding and responding to undesired activity;
        2. a living document that brings a dramatic increase in fidelity and new detection ideas, which leads to better detection
        3. Event play in the playbook
          1. Report ID: Identifies the particular play, and provides a high-level description of the play
          2. Objective
          3. Data query: 
          4. Action
          5. Analysis: Provides the bulk of the documentation of the play, and how to interpret and act on the results of the query
          6. Reference: Allows for the documentations of any additional useful information
      3. What is in a Play?
        1. Report Identification
          1. Report Unique ID = eg. 100003
            1. leading digit of the unique ID may be used to indicate the data source;
          2. Report Type = e.g. HF or INV
            1. High fidelity (HF) means that all events from a report can be automatically processed and cannot be triggered by normal or benign activity;
              1. hardcoded strings, known host names or IPs, and regular expressions that match a particular exploit are good examples of things that can be included in a high-fidelity report;
            2. Investigative (INV): an event from a report might detail a host infection, describe a policy violation, trigger on normal activity (which may require tuning), or require additional queries;
              1. reports that cannot indicate with 100 percent certainty that an event is malicious are deemed investigative rather than high fidelity;
          3. Event Source = IDS
            1. the event source identifies which data source the report queries
          4. Report Category = MALWARE
            1. MALWARE: malicious activity or indicators of malicious activity on a system or network
          5. Description: BOT-C2
            1. a free-text description component may provide a brief summary of the detection;
        2. Objective
          1. “what” and “why” of a play;
        3. Data Query (working)
          1. implements the objective and produces the report results
          2. where the play objective changes from an English sentence to a machine-readable query
        4. Action
          1. documents the actions to take during the incident response phase
        5. Analysis
          1. documentation and training material that is needed to understand how the data query works
          2. how to interpret and act on the results of the query
          3. discusses the fidelity of the query, what the expected true positive results look like, the likely sources of false positives, and how to prioritize the analysis
          4. helps security analysts who are running the play to act on the data
        6. Reference
          1. can be managed using a tracking system such as Bugzilla (bug and ticket tracking system) – track changes and document the motivation for those changes;
          2. Comments allow for discussion
          3. additional management options like retiring reports and reopening reports
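The play structure described in "What is in a Play?" in runnable form, as an added example (my code, not from the course, the notes or the Cisco playbook). Two constructed plays run over constructed proxy log lines: a high-fidelity one keyed on a hardcoded placeholder C2 hostname, and an investigative one keyed on a missing User-Agent, which needs analyst review. The report ID convention (leading 3 = proxy) is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed proxy log lines: timestamp, client, destination host, user agent. Not real data.
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 www.example.com Mozilla/5.0",
    "2024-01-01T10:00:05Z 10.0.0.7 c2.malicious-example.test Mozilla/5.0",
    "2024-01-01T10:00:09Z 10.0.0.9 update.example.org -",
    "2024-01-01T10:00:12Z 10.0.0.7 c2.malicious-example.test -",
]

# Constructed placeholder indicator; a real play would reference a threat-intel feed.
KNOWN_C2_HOSTS = {"c2.malicious-example.test"}


@dataclass
class Play:
    report_id: str          # leading digit marks the data source (assumed: 3 = proxy)
    report_type: str        # "HF" or "INV"
    event_source: str
    category: str
    description: str
    objective: str          # the "what" and "why", in English
    data_query: Callable[[Dict[str, str]], bool]   # the objective as a machine-readable query
    action: str             # what to do during the incident response phase
    analysis: str           # fidelity, expected true positives, likely false positives
    reference: str = ""


def parse_line(line: str) -> Dict[str, str]:
    ts, client, host, ua = line.split(" ", 3)
    return {"ts": ts, "client": client, "host": host, "ua": ua}


PLAYBOOK = [
    Play("300001", "HF", "PROXY", "MALWARE", "BOT-C2",
         "Find clients contacting a known botnet controller hostname",
         lambda rec: rec["host"] in KNOWN_C2_HOSTS,
         "Open a ticket, isolate the client, re-image",
         "Exact indicator; no benign traffic matches, so every hit is actionable",
         "tracker ticket PLACEHOLDER"),
    Play("300002", "INV", "PROXY", "MALWARE", "MISSING-UA",
         "Find HTTP requests carrying no User-Agent, a common trait of malware beacons",
         lambda rec: rec["ua"] == "-",
         "Review destination and client; escalate if the destination is unknown",
         "Scripts and monitoring tools also omit the header; expect false positives and tune with an allow list"),
]


def run_play(play: Play, lines: List[str]) -> List[Dict[str, str]]:
    return [rec for rec in map(parse_line, lines) if play.data_query(rec)]


def run_playbook(playbook: List[Play], lines: List[str]) -> Dict[str, list]:
    """HF hits are processed automatically; INV hits go to an analyst queue."""
    result = {"auto": [], "queue": []}
    for play in playbook:
        for rec in run_play(play, lines):
            bucket = "auto" if play.report_type == "HF" else "queue"
            result[bucket].append((play.report_id, rec["client"], rec["host"]))
    return result
```

The split between the two buckets is the whole point of the HF/INV distinction: the data query is identical in form, but only the HF play's results can be handed to automation without a human reading the analysis section first.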
      4. Playbook Management System:
        1. Create a custom field.
        2. Track the play progress and life cycle.
        3. Provide basic notification (such as email and RSS).
        4. Run queuing and assignment functions.
        5. Automate reports and metrics.
        6. Document and log changes.
        7. New and relevant plays must be developed continually and managed using a play management system
      5. Lab: Explore SOC Playbooks
      6. Challenge
    11. Understanding the SOC metrics
      1. Security Data Aggregation
        1. SIEM: provide real-time reporting and analysis of security events;
          1. collects, sorts, processes, prioritizes, stores, and reports the alarms;
          2. creates a “single pane of glass” to monitor the enterprise
          3. goal: to reduce the time that is needed to detect and to contain the threats;
          4. e.g. host-based security controls report malicious activity to the SIEM; analysts can then correlate the incidents to a single source;
          5. a historical perspective enables the security analysts to establish a baseline; factors are:
            1. total size of log data and the time range;
        2. Main SIEM functions
          1. Log collection of event records from sources
          2. Log normalization to map log messages to a common schema (data model)
          3. Events and logs correlation to speed the detection
          4. Reporting tools to address regulation compliance reporting requirements
          5. Open source tools such as Splunk that are hosted on GitHub;
      2. Time to Detection (TTD) ( or dwell time)
        1. Stages: Malicious Event > Detected > Contained > Mitigated
        2. Duration from “Malicious Event” to “Detected”
        3. Metrics for performance / effectiveness of SOC
          1. time to detection, time to containment, and the time to mitigation;
          2. currently, TTD = 100-200 days
        4. Reduce TTD by
          1. improving and maturing SOC processes, people, and technologies;
          2. effective security controls that work across the attack continuum
      3. Security Controls Detection Effectiveness
        1. False negative:
          1. high priority: no action taken although malicious activity was present;
        2. False positive:
          1. action taken although no malicious activity was present;
          2. significantly drains SOC resources
        3. True negative: no action taken, no malicious activity;
        4. True positive: action taken, malicious activity present;
      4. SOC Metrics
        1. An effective threat-centric SOC consists of deep expertise with cutting-edge technology, leading security intelligence data, and advanced analytics to detect and investigate threats with great speed and accuracy;
          1. Speed: Faster detection and targeted mitigation
          2. Focus: Higher fidelity reduces false positives and ensures proper containment and actionable recommendations for remediation;
          3. Accuracy: Continuous monitoring and investigation plus full packet capture illuminate security blind spots;
        2. Reasons for metrics:
          1. To understand and identify the cybersecurity risk
          2. To measure the SOC effectiveness
          3. To optimize resource and investment allocation
        3. Typical metrics
          1. The mean TTD of the incident after its occurrence
          2. The mean time to contain the incident after its detection
          3. The mean time to mitigate the incident after its containment
          4. The number of incidents being detected, contained, and mitigated
          5. The percentage of the discovered incidents found using the plays in the SOC playbook
          6. The number of new plays added to the SOC playbook
          7. The number of zero-day attack detections
          8. The false positive or true positive detection rate
          9. The operational cost of running the SOC
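The first three typical metrics, the playbook percentage, and the detection-effectiveness rates from the previous item, computed from a constructed incident timeline and a constructed list of alert dispositions, as an added example (my code, not from the course or the notes). Stage names follow the Malicious Event > Detected > Contained > Mitigated sequence above.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed incident records with ISO timestamps for each stage; not real data.
INCIDENTS = [
    {"id": "INC-1", "event": "2024-03-01T08:00", "detected": "2024-03-03T08:00",
     "contained": "2024-03-03T12:00", "mitigated": "2024-03-04T08:00", "via_play": True},
    {"id": "INC-2", "event": "2024-03-05T00:00", "detected": "2024-03-05T06:00",
     "contained": "2024-03-05T08:00", "mitigated": "2024-03-06T08:00", "via_play": False},
]

# Constructed analyst dispositions for a batch of alerts (TN = suppressed correctly,
# FN = a confirmed incident the control never alerted on).
ALERT_DISPOSITIONS = ["TP", "FP", "TP", "FP", "TN", "TN", "TN", "TN", "TP", "FN"]


def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def soc_metrics(incidents: List[Dict[str, object]]) -> Dict[str, float]:
    """Mean time to detect, contain and mitigate, plus the share found via a play."""
    n = len(incidents)
    return {
        "mean_ttd_h": sum(_hours(i["event"], i["detected"]) for i in incidents) / n,
        "mean_ttc_h": sum(_hours(i["detected"], i["contained"]) for i in incidents) / n,
        "mean_ttm_h": sum(_hours(i["contained"], i["mitigated"]) for i in incidents) / n,
        "incidents": n,
        "pct_via_playbook": 100.0 * sum(1 for i in incidents if i["via_play"]) / n,
    }


def detection_effectiveness(dispositions: List[str]) -> Dict[str, float]:
    """Rates from the TP/FP/TN/FN counts the notes define."""
    c = Counter(dispositions)
    tp, fp, tn, fn = c["TP"], c["FP"], c["TN"], c["FN"]
    return {
        "precision": tp / (tp + fp),            # share of alerts worth acting on
        "false_positive_rate": fp / (fp + tn),  # the SOC-resource drain
        "recall": tp / (tp + fn),               # 1 - miss rate; misses are high priority
        "missed": fn,
    }
```

Dwell time is measured from the event, not from the alert, so the "event" timestamp has to come from the investigation (first malicious activity found in logs or PCAP), not from the SIEM's first alert.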
        4. SOC that is advancing and maturing
      5. Challenge
        1. “specific”: focuses precisely on a particular aspect
        2. “measurable”: easily identifiable
    12. Understanding the SOC WMS and automation
      1. SOC WMS Concepts
        1. a syslog server makes it easier for the analyst to manipulate and review logs from numerous devices, but it is still difficult to correlate events with different formats; hence the SIEM;
        2. WMS (Workflow Management System)
          1. software that tags and identifies an existing security event, tracks the event, and tracks the actions that are taken in dealing with those events, from detection to response to mitigation to ticketing closure;
          2. automates the remediation of a malicious action
          3. performs containment and eradication, but does not identify incidents, collect evidence, or help with approvals;
            1. such as Swimlane
          4. SOAR (security operations, analysis, and reporting) can be used
          5. Information flow: SIEM and Ticketing System > Security WMS > Security Devices;
          6. Workflow Types
            1. Sequential: flow chart-based with one-to-one stage; does not step backward;
            2. State machine: progresses from state to state; can return to a previous point;
            3. Rules-driven: based on a sequential workflow. The rules dictate the progress of the workflow;
          7. Repeatable Tasks that WMS can automate
            1. Audit log collection and enrichment
            2. Look up user information
            3. Look up device information (IP, hostname)
            4. Notifications and alerts
            5. Threat intelligence
            6. Ticket management
            7. Callouts and escalations
      2. Incident Response Workflow
        1. ensure that all incident severity levels have a defined response process;
        2. severity of that incident may change during handling
        3. During incident response, consistent and timely reporting;
        4. Roles in Incident Response flow:
          1. Tier 1 analyst: Continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context necessary to initiate Tier 2 work;
          2. Incident response handler: Manages the incident; executes containment strategies and ensures that the incident response process is followed throughout; at times, may also communicate with the business to provide periodic updates
      3. SOC WMS Integration
        1. specifically with regard to autonomous remediation;
        2. receive security events and alerts information from the SIEM and then push information or commands to security devices;
        3. WMS Integration with SIEM
        4. WMS Integration Approaches
          1. RESTful API (Representational State Transfer)
            1. uses HTTP requests to get, put, post, and delete data;
            2. WMS may leverage RESTful API to update a corporate enterprise ticket management system
          2. Command line API
            1. run directly from the command line
            2. to query a SIEM tool within the SOC in order to check the status of a particular use case
          3. TAXII
            1. standardizes the automated exchange of cyber threat information.
      4. SOC Workflow Automation Example
        1. Goals of automating SOC processes and workflow
          1. Reduce the time to detection, containment, and remediation
          2. Reduce human errors
        2. WMS Products
          1. CyberSponse
          2. Resilient Systems
          3. Proofpoint Threat Response
          4. Swimlane
      5. Challenge
    13. Describing the Incident Response Plan
      1. Incident Response Planning
      2. Incident Response Life Cycle
        1. Typical phases
          1. Preparation (Education / documentation / R&R)
          2. Identification (monitoring)
          3. Analysis: prioritize subsequent activities
          4. Containment
            1. hardest and most important decision
          5. Eradication and Recovery
          6. Lessons Learned
            1. FMEA (failure mode and effects analysis): spreadsheet, to help practitioners anticipate what might go wrong with a product or process
          7. Reporting
      3. Incident Response Policy Elements
        1. Mission, strategies, and goals
        2. Incident response approach
        3. Buy-in from senior management
        4. Communication
        5. Metrics
        6. Review
        7. Organization missions
          1. Result -> lower dwell time
      4. Incident Attack Categories
        1. Incident classifications are typically based on incident severity
        2. Common attack vectors
          1. removable media
          2. Attrition: employs brute-force methods to compromise, degrade, or destroy systems, eg. DDoS
          3. Impersonation: replacement of something benign with something malicious—for example, spoofing, MITM attacks, rogue wireless APs, and SQL injection attacks
      5. Reference: US-CERT Incident Categories
        1. common set of terms and relationships schema that is defined by the US-CERT
        2. seven incident categories (CAT 0 to CAT 6)
          1. CAT 0 – Exercise/Network Defense Testing
            1. approved activity testing of internal and external network defenses or responses;
          2. CAT 1 – Unauthorized Access
            1. an individual gains logical or physical access without permission;
          3. CAT 2 – Denial of Service (DoS)
            1. successfully prevents or impairs the normal authorized functionality;
          4. CAT 3 – Malicious Code
            1. Successful installation of malicious software
          5. CAT 4 – Improper Usage
            1. violation of acceptable computing use policies
          6. CAT 5 – Scans/Probes/Attempted Access
            1. seeks to access or identify an exploit
          7. CAT 6 – Investigation
            1. Unconfirmed incidents that are potentially malicious
      6. Regulatory Compliance Incident Response Requirements
        1. PCI DSS (Payment Card Industry – Data Security Standard)
          1. to protect cardholder data wherever it is processed, stored, or transmitted
      7. Challenge
    14. Appendix A – Describing the Computer Security Incident Response Team
      1. CSIRT Categories
        1. help ensure company, system, and data preservation by performing comprehensive investigations
        2. Investigate
        3. Mitigate
        4. Prevent
        5. Types
          1. Internal CSIRTs
          2. National CSIRTs
          3. Coordination centers: handling of incidents across various CSIRTs
          4. Analysis centers: synthesizing data from various sources to determine trends and patterns in incident activity
          5. Vendor teams: handle reports of vulnerabilities in their software or hardware products
          6. Incident response providers: offer incident response as a for-fee service
      2. CSIRT Framework (MCSR)
        1. Mission (what it sets out to do):
          1. eg. Responsible for global 24-hour monitoring, investigation, and response to cybersecurity incidents;
          2. eg. Engage in proactive threat assessment, mitigation planning, incident detection and response, incident trending with analysis, and the development of security architecture
        2. Constituency (serving Whom)
          1. serving targets and relationships
        3. Place in organization (what its roots look like)
          1. structure
        4. Relationship to others (who its peers are)
        5. Reference: Handbook for Computer Security Incident Response Teams (CSIRTs), Carnegie Mellon Software Engineering Institute
      3. CSIRT Incident Handling Services
        1. Reactive services:
          1. triggered by an event or request
          2. core component of CSIRT work, eg. incident handling service
        2. Proactive service:
          1. provide assistance and information to help prepare, protect, and secure constituent systems in anticipation of attacks and problems;
          2. reduce the number of incidents in the future;
          3. eg. security audits or assessments service
        3. Definition of CSIRTs services:
        4. Incident handling service
          1. triage: single point of contact and the focal point for accepting, collecting, sorting, ordering, and passing on incoming information for the service
          2. handling: provides support and guidance that is related to suspected or confirmed computer security incidents, threats, and attacks
          3. announcement: tailored for the constituency in various formats to disclose details
          4. feedback: an interface for media requests
      4. Challenge
    15. Appendix B – Understanding the use of VERIS (Vocabulary for Event Recordings and Incident Sharing)
      1. VERIS Overview
        1. an open format that helps organizations collect incident-related information and share it anonymously and responsibly
        2. VERIS metrics as baselines for comparison
        3. 4 A’s: Actions, Actors, Assets, Attributes
      2. VERIS Incidents Structure
        1. documented using the VERIS schema
        2. structure with five main sections: better idea of the cause and severity
          1. Incident Tracking:
            1. general information about the incident
          2. Victim Demographics
            1. describes (but does not identify) the organization that is affected by the incident
            2. compares different types of organizations or departments within a single organization
          3. Incident Description
            1. translates the incident narrative of “who did what to what (or whom) with what result” into a form that is more suitable for trending and analysis
          4. Discovery and Response
            1. focuses on the timeline of the events, how the incident was discovered, and lessons learned during the response and remediation process
          5. Impact Assessment
            1. leverages three perspectives of the impact in order to provide an understanding and measure of consequence that is associated with the incident
              1. the varieties of losses that are experienced
              2. estimate their magnitude
              3. capture a qualitative assessment of the overall effect on the organization
      3. VERIS 4 A’s
        1. the minimum information that is required to adequately describe any incident or threat scenario
        2. Actors (Agents)
          1. External actors
          2. Internal actors
          3. Partner actors: third party sharing a business relationship with the organization
        3. Actions
          1. actions describe what the threat actor did to cause or contribute to the incident
          2. every incident has at least one action
          3. Categories
            1. Malware
              1. Malware variety
              2. Malware vector
              3. Malware vulnerabilities
              4. Malware common name
            2. Hacking: all attempts to intentionally access or harm information assets without (or exceeding) authorization
              1. Hacking variety: Brute force / buffer overflow / MITM / SQL injection / DoS / path traversal
              2. Hacking vector: Command shell / VPN / Backdoor
            3. Social
              1. social tactics: phishing / scam
              2. social vector: email / IM / social media / website
            4. Misuse: use of entrusted organizational resources or privileges for any purpose contrary to what was intended
              1. Privilege abuse
              2. Data mishandling
              3. Email misuse
              4. Network misuse
              5. Illicit content
              6. Unapproved hardware
              7. Unapproved software
            5. Physical
            6. Error
            7. Environmental
        4. Assets: information assets that were compromised during the incident
          1. Network hardware
          2. Server
          3. User device
          4. Others
        5. Attributes
          1. security attributes of the identified assets that were compromised during the incident.
          2. confidentiality/possession, integrity/authenticity, and availability/utility, an extension of the “C-I-A triad”;
      4. VERIS Records
        1. the VERIS record framework can be as simple or as complicated as you need it to be;
        2. records: document the incidents in a standard way
        3. depends on the ability of security analysts and investigators to ascertain the data needed to populate the various fields in the VERIS records
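A minimal VERIS-style record and a check that the 4 A's are populated, as an added example (my code, not from the course, the notes or the VERIS project). The top-level field names follow the published VERIS JSON schema as I know it, but the record values are constructed and illustrative; treat the enumerations as assumptions and check them against the schema for the version you use.

```python
from typing import Dict, List

# Top-level VERIS record fields (assumed from the published schema; may differ by version).
REQUIRED_FIELDS = ("incident_id", "schema_version", "timeline", "victim", "discovery_method",
                   "actor", "action", "asset", "attribute")
ACTOR_KINDS = ("external", "internal", "partner", "unknown")
ACTION_KINDS = ("malware", "hacking", "social", "misuse", "physical", "error", "environmental", "unknown")
ATTRIBUTE_KINDS = ("confidentiality", "integrity", "availability")

# Constructed example record; values are illustrative, not from any real incident.
SAMPLE_RECORD = {
    "incident_id": "EXAMPLE-0001",
    "schema_version": "1.3",
    "timeline": {"incident": {"year": 2024, "month": 3}},
    "victim": {"employee_count": "Unknown"},
    "discovery_method": {"internal": {"variety": ["Log review"]}},
    "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
    "action": {"hacking": {"variety": ["SQLi"], "vector": ["Web application"]}},
    "asset": {"assets": [{"variety": "S - Web application"}]},
    "attribute": {"confidentiality": {"data": [{"variety": "Credentials"}]}},
}


def validate_record(record: Dict[str, object]) -> List[str]:
    """Return a list of problems; an empty list means the 4 A's are all present."""
    errors = []
    for field in REQUIRED_FIELDS:
        if field not in record:
            errors.append("missing field: " + field)
    if not any(k in record.get("actor", {}) for k in ACTOR_KINDS):
        errors.append("no actor category")
    if not any(k in record.get("action", {}) for k in ACTION_KINDS):
        errors.append("no action category (every incident has at least one action)")
    if not record.get("asset", {}).get("assets"):
        errors.append("no assets listed")
    if not any(k in record.get("attribute", {}) for k in ATTRIBUTE_KINDS):
        errors.append("no attribute affected")
    return errors


def four_as(record: Dict[str, object]) -> Dict[str, List[str]]:
    """Summarize the record as the 4 A's, the form used for trending across incidents."""
    return {
        "actors": [k for k in ACTOR_KINDS if k in record.get("actor", {})],
        "actions": [k for k in ACTION_KINDS if k in record.get("action", {})],
        "assets": [a.get("variety", "Unknown") for a in record.get("asset", {}).get("assets", [])],
        "attributes": [k for k in ATTRIBUTE_KINDS if k in record.get("attribute", {})],
    }
```

Validating at record-creation time is what makes the later trending possible: a record with an empty action block cannot be compared with anything in the VCDB.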
      5. VERIS Community Database (VCDB)
        1. catalogs security incidents in the public domain using the VERIS framework
        2. promotes data-driven decision making and evidence-based risk management in the information security community by creating a public repository of breach data in an open format
        3. GitHub repository
      6. Verizon Data Breach Investigations Report and Cisco Annual Security Report
      7. Challenge
  4. Follow-ups
  5. Tools:
    1. Security Onion: Linux distribution with log management, network security monitoring and IDS capabilities;
    2. Network analyst tools: Wireshark / Netwitness / OSSEC / NetFlow / Cisco Stealthwatch;
    3. Penetration testing tools: eg. Kali Linux with tools such as Metasploit Framework, Armitage, and SET (Social Engineer Toolkit)
    4. SIEM tools such as Splunk can help a SOC collect and normalize large amounts of disparate log data
    5. Capture session data by Bro
    6. ELSA can pivot directly to CapME!, which will decode the PCAP data associated with this particular TCP connection
      1. parses various event logs into a schema;
    7. threat intelligence platform called ThreatConnect
    8. Public Threat Awareness Resources:
      1. OWASP (Open Web Application Security Project).
      2. Spamhaus Project
      3. Alexa
      4. Farsight Security’s DNSDB
    9. Hackvertor is an online, community-based encoding tool by security pros.
    10. submit the hash value of a file resulting from sandbox testing;
    11. Useful blogs and feeds for security investigation:
    12. Reference: Crafting the InfoSec Playbook by Jeff Bollinger, Brandon Enright & Matthew Valites. ISBN: 978-1-491-94940-5.
    13. Karen Scarfone, Tim Grance, and Kelly Masone, Computer Security Incident Handling Guide, National Institute of Standards and Technology Special Publication SP 800-61 Revision 1, March 2008
  6. References
    1. detrimental
    2. vendor agnostic
    3. intrinsic
    4. vigilantly
    5. obfuscation
    6. disguising
    7. anomalous
  7. Exam experiences
    1. Network Intrusion Analysis
      1. HTTP and agent
    2. Incident Handling
    3. Computer Forensics
    4. retrospective security approach
    5. REGEX and search
      1. Wireshark filtering.
    6. Wireshark commands
    7. Confidentiality definition in CVSS
    8. Computer Security Incident Handling Guide: NIST Special Publication 800-61 Revision 2
SECOPS – CCSA study log (210-255)

FC7P05 -LMU MSc Project- WK1

  1. Principles
    1. a five-to-seven-year goal of forging one sword (mastering one craft): researcher and doctor;
    2. artificial intelligence / energy technology / biotechnology
  2. Hours ( / 20H)
  3. Module guidelines
    1. Topics selection
      1. Perform more reading (papers, Journals)
      2. Discuss with tutors and ask for suggestions
      3. Attend seminars
      4. Read previous theses
      5. Ask friends working in industry for ideas
    2. Rephrase your question as your aim and identify the three to five objectives
      1. Is the topic a “research-oriented” piece of work?
      2. Domain understanding, awareness of difficulties and understanding of fundamental questions.
    3. Proposal needs to be clear and sound
      1. Title, rationale, question, aim, objectives, methodology, expected outcome, deliverables, work program and initial references
      2. Realistic timetable with actions and outcomes
      3. Project categories
        1. research oriented
        2. critical review
    4. Works
      1. Original investigation
    5. Research elements
      1. problem solving, algorithm enhancement, software quality, novel approach, fundamental issues
      2. Topics: networking, software engineering, data mining, security, intelligent systems, database, wireless technology, information system, business information system, grid computing, teaching and learning, image processing…
    6. Supervision
      1. agree the frequency and format of meetings
      2. supervisors prepare and make themselves available for a meeting, only to find that the student fails to turn up without notice or explanation
      3. inform him/her of your progress at the agreed frequency and through the agreed channel, ask for advice, ask whether your progress is satisfactory and discuss your future action plans
      4. Accept criticism gracefully; it is for your own good and you will produce a better dissertation for it
      5. you get higher marks if you follow your supervisor’s guidance
      6. be well prepared for the meeting so as to keep it productive, focused and, if possible, short
      7. attend the departmental weekly seminars; they might be very helpful
    7. Librarian support
      1. the computing librarian Lynn Crothall:
    8. Talk to different members of staff and ask for papers, Journals and articles
    9. Common Past Problems
      1. do not know how to write a proposal
      2. start the project late
      3. do not consult their supervisors
      4. are unable to find other directions when they get stuck
      5. find a lack of resources and unavailability of software
      6. do not engage with the project
      7. do not conduct a thorough review of the literature
      8. demonstrate little evidence of awareness of other work
      9. do not research the topic fully
      10. have problems writing a thesis (organisation, structure, coherence, style, evaluation of own work, references…)
      11. do not report their work fully
  4. Project Plan and deliverables
    1. Time tables and outcomes
    2. Meeting frequency with advisor
    3. timetable might be in the form of a bar chart or a series of timed milestones
    4. starts from reading the literature review and finishes with submitting the dissertation
  5. Topic selection
    1. Children online studying with Moodle platform in MJ education
      1. with paypal
    2. Mobile app for MJ learning assisting STEM lessons
    3. WeChat programming with enterprise mgt, MJG CRM and project mgt
    4. Mobile visual inspection
    5. Mobile broadcasting with API and payment
    6. Raspberry PI with RFID tag system in CY manufacturing
    7. Raspberry PI with video advertising system (check everbest / ezone)
    8. Knowledge management with Wikipedia and AI in CY manufacturing
    9. AR with education
    10. enterprise cybersecurity app
    11. Enterprise System / Mobile in manufacturing / Barcode in Mobile
    12. Preparation:
      1. Mobile / Programming and data manipulation / Reporting
  6. References:
    1. Writing up research: a statistics perspective.
    2. Microsoft Azure cognitive services.


Change needs sense of urgency

  1. Job + expertise + learning + integrity + system
  2. WSUS + java
  3. AD audit report and policies
  4. AD RFS
  5. Performance reporting
  6. Production change orders: check drawings and versions in the system
  7. Part number change tracking
  8. Electronic order approval
  9. OA: template forms
  10. CACTI SNMP server
  11. SQL backup and restore
  12. Wechat programming
  13. tax expense profile
  14. Economist
  15. Scrap rates and quantity
  16. Stock level
  17. BI at sharepoint and Tablet / mobile
  18. 8S correction with scrap alerts
    1. Launch date: 10Oct2016
    2. Status: Not yet
  19. Quality level
  20. Offsite backup with documentation
  21. Windows perfmon automation / syslog / SNMP
  22. IT system applications in manufacturing and various industries
    1. Logic / flow
    2. Requirements
    3. Critical success factors
  23. Wikis:
    1. Documents library with version control,
    2. co-authoring with approval,
    3. knowledge searching

MSc resources

A. A BSc 1st Class means nothing (too many out there…); what matters is what you learned and how you sustain it to break through!

B. MBA for business; a specialist in MSc, but not in MSc IT…

Roadmap (v. 20170625)

BSc 1st -> MSc of LMU -> UST / Edinburgh -> PgD Acc / digital marketing -> MBA -> Research Degree & PhD

  1. Alumni
    1. myAluminHub in Middlesex University:
      1. Research Resources
  2. Academic writing:
    1. MDX resources:
    2. Using-academic-language:
    3. Academic vocabulary:
  3. Time management
  4. Research methods for Business Student – 5/e:
  5. Basic Business Statistics – 12e:
    1. Statistics e-resources:
  6. Harvard referencing
  7. Academic reference letter:
  8. Further MSc study:
    1. MSc Big Data Technology, HKUST:
    2. (NCC L7DSBIT) University of Gloucestershire (89th):
    3. (NCC L7DSBIT) London Metropolitan University (120th):
    4. University of Edinburgh (19th):
      1. MSc Data Science, Technology and Innovation (Medical Informatics).
      2. MSc in Digital Education
    5. University of Leeds, MA Technology, Education and Learning (14th):
    6. University of Glasgow, MSc Data Analytics (Distance Learning) (27th):
    7. University of Leicester, MSc Computer Science, SoftEng, WebTech (32nd):
    8. University of Aberdeen, MSc PM, MSc IT & MBA Digital Marketing (42nd): 
    9. Royal Holloway University of London (37th):
    10. Edinburgh Napier University (92nd):
    11. Advanced Manufacturing system by Brunel University London (52nd):
    12. De Montfort University (82nd):
      1. MSc Data Analytics.
      2. MSc Intelligent Systems and Robotics (Distance Learning).
      3. MSc Intelligent Systems (Distance Learning).
    13. Northumbria University, Information Science – Data Analytics(59th):
    14. Distance Learning postgraduate program, Lancaster University.
    15. MSc PM, Liverpool John Moores University (74th):
    16. University of Hertfordshire (79th):
      1. MSc E-learning technology (online),
      2. Online MSc courses:
    17. MSc PM, Salford University (95th, 4 intakes/yr):
    18. MSc PM, Birmingham City University (95th, but cheap):
    19. MSc IT, University of Derby (91st):
    20. MSc Data Science, University of Sunderland (103rd).
    21. MSc AI
    22. MSc Data Analytics, Deakin University in Australia.
  9. Further MBA study:
    1. UST:
    2. Imperial College London.
    3. Durham University (6th):
    4. MBA with Data Analytics, Nottingham Trent University (63rd):
    5. University of Warwick (8th):
    6. Middlesex University (78th):
    7. Leicester University (32nd):
    8. Heriot-Watt University (34th):
    9. University of Derby (91st):
    10. Most affordable:
      1. Anglia Ruskin University (110th):
      2. Leeds Beckett University (103rd):
    11. Strategic Planning / Strategic Sustainable Business
  10. Further other studies:
    1. Leicester University:
    2. Digital Brand Marketing by GLASGOW CALEDONIAN UNIVERSITY (79th): 
  11. Further Acc Study (exempt basic knowledge application / future route?):
    1. HKICPA non-Acc routes: 
    2. HKU SPACE (fast / low price):
    3. PolyU (Most expensive / best):
    4. CUHK (High entry requirements with QR registers/ best):
    5. Lingnan (Deposit / Sat only, not available at 2017/18):
  12. Distance Learning materials:
    1. Leicester University:
    2. The University of Strathclyde:
      1. MSc Operational Research (Distance learning).
      2. Business Analysis & Consulting (Distance Learning). 
    3. University of Hertfordshire:
      1. MSc Operations and Supply Chain Management (Online).
      2. MSc Manufacturing Management (Online).
    4. Robert Gordon University:
  13. Research Degrees (distance learning)
    1. LMU, Research Degree – MPhil / PhD
  14. NCC references:
    1. NCC contact:
    2. Middlesex sent official transcript to Education institute: 
  15. Others
    1. Manufacturing:
      1. MSc Manufacturing Systems Engineering and Management (MSEM).
      2. MSc Advanced Manufacturing System.
    2. MSc Gerontology.
    3. MSc Child and Youth Care.
    4. Postgraduate Search.
    5. MSc Professional Accounting with ACCA
  16. USA online Masters
    1. Masters in Predictive Analytics Online, NORTHWESTERN UNIVERSITY.
    2. Master of Science in Applied Business Analytics Degree, Boston University.

Tableau BI study log

  1. Objectives
    1. Establish formal procedures
    2. Establish advanced wiki for development
      1. OA + ERP db calculation
    3. Wide Access control by SharePoint
  2. Resources
    1. Tableau Data Visualisation Cookbook:
      1. DataSets:
    2. Tableau Getting start:
    3. Learning:
      1. Videos:
      2. Learning path to Tableau expert:
      3. Tableau tutorials:
      4. Tableau: How Fast You Can Learn It?
      5. Tableau user Doc by edu:
    4. Scenario with 8 steps and library:
    5. SQL by
    6. Differences between blend and joints, Blending data.
  3. Terms
    1. Tableau Server
    2. Tableau Desktop 8.2:
    3. Project
    4. Workbook
    5. KPI / metrics
    6. Dashboard
    7. Story
  4. BI literature review
  5. Study log
  6. Dashboard research
    1. Actions in Dashboard:
    2. 7 Business Dashboards –
    3. Let the data speak: what are the seven kinds of visualization applications in R?
    4. Tableau and SharePoint Integration:
    5. PMC Report samples by Tableau: PMCreport / ChannelDashboard
    6. Monitor production quality with a single manufacturing dashboard:
    7. Add Reference Line:
      1. Dynamic reference line:
    8. Creating Error Bars:
    9. Creating Bars in Bar chart in Tableau: 

Structures and materials of MSc Intelligent systems and robotics

  1. DMU
    1. Modules
      1. Computational Intelligence Research Methods
      2. Artificial Intelligence (AI) Programming
      3. Mobile Robots
      4. Fuzzy Logic
      5. Artificial Neural Networks
      6. Computational Intelligence Optimisation (CIO)
      7. Applied Computational Intelligence
      8. Intelligent Mobile Robots
      9. Individual Project
  2. University of Essex
    1. Modules
      1. Computer Vision
      2. Intelligent Systems and Robotics
      3. Machine Learning and Data Mining
      4. Professional Practice and Research Methodology
      5. Programming Embedded Systems
      6. Neural Networks and Deep Learning
      7. Creating and Growing a New Business Venture
      8. Electronic System Design and Integration
      9. Game Design
      10. Physics-Based Games
      11. Game Artificial Intelligence
      12. Data Science and Decision Making
  3. University of Manchester
    1. MSc ACS: Artificial Intelligence – Modules
      1. Automated Reasoning and Verification
        1. Course outline
        2. Reading list
      2. Modelling Data on the Web
        1. Course outline
        2. Reading list
      3. Principles of Digital Biology
        1. Course outline
        2. Reading list
      4. Introduction to Health Informatics
        1. Course outline
        2. Reading list
      5. Parallel Programs and their Performance
        1. Course outline
        2. Reading list
      6. Designing for Parallelism and Future Multi-core Computing
        1. Course outline
        2. Reading list
      7. Data Engineering
        1. Course outline
        2. Reading list
      8. IT Governance
        1. Course outline
        2. Reading list

ACCT6004 – BA – Mid Term preparation

  1. 24 Feb, 17:00-18:30, FTC1406 (Fortress Tower, 250 King’s Rd, Exit B, FH MTR)
  2. Contents of Mid-term
    1. Scope: Lecture 1 to Lecture 5
    2. 90 minutes
    3. Five multiple choices questions (needs review notes)
      1. Terms and definitions
        1. Assets / Liability / Equity (Net Assets)
          2. “Sum of Digits” in calculating depreciation
        2. L5 lecture note – M.C. exercises – straightforward
    4. Four Long questions
      1. Concepts
        1. Definitions and samples of
          1. Going Concern (1/2/)
          2. Accruals (1/2/)
          3. Prudent (1/2/)
          4. Relevant (1/2/)
        2. Disadvantages and Advantages of Historic cost accounting (HCA) (1/2/)
        3. Differences between:
          1. Capital expenditure and Revenue expenditure
          2. Bad and Doubtful debts
          3. Revenue and Gains
          4. Periodic and Perpetual Inventory System
      2. prepare income statement and balance sheet for sole trader accounts (30%) (start from page 13 of lecture 5 notes)
        1. L5 – Activity 6 + Activity 7
        2. In 45 minutes
        3. common problem: spending too much time matching the figures
      3. PP&E and revaluation (18%) (5 minutes – give work in progress if there is time) (Assignment 1)
        1. Why do we need to calculate depreciation? Cost allocation
        2. Pro-rata depreciation basis
        3. Net book value of years required
          1. Straight-line
          2. Reducing balance
        4. Gain / Loss on Disposal
      4. Receivables, Bad debt, doubtful debt and inventory
        1. Receivables, Bad debt and doubtful debt
          1. Provisions for doubtful debt (refer to Activity 1 and 2 of L4)
        2. Concepts of Inventory
          1. What is NRV?
          2. What is the concept of the lower of cost and NRV?
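The depreciation and disposal points above (pro-rata basis, NBV under straight-line and reducing balance, gain or loss on disposal) are easier to check against a worked schedule. The following is an added example, not part of the lecture notes; every figure in it is constructed (a machine bought 1 October for 12,000 with a 2,000 residual value, a five-year life, a 30% reducing-balance rate and a 31 December year end), and the function names are my own.

```python
"""PP&E worked example: straight-line and reducing-balance depreciation,
a pro-rata charge in the year of purchase, net book value (NBV) by year,
and the gain or loss on disposal.  All figures are constructed."""

from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def money(x):
    """Round to two decimal places, as an accounts schedule presents it."""
    return Decimal(x).quantize(CENT, rounding=ROUND_HALF_UP)


def straight_line_charge(cost, residual, life_years, months=12):
    """Straight-line: (cost - residual) / useful life, pro-rated by months held."""
    annual = (Decimal(cost) - Decimal(residual)) / Decimal(life_years)
    return money(annual * months / 12)


def reducing_balance_charge(opening_nbv, rate, months=12):
    """Reducing balance: opening NBV x rate, pro-rated by months held.
    Pass the rate as a string such as "0.30" to avoid float rounding."""
    return money(Decimal(opening_nbv) * Decimal(rate) * months / 12)


def depreciation_schedule(cost, residual, life_years, rb_rate, years,
                          first_year_months=12):
    """Year-by-year charge and closing NBV under both methods.

    The straight-line charge is capped so that NBV never falls below the
    residual value (matters in the final year after a pro-rata first year);
    the reducing-balance method never reaches zero by construction.
    """
    rows = []
    sl_nbv = rb_nbv = Decimal(cost)
    for year in range(1, years + 1):
        months = first_year_months if year == 1 else 12
        sl = min(straight_line_charge(cost, residual, life_years, months),
                 sl_nbv - Decimal(residual))
        rb = reducing_balance_charge(rb_nbv, rb_rate, months)
        sl_nbv -= sl
        rb_nbv -= rb
        rows.append({"year": year,
                     "sl_charge": sl, "sl_nbv": money(sl_nbv),
                     "rb_charge": rb, "rb_nbv": money(rb_nbv)})
    return rows


def disposal_result(proceeds, nbv):
    """Proceeds minus NBV at the date of disposal: positive = gain, negative = loss."""
    return money(Decimal(proceeds) - Decimal(nbv))


if __name__ == "__main__":
    # Constructed case: bought 1 Oct for 12,000, residual 2,000, 5-year life,
    # 30% reducing balance, year end 31 Dec, so 3 months of charge in year 1.
    sched = depreciation_schedule(12000, 2000, 5, "0.30", 3, first_year_months=3)
    for row in sched:
        print(row)
    last = sched[-1]
    print("sold for 6,000 at end of year 3:",
          "SL", disposal_result(6000, last["sl_nbv"]),
          "RB", disposal_result(6000, last["rb_nbv"]))
```

The same asset sold for the same price shows a loss under straight-line (NBV 7,500) and a gain under reducing balance (NBV 5,439): the disposal result is only ever the difference between proceeds and carrying value, so it depends entirely on the depreciation policy applied.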
  3. Objectives
    1. Practise, practise and practise.
    2. Go through all lecture materials twice
    3. Go through all lecture activities six times
    4. Activity 7 of lecture 5 is similar to the level of the mid-term exam; practise until able to finish it within 45 minutes;
  4. Requirements
    1. Go through all notes (A-1X -1D) (B-2X – 2D)
    2. notes taking for emphasized (3-5 stars) (C-1D; D-1D, E-1D, F-1D)
    3. notes taking for exam questions
    4. Memorized definitions required
    5. Go through exam-like activities with time logging (at least 6 times)
    6. Calculation practising
  5. Contents
    1. A-1D (18-19Feb)
      1. Contents
        1. L1
          1. Objectives
            1. What is accounting?
              1. recording accounting data,
              2. classifying and summarizing the transaction to a company’s performance and financial position;
              3. communicating economic information;
              4. primary objective / purpose: to ***provide information for decision-making;
              5. Four financial statements
                1. Statement of Financial Position
                2. Statement of Profit or Loss and Other Comprehensive Income
                3. Statement of Cash Flow
                4. Statement of Changes in Equity
              6. Ways of business organization
                1. Sole Proprietorship
                  1. owned by one person with or without employees
                  2. Unlimited liability: the owner is personally liable for any obligation of the business entity;
                2. Partnership
                3. Corporation / Limited companies
                  1. limited liability
                  2. ownership and management may be separated
                4. Club
            2. Conceptual Framework of Financial Reporting
              1. The need for a conceptual framework
                1. provides the concepts, principles and rules used to prepare and present financial statements, known as Generally Accepted Accounting Principles (GAAP);
                2. Four types of users
                3. Ensure consistency and comparability
                4. Common accounting conventions
                  1. Business entity concept:
                  2. Double entry (Duality)
                  3. Historical cost
                  4. Materiality
                  5. Going concern
                  6. Accrual (matching) concept
                  7. Prudence
                  8. Consistency
              2. Underlying assumptions
                1. accrual basis
                2. going concern basis
              3. Qualitative characteristics of financial statements
                1. Fundamental Qualitative Characteristics – Useful to users
                  1. **Relevant financial information
                    1. making a difference in the decisions made by users
                      1. predictive value: enable users to evaluate the past, present or future events;
                      2. confirmatory value: to confirm the past evaluations and assessments;
                    2. provided in time to influence the decisions
                    3. Materiality has a direct impact on the relevance of information; materiality is an entity-specific aspect of relevance based on the nature or magnitude, or both;
                  2. **Faithful Representation
                    1. information must faithfully represent the effects of transactions and other events;
                    2. accounted for and presented in accordance with their substance and economic reality, not merely their legal form (substance over form);
                    3. Three characteristics
                      1. Completeness: must contain all necessary descriptions and explanations
                      2. Neutrality: free from bias
                      3. Free from error: free from material error
                2. Enhancing Qualitative Characteristics
                  1. Comparability
                    1. enables users to compare the information through time;
                    2. consistency and disclosure are required
                  2. Verifiability
                    1. different knowledgeable and independent observers could reach consensus;
                    2. direct verification: through direct observation
                    3. indirect verification: checking the inputs and recalculating the outputs using the same approach, e.g. an inventory check
                  3. Timeliness
                    1. having information available to decision-makers in time to be capable of influencing their decisions
                  4. Understandability
                    1. presented in a way that is readily understood by users who are assumed to have reasonable knowledge of business, economic activities and accounting;
                3. Limits to relevant and reliable info
                  1. balance between qualitative characteristics
                  2. timeliness
                  3. benefit must outweigh cost
                4. True and fair view
                  1. compliance with accounting standards and the Framework will help to achieve them;
              4. Elements of financial statements
                1. Assets
                2. Liabilities
                3. Equity
                4. Format of Income Statement
                5. Format of Balance Sheet
              5. Recognition and measurement of the elements of the financial statements
                1. Advantages and Disadvantages of historical cost accounting (HCA)
            3. Regulatory Framework
              1. HKFRS: HKAS & HKFRS
              2. advantages of accounting standards: consistency
              3. disadvantages of accounting standards:
                1. different companies have different operating conditions
                2. for small companies the cost may outweigh the benefits
          2. Exam-like questions (need examples)
            1. Purpose of accounting? Through a process of identifying, measuring and communicating economic information to provide information for decision making;
            2. Elements of financial statements (entity-based)
              1. Assets
                1. resource controlled by the entity
                2. as a result of past events
                3. from which future economic benefits are expected to flow to the entity
              2. Liabilities
                1. a present obligation of an entity
                2. arising from past events
                3. the settlement of which is expected to result in an outflow of resources that embody economic benefits
              3. Capital
                1. residual interest in an entity after the value of all liabilities has been deducted from the value of all its assets.
                2. It is “balance sheet value” of net assets, and does not represent market value of the equity;
              4. Assets = Liabilities + Owners’ Equity
                1. Owners’ Equity = Assets – Liabilities
              5. Differences between revenue and gains
                1. Income includes both revenue and gains
                2. Revenue – income from the primary business activities, e.g. sales of manufactured goods
                3. Gains – income from activities other than the primary activities, eg. exchange gains
              6. Capital and Revenue Expenditure
                1. Capital expenditure – item is purchased for use in the business over a long period of time; classified as fixed asset; in balance sheet;
                2. Revenue Expenditure – expenditure which is not spending on increasing the value of fixed assets, but on running the business on a day-to-day basis; as expense in P/L;
              7. ***Historical cost accounting (HCA) 
                1. Advantages
                  1. provide objective measurement
                  2. simple and cheap
                  3. the profit concept is well understood
                  4. provide basis for comparison with other companies or same entity for previous year;
                2. Disadvantages
                  1. when there is a high rate of inflation
                    1. the carrying value of assets is lower than their current fair value
                    2. the income statement understates the “real” value of the cost of sales and so overstates the profit
                    3. no recognition of the effect of inflation on monetary items such as loans
            3. What are the users of conceptual framework? Users of conceptual framework include (1)the standards-setting bodies in developing new financial reporting standards, (2)preparers of financial statement in applying accounting standards, (3)auditors in forming opinions, (4)users who are interpreting financial statement;
            4. Common accounting conventions (ABCD HM GP)
              1. Business entity concept (B)
                1. the affairs of a business to be treated as being separated from the non-business activities of its owners;
              2. Double entry (Duality) (D)
                1. each transaction has two effects: a debit and the corresponding credit; eg. a buy-in transaction of a vehicle debit account of vehicle asset and credit cash in bank;
              3. Historical cost (H)
                1. the values of the accounts are based on the historic costs incurred, eg. PP&E stated at their historical costs;
                2. used to prepare financial statements traditionally;
              4. Materiality (M)
                1. an item is material if its non-disclosure could influence the economic decisions of users;
                2. materiality assessment is not only the amount but the nature and context;
              5. Going concern (G)
                1. assumes the company will continue in operational existence for the foreseeable future;
                2. Not used if: the business is going to close down in the near future; shortage of cash;
              6. ***Accrual (matching) concept (A)
                1. Transactions and events are recognized when they occur and they are recorded and reported in the financial statements of the periods to which they relate;
                2. for instance, a business recognizes revenue when it has delivered its product;
              7. Prudence (P)
                1. Under conditions of uncertainty, judgement must be exercised cautiously in making the estimates required, so that assets or income are not overstated and liabilities or expenses are not understated;
                2. Provisions are made for all known liabilities , expenses and losses;
                3. Prudence concept overrides that of accrual;
              8. Consistency (C)
                1. a company should be consistent in its accounting treatment of similar items;
                2. to enable comparability;
              9. Bad and Doubtful debts
                1. Bad Debt: is a trade receivable that is uncollectible;
                2. Doubtful debts: is a trade receivable that there is some doubt as to its collectibility;
              10. Perpetual and Periodic Inventory System
                1. Periodic Inventory system
                2. Perpetual Inventory system
                3. Small organizations VS medium and large organizations
                4. No update VS continuous update for movement of inventory
                5. Must stocktake VS may stocktake for inventory verification
                6. Purchases account VS Inventory account to have updated value;
              11. Inventory
                1. NRV?
                  1. Net Realizable value (NRV): estimated selling price less cost of selling;
                2. Lower of cost and NRV?
                  1. Inventory should be valued at the lower of cost and net realizable value, item by item;
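The two measurement rules in items 9 and 11 above (allowance for doubtful debts after writing off bad debts; inventory at the lower of cost and NRV) both turn on applying a comparison at the right level. The following is an added worked example, not from the lecture notes; the stock lines and receivables figures are constructed and the function names are my own.

```python
"""Inventory at the lower of cost and NRV (applied item by item) and the
allowance for doubtful debts.  All figures are constructed for illustration."""

from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def money(x):
    """Round to two decimal places, as the accounts present it."""
    return Decimal(x).quantize(CENT, rounding=ROUND_HALF_UP)


def net_realisable_value(selling_price, costs_to_sell):
    """NRV = estimated selling price less the costs of completing and selling."""
    return money(Decimal(selling_price) - Decimal(costs_to_sell))


def total_cost(lines):
    """Inventory at cost only, for comparison with the lower-of rule."""
    return money(sum(Decimal(ln["qty"]) * Decimal(ln["unit_cost"]) for ln in lines))


def value_inventory(lines):
    """Value each line at the lower of its unit cost and unit NRV.

    The comparison is made per item, not on the totals: the margin on one
    line is never allowed to offset a write-down on another.  Returns the
    total carrying value and a per-line breakdown.
    """
    total = Decimal(0)
    detail = []
    for ln in lines:
        qty = Decimal(ln["qty"])
        unit_cost = Decimal(ln["unit_cost"])
        unit_nrv = net_realisable_value(ln["selling_price"], ln["costs_to_sell"])
        unit_value = min(unit_cost, unit_nrv)
        detail.append({"item": ln["item"],
                       "unit_nrv": unit_nrv,
                       "line_value": money(unit_value * qty),
                       "write_down": money((unit_cost - unit_value) * qty)})
        total += unit_value * qty
    return money(total), detail


def doubtful_debt_adjustment(receivables, bad_debts, allowance_rate, opening_allowance):
    """Write off known bad debts first, then size the allowance on what is left.

    The bad debt written off plus the movement in the allowance is the
    profit-or-loss charge; the closing allowance is deducted from
    receivables on the balance sheet.
    """
    net = Decimal(receivables) - Decimal(bad_debts)
    closing_allowance = money(net * Decimal(allowance_rate))
    movement = closing_allowance - Decimal(opening_allowance)
    return {"receivables_after_write_off": money(net),
            "closing_allowance": closing_allowance,
            "allowance_movement": money(movement),
            "pl_charge": money(Decimal(bad_debts) + movement),
            "balance_sheet_receivables": money(net - closing_allowance)}


# Constructed stock lines: B sells below cost, A and C do not.
STOCK = [
    {"item": "A", "qty": 100, "unit_cost": "5.00", "selling_price": "8.00", "costs_to_sell": "0.50"},
    {"item": "B", "qty": 40, "unit_cost": "12.00", "selling_price": "11.00", "costs_to_sell": "1.00"},
    {"item": "C", "qty": 10, "unit_cost": "20.00", "selling_price": "20.00", "costs_to_sell": "0.00"},
]

if __name__ == "__main__":
    value, lines = value_inventory(STOCK)
    print("at cost:", total_cost(STOCK), "lower of cost and NRV:", value)
    for ln in lines:
        print(ln)
    # Constructed receivables: 50,000 gross, 2,000 written off, 5% allowance,
    # opening allowance 1,800 brought forward.
    print(doubtful_debt_adjustment(50000, 2000, "0.05", 1800))
```

On these lines the aggregate test would give 1,180 (total cost 1,180 is below total NRV 1,350), but the item-by-item rule writes B down by 80 and carries the inventory at 1,100; the exam questions expect the per-item figure.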
        2. L2
          1. Objectives
            1. What is accounting cycle?
            2. Record transactions in Journals
            3. The accounting equation and the balance sheet
            4. The double entry system
            5. Post Journals to Ledger Accounts
            6. Prepare a Trial Balance
            7. Prepare Financial Reports
            8. Close the Ledger
        3. L3
          1. Recording of property, plant and equipment (PP&E)
          2. Depreciation of PP&E
          3. Disposals of PP&E
          4. Revaluations of PP&E
        4. L4
          1. Balance Day Adjustments
          2. Irrecoverable debts and allowances for receivables
          3. Accruals and prepayments
        5. L5
          1. Inventories
          2. Limitations of Trial Balance
          3. Cash Discount
          4. Sole Trader accounts
    2. B-1D (19Feb)
    3. C-1D (20Feb)
    4. D-1D (21Feb)
    5. E-1D (22Feb)
    6. F-1D (23Feb)
    7. G-1D (24Feb)
  6. Results