MSc Intelligent Systems and Robotics (DMU)

  1. Portals
    1. MyDMU
  2. Student Handbooks
    1. DL students: 2 modules / semester for 2 years or 1 module / semester for 4 years;
    2. Spend 10 hours extra private study / module / week;
  3. Structures
    1. Research Method
    2. Computational Intelligence Optimisation
    3. Fuzzy Logic
  4. References
    1. Induction Presentation.pdf
    2. e-Induction: Home.
    3. Study Guides.
    4. Student-Staff Communication PathWay
    5. ISR Semester 1 modules
    6. ISR Semester 2 modules
    7. Final MSc Project
    8. Programme Leader – Dr Fabio Caraffini
      1. Curriculum Vitae
    9. Free Microsoft software for DMU enrolled students.
      1. Visual Studio – Getting started
        2. Quick Start for Visual Studio IDE
        3. Working with Python
          1. Python for beginners
          2. Learning Python
        4. Working with C++
          1. Learning C++



  1. Basic data
    1. Courses
      1. Naming standard
      2. Multi-specification naming and fees
      3. Single / multi-subject setup
    2. Classes
      1. Naming standard
    3. Students
      1. Sensitive fields: 0000000/1111111/1234567/8888888
      2. Fill in as much as possible: address / birthday / school…
    4. Other parameters
  2. Sales and fee collection
    1. Payment date
    2. Deposits / forgot to bring money
    3. Paying outstanding fees
  3. Enquiries
  4. Trial lessons / taster lessons
  5. Scheduling
    1. Assigned teacher
    2. Timetable
    3. Adding students
    4. Rescheduling
  6. Attendance (roll call)
    1. Present, lesson deducted
    2. Absent, lesson still deducted
    3. Present, no lesson deducted
  7. E-wallet carry-over
    1. Course transfer
  8. 校風云 (teacher side)
  9. 校風云 (parent side)
  10. Common errors
  11. FAQ
  12. Reference documents:
    1. Help centre:
    2. Video training:
  13. Limitations
    1. Cannot fully export receipts and individual transactions by ledger sequence
    2. Cannot budget lesson deductions for classes that are already scheduled
    3. Cannot change the class reminder time (sent centrally by the platform)
    4. Cannot add a note to a receipt once payment has been taken
    5. No linkage between steps, e.g. when a payment tops up the e-wallet, the receiving account should be selected automatically; likewise the operator should default to the current user instead of having to be filled in;
    6. Cannot customise reports
    7. Two classes, one on Saturday and one on Sunday, both under "精品常规" (premium regular) with different time slots: when entering them into the system both classes cannot be selected together, so their receipts can only be printed separately
    8. Cannot charge bank / transaction fees against lesson deductions;
    9. A submitted payment cannot be modified; it must be carried over / refunded or deleted and then re-entered; (in 校寶 the amount / course / student are locked only after the payment is confirmed received, and other details can still be edited);
    10. Lack of satisfaction feedback / log from students / parents;



Reading: Operations Management, 8/e, Slack, Brandon-Jones & Johnston

  1. Tips
    1. Visit all links in each chapter
    2. Practise, practise and practise
    3. Remember key models and QQ analysis
    4. Research and apply own experiences
  2. Content – Summary
    1. Topic 1 – Ch1 – Operations Management
      1. Objectives
        1. What is operations management
        2. Why is OM important in all types of organizations
        3. What is the input-transformation-output process
        4. What is the process hierarchy
        5. How do operations and processes differ
        6. What do operations managers do
    2. Topic 2 – Ch6
    3. Topic 3 – Ch10
    4. Topic 4 – Ch16
    5. Topic 5 – Ch2
    6. Topic 6 – Ch3
    7. Topic 7 – Ch4
    8. Topic 8 – Ch5
    9. Topic 9 – Ch7
    10. Topic 10 – Ch8
    11. Topic 11 – Ch9
    12. Topic 12 – Ch11
    13. Topic 13 – Ch12
    14. Topic 14 – Ch13
    15. Topic 15 – Ch14
    16. Topic 16 – Ch15
    17. Topic 17 – Ch17
    18. Topic 18 – Ch18
    19. Topic 19 – Ch19
  3. Content – Detailed
    1. Topic 1 – Ch1 OM
      1. Keys
        1. What is operations management
        2. Why is OM important in all types of organizations
        3. What is the input-transformation-output process
        4. What is the process hierarchy
        5. How do operations and processes differ
        6. What do operations managers do
      2. Contents
        1. OM – how organizations create and deliver services and products;
          1. uses resources to appropriately create outputs that fulfil defined market requirements
        2. 3 core functions of any organization
          1. Marketing: communicating services and products to its market to generate customer requests
          2. Product / service development: coming up with new and modified services and products;
          3. Operations – core function that creates and delivers services and products; supported by support functions (IT / HR / Acc…)
        3. OM Principle – OM is at the forefront of coping with, and exploiting developments in business and technology;
          1. OM principle – all operations produce services for their customers;
        4. Input-Output transformation
          1. Transformed resource inputs to a process are materials (transform properties of physical / location / possession), information (transform properties of status / location / possession) or customers (transform properties of accommodate / location / physiological or psychological state);
          2. Process hierarchy
            1. Process
              1. building blocks of all operations
              2. arrangement of resources or activities that transform inputs to outputs that satisfy customer needs;
              3. three levels: the process, the operation, the supply network / industry chain;
          3. OM is relevant to all parts of the business
            1. Operations
              1. creates and delivers services and products for the organizations’ external customers;
              2. management of the processes within any of the organizations’ functions;
              3. Operations and processes can reduce their costs by increasing volume, reducing variety, reducing variation and reducing visibility;
              4. OM activities will have a significant effect on the sustainability performance of any type of enterprise;
        5. Various operational process dimensions (the 4Vs)
          1. Volume of output
            1. McDonald's. High volume output -> systematized and repeated tasks -> worth specialized tools -> low unit costs;
            2. Cafe. Low volume output -> staff perform a wide range of tasks (rewarding) -> less open to systemization -> higher unit costs;
          2. Variety of output
            1. Taxi VS bus – flexibility
          3. Variation in the demand for their output
          4. Degree of visibility which customers have of the creation of their output (customer contact)
        6. What do operations manager do?
          1. Direct – steering and forming strategies
          2. Design – products, services and processes
          3. Deliver – planning, controlling and improving
          4. Develop – performance
    2. Topic 2 – Ch6
    3. Topic 3 – Ch10
    4. Topic 4 – Ch16
    5. Topic 5 – Ch2
    6. Topic 6 – Ch3
    7. Topic 7 – Ch4
    8. Topic 8 – Ch5
    9. Topic 9 – Ch7
    10. Topic 10 – Ch8
    11. Topic 11 – Ch9
    12. Topic 12 – Ch11
    13. Topic 13 – Ch12
    14. Topic 14 – Ch13
    15. Topic 15 – Ch14
    16. Topic 16 – Ch15
    17. Topic 17 – Ch17
    18. Topic 18 – Ch18
    19. Topic 19 – Ch19

Reading: Management, 13/e, Robbins and Coulter.

  1. Content – Summary
    1. Topic 1 – Ch1 (done)
    2. Topic 2 – Ch1 & Ch15 (done)
    3. Topic 3 – Ch1 & Ch2 (done)
    4. Topic 4 – Ch14 (done)
    5. Topic 5 – Ch16 (done)
    6. Topic 6 – Ch17 (done)
    7. Topic 7 – MID TERM Exam (done)
    8. Topic 8 – Ch10 & Ch11 (done)
    9. Topic 9 – Ch3
    10. Topic 10 – Ch3
    11. Topic 11 – Ch6
  2. Content – Details
    1. Chapter 1 – Managers in the Workplace (p.35-71)
      1. Objectives
        1. Explain why managers are important to organizations
        2. Tell who managers are and where they work
          1. Know how to manage your time
        3. Describe the functions, roles and skills of managers
          1. Develop your skill at being politically aware
        4. Describe the factors that are reshaping and redefining the manager’s job
        5. Explain the value of studying management
      2. Contents of Ch1
        1. Why managers are important to organizations?
          1. organizations need their managerial skills and abilities in uncertain, complex, and chaotic times;
          2. Managers are critical to getting things done in organizations;
          3. Managers contribute to employee productivity and loyalty;
        2. Who managers are and where they work:
          1. managers coordinate and oversee the work of others -> organizational goals;
          2. managers work in organization;
        3. The functions, roles, and skills of managers
          1. overseeing the efficient and effective completion of others’ work activities;
          2. 4 functions: planning, organizing, leading, controlling
          3. Mintzberg’s managerial roles: interpersonal, informational, decisional
          4. Katz’s managerial skills: technical, interpersonal, conceptual
        4. Factors that are reshaping and redefining the manager’s job
          1. PEST, changing workplaces, ethical issues, security threats;
        5. The value of studying management
          1. 3 reasons: the universality of management, the reality of work, awareness of the significant rewards and challenges;
    2. Chapter 15 – Understanding and Managing Individual Behavior (p.460 – 491)
      1. Objectives
        1. Identify the focus and goals of individual behavior within organizations
        2. Explain the role that attitudes play in job performance
        3. Describe different personality theories
          1. Know how to be more self-aware
        4. Describe perception and factors that influence it
        5. Discuss learning theories and their relevance in shaping behavior
          1. Develop your skill at shaping behavior
        6. Discuss contemporary issues in organizational behavior
      2. Keywords:
        1.  organized vs disorganized
        2. open to change VS comfortable with the familiar
      3. Contents of Ch15
        1. Challenges in understanding OB – address issues that aren’t obvious (like the hidden part of an iceberg);
        2. to understand the elements that also influence how employees behave at work;
        3. Areas
          1. Individual behavior (contributed by psychologists)
            1. Attitudes, personality, perception, learning, and motivation
          2. Group behavior (contributed by sociologists and social psychologists)
            1. Norms, roles, team building, leadership, and conflict
          3. Organizational behavior
            1. Structure, culture, and human resource policies and practices
        4. Goals of OB: explain (why), predict (how) and influence behavior;
        5. Six employee behaviors
          1. Employee productivity, absenteeism, turnover, organizational citizenship behavior (OCB), job satisfaction, and workplace misbehavior;
          2. Employee productivity: measurement of both efficiency and effectiveness;
          3. Absenteeism
          4. Turnover
          5. Organizational citizenship behavior
          6. Job satisfaction
          7. Workplace misbehavior
        6. Attitudes and Job performance
          1. Attitude: cognition, affect, and behavior
            1. Cognition: beliefs, opinions, knowledge or information held by a person
            2. Affect: what “attitude” usually refers to; the emotional or feeling part of an attitude, which can lead to behavioral outcomes;
            3. Behavior: intention to behave in a certain way
        7. Job-related attitudes: Job satisfaction, job involvement, and organizational commitment
          1. Job satisfaction: general attitude toward his or her job
            1. job satisfaction tends to increase as income increases and when the job is more challenging and allows workers more control;
            2. Strong correlation between satisfaction and productivity;
            3. Job satisfaction VS 6 employees behaviors
          2. Job involvement: degree of active participation
          3. Organizational commitment: degree to which an employee identifies with the organization and wishes to maintain membership
            1. identifying with the employing organization
            2. perceived organizational support – lead to increased job satisfaction and lower turnover;
          4. Employee engagement: when employees are connected to, satisfied with, and enthusiastic about their jobs;
            1. 2.5x more likely to be top performers than less-engaged coworkers;
          5. Attitudes and consistency
            1. people seek consistency among their attitudes and between their attitudes and behavior;
          6. Cognitive Dissonance Theory
            1. Cognitive dissonance: inconsistency between attitudes or between behavior and attitudes;
            2. The inconsistency is uncomfortable and individuals try to reduce;
              1. Factors affecting the desire to reduce dissonance
                1. importance
                2. degree of influence
                3. rewards
          7. Regularly surveying employee attitudes: averaged for work groups, departments, divisions, or the organization; (wearable technology for continuous assessment)
        8. Personality
          1. unique combination of emotional, thought, and behavior patterns; affects how a person reacts and interacts;
          2. Two most well-known personality classification approaches: Myers Briggs Type Indicator (MBTI) and the Big Five Model:
            1. MBTI: 100-question assessment, 16 personality types;
              1. Social interaction: extraversion or introversion (E or I)
              2. Preference for gathering data: sensing or intuition (S or N)
              3. Preference for decision making: thinking or feeling (T or F)
              4. Style of making decisions: judging or perceiving (J or P)
            2. Big Five Model
              1. Extraversion
              2. Agreeableness
              3. Conscientiousness
              4. Emotional stability
              5. Openness to experience
          3. Other personality traits
            1. Locus of Control: internal (controlled by own) or external (controlled by outside forces);
            2. Machiavellianism: ends / results can justify means; eg. salesperson
            3. Self-Esteem (SE)
              1. directly related to expectations for success;
              2. High SE
                1. believe they possess the ability they need to succeed at work
                2. take more risks in job selection, and choose unconventional jobs
                3. less susceptible to external influence
                4. more satisfied with their jobs than low SEs
            4. Self-Monitoring: ability to adjust behavior to external, situational factors;
              1. High self-monitors can show striking contradictions between their public persona and their private selves;
              2. Low self-monitors cannot adjust their behavior
            5. Risk Taking
            6. Proactive personality
            7. Resilience: ability to overcome challenges and turn them into opportunities;
        9. Emotions and Emotional Intelligence (EI)
          1. 5 dimensions of EI (ability to notice and to manage emotional cues and information)
            1. Self-awareness
            2. Self-management
            3. Self-motivation
            4. Empathy
            5. Social skills
          2. EI relevant to success in jobs that demand a high degree of social interaction;
        10. Perception
          1. Attribution Theory: explain how we judge people differently depending on what meaning we attribute to a given behavior;
            1. when we observe an individual’s behavior, we attempt to determine whether it was internally or externally caused;
            2. Distinctiveness: whether an individual displays different behaviors in different situations; unusual behavior is attributed to external causes, usual behavior to internal causes;
            3. Consensus: do others behave the same way in similar situations?
            4. Consistency: does person behave this way consistently?
            5. fundamental attribution error:
              1. tendency to underestimate the influence of external factors and to overestimate the influence of internal or personal factors;
              2. self-serving bias: tendency to attribute our own successes to internal factors while putting the blame for personal failure on external factors;
            6. Shortcuts used in judging others
              1. Assumed similarity: others are like oneself
              2. Stereotyping: judging a person based on the perception of a group to which he or she belongs
              3. Halo effect: general impression of an individual based on a single characteristic
        11. Learning:
          1. to explain, predict and influence behavior, we need to understand how people learn;
          2. Operant Conditioning
            1. behavior is a function of its consequences, eg. known rewards or punishment;
          3. Social learning theory: learn thru observation and direct experience
            1. Four processes
              1. Attentional processes: models that are attractive, repeatedly available, important and seen as similar to us;
              2. Retention processes: how well we remember the actions
              3. Motor reproduction processes: reproduce the action
              4. Reinforcement processes: incentives motivate individuals to exhibit the modeled behavior
          4. Shaping behavior:
            1. positive reinforcement, negative reinforcement: repeat desirable behaviors;
            2. punishment, and extinction: weakening undesirable behaviors;
        12. Contemporary issues
          1. Managing generational differences
            1. Gen Y (1982-1997)
          2. Managing negative behavior in the workplace
        13. Skills exercise – Develop your shaping behavior skill
          1. Must teach your employees the behaviors most critical to their;
            1. Identify the critical behaviors that have a significant impact on an employee’s performance;
            2. Establish a baseline of performance;
            3. Analyze the contributing factors to performance and their consequences;
            4. Develop a shaping strategy
            5. Apply the appropriate strategy
            6. Measure the change that has occurred
            7. Reinforce desired behavior
    3. Chapter 2 – Making Decisions (p.74-)
      1. Objectives
        1. Describe the eight steps in the decision-making process
          1. Develop your skills
        2. Explain the four ways managers make decisions
        3. Classify decisions and decision-making conditions
        4. Describe different decision-making styles and discuss how biases affect decision making
          1. Know how to recognize when you’re using decision-making errors and biases and what to do about it
        5. Identify effective decision-making techniques
      2. Contents of Ch2
        1. Eight steps in decision making process
          1. Identify a problem
          2. Identify decision criteria (or constraints)
          3. Allocate weights to the criteria
          4. Develop alternatives
          5. Analyze alternatives
          6. Select an alternative
          7. Implement the alternative
          8. Evaluate decision effectiveness
        2. Making decisions (approaches)
          1. rational decision making: objective and logical
          2. bounded rationality: rational decision making, but limited by an individual’s ability to process information, thus, managers satisfice rather than maximize. eg. not searching all possible alternatives;
          3. escalation of commitment:
            1. increased commitment to a previous decision despite evidence that it may have been wrong;
            2. do not want to admit that the initial decision may have been flawed, eg. Challenger space shuttle disaster;
          4. Intuitive decision making
            1. on basis of experience, feelings and accumulated judgement;
            2. Subconscious mental processing (use data from subconscious mind)
            3. Value or ethics-based decisions
            4. Experience-based decisions
            5. Affect-initiated decisions (on feelings / emotions)
            6. Cognitive-based decisions (on skills / knowledge / training)
          5. Evidence-based management (EBMgt)
            1. systematic use of the best available evidence to improve management practice
            2. four essential elements
              1. decision maker’s expertise and judgement
              2. external evidence that’s been evaluated by the decision maker
              3. opinions, preferences and values of those who have a stake in the decision
              4. relevant organizational factors such as context, circumstances and members;
        3. Types of decisions
          1. structured problems and programmed decisions
            1. straightforward, familiar and easily defined;
            2. programmed decision – repetitive decision that can be handled by a routine approach;
            3. little or no “develop-the-alternatives” stage
            4. three types of programmed decisions
              1. procedure: sequential steps
              2. rule: explicit statement about what can or cannot be done;
              3. policy: guideline for making decision with ambiguous terms that requires interpretation
          2. Unstructured problems and non-programmed decisions
            1. new or unusual problems for which info is ambiguous or incomplete
        4. Decision-making conditions: Certainty, risk, and uncertainty;
        5. Decision-making styles
          1. Linear thinking style: preference for using external data and facts and processing this information through rational and logical thinking;
          2. nonlinear thinking style: preference for internal sources of information (feelings and intuition) and processing it with internal insights;
          3. Decision-making biases and errors
            1. rules of thumb / heuristics
            2. overconfidence bias
            3. immediate gratification bias (want immediate rewards and avoid immediate costs)
            4. anchoring effect: fixating on initial information and failing to adjust from it
            5. Selective perception bias
        6. Effective decision making in Today’s World
          1. Guidelines for effective decision making
            1. Understand cultural differences
            2. Create standards for good decision making:
              1. forward looking
              2. use available information
              3. consider all available and viable options
              4. not create conflicts of interest
              5. develop your ability to think clearly
            3. Know when it’s time to call it quits
            4. Use an effective decision-making process
              1. focuses on what’s important
              2. logical and consistent
              3. acknowledges both subjective and objective thinking
              4. requires only as much info as is necessary to resolve a problem
              5. encourages and guides gathering relevant info and informed opinions
              6. straightforward, reliable, easy to use and flexible;
          2. Design thinking and decision making
            1. Design thinking: approaching management problems as designers approach design problems
          3. Big Data and Decision Making
    4. Chapter 14 – Managing Communication
      1. Objectives:
        1. Define the nature and function of communication
        2. Compare and contrast methods of interpersonal communication
        3. Identify barriers to effective interpersonal communication and how to overcome them
          1. Develop your skill at listening actively
          2. Know how to identify the differences in how genders communicate
        4. Explain how communication can flow most effectively in organizations
        5. Describe how technology affects managerial communication and organizations
        6. Discuss contemporary issues in communication
      2. Contents of Ch14:
        1. Keys: understanding the differences in how males and females communicate;
          1. males: speak and hear a language of independence and control; tend to direct;
          2. females: use communication to seek connection, closeness and intimacy; tend to be subtle / vague / evasive;
        2. Communication: the transfer and understanding of meaning;
        3. Four functions of communication: control, motivation, emotional expression, and information;
        4. Barriers to effective communication
          1. Filtering, Information overload, Defensiveness, Language (jargon), National culture;
          2. Overcome: Use Feedback, Simplify Language, Active Listening, Control Emotion, Watch non-verbal cues;
        5. Workplace design and communication
          1. enclosures and barriers;
        6. IT and communication
          1. Networked systems and Wireless capabilities
        7. Getting employee input, eg. employee suggestion box
        8. Ethical communication
          1. includes all relevant information, is true in every sense, and is not deceptive in any way;
          2. encourage ethical communication? to establish clear guidelines for ethical behavior, including ethical business communication;
          3. Manager: responsible to think through your communication choices and the consequences of those choices;
        9. Active listening skills
          1. Make eye contact
          2. Exhibit affirmative nods and appropriate facial expressions
          3. Avoid distracting actions or gestures that suggest boredom
          4. Ask questions
          5. Paraphrase what’s been said
          6. Avoid interrupting the speaker
          7. Stay motivated to listen: don’t overtalk
          8. Make smooth transitions between the roles of speaker and listener
    5. Chapter 16 – Motivating Employees
      1. Objectives
        1. Define motivation
        2. Compare and contrast early theories of motivation
        3. Compare and contrast contemporary theories of motivation
          1. Develop your skill at motivating employees
        4. Discuss current issues in motivation
          1. Know how to identify what motivates you
      2. Contents of Ch16
        1. Keys:
          1. what motivates YOU in your career;
          2. effective managers who get employees to put forth maximum effort know how and why those employees are motivated and tailor motivational practices to satisfy their needs and wants;
          3. Effort directed toward and consistent with organizational goals;
        2. Motivation – the process by which a person’s efforts are energized, directed and sustained toward attaining a goal;
        3. Four early motivation theories
          1. Maslow’s hierarchy of needs
            1. Physiological <-> Safety <-> Social <-> Esteem <-> Self-Actualization
            2. each level in the needs hierarchy must be substantially satisfied before the next need becomes dominant;
            3. Lower-order needs (physiological / safety) are satisfied externally;
            4. Maslow provided no empirical support for his theory;
          2. McGregor’s theories X and Y
            1. Theory X is negative view of people (dislike, lazy, avoid responsibility)
            2. Theory Y is positive view of people (creative, enjoy work, self-direction); guide management practice;
          3. Herzberg’s two-factor theory (motivation-hygiene theory)
            1. intrinsic factors (recognition / responsibilities) are related to job satisfaction while extrinsic factors (supervision / salary) are associated with job dissatisfaction;
            2. hygiene factors – eliminate job dissatisfaction, but don’t motivate;
            3. opposite of “satisfaction” is “no satisfaction” while opposite of “dissatisfaction” is “no dissatisfaction”;
            4. Motivators (intrinsic factors)  – increase job satisfaction and motivation;
          4. McClelland’s three-needs theory
            1. Three acquired needs are major motives in work:
              1. need for achievement (nAch)
                1. research on achievement motivation is based on people with high nAch
              2. need for power (nPow)
                1. impact / impression on others
              3. need for affiliation (nAff) 
                1. relationship with others
            2. measured by projective test TAT
        4. Contemporary Theories of Motivation (supported by research)
          1. Goal-setting Theory
            1. The proposition that specific goals increase performance and that difficult goals, when accepted, result in higher performance than do easy goals;
              1. working toward a goal (measurable) is a major source of job motivation;
              2. specific and challenging goals, once accepted, produce higher output than generalized goals;
              3. People will do better if they get feedback on how they’re progressing toward their goals
                1. Higher self-efficacy, the more confidence you have in your ability to succeed in a task;
          2. Reinforcement Theory
            1. theory that behavior is a function of its consequences;
            2. focuses solely on what happens to a person when he or she does something;
            3. influence employees’ behavior by using positive reinforcers for actions;
          3. Job design Theory
            1. managers should design jobs deliberately and thoughtfully to reflect the demands of the changing environment
            2. Job enlargement: increasing the number of tasks
              1. knowledge enlargement activities (expanding the scope of knowledge used in a job) lead to more job satisfaction, enhanced customer service, and fewer errors;
            3. Job enrichment: vertical expansion (job depth) of a job by adding planning and evaluating responsibilities;
            4. Job characteristics model (JCM)
              1. Five dimensions and their impacts on employee productivity, motivation, and satisfaction
                1. Skill variety
                2. Task identity
                3. Task significance
                4. Autonomy
                5. Feedback
              2. individual’s motivation will be stimulated by the job itself, which gives them control over their work;
          4. Equity Theory
            1. employee compares his or her job’s input-outcomes ratio with that of relevant other and then corrects any inequity;
          5. Expectancy Theory
            1. an individual tends to act in a certain way based on the expectation that the act will be followed by a given outcome and on the attractiveness of that outcome to the individual;
          6. High achievers VS general achievers
            1. high achievers are not concerned with the effort-performance, performance-reward, or reward-goals linkages;
            2. high nAch are internally driven as long as the jobs they’re doing provide them with personal responsibility, feedback and moderate risks
        5. Current issues in motivation
          1. motivating in tough economic circumstances
            1. be creative in keeping their employees’ efforts energized, directed and sustained toward achieving goals;
            2. keeps lines of communication open and to get their input on issues;
            3. establishing a common goal
            4. creating a community feel so employees could see that managers cared about them and their work;
            5. giving them opportunities to continue to learn and grow;
          2. cross cultural motivation challenges
            1. hierarchy of needs align with culture;
          3. motivating unique groups of workers
            1. professionals:
              1. chief reward is the work itself
              2. want others to think that what they are working on is important;
            2. low-skilled, minimum-wage employees
              1. money but also, employee recognition programs;
          4. Designing appropriate rewards programs
            1. Open Book Management: get employees to think like an owner
              1. sharing organization’s financial statements;
              2. require employees’ commitment to help find ways to reduce expenses and cut costs
            2. Employee Recognition Programs
            3. Pay-for-performance
    6. Chapter 17 – Being an Effective Leader
      1. Objectives
        1. Define leader and leadership
        2. Compare and contrast early theories of leadership
        3. Describe the three major contingency theories of leadership
        4. Develop your skill at choosing an effective leadership style
        5. Describe contemporary views of leadership
        6. Discuss contemporary issues affecting leadership
        7. Know how to prepare for an effective transition to a leadership position
      2. Contents of Ch17
        1. key: how to become more charismatic;
          1. Focus on others, not yourself;
          2. Be more extroverted;
          3. work on your communication skills;
          4. control your emotions;
          5. exhibit self-confidence;
        2. Leader: someone who can influence others and who has managerial authority;
          1. ideally, all managers should be leaders;
        3. leadership: a process of influencing a group to achieve goals
        4. Early Leadership theories
          1. Leadership Trait theories
            1. Drive / Desire to lead / Honesty and integrity / Self-confidence / Intelligence / Job-relevant knowledge / Extraversion / Proneness to guilt;
            2. having these traits makes someone more likely, but does not guarantee, to be an effective leader; trait theories also ignore the interactions of leaders with their group members as well as situational factors;
          2. Leadership Behavior theories
            1. University of Iowa studies
              1. autocratic style: dictates work methods, makes unilateral decisions, and limits employee participation;
              2. democratic style: involves employees in decision making, delegates authority and uses feedback;
              3. laissez-faire style: let the group make decisions and complete the work;
            2. The Ohio State studies
              1. initiating structure: the extent to which a leader defines his or her role and the roles of group members in attaining goals;
              2. consideration: the extent to which a leader has work relationships characterized by mutual trust and respect for group members’ ideas and feelings;
              3. a high-high leader (high on both) sometimes, but not always, achieved high group task performance and member satisfaction;
            3. University of Michigan studies
              1. employee oriented: emphasizing interpersonal relationships;
                1. able to get high group productivity and high group member satisfaction;
              2. production oriented: emphasizing the task aspects of the job;
            4. The managerial grid
              1. concern for people
              2. concern for production
              3. managers performed best when using a 9,9 style (team management, high concern for production, high concern for people)
        5. Contingency theories of Leadership
          1. The Fiedler Model (reflect situational factors)
            1. effective group performance depends on the proper match between a leader’s style and the degree to which the situation allows the leader to control and influence;
            2. key factor: leadership style – task oriented / relationship oriented;
              1. measured by least-preferred coworker questionnaire (LPC) (shortcomings: not practical)
            3. Improve leader effectiveness
              1. bring in a new leader whose style better fit the situation;
              2. change the situation to fit the leader
          2. Hersey and Blanchard’s Situational Leadership Theory
            1. contingency theory that focuses on followers’ readiness
              1. People are unable and unwilling
                1. Telling style: high task-low relationship
              2. People are unable but willing
                1. Selling style: high task-high relationship
              3. People are able but unwilling
                1. Participating style: low task-high relationship
              4. People are able and willing
                1. Delegating style: low task-low relationship
          3. Path-Goal Model
            1. leader’s job is to assist followers in attaining their goals and to provide direction or support needed to ensure that their goals are compatible with the goals of the group or organization;
            2. directive leader
            3. supportive leader
            4. participative leader
            5. achievement oriented leader
        6. Contemporary views of Leadership
          1. Leader-Member Exchange (LMX) Theory
            1. leaders create in-groups and out-groups and those in the in-group will have higher performance ratings, less turnover, and greater job satisfaction;
          2. Transformational-Transactional Leadership
            1. transactional leaders: lead by using social exchanges / transactions, i.e. rewards;
            2. transformational leaders:
              1. lead by stimulate and inspire followers to achieve extraordinary outcomes;
              2. develops from, and builds on top of, transactional leadership;
          3. Charismatic-Visionary Leadership
            1. Charismatic leader: an enthusiastic, self-confident leader whose personality and actions influence people to behave in certain ways;
              1. personal characteristics:
                1. they have a vision
                2. the ability to articulate that vision
                3. a willingness to take risks to achieve that vision
                4. a sensitivity to both environmental constraints and follower needs
                5. behaviors that are out of the ordinary
            2. Visionary leadership: ability to create and articulate a realistic, credible, and attractive vision of the future that improves on the present situation;
          4. Managing Power
            1. Five sources of leader power
              1. Legitimate power: power or authority a leader has as a result of his / her position; broader than the power to coerce and reward;
              2. Coercive power: power to punish or control;
              3. Reward power: power to give positive rewards;
              4. Expert power: power based on expertise / knowledge;
              5. Referent power: power that arises because of a person’s desirable resources or personal traits;
          5. Developing Trust
            1. Building trust at work:
              1. being good at what you do;
              2. being passionate about your work and people around you;
              3. ability to listen and follow through;
            2. Honest
            3. Competent
            4. Inspiring
            5. Five dimensions of trust
              1. Integrity – honesty and truthfulness
              2. Competence – technical and interpersonal knowledge and skills
              3. Consistency – reliability, predictability and good judgment
              4. Loyalty – willingness to protect and save face for another person
              5. Openness – willingness to share ideas and information freely
          6. Empowering Employees
            1. increasing the decision-making discretion of workers;
            2. For an organization to compete in a dynamic global economy, employees have to be able to make decisions and implement changes quickly;
          7. Leading Across Cultures
            1.  adjust style to situation
          8. Become an effective Leader
            1. Leader training
            2. Substitutes for Leadership: situations in which leadership is unnecessary, for example
              1. follower characteristics: experience, training, professional orientation, or need for independence;
              2. job characteristics: tasks that are inherently unambiguous and routine;
              3. organizational characteristics: explicit formalized goals, rigid rules and procedures, or cohesive work groups;
      3. Skills
        1. Team stage: forming, storming, norming, or performing;
    7. Chapter 10 – Designing Organizational Structure – Basic Designs
      1. Objectives
        1. Describe six key elements in organizational design
        2. Know how to delegate work to others and develop your skill at delegating
        3. Contrast mechanistic and organic structures
        4. Discuss the contingency factors that favor either the mechanistic model or the organic model of organizational design
        5. Describe traditional organizational designs
      2. Contents of Ch10
        1.  Keys
          1. How to delegate and control work tasks to others;
          2. Successful delegation
            1. Clarify the assignment
            2. Specify the employee’s range of discretion
            3. Allow the employee to participate
            4. Inform others that delegation has occurred
            5. Establish feedback controls to monitor progress
            6. Recognize key performance milestones and accomplishments
        2. organizational structure
          1. formal arrangement of jobs within an organization
        3. Six key elements in organizational design
          1. Work specialization
            1. dividing work activities into separate job tasks
          2. Departmentalization
            1. Functional departmentalization
            2. Geographical departmentalization
            3. Product departmentalization
            4. Process departmentalization
            5. Customer departmentalization
          3. Chain of Command – line of authority extending from upper organizational levels to lower levels, which clarifies who reports to whom;
          4. Span of control
            1. no magic number
            2. skills and abilities of the manager and the employees
            3. Information system / culture / standardized procedures…
          5. Centralization-decentralization
          6. Formalization
        4. Contrast mechanistic and organic structures
          1. mechanistic organization is a rigid and tightly controlled structure while organic is highly adaptive and flexible;
        5. Contingency factors
          1. Organization’s strategy
        6. Traditional organizational designs
    8. Chapter 11 – Designing Organizational Structure – Adaptive Designs
      1. Objectives
        1. Describe contemporary organizational designs
          1. Develop your skill at acquiring and using power
        2. Discuss how organizations organize for collaboration
        3. Explain flexible work arrangements used by organizations
        4. Discuss organizing issues associated with a contingent workforce
        5. Describe today’s organizational design challenges
      2. Contents of Ch11
        1. Keys:
          1. How to stay connected and in the organizational loop when you’re in a nontraditional working arrangement;
          2. Stay focused and productive;
          3. Communicate, communicate and communicate;
          4. Choose appropriate technology
          5. Be aware of the “people” aspects of remote work arrangements;
        2. Contemporary Organizational Designs
          1. Team Structures
          2. Matrix and Project Structures
          3. The boundaryless organization
            1. virtual organization
            2. network organization
          4. Learning Organizations
            1. developed the capacity to continuously learn, adapt, and change;
            2. must share information and collaborate on work activities;
    9. Chapter 3 – Managing the External Environment and the Organization’s Culture
      1. Objectives
        1. Contrast the actions of managers according to the omnipotent and symbolic views
        2. Describe the constraints and challenges facing managers in today’s external environment
          1. Develop your skill at scanning the environment so you can anticipate and interpret changes taking place
        3. Discuss the characteristics and importance of organizational culture
          1. Know how to read and assess an organization’s culture
        4. Describe current issues in organizational culture
      2. Contents of Ch3
        1. keys
          1. how to “read” an organization’s culture so you can find one in which you’ll be happy;
          2. To-dos:
            1. Do background work;
            2. Observe the physical surroundings and corporate symbols;
            3. How would you characterize the people you meet?
            4. Look at the organization’s HR manual (if you can);
            5. Ask questions of the people you meet;
        2. Omnipotent or Symbolic
          1. Omnipotent view of management: managers are directly responsible for an organization’s success or failure;
            1. eg. turnover among college and professional sports coaches;
          2. Symbolic view of management: much of an organization’s success or failure is due to external forces outside managers’ control;
        3. The External Environment – Constraints and Challenges
          1. The Economic Environment
            1. commodity / raw materials costs;
            2. income disparity and fiscal imbalance;
          2. The Demographic Environment
            1. certain stages in the life cycle can constrain decisions and actions taken by businesses;
          3. How the external environment affects managers
            1. Jobs and employment
            2. Environmental uncertainty: degree of change (dynamic / stable) and complexity in an organization’s environment
              1. Dynamic – unpredictable change; Predictable change is not dynamic
            3. Stakeholder relationships that exist
        4. Organizational Culture: Constraints and Challenges
          1. What is Organizational culture?
            1. shared values, principles, traditions and ways of doing things;
            2. Culture:
              1. Perception
              2. Descriptive
              3. Shared aspect of culture
            3. Seven Dimensions (Low-to-High)
              1. Innovation and Risk taking
              2. Attention to Detail
              3. Outcome Orientation
              4. People Orientation
              5. Team Orientation
              6. Aggressiveness
              7. Stability
          2. Strong Cultures
            1. greater influence on employees than weaker cultures; employees in strong cultures are more loyal than those in weak cultures;
            2. relatively high agreement on what’s important, what defines “good” employee behavior; and more it affects the way managers plan, organize, lead, and control;
            3. Research suggests there are positive correlations between strong cultures and high organizational performance;
            4. Drawback of strong culture: prevent employees from trying new approaches, especially when conditions change rapidly;
          3. Where culture comes from and how it continues
            1. behaviors of founders and top management
          4. How employees learn culture
            1. Stories
            2. Rituals
            3. Material Symbols
            4. Language
          5. How Culture affects Managers
        5. Current issues in organizational culture
          1. Creating an innovative culture
          2. Creating a Customer-Responsive Culture
          3. Spirituality and Organizational Culture
            1. Strong sense of purpose
            2. Focus on individual development
            3. Trust and openness
            4. Employee empowerment
            5. Tolerance of employee expression
      3. Skills
        1. Decide which type of environmental information is important to your work;
        2. Regularly read and monitor pertinent information;
        3. Incorporate the information you get from your environment scanning into your decisions and actions;
        4. Regularly review your environmental scanning activities;
        5. Encourage your subordinates to be alert to information that is important;
    10. Chapter 6 – Managing Social Responsibility and Ethics
    11. Chapter 7 – Managing Change and Innovation
      1. Compare and contrast views on the change process
      2. Classify types of organizational change
      3. Explain how to manage resistance to change
        1. Know how to be change ready by overcoming your resistance to change
      4. Discuss contemporary issues in managing changes
        1. Develop your skill in change management so you can serve as a catalyst for change
      5. Describe techniques for stimulating innovating
    12. Chapter 8 – Planning Work Activities
      1. Define the nature and purposes of planning
      2. Classify the types of goals organizations might have and the plans they use
      3. Compare and contrast approaches to goal-setting and planning
        1. Know how to set goals personally and create a useful, functional to-do list
        2. Develop your skill at helping your employees set goals
      4. Discuss contemporary issues in planning
    13. Chapter 9 – Managing Strategies
      1. Define strategic management and explain why it’s important
      2. Explain what managers do during the six steps of the strategic management process
        1. know how to identify your own personal strengths and weaknesses and deal with them
        2. develop your skill at strategic planning
      3. Describe the three types of corporate strategies
      4. Describe competitive advantage and the competitive strategies organizations use to get it
      5. Discuss current strategic management issues
    14. Chapter 12 – Managing HR
      1. Explain the importance of the human resource management process and the external influences that might affect that process
      2. Discuss the tasks associated with identifying and selecting competent employees
      3. Explain the different types of orientation and training
      4. Describe strategies for retaining competent, high-performing employees
      5. Discuss contemporary issues in managing human resources
    15. Chapter 13 – Creating and Managing Teams
      1. Define groups and the stages of group development
      2. Describe the major components that determine group performance and satisfaction
      3. Define teams and best practices influencing team performance
        1. Know how to maximize outcomes through effective negotiating
        2. Develop your skills at coaching team members
      4. Discuss contemporary issues in managing teams
    16. Chapter 18 – Monitoring and Controlling
      1. Explain the nature and importance of control
      2. Describe the three steps in the control process
      3. Explain how organizational and employee performance are measured
        1. Know how to be effective at giving feedback
      4. Describe tools used to measure organizational performance
      5. Discuss contemporary issues in control
        1. Develop your skills at dealing with difficult people
Reading: Management_13e, Robbins and Coulter.

SECOPS – CCSA study log (210-255)

  1. Objectives – learn and exam
    1. Cisco materials:
  2. Content summary
    1. Defining the Security Operations Center
    2. Understanding NSM Tools and Data
    3. Understanding Incident Analysis in a Threat-Centric SOC
    4. Identifying Resources for Hunting Cyber Threats
    5. Understanding Event Correlation and Normalization
    6. Identifying Common Attack Vectors
    7. Identifying Malicious Activity
    8. Identifying Patterns of Suspicious Behavior
    9. Conducting Security Incident Investigations
    10. Describing the SOC Playbook
    11. Understanding the SOC metrics
    12. Understanding the SOC WMS and automation
    13. Describing the Incident Response Plan
    14. Appendix A – Describing the Computer Security Incident Response Team
    15. Appendix B – Understanding the use of VERIS
  3. Content details
    1. Defining the Security Operations Center
      1. Types of Security Operations Centers
        1. SOC: center for network security event monitoring and incident response
        2. responsible for detecting, analyzing, and reporting unauthorized or malicious network activity
        3. 3 types (vary from different job roles, tools and technologies)
          1. Threat-centric SOCs
            1. proactive hunts for malicious threats
            2. addresses the entire attack continuum – before / during / after;
          2. Compliance-based SOCs
            1. Against reference configuration templates and std system builds;
            2. relies on detecting unauthorized changes and existing config problems;
            3. Key: link risk mgt and incident response practices to an automated system compliance process;
            4. such as benchmarks by the Center for Internet Security (CIS) or PCI DSS 2.0 (Payment Card Industry Data Security Standard);
          3. Operational-based SOCs
            1. focus on maintaining operational integrity and internal monitoring with techniques tailored to an organization’s specific network environment;
              1. Tier 1 SOC analyst: deploying tools
              2. Tier 2 SOC analyst: developing tools
            2. term: CSIRT (Computer Security Incident Response Team)
            3. addressing operational issues within an organization requires operational solutions and operational competence, not just enabling features on a device when there is a security issue;
          4.  Example of a SOC Architecture
            1. automate and customize feeds / inputs to database in which alerts are triggered and ease for analysis;
      2. SOC Analyst Tools
        1. Functions
          1. Network mapping
          2. Network monitoring
          3. Vulnerability detection
          4. Penetration testing
          5. Data collection
          6. Threat and anomaly detection
          7. Data aggregation and correlation
        2. Example tools
          1. Security Onion: Linux distribution with Log mgt, network security monitoring, IDS capabilities;
            1. Composed of Snort, Suricata and so on…
          2. Network analysis tools: Wireshark / NetWitness / OSSEC / NetFlow / Cisco Stealthwatch;
          3. Penetration testing tools: exploit weaknesses to show what an attacker could actually reach;
            1. eg. Kali Linux with tools such as Metasploit Framework, Armitage, and SET (Social-Engineer Toolkit)
            2. start with a vulnerability assessment
            3. reduce those weaknesses to an acceptable level
            4. perform a penetration test against the improved posture;
      3. Data Analytics
        1. examining and deciphering raw data or data sets with the purpose of drawing conclusions;
          1. Tier 1 analyzes real-time data over the short run and escalates potential intrusions to Tier 2 for response;
          2. Dynamic analysis:  testing and evaluation against real-time data;
        2. Log mining
          1. SIEM tools such as Splunk can help a SOC collect and normalize large amounts of disparate log data;
          2. Sequencing: reconstructing network flow
          3. Path analysis: interpretation of a chain of consecutive events
          4. Log clustering: mine through large amounts of log data to build profiles and identify anomalous behavior
          5. Predictive analysis: use the mined history to forecast future attacks
        3. Raw Network Packet Capture Analysis
          1. Netflow / WireShark / tcpdump
        4. Real-time Rule-Based Alerts
          1. Alerts from Users / HelpDesk / Hardware / Software
      4. Hybrid installations: Automated Reports, Anomaly Alerts
        1. automate as many tasks as possible in streamline
          1. Ticket generation
          2. False positive alert handling
          3. Report generation: weekly / monthly summaries
        2. Anomaly detection: alerts which are based on volume or feature patterns
          1. Volume-based anomaly alerts can come from: Statistical analysis / Frequency analysis / Time-series forecasting
          2. feature-based anomaly detection
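Added example (not from the Cisco course material): the two anomaly-alert styles above, run over a constructed sshd failure log. The baseline is built from the first six days and day 7 is checked against it, once by volume (a per-host daily count scored as a z-score against the other days) and once by feature (a source address or user name the host never saw in the baseline). The log lines, host names and addresses are invented for the example.

```python
import re
import statistics
from collections import Counter, defaultdict

# Regex for the constructed sshd failure lines used below (not a real syslog
# layout; a production parser would handle the full syslog header).
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<host>\S+) sshd: Failed password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def build_sample_log():
    """Constructed sample: six quiet baseline days on host web1 (two or three
    failures a day from known admin workstations), then a burst on day 7
    from an address and a user name never seen before."""
    lines = []
    known_sources = ["10.0.0.5", "10.0.0.6"]
    for day in range(1, 7):
        for i in range(2 + day % 2):
            src = known_sources[i % 2]
            lines.append(f"2018-03-0{day} web1 sshd: Failed password for admin from {src}")
    for _ in range(30):
        lines.append("2018-03-07 web1 sshd: Failed password for root from 198.51.100.23")
    return lines


def parse(lines):
    """Normalize raw lines into dicts; lines that do not match are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def volume_anomalies(events, threshold=3.0):
    """Volume-based (statistical) alert: for each host, a day whose failure
    count sits more than `threshold` standard deviations above the other
    days' counts. Returns (host, day, count, z_score) tuples."""
    per_host_day = defaultdict(Counter)
    for e in events:
        per_host_day[e["host"]][e["day"]] += 1
    alerts = []
    for host, counts in per_host_day.items():
        for day, n in counts.items():
            others = [c for d, c in counts.items() if d != day]
            if len(others) < 2:
                continue  # not enough history to call anything anomalous
            mean = statistics.mean(others)
            sd = statistics.pstdev(others) or 1.0  # avoid division by zero
            z = (n - mean) / sd
            if z > threshold:
                alerts.append((host, day, n, round(z, 1)))
    return alerts


def feature_anomalies(events, baseline_days):
    """Feature-based alert: a source address or user name that a host never
    saw during the baseline days. Returns sorted (host, feature, value)."""
    seen = defaultdict(set)
    for e in events:
        if e["day"] in baseline_days:
            seen[e["host"]].add(("src", e["src"]))
            seen[e["host"]].add(("user", e["user"]))
    alerts = set()
    for e in events:
        if e["day"] in baseline_days:
            continue
        for feat in ("src", "user"):
            if (feat, e[feat]) not in seen[e["host"]]:
                alerts.add((e["host"], feat, e[feat]))
    return sorted(alerts)


if __name__ == "__main__":
    evts = parse(build_sample_log())
    baseline = {f"2018-03-0{d}" for d in range(1, 7)}
    print(volume_anomalies(evts))
    print(feature_anomalies(evts, baseline))
```

The volume check needs a few baseline periods before it says anything (hence the `len(others) < 2` guard), and the feature check only ever fires on the first sighting, so on a real sensor the "seen" sets have to be persisted across runs rather than rebuilt from the same file each time.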
      5. Sufficient Staffing Necessary for an Effective Incident Response Team
      6. Roles in a Security Operations Center
        1. SOC manager
          1. prioritizing work and organizing resources with the goal of detecting, investigating, and mitigating incidents that could impact the business;
          2. determines both the day-to-day activities and the base skills that are required (workflows and SOPs) by the security analyst to perform the job successfully;
        2. Tier 1 security analyst
          1. Continuously monitors the alert queue
          2. Triages security alerts
          3. Monitors the health of the security sensors and endpoints
          4. Collects data and context necessary to initiate Tier 2 work
        3. Tier 2 security analyst
          1. Performs deep-dive incident analysis by correlating data from various sources
          2. Determines if a critical system or data set has been impacted
          3. Advises on remediation
          4. Provides support for new analytic methods that are used in threat detection
        4. Tier 3 security analyst
          1. Possesses in-depth technical knowledge on the network, endpoint, threat intelligence, forensics, malware reverse engineering, and the functioning of specific applications or underlying IT infrastructure
          2. Acts as an incident hunter, not waiting for escalated incidents
          3. Closely involved in developing, tuning, and implementing threat detection analytics
      7. Develop Key Relationships with External Resources
        1. TALOS
        2. US-CERT
        3. FIRST
        4. malwr
        5. OVE
        6. PhishTank
      8. Challenge
    2. Understanding NSM Tools and Data
      1. NSM (network security monitoring) Tools
        1. SOC analysts rely on NSM data
        2. functions
          1. collecting syslog messages
          2. moving messages from a flat log file to a database
          3. automate reports / dashboards / real-time query
        3. Commercial / Open source / homegrown
      2. NSM Data
        1. 6 types
          1. Session Data (tool: NetFlow)
            1. summary data that is associated with network conversations (who and when);
            2. IP 5-tuple
          2. Full packet capture (tools: tcpdump / Wireshark)
            1. records all the network traffic, packet by packet;
            2. in PCAP format
          3. Transaction data
            1. between session data and full packet capture
            2.  captures the details that are associated with requests and responses;
              1. eg. log GET by client; log SMTP connections
          4. Alert data
            1. produced by IDS / IPS systems
          5. Statistical data
            1. NSM data is collected over time, the data can be processed to produce statistical data
            2. performance ratio; summary
            3. produces baselines
            4. Deviations from normal are called anomalies
          6. Metadata
          7. Correlation is key for analysis
            1. eg. same time stamp of numerous packets from same IP address;
            2. connections with malicious IP addresses;
      3. Security Onion (Linux distribution that focuses on NSM)
        1. Security Onion is a turnkey NSM solution
        2. deployed as a simple standalone system or a distributed deployment;
        3. Security Onion uses netsniff-ng to perform full packet capture
      4. Full Packet Capture
        1. in PCAP (packet capture) format
        2. Consider:
          1. Location: sensing interfaces are placed at chokepoints / ingress points in the network;
          2. Method of network connection
            1. sensing interface connected to a mirror / SPAN port (cheap, but an oversubscribed switch drops mirrored packets silently)
            2. network tap (passive; sees every packet on the link)
            3. inline, where the sensor uses two interfaces and traffic is forced through the sensor between them (reliable capture, but the sensor becomes a point of failure and adds latency)
          3. NIC configuration
            1. disable checksum offload and TCP segmentation offload on the sensing interface: they improve system and network performance on a normal host, but on a sensor they hand the capture tool merged or not-yet-checksummed frames instead of what was actually on the wire (Security Onion turns them off on its sniffing interfaces);
          4. Storage size: 540 GB / day, which is roughly what a sustained 50 Mbps link produces (50 Mbps × 86,400 s / 8 ≈ 540 GB of PCAP per day); size the retention window from the link rate;
      5. Session Data
        1. IP 5-tuple
        2. capture by Bro
        3. ELSA takes the flat Bro logs and other flat log sources and stores them in a relational MySQL database with Sphinx indexing
      6. Transaction Data
        1. audit trails of client requests and server responses (SMTP / HTTP / DNS…);
      7. Alert Data
        1. produced by IDS and IPS systems
        2. analyst must:
          1. understand whether the IDS is capable of dropping malicious traffic;
          2. know how to examine the alert data to determine the actions that the IDS has taken;
      8. Other Data Types
        1. Extracted content: artifacts from real-time traffic streams or PCAP files;
          1. eg. by Bro or NetworkMiner;
          2. eg. Bro extract all email attachments;
        2. Statistical Data by ELSA
      9. Correlating NSM Data
        1. join the data types on the IP 5-tuple (source IP, source port, destination IP, destination port, protocol)
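Added example (not code from the Cisco course or from Security Onion): correlating alert data with session data on the IP 5-tuple, the join the notes above keep coming back to. The session data is a constructed Bro/Zeek conn.log excerpt parsed from its #fields header, the alert data is two constructed lines in Snort "fast" alert layout (placeholder SIDs and messages, not rules from any real ruleset), and the intel list is a single invented address. The join enriches each alert with the session's duration and byte counts, and a second pivot lists every inside host that talked to the same responder, the "connections with malicious IP addresses" check from the notes.

```python
import re

# Constructed Bro/Zeek conn.log excerpt (session data). A real conn.log has
# more columns; only the ones needed for the IP 5-tuple and a little context
# are kept. Columns are tab separated as in the real format.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state",
    "1520417702.000000\tCabc1\t10.0.0.12\t49210\t203.0.113.5\t443\ttcp\tssl"
    "\t120.5\t2048\t51200\tSF",
    "1520417710.000000\tCabc2\t10.0.0.12\t49211\t198.51.100.9\t80\ttcp\thttp"
    "\t0.8\t400\t9000\tSF",
    "1520417730.000000\tCabc3\t10.0.0.7\t53122\t203.0.113.5\t443\ttcp\tssl"
    "\t3600.0\t10240\t4096\tS1",
])

# Constructed IDS alerts in Snort "fast" alert layout; the rule SIDs and
# messages are placeholders, not rules from any real ruleset.
ALERTS = [
    "03/07-10:15:02.000000  [**] [1:1000001:1] TEST outbound TLS to watched host [**] "
    "[Priority: 1] {TCP} 10.0.0.12:49210 -> 203.0.113.5:443",
    "03/07-10:16:40.000000  [**] [1:1000002:1] TEST SSH to unknown server [**] "
    "[Priority: 2] {TCP} 10.0.0.99:41111 -> 192.0.2.1:22",
]

# Constructed threat-intel list of known-bad responder addresses.
INTEL_IPS = {"203.0.113.5"}

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_conn_log(text):
    """Parse Bro/Zeek tab-separated log text using its #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def five_tuple(src, sport, dst, dport, proto):
    """The IP 5-tuple every NSM data type can be joined on."""
    return (src, int(sport), dst, int(dport), proto.lower())


def parse_alerts(lines):
    out = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def correlate(alerts, sessions, intel_ips):
    """Join alert data to session data on the 5-tuple and tag intel hits."""
    index = {five_tuple(s["id.orig_h"], s["id.orig_p"], s["id.resp_h"],
                        s["id.resp_p"], s["proto"]): s for s in sessions}
    results = []
    for a in alerts:
        key = five_tuple(a["src"], a["sport"], a["dst"], a["dport"], a["proto"])
        s = index.get(key)  # None when the sensor holds no session for it
        results.append({
            "sid": int(a["sid"]),
            "msg": a["msg"],
            "tuple": key,
            "session_uid": s["uid"] if s else None,
            "duration": float(s["duration"]) if s else None,
            "resp_bytes": int(s["resp_bytes"]) if s else None,
            "intel_hit": a["dst"] in intel_ips,
        })
    return results


def hosts_talking_to(sessions, responder_ip):
    """Pivot: every inside host that had a session with the given responder."""
    return sorted({s["id.orig_h"] for s in sessions if s["id.resp_h"] == responder_ip})


if __name__ == "__main__":
    sessions = parse_conn_log(CONN_LOG)
    for r in correlate(parse_alerts(ALERTS), sessions, INTEL_IPS):
        print(r)
    print(hosts_talking_to(sessions, "203.0.113.5"))
```

A 5-tuple repeats over time (ephemeral ports get reused), so a production join also bounds the session timestamp to a window around the alert; the example skips that because its constructed data has one session per tuple.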
      10. Explore Network Security Monitoring Tools
      11. Challenge
    3. Understanding Incident Analysis in a Threat Centric SOC
      1. Classic Kill Chain Model Overview
        1. R W D E I C A: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command-and-Control, Actions on Objectives
      2. Kill Chain Phase 1: Reconnaissance
        1.  intelligence gathering
      3. Kill Chain Phase 2: Weaponization
        1. development of a cyber weapon that is based on reconnaissance information;
        2. such as viruses, code injection, email or phishing campaigns;
      4. Kill Chain Phase 3: Delivery
        1.  transmission of the payload to the target via a communication vector
        2. such as email attachments / phishing emails / redirection / USB devices;
        3. delivering undetected is key to success: encryption, re-appearance;
      5. Kill Chain Phase 4: Exploitation
        1. describes what occurs once the malicious code is executed;
        2. Threat actors / threat agent
        3. 3 typical weaknesses: Applications / OS / Users;
        4. Selection of the exploit is important -> intended effect and gain control;
      6. Kill Chain Phase 5: Installation
        1. also as persistence phase
        2. describes actions taken by the threat actor to establish a back door to sustain persistent access;
          1. especially survive a system reboot;
      7. Kill Chain Phase 6: Command-and-Control
        1. outbound to an Internet-based controller in order to establish a communications channel;
          1. eg. long DNS queries that are initiated from multiple inside hosts to domains using randomized names;
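Added example (not from the Cisco course): the command-and-control indicator above, long queries from several inside hosts to randomized names, scored over constructed DNS query records. The registered label (the one left of the TLD) is scored on length and Shannon entropy, and a host is reported when it resolves at least two such names; the addresses and domain names are invented, and the "one-label public suffix" rule in registered_label is a simplification of what a real tool gets from the public suffix list.

```python
import math
from collections import defaultdict

# Constructed DNS query records (inside host, name queried); not sensor data.
# Hosts 10.0.0.12 and 10.0.0.7 each resolve several random-looking names,
# the pattern described above; 10.0.0.20 only resolves ordinary names.
DNS_QUERIES = [
    ("10.0.0.12", "www.example.com"),
    ("10.0.0.12", "login.microsoftonline.com"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.12", "kx9qzv2pwt7fmb4s.info"),
    ("10.0.0.12", "hj3rn8dlyc5ga6ue.info"),
    ("10.0.0.7", "kx9qzv2pwt7fmb4s.info"),
    ("10.0.0.7", "zp1wq4mvbn7oxk9t.biz"),
    ("10.0.0.20", "login.microsoftonline.com"),
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_label(name):
    """Label just left of the TLD. Assumption: a one-label public suffix;
    a real tool would consult the public suffix list (co.uk and the like)."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(name, min_len=12, min_entropy=3.5):
    """Heuristic from the notes: a long, high-entropy registered label."""
    label = registered_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_c2_suspects(queries, min_names=2):
    """Inside hosts that resolved at least `min_names` distinct DGA-like
    names; several such hosts at once is the C2 signal described above."""
    per_host = defaultdict(set)
    for host, name in queries:
        if is_dga_like(name):
            per_host[host].add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= min_names}


if __name__ == "__main__":
    print(find_c2_suspects(DNS_QUERIES))
```

Long legitimate names come close to the threshold (the 15-character "microsoftonline" label scores about 3.3 bits against the 3.5 cut-off), so in practice the heuristic is paired with an allow-list of known domains and with the per-host count rather than used on single queries.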
      8. Kill Chain Phase 7: Actions on Objectives
        1. actions taken by the threat actor that are objective-dependent
      9. Applying the Kill Chain Model
        1. Recon: Reconnaissance / gathers information
          1. hardened by NGFW (next-generation firewall)
        2. Stage: Weaponization, cyber criminals try to fool users into opening emails or clicking on links;
        3. Launch: Delivery, Staging sites redirect from trustworthy-looking sites to sites that launch exploit kits and/or other malicious content;
        4. Exploit: exploited to take control of the user’s system
          1. hardened by network-based and host-based anti-malware solutions
        5. Install: infect and encrypt the victim’s system—the ransomware payload.
          1. hardened by network-based and host-based anti-malware solutions
        6. Callback: CnC, the malware calls home to a CnC server, where it retrieves keys to perform the encryption or receive additional instructions;
        7. Persist: objectives
      10. Diamond Model Overview
        1. framework for analyzing events in a repeatable way so that the threats can be organized, tracked, sorted, and countered; like PDCA;
        2. Adversary: entity responsible for conducting an intrusion
          1. adversary operator is the person who is conducting the intrusion
          2. adversary customer is an entity that benefits from the intrusion
        3. Capability: tool or technique that the adversary may use in an event
          1. adversary arsenal is the complete set of the adversary’s capabilities;
        4. Victim
          1. target of the adversary
          2. Victim persona is the group of people or organization being attacked;
          3. Victim asset is the physical or logical target of the attack
        5. Infrastructure
          1. the physical or logical communications nodes that the adversary uses to establish and maintain command and control over their capabilities, such as Internet / USB sticks
          2. 3 types
            1. Type 1: owned and controlled by the adversary
            2. Type 2: co-opted by the adversary, but is owned by a third party
            3. Service providers: entities that provide type 1 and type 2 infrastructures and include entities such as an ISP
          3. Questions utilized in the diamond model
            1. What infrastructure was utilized?
            2. What was the target (victim)?
            3. What methods (capability) were used?
        6. Meta-features
          1. Timestamp: when the event started and ended
          2. Phase: group of events
          3. Result: Success / Failure / Unknown
          4. Direction: eg. adversary to victim / victim to adversary
          5. Methodology: generic class of activity used, such as DoS / phishing
          6. Resources: external resource that is used by adversary
      11. Applying the Diamond Model
        1. fundamentally supports analytic pivoting;
        2. adversary-centered approach: monitoring an adversary directly to discover them
        3. victim-centered approach: perform reactive network and host monitoring, detection, and defense operations
        4. eg. ThreatConnect, a threat intelligence platform that organizes indicators and pivots around the Diamond Model;
      12. Exploit Kits
        1. sets of tools that are utilized to gain access to a targeted host;
          1.  launching platform to deliver the payload to the targeted system
        2. attractive to less-skilled actors because of the ease with which they can be used;
        3. If the targeted host is patched and up-to-date on all applications (Flash, Java, or Silverlight), most exploit kits will stop at the landing page;
        4. Well known exploit kits (all prominent in 2015-2016; Angler and Nuclear disappeared in mid-2016):
          1. Neutrino: targets the Java runtime environment, drops ransomware on target systems;
          2. Magnitude: commonly utilized to drop ransomware on target systems;
          3. Angler: very versatile, built on a robust toolkit;
          4. Nuclear: largely targets Adobe Flash vulnerabilities; largely evades AV detection;
      13. Investigate Hacker Methodology
      14. Challenge
        1. reconnaissance phase = A solid network security posture with firewalls and intrusion detection can prevent leaking more information
        2. delivery phase = Knowledge of existing ransomware attacks and communication vectors, can aid in the prevention of delivery
        3. installation phase = User access controls and strict limits to privilege levels can also help mitigate this stage
        4. command-and-control = Network security monitoring tools can greatly help identify this phase
        5. actions on target = Unusually high amounts of traffic, connections to IP addresses that are foreign or unrecognizable, or other activities that seem out of the ordinary can indicate this type of attack
    4. Identifying Resources for Hunting Cyber Threats
      1. Cyber-Threat Hunting Concepts
        1. threat-centric SOC
          1. involves a proactive approach to detecting malicious activity that is not identified by traditional alerting mechanisms;
          2. correlate the data and determine if there is cause for further investigation
      2. Hunting Maturity Model (HMM)
        1. HM0 to HM4
        2. levels increase, analysts become more knowledgeable and sophisticated in their tactics; and more proactive;
        3. HM0 (Initial): relies on automated alerting; little or no routine collection of data from its own systems;
        4. HM1 (Minimal): still relies mainly on alerts (eg. from an IDS), but also collects data from its systems and uses threat intelligence to look for new threats;
        5. HM2 (Procedural): able to incorporate hunt procedures from external sources into their own hunt operations;
          1. most organizations that hunt actively are at this level;
        6. HM3 (Innovative): creates its own hunting procedures and may publish them;
        7. HM4 (Leading): automates many tactical-level analysis procedures, freeing analysts to develop new ones;
      3. Cyber-Threat Hunting Cycle
        1. Hypothesis
          1. looking at the system from the perspective of the attacker
        2. Investigate
          1. uses tools and techniques to investigate the hypothesis
        3. Uncover
          1. TTP: tactics, techniques and procedures
          2. IOCs: Indicator of Compromise
          3.  where the ultimate success of the cycle is achieved
        4. Inform and Enrich
      4. Common Vulnerability Scoring System (CVSS)
        1. chances of being compromised in the event of an attack and potential severity of damage;
        2. v3.0 was the latest version when these notes were taken; v3.1 (2019) and v4.0 (2023) have since been published;
        3.  provide the end user with an overall composite score representing the severity and risk of a vulnerability
        4. 3 metrics groups: Base Metrics / Temporal Metrics / Environmental Metrics
          1. Base Metrics: variables that are constant over time and across user environments
            1. exploitability metrics
              1. attack vector (AV): Network / Adjacent / Local / Physical; the context by which exploitation is possible; the more remote an attacker can be from the vulnerable component, the higher the value (Network > Adjacent > Local > Physical);
              2. attack complexity (AC): Low / High; conditions beyond the attacker’s control that must exist in order to exploit the vulnerability;
              3. privileges required (PR): None / Low / High; level of privileges an attacker must possess before successfully exploiting the vulnerability;
              4. user interaction (UI): None / Required; whether a user other than the attacker must participate (eg. open a file, click a link) for exploitation to succeed;
              5. scope (S): Unchanged / Changed; whether a vulnerability in one component (the vulnerable component) can affect resources under a different security authority (the impacted component), eg. a VM escape or a sandbox escape;
            2. impact metrics
              1. confidentiality (C): None / Low / High; impact to the confidentiality of the information resources that are managed by a software component due to a successfully exploited vulnerability;
              2. integrity (I): None / Low / High; impact to the integrity (trustworthiness) of information managed by the impacted component;
              3. availability (A): None / Low / High; impact to the availability of the impacted component resulting from a successfully exploited vulnerability
          2. Temporal Metrics
            1. Exploit Code Maturity (E): Not Defined / Unproven / Proof-of-Concept / Functional / High; likelihood of the vulnerability being attacked, and it is typically based on the current state of exploit techniques, exploit code availability, or active, “in-the-wild” exploitation;
            2. Remediation Level (RL): Not Defined / Unavailable / Workaround / Temporary Fix / Official Fix; availability and quality of a fix; lowers the score as better fixes appear;
            3. Report Confidence (RC): Not Defined / Unknown / Reasonable / Confirmed; degree of confidence in the existence of the vulnerability and the credibility of the known technical details;
          3. Environmental Metrics: to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization
            1. Security Requirements (CR, IR, AR): Not Defined / Low / Medium / High; how important confidentiality, integrity and availability of the affected asset are to the user's organization;
            2. Modified Base Metrics: MAV, MAC, MPR, MUI, MS, MC, MI, MA; to adjust the base metrics according to modifications that exist within the analyst’s environment
      5. CVSS v3.0 Scoring (maintained by FIRST, the Forum of Incident Response and Security Teams)
        1. combining all the metric values according to specific formulas;
        2. to help prioritize remediation efforts;
        3. Base scoring:
          1. once base scoring is computed, it is not expected to be changed;
          2.  has the largest bearing on the final score;
        4. Temporal scoring:
          1. computed at publication time from the base score and re-evaluated as exploit availability, fixes and confidence change;
          2. its factors (exploit maturity, remediation level, report confidence) can only lower the base score, never raise it;
          3.  represents vulnerability urgency at specific points in time
        5. Environmental scoring:
          1. tailored to a specific environment: the organization's own asset criticality and compensating controls; can raise or lower the score;
      6. CVSS v3.0 Example
        1. CVSS v3.0 score of the MySQL Stored SQL Injection vulnerability CVE-2013-0375.
      7. Hot Threat Dashboard
        1. graphical depiction of currently monitored threats;
        2. to define the criteria that must be met in order for a threat to be considered hot;
        3. Goal: to maintain an actionable list of current top hot threats (> 15);
        4. Posting a Hot Threat
          1. TLP (Traffic Light Protocol): set of designations that are used to ensure that sensitive information is shared appropriately;
            1. Red / Amber / Green / White, from most to least restricted (TLP 2.0 renames White to Clear and adds Amber+Strict);
            2. Red: not for disclosure, restricted to participants only;
            3. Amber: limited disclosure, restricted to participants' organizations and clients with a need to know;
            4. Green: limited disclosure, restricted to the community; not via public channels;
            5. White: disclosure is not limited;
        5. Reviewing a Hot Threat: senior security investigator (Investigations Manager) will review and validate it to become active;
        6. Monitoring Hot Threats:
        7. Retiring Hot Threats
        8. Hot Threat Challenges
      8. Publicly Available Threat Awareness Resources
        1. OWASP (Open Web Application Security Project)
          1.  resources ranging from guides, cheat sheets, and applications to identify attacks;
          2. publishes the OWASP Top 10 (most critical web application risks) roughly every three years; the list below is the 2013 edition:
            1. Injection: improper sanitization of user input that is placed into a command or query;
            2. Broken authentication and session management: failing to properly tie sessions to users, eg. sessions not invalidated after logout, session IDs exposed in URLs;
            3. Cross-site scripting (XSS): untrusted input echoed into a page without escaping;
            4. Insecure direct object references: lax checks that a user requesting a resource actually has permission to access it; eg. changing the user ID in the URL;
            5. Security misconfiguration: improper configuration of any part of the application stack; eg. default configuration and accounts;
            6. Sensitive data exposure: weak or missing protection (encryption) of sensitive data at rest or in transit;
            7. Missing function level access control: the server does not re-check authorization for each function / URL, trusting the UI to hide links;
            8. Cross-site request forgery (CSRF): failure to verify that each state-changing request was intentionally originated by the authenticated user, eg. no anti-CSRF token;
            9. Using components with known vulnerabilities: a failure to properly patch libraries and frameworks;
            10. Unvalidated redirects and forwards: redirect targets taken from user input, usable for phishing;
        2. Spamhaus Project
          1.  analyst should use Spamhaus to determine whether a suspected email is in fact on the list of known malicious spam;
          2. publishes "Top 10" lists (worst spam sources, botnet ISPs) and several DNS-based block lists that mail servers can query:
            1. Spamhaus Block List (SBL): IP addresses of known spammers;
            2. Exploits Block List (XBL): hosts that are known to be infected or misconfigured and facilitating illegitimate traffic;
            3. Policy Block List (PBL): end-user / dynamic IP ranges that have no legitimate reason to be delivering email directly to other mail servers;
            4. Domain Block List (DBL): domains that are being utilized in spam;
        3. Alexa: website traffic ranking, used to judge whether a domain is popular and therefore likely benign (the service was retired in 2022);
        4. Farsight Security's DNSDB: passive DNS database, ie. historical records of which names resolved to which addresses, for pivoting on adversary infrastructure;
      9. Lab: Hunt Malicious Traffic
      10. Challenge
    5. Understanding Event Correlation and Normalization
      1. Event Sources
        1. Types
          1. DHCP server: transaction data of IP assignments;
          2. DNS server: transaction data of queries and responses;
          3. AAA server: Alert data of successful / failed authentication and authorization events;
          4. NetFlow-capable network device: Session data; Statistical data
          5. IPS: Alert data from triggers of rules / signatures;
          6. Firewall: Session data, Packet captures, Statistical data;
          7. Proxy (web and email): transaction data, extracted data;
        2. Identity and Access Management: provides AAA services;
        3. AntiVirus: alert data;
        4. Application Logs: transactional and statistical data
      2. Evidence
        1. Types
          1. Direct evidence: not require any reasoning to reach the conclusion;
          2. Circumstantial evidence: Requires an inference linking the evidence to the conclusion
          3. Corroborating evidence: supports an assertion that is supported by previously obtained evidence
          4. Best evidence: the most authoritative form available, normally the original; eg. the malware file itself (hash-verified) rather than only a sandbox detonation report describing it, which is derived evidence;
        2. Digital Forensics
          1. Collection
          2. Examination
          3. Analysis
          4. Reporting
      3. Security Data Normalization
        1. manipulating various security event data and fitting it into a common schema;
        2. parsers (eg. ELSA) algorithmically take the event data and extract the relevant characteristics and fill in the appropriate fields in the common schema;
      4. Event Correlation
        1. mutual relationship or connection between two or more things;
        2. commonly keyed on the IP 5-tuple (source IP, destination IP, source port, destination port, transport protocol) plus time; identity data (DHCP, AAA) then maps addresses to hosts and users;
        3. correlated events provide much more detail and context to the analyst than can be obtained from any single event;
        4. Correlation is performed after normalization;
      5. Other Security Data Manipulation
        1. Aggregation: data mining technique where data is gathered to get more information about particular variables;
          1. eg. querying ELSA with just an IP address returns every record, from every source, that mentions it;
        2. Summarization
          1. data mining technique in which compact descriptions of key data set qualities are produced;
            1. in a graphical format or in a tabular format;
            2. useful for analyzing aggregated data;
        3. Deduplication: after normalization, present all the relevant details pulled from a collection of overlapping data in a concise format, collapsing identical events into one record with a count;
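The normalize > deduplicate > correlate pipeline described above, as an added example (not code from these notes, the course, or ELSA). The log lines are constructed: a Snort fast-format alert logged twice, two iptables-style firewall lines and one DHCP lease, all parsed into one common schema, deduplicated, grouped by 5-tuple within a time window, and enriched with the host name that held the source address at the time. Source formats are simplified to what the regexes below accept.

```python
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2017  # syslog and Snort timestamps carry no year; the constructed sample is from October 2017

# Constructed sample events (not real captures). Three sources describe one suspected
# beacon from 10.1.1.25 to 203.0.113.7:443; the IDS alert appears twice.
SNORT_FAST = [
    "10/21-14:02:11.123456  [**] [1:1000001:1] LOCAL Possible CnC beacon [**] "
    "[Priority: 1] {TCP} 10.1.1.25:49211 -> 203.0.113.7:443",
    "10/21-14:02:11.123456  [**] [1:1000001:1] LOCAL Possible CnC beacon [**] "
    "[Priority: 1] {TCP} 10.1.1.25:49211 -> 203.0.113.7:443",
]
FIREWALL = [
    "Oct 21 14:02:10 fw1 kernel: ACCEPT SRC=10.1.1.25 DST=203.0.113.7 PROTO=TCP SPT=49211 DPT=443",
    "Oct 21 14:02:40 fw1 kernel: ACCEPT SRC=10.1.1.30 DST=198.51.100.9 PROTO=TCP SPT=50100 DPT=80",
]
DHCP = [
    "Oct 21 13:58:02 dhcp1 dhcpd: DHCPACK on 10.1.1.25 to 00:11:22:33:44:55 (LAPTOP-042) via eth0",
]

SNORT_RE = re.compile(
    r"^(?P<md>\d\d/\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
FW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=(?P<sport>\d+) DPT=(?P<dport>\d+)$")
DHCP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) to "
    r"(?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]+)\)")


def _syslog_ts(text):
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def normalize(line, source):
    """Map one raw line from a named source into the common schema (a dict), or None if it does not parse."""
    if source == "ids" and (m := SNORT_RE.match(line)):
        return {"ts": datetime.strptime(f"{YEAR} {m['md']} {m['hms']}", "%Y %m/%d %H:%M:%S"),
                "source": "ids", "type": "alert", "detail": f"{m['sid']} {m['msg']}",
                "src_ip": m["src"], "src_port": int(m["sport"]), "dst_ip": m["dst"],
                "dst_port": int(m["dport"]), "proto": m["proto"].lower()}
    if source == "firewall" and (m := FW_RE.match(line)):
        return {"ts": _syslog_ts(m["ts"]), "source": "firewall", "type": "session",
                "detail": m["action"], "src_ip": m["src"], "src_port": int(m["sport"]),
                "dst_ip": m["dst"], "dst_port": int(m["dport"]), "proto": m["proto"].lower()}
    if source == "dhcp" and (m := DHCP_RE.match(line)):
        return {"ts": _syslog_ts(m["ts"]), "source": "dhcp", "type": "lease",
                "detail": "DHCPACK", "ip": m["ip"], "mac": m["mac"], "host": m["host"]}
    return None


def deduplicate(events):
    """Collapse identical normalized events into one record carrying a count."""
    merged = {}
    for e in events:
        key = tuple(sorted((k, str(v)) for k, v in e.items()))
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(e, count=1)
    return list(merged.values())


def five_tuple(e):
    return (e["src_ip"], e["src_port"], e["dst_ip"], e["dst_port"], e["proto"])


def _session_summary(key, evs, leases):
    first, last = evs[0]["ts"], evs[-1]["ts"]
    # Identity enrichment: the most recent lease of the source address before the session began.
    owner = [l for l in leases if l["ip"] == key[0] and l["ts"] <= first]
    return {"five_tuple": key, "first_seen": first, "last_seen": last,
            "sources": sorted({e["source"] for e in evs}),
            "alerts": [(e["detail"], e["count"]) for e in evs if e["type"] == "alert"],
            "host": owner[-1]["host"] if owner else None,
            "mac": owner[-1]["mac"] if owner else None}


def correlate(events, window_seconds=60):
    """Group network events by 5-tuple, start a new session when the gap exceeds the window,
    and attach DHCP identity, so one record shows the IDS, firewall and identity view of a connection."""
    leases = sorted((e for e in events if e["type"] == "lease"), key=lambda e: e["ts"])
    by_tuple = defaultdict(list)
    for e in events:
        if "src_ip" in e:
            by_tuple[five_tuple(e)].append(e)
    sessions = []
    for key, evs in by_tuple.items():
        evs.sort(key=lambda e: e["ts"])
        current = [evs[0]]
        for e in evs[1:]:
            if (e["ts"] - current[-1]["ts"]).total_seconds() > window_seconds:
                sessions.append(_session_summary(key, current, leases))
                current = [e]
            else:
                current.append(e)
        sessions.append(_session_summary(key, current, leases))
    return sessions


def build_sessions():
    raw = [(l, "ids") for l in SNORT_FAST] + [(l, "firewall") for l in FIREWALL] + [(l, "dhcp") for l in DHCP]
    events = [n for n in (normalize(l, s) for l, s in raw) if n]
    return correlate(deduplicate(events))  # normalize -> deduplicate -> correlate


if __name__ == "__main__":
    for s in build_sessions():
        print(s)
```

Order matters: deduplication runs on normalized records (so the same alert written in two formats still collapses), and correlation runs last so that the session record counts the alert once while still reporting how many copies were logged.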
      6. Lab: Correlate Event Logs, PCAPs, and Alerts of and attack
      7. Challenge
    6. Identifying Common Attack Vectors
      1. Obfuscated Javascript
        1. Code obfuscation: disguise the appearance of source code running on a system;
        2. Also employed (as minification) to reduce the overall size of the code;
        3. renders JavaScript source into a form that is not easily readable, with the intent of disguising the intended function of the code;
        4. Original purpose: prevent JavaScript source from being analyzed or copied, to protect intellectual property; attackers use the same techniques to hide malicious logic from analysts and signature-based scanners;
        5. Common techniques:
          1. Automatically renaming variables to random and meaningless names;
          2. White-space randomization within the code to reduce readability;
          3. Self-modifying source code that rewrites itself as it is executed;
          4. Using character codes (String.fromCharCode) and string manipulation (unescape, concatenation) combined with eval() to assemble the real code at run time;
          5. Hackvertor is an online, community-based encoding tool by security Pros.
          6. JSDetox is a JavaScript malware analysis tool that utilizes de-obfuscation techniques and an execution engine that emulates HTML DOM.
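A static de-obfuscation pass of the kind JSDetox automates, as an added example (my code, not from these notes or either tool). The obfuscated sample is constructed, not taken from a real site: it stacks "\xNN" escapes, unescape('%xx') and String.fromCharCode() and calls eval through window[k] so that the word "eval" never appears in the source. The decoders are applied repeatedly until the text stops changing, then the decoded text is scanned for the keywords an analyst would flag.

```python
import json
import re
from urllib.parse import unquote

# Constructed obfuscated sample (not from a real site): three common layers hiding an
# injected iframe, with eval reached via window[k] so the keyword is not in the source.
SAMPLE = r"""
var k = "\x65\x76\x61\x6c";
var u = unescape('%68%74%74%70%3A%2F%2Fexample.test/');
window[k](String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,34,60,105,102,114,97,109,101,32,115,114,99,61,34,43,117,43,34,62,34,41));
"""

FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+?)\s*\)")
UNESCAPE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)")
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
SUSPICIOUS = ["eval", "document.write", "iframe", "ActiveXObject", "location.href", "setTimeout"]


def _charcodes(m):
    text = "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    return json.dumps(text)  # re-emit as a quoted literal so the surrounding JS stays readable


def _unescape(m):
    return json.dumps(unquote(m.group(2)))


def _hex(m):
    # Decoding \x22 (a double quote) inside a literal can unbalance quotes; acceptable for triage.
    return chr(int(m.group(1), 16))


def deobfuscate(js, max_rounds=10):
    """Apply the static decoders until nothing changes; returns (decoded_js, rounds_applied).
    Repeating lets an encoding revealed by one layer be decoded by the next pass."""
    rounds = 0
    while rounds < max_rounds:
        new = HEX_ESCAPE.sub(_hex, js)
        new = UNESCAPE.sub(_unescape, new)
        new = FROMCHARCODE.sub(_charcodes, new)
        if new == js:
            break
        js, rounds = new, rounds + 1
    return js, rounds


def indicators(js):
    """Keywords worth flagging, searched for in the (decoded) text."""
    return sorted(k for k in SUSPICIOUS if k in js)


def urls(js):
    return re.findall(r"https?://[\w.\-/]+", js)


if __name__ == "__main__":
    decoded, n = deobfuscate(SAMPLE)
    print(decoded)
    print("layers removed:", n, "indicators:", indicators(decoded), "urls:", urls(decoded))
```

Static decoding like this cannot follow code that computes its strings at run time (the self-modifying case above), which is why JSDetox pairs it with an execution engine that emulates the DOM; but it is enough to pull the hard-coded URL and the eval / document.write / iframe combination out of the sample, none of which is visible in the original text.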
      2. Shellcode and Exploits
        1. payload that is attached to an exploit that will execute the desired actions (add backdoor / create VNC session) of the threat actor;
        2. provide the threat actor with command shell access on the system;
        3. DEP (Data Execution Prevention) marks stack and heap pages non-executable, so injected shellcode cannot run directly; attackers respond with return-oriented programming;
        4. ASLR randomizes the memory addresses in use so that an attacker cannot predict where code and data live; egg hunting (a small stub that searches memory for a marker placed in front of the real payload) is one way to cope with not knowing where the payload landed;
        5. Two variations of shellcode payloads:
          1. Staged: a very compact first stage (stager) that fits the exploit's space limits and then fetches the rest of the payload;
          2. Unstaged (single): the whole payload delivered at once within a single memory space;
        6. Detection:
          1. Snort IPS
          2. on the network, detection commonly looks for a NOP sled, a run of no-operation instructions (0x90 on x86) placed before the shellcode so that an imprecise jump still lands on it; modern shellcode uses varied NOP-equivalent instructions and encoders to defeat this;
      3. Common Metasploit Payloads
        1. Metasploit Payloads: modules utilized during exploitation events;
        2. 3 types of payloads within Metasploit:
          1. Singles:
            1. self-contained payloads that function on their own;
            2. not dependent on the Metasploit framework for execution;
            3. well documented and the process of gaining execution of a single is easily detected and blocked;
            4. eg. Netcat: after transfer, executed remotely so that it can begin performing the actions;
          2. Stagers
            1. set up a network connection between the attacker and victim;
          3. Stages
            1. used with the stagers and while much larger in comparison provide increased functionality;
            2. delivered by the stager over the network and carrying the full functionality (eg. Meterpreter, VNC injection);
          4. Others
            1. choice of transport matters because the traffic generated by the payload can draw attention (eg. reverse_tcp vs reverse_https);
            2. Meterpreter: sophisticated because it is executed directly in memory, leaving little on disk;
            3. PassiveX: uses Internet Explorer / ActiveX to tunnel traffic out, to circumvent outbound firewalls;
            4. reflective DLL injection: a stage payload is loaded into the memory of a compromised host process without touching disk; VNC injection and Meterpreter make use of reflective DLL injection;
      4. Directory Traversal
        1. caused by improper checking or validation of user-supplied input that is used to build a file system path, eg. a file name parameter in a URL;
        2. entering several ../ (or ..\ on Windows) sequences into the URL climbs out of the intended directory; encoded forms (%2e%2e%2f) are used to dodge naive filters;
        3. Modern web servers normalize and validate paths, but application code that builds paths from user input is still commonly vulnerable;
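The vulnerable file handler beside its hardened form, as an added example (my code, not from these notes or any real server). Both functions take the web root and the path from the request; the demo builds a throwaway web root with a secret file one level above it and shows that "../secret.txt" leaks through the naive join but is refused once the resolved path is checked against the root. The hardened version assumes the framework has already percent-decoded the request.

```python
import os
import tempfile
from pathlib import Path


def serve_file_vulnerable(webroot: str, requested: str) -> bytes:
    """Naive join: '../' in the request climbs out of the web root, and an absolute
    path replaces the root entirely (os.path.join('/var/www', '/etc/passwd') == '/etc/passwd')."""
    path = os.path.join(webroot, requested)
    with open(path, "rb") as f:
        return f.read()


def serve_file_hardened(webroot: str, requested: str) -> bytes:
    """Resolve the final path (collapsing '..' and following symlinks) and insist it stays
    under the root. Assumes the request has already been percent-decoded (%2e%2e -> ..)."""
    root = Path(webroot).resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


def _blocked(webroot: str, requested: str) -> bool:
    try:
        serve_file_hardened(webroot, requested)
        return False
    except PermissionError:
        return True


def demo() -> dict:
    """Constructed web root with a secret outside it; run both handlers against the same requests."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "www"
        webroot.mkdir()
        (webroot / "index.html").write_bytes(b"<h1>hello</h1>\n")
        (Path(tmp) / "secret.txt").write_bytes(b"TOP SECRET\n")
        attack = "../secret.txt"
        return {
            "vulnerable_leaked": serve_file_vulnerable(str(webroot), attack),
            "hardened_blocked": _blocked(str(webroot), attack),
            "absolute_blocked": _blocked(str(webroot), "/etc/hostname"),
            "hardened_normal": serve_file_hardened(str(webroot), "index.html"),
        }


if __name__ == "__main__":
    print(demo())
```

Checking the resolved path rather than filtering the string is what closes the encoded and mixed-separator variants: whatever spelling the attacker uses, the kernel's view of where the path ends up is what gets compared with the root.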
      5. SQL Injection
        1. Used to perform attacks:
          1. Authentication bypass
          2. Information disclosure
          3. Compromised data integrity: alteration of the contents of a database;
          4. Compromised availability of data: delete information with the intent to cause harm or delete log or audit information in a database;
          5. Remote command execution
        2. IPS signatures: match common injection syntax in requests (quote followed by OR, comment sequences, UNION SELECT); prone to false positives on legitimate apostrophes;
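The authentication-bypass case and the parameterized fix side by side, plus a rough IPS-style signature, as an added example (my code, not from these notes or the course). It uses an in-memory SQLite table with constructed users; passwords are stored in plaintext only to keep the demo short, real systems store hashes. The two payloads are the classic comment bypass ("alice' --") and the tautology ("' OR '1'='1").

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed demo table. Plaintext passwords are for illustration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """User input is spliced into the SQL text, so quotes and comments change the query's logic."""
    query = (f"SELECT username, role FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Placeholders send the values separately from the SQL text; they can never become syntax."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


# Rough IPS-style signature: quote + OR tautology, a trailing comment, or UNION SELECT.
SQLI_SIGNATURE = re.compile(
    r"(?i)('\s*or\s+\S+\s*=\s*\S+)|(--|#|/\*)\s*$|(\bunion\b\s+(all\s+)?select\b)")


def looks_like_sqli(value: str) -> bool:
    """Signature match on one request parameter. Misses encoded or split payloads and
    can false-positive on legitimate input, which is why it supports, not replaces, the fix."""
    return SQLI_SIGNATURE.search(value) is not None


def demo() -> dict:
    conn = make_db()
    comment_bypass = ("alice' --", "wrong")       # comments out the password check
    tautology = ("' OR '1'='1", "' OR '1'='1")    # WHERE clause always true -> first row
    return {
        "vuln_comment": login_vulnerable(conn, *comment_bypass),
        "safe_comment": login_parameterized(conn, *comment_bypass),
        "vuln_tautology": login_vulnerable(conn, *tautology),
        "safe_tautology": login_parameterized(conn, *tautology),
        "legit": login_parameterized(conn, "bob", "hunter2"),
        "flagged": [looks_like_sqli(v) for v in (comment_bypass[0], tautology[0], "bob", "O'Brien")],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns alice's admin row for both payloads because the injected text is parsed as SQL; the parameterized function returns nothing because the same text is compared as a value. The signature catches both payloads here, but a determined attacker varies spacing, casing and encoding, so detection at the IPS is a compensating control, not a substitute for parameterized queries.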
      6. Cross-Site Scripting
        1. maliciously causing a script, typically JavaScript, to execute in the victim's browser in the context of the vulnerable site;
        2. 2 main types (a third, DOM-based XSS, happens entirely client-side):
          1. Stored (persistent):
            1. embeds the malicious code within the page that is stored on the web server itself;
            2. If the server fails to properly sanitize input, the attacker code will be posted to the page and displayed to all visiting users;
          2. Reflected (nonpersistent):
            1. includes HTML code within a link to a web address, knowing the linked page will fail to sanitize the included HTML code
          3. OWASP provides resources of best practices for developing web apps such as XSS Filter Evasion Cheat Sheet for testing;
      7. Punycode
        1. DNS names are normally ASCII; Unicode is needed for internationalized domain names (IDNs) in many countries;
        2. Punycode is a system for representing Unicode characters in an ASCII-only format ("xn--" labels) to ensure compatibility with older DNS systems;
        3. threat actor: phishing with a look-alike (homograph) domain > redirection > stager / exploit kit...
        4. such as;
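Converting between the Unicode and Punycode forms and checking a domain for homograph risk, as an added example (my code, not from these notes). It uses Python's built-in idna codec (IDNA 2003) and two heuristics: more than one Unicode script inside a single label, and a "skeleton" in which Cyrillic letters that render like Latin ones are replaced by their look-alikes and compared against a constructed watchlist. The confusable table is a small hand-picked subset, not the full Unicode confusables list.

```python
import unicodedata

# Cyrillic letters that render like Latin ones (a small subset of the Unicode confusables data).
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}
WATCHLIST = {"cisco.com", "apple.com", "paypal.com"}  # constructed brand list

CYRILLIC_CISCO = "\u0441\u0456\u0455\u0441\u043e.com"  # all Cyrillic, renders as "cisco.com"
MIXED = "\u0441isco.com"                               # Cyrillic first letter, Latin rest


def to_ascii(domain: str) -> str:
    """U-label form -> A-label (xn--) form."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """A-label form -> U-label form; plain ASCII labels pass through unchanged."""
    return domain.encode("ascii").decode("idna")


def skeleton(domain: str) -> str:
    """Replace look-alike letters with the Latin letter they resemble."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in domain)


def label_scripts(label: str) -> set:
    """Script of every letter in a label, taken from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze(domain: str) -> dict:
    """Accepts either form; reports mixed-script labels and watchlist look-alikes."""
    uni = to_unicode(domain) if domain.isascii() else domain
    findings = []
    for label in uni.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts in label {label!r}: {sorted(scripts)}")
    skel = skeleton(uni.lower())
    if skel != uni.lower() and skel in WATCHLIST:
        findings.append(f"confusable with watchlist domain {skel}")
    return {"unicode": uni, "ascii": to_ascii(uni), "findings": findings}


if __name__ == "__main__":
    for d in (CYRILLIC_CISCO, MIXED, "cisco.com", "b\u00fccher.example"):
        print(analyze(d))
```

The whole-script case is the dangerous one: every letter is legitimately Cyrillic, so a mixed-script check passes, and only the comparison of the skeleton against names you care about catches it. A genuine IDN such as bücher.example produces no finding, which is the behaviour you want from a phishing filter.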
      8. DNS Tunneling
        1. other protocols, or arbitrary data, can be tunneled through DNS queries and responses;
        2. used for CnC, data exfiltration, or tunneling of any IP traffic;
        3. DNS tunneling tools such as Iodine;
        4. the attacker's server is made the authoritative name server for the tunnel domain, so every query for a subdomain of it is forwarded to the attacker by the victim's normal resolver;
        5. Benefits: rarely detected, as DNS is almost always allowed outbound and the traffic looks like normal DNS;
        6. Drawback: slow speed (small payload per query);
        7. Detection:
          1. Active examining payloads for unusual content, packet size, bandwidth, frequency of requests, and looking for unusual hostnames;
      9. Pivoting (redirection)
        1. use a compromised computer to attack other computers within the same network to avoid restrictions of firewalls;
        2. goal: expand access in the network of compromised host;
      10. Lab: Investigate Browser-based attacks
      11. Challenge
    7. Identifying Malicious Activity
      1. Understanding the Network Design
        1. obtain a network topology map of connected devices, or otherwise build one with their own discovery / vulnerability scan;
        2. inventory list of all network-based appliances;
        3. Categorizing the assets by priority such as critical, important, or sensitive;
        4. Identify the physical location of specific security-related devices and their data logging output;
      2. Identifying Possible Threat Actors
        1. person or group that initiates a malicious incident;
        2. Types
          1. Script Kiddies: unskilled, use public tools;
          2. Hacktivists (Hack Activism)
            1. promoting their own political agenda;
            2. eg. Lulz Security (LulzSec) and Anonymous
            3. not interested in covering their tracks nor disguising their presence
        3. Organized Crime: driven by profits
        4. State-Sponsored / Nation-State Actors
          1. well resourced and patient; their campaigns are often referred to as APTs (advanced persistent threats);
        5. Insider Threat
          1.  motivated by financial gain or intent of harming organization;
          2. at risk if it is not adequately monitoring user and network system patterns for anomalous behaviors;
      3. Log Data Search
        1. ELSA (Enterprise Log Search and Archive): syslog receiver, indexer and search front end (bundled in older Security Onion releases);
          1. correlates network and host activity by searching the relevant syslog records; high-volume log ingest;
        2. Portions of a syslog message (RFC 3164):
          1. PRI: facility code x 8 + severity; facility numbering may vary between OSes / syslog implementations;
          2. severity level: 0 (emergency) to 7 (debug);
          3. message:
            1. TAG: program or process that generated it;
            2. CONTENT: the free-text content;
          4. searching syntax (Boolean operators / directives):
            1. OR
            2. groupby
          5. Modeling Network attacks:
            1. Deterministic assessment method:
              1. scenario assessment on a small or very limited set of variables
              2. relies on known data values to yield a single outcome for each proposed scenario
              3. low degree of speculation
            2. Probabilistic Impact Assessment
              1. wide range of probable scenarios, which provide a distribution of all possible outcomes
              2. high degree of speculation;
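A parser for the RFC 3164 message parts listed above and a minimal ELSA-style search and groupby over the results, as an added example (my code, not from these notes, ELSA or Security Onion). The first sample line is the example message from RFC 3164 itself; the other two are constructed. PRI is decoded as facility = PRI // 8 and severity = PRI % 8, so <34> is facility 4 (auth) at severity 2 (crit).

```python
import re
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp", "cron",
              "authpriv", "ftp", "ntp", "audit", "alert", "clock", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 frame: <PRI>TIMESTAMP HOSTNAME TAG[pid]: CONTENT
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<content>.*)$")

# First line is the example from RFC 3164 section 5.4; the other two are constructed.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<4>Oct 21 14:02:10 fw1 kernel: DROP SRC=203.0.113.9 DST=10.1.1.25 PROTO=TCP SPT=4444 DPT=445",
    "<86>Oct 21 14:05:01 srv1 sshd[2214]: Accepted password for root from 203.0.113.9 port 51022 ssh2",
]


def parse_syslog(line: str) -> dict:
    """Split one RFC 3164 line into PRI (decoded), HEADER and MSG fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities x 8 severities + 7 is the largest legal value
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m["ts"], "host": m["host"], "tag": m["tag"],
            "pid": int(m["pid"]) if m["pid"] else None, "content": m["content"]}


def search(events, text=None, max_severity=None, **fields):
    """Minimal query: substring on CONTENT, severity threshold (0 = emerg is the worst), field equality."""
    out = []
    for e in events:
        if text and text not in e["content"]:
            continue
        if max_severity is not None and SEVERITIES.index(e["severity"]) > max_severity:
            continue
        if any(e.get(k) != v for k, v in fields.items()):
            continue
        out.append(e)
    return out


def group_by(events, field) -> dict:
    """Counts per distinct value, the way an ELSA 'groupby' directive summarizes results."""
    return dict(Counter(e[field] for e in events))


if __name__ == "__main__":
    evs = [parse_syslog(l) for l in SAMPLE_LINES]
    print(group_by(evs, "severity"))
    print(search(evs, text="203.0.113.9"))
```

The facility names are those most syslog daemons use for codes 0-23; as the notes say, vendors differ, so treat the table as a default to be overridden per source rather than a standard.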
      4. NetFlow as a Security Tool
        1. records the 5-tuple (source / destination IP, source / destination port, protocol), the time of the communication and the amount of data transferred, but not the payload;
        2. Indicators of suspicious flows:
          1. Long active duration;
          2. application is undefined;
          3. no return traffic;
          4. inbound connection to the domain controller using unknown application;
      5. DNS Risk and Mitigation Tool
        1. DNS poisoning
        2. DNS tunnelling
        3. craft special DNS TXT records that contain small amounts of exfiltrated data;
        4. exfiltrated data is often hex- or base64-encoded into query names, eg. credit card numbers in hex;
        5. Types
          1. Fast Flux and Botnets: C2 hidden behind a rapidly changing set of A records pointing at compromised hosts that act as proxies;
          2. Double IP Flux: both the A records and the NS records for the domain change rapidly;
          3. DGA (Domain Generation Algorithm): malware generates many pseudo-random domain names per day and the operator registers only a few, defeating static blocklists; visible as bursts of NXDOMAIN responses from one client;
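Detection heuristics for both the DNS tunneling section earlier and the DNS risk types here, as one added example (my code, not from these notes or the course). The query log is constructed: normal lookups from one client, thirty TXT queries from another whose subdomains carry 48 hex characters each (the tunnel), and a burst of NXDOMAIN answers for vowel-free random names from a third (the DGA pattern). Thresholds are assumptions to be tuned against your own baseline, and the registered-domain helper is naive (last two labels) where production code should use the Public Suffix List.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Assumed thresholds; tune against your own traffic.
TUNNEL_MIN_QUERIES, TUNNEL_MIN_AVG_LEN, TUNNEL_MIN_ENTROPY = 20, 40, 3.0
DGA_MIN_DOMAINS, DGA_MIN_ENTROPY, DGA_MAX_VOWEL_RATIO = 5, 3.0, 0.2


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded data scores higher than words."""
    counts = Counter(s)
    return sum(-c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def registered_domain(name: str) -> str:
    # Naive: last two labels. Use the Public Suffix List for co.uk-style suffixes in production.
    return ".".join(name.rstrip(".").split(".")[-2:])


def build_sample():
    """Constructed query log: normal browsing, a TXT-based tunnel, and DGA-style NXDOMAIN bursts."""
    recs = [{"client": "10.1.1.30", "query": q, "qtype": "A", "rcode": "NOERROR"}
            for q in ["www.example.com"] * 10 + ["mail.example.com"] * 3]
    for i in range(30):  # synthetic exfil chunks: 48 hex chars split over two labels
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        recs.append({"client": "10.1.1.25", "qtype": "TXT", "rcode": "NOERROR",
                     "query": f"{chunk[:24]}.{chunk[24:]}.t.badtunnel.test"})
    for name in ["xkqzvbnmtr.com", "qwpzlmnbvc.net", "zxtkqplmnw.org",
                 "bvcxzqwmnt.com", "pqlzmxvbnk.info", "tkzvbqpmnx.net"]:
        recs.append({"client": "10.1.1.40", "query": name, "qtype": "A", "rcode": "NXDOMAIN"})
    return recs


def find_tunnels(records):
    """Per (client, registered domain): many long, unique, high-entropy subdomains => tunnel."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], registered_domain(r["query"]))].append(r)
    found = []
    for (client, domain), rs in groups.items():
        subs = [r["query"][: -len(domain) - 1] for r in rs if r["query"].endswith(domain)]
        subs = [s for s in subs if s]
        if len(rs) < TUNNEL_MIN_QUERIES or not subs:
            continue
        avg_len = sum(len(r["query"]) for r in rs) / len(rs)
        avg_ent = sum(entropy(s.replace(".", "")) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)
        txt_ratio = sum(r["qtype"] in ("TXT", "NULL", "CNAME") for r in rs) / len(rs)
        if avg_len >= TUNNEL_MIN_AVG_LEN and avg_ent >= TUNNEL_MIN_ENTROPY and unique_ratio >= 0.9:
            found.append({"client": client, "domain": domain, "queries": len(rs),
                          "avg_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                          "txt_ratio": round(txt_ratio, 2)})
    return found


def find_dga_clients(records):
    """Clients resolving many distinct random-looking names that do not exist."""
    per_client = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        label = registered_domain(r["query"]).split(".")[0]
        vowel_ratio = sum(ch in "aeiou" for ch in label) / max(len(label), 1)
        if entropy(label) >= DGA_MIN_ENTROPY and vowel_ratio <= DGA_MAX_VOWEL_RATIO:
            per_client[r["client"]].add(registered_domain(r["query"]))
    return {c: len(d) for c, d in per_client.items() if len(d) >= DGA_MIN_DOMAINS}


if __name__ == "__main__":
    recs = build_sample()
    print(find_tunnels(recs))
    print(find_dga_clients(recs))
```

The two detectors look at different things on purpose: a tunnel is many queries to one domain with payload-like subdomains (and often TXT or NULL records), whereas DGA traffic is a few queries each to many domains that mostly do not resolve. Content-delivery networks and some security products also generate long, unique subdomains, which is the main source of false positives for the first check and why it is scored per client and domain rather than per query.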
      6. Lab: Analyze Suspicious DNS Activity
      7. Challenge
    8. Identifying Patterns of Suspicious Behavior
      1. Network Baselining
        1. profile for how a system or network normally behaves, so that deviations from normal stand out; also answers whether it will break at some point (capacity);
        2. baselining network traffic can include NetFlow and passive DNS statistics;
        3. A baseline of logging and application transactions;
        4. Core Baseline Flowchart
      2. Identity Anomalies and Suspicious Behaviors
        1. Malicious network traffic, or traffic tunnelling
        2. Log event data is another area that is important to monitor relating to the baseline:
          1. not normal user login behaviors / time;
          2. logging such as system restarts and application crashes are also very useful in identifying suspicious behavior;
        3. Powershell usage should be monitored for suspicious activity;
          1. PowerShell logs (module and script block logging) can be the source of a flag;
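The NetFlow indicators from the NetFlow section (long duration, undefined application, no return traffic, inbound connection to a domain controller) combined with the baseline comparison described here, as one added example (my code, not from these notes or any NetFlow collector). The flow records, the asset list of domain controllers, the known-service table and the 14-day history of daily outbound bytes per host are all constructed; the z-score threshold of 3 is an assumption to tune.

```python
import statistics
from collections import defaultdict

KNOWN_SERVICES = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 88: "kerberos", 389: "ldap",
                  443: "https", 445: "smb"}          # assumed "defined application" table
DOMAIN_CONTROLLERS = {"10.1.1.5"}                   # constructed asset inventory
LONG_DURATION_SECONDS = 3600
Z_THRESHOLD = 3.0                                   # assumed; tune to your environment

# Constructed flow records: (src, sport, dst, dport, proto, duration_s, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    ("10.1.1.25", 49211, "203.0.113.7", 443, "tcp", 36000, 480_000_000, 2_000_000),
    ("10.1.1.30", 50100, "198.51.100.9", 80, "tcp", 2, 3_000, 40_000),
    ("203.0.113.9", 4444, "10.1.1.5", 4444, "tcp", 5, 900, 500),
    ("10.1.1.30", 51000, "192.0.2.44", 8443, "tcp", 1, 1_200, 0),
]
# Constructed 14-day history of daily outbound bytes per internal host: the baseline.
HISTORY = {
    "10.1.1.25": [5.0e6, 5.5e6, 6.1e6, 4.8e6, 5.9e6, 6.3e6, 5.2e6, 5.7e6, 6.0e6, 4.9e6, 5.4e6, 6.2e6, 5.6e6, 5.8e6],
    "10.1.1.30": [2.0e6, 2.4e6, 1.9e6, 2.2e6, 2.5e6, 2.1e6, 2.3e6, 2.0e6, 2.2e6, 2.4e6, 2.1e6, 2.3e6, 1.8e6, 2.2e6],
}


def flow_reasons(flow):
    """The per-flow indicators; a flow can trip several."""
    src, sport, dst, dport, proto, duration, out_bytes, in_bytes = flow
    reasons = []
    if duration >= LONG_DURATION_SECONDS:
        reasons.append("long-duration")
    if dport not in KNOWN_SERVICES:
        reasons.append("undefined-application")
    if in_bytes == 0:
        reasons.append("no-return-traffic")
    if dst in DOMAIN_CONTROLLERS and dport not in KNOWN_SERVICES:
        reasons.append("inbound-to-domain-controller")
    return reasons


def outbound_zscores(flows, history):
    """Today's outbound bytes per source host against its historical daily mean and stdev."""
    today = defaultdict(int)
    for f in flows:
        today[f[0]] += f[6]
    z = {}
    for host, total in today.items():
        if host not in history or len(history[host]) < 2:
            continue  # no baseline for this host (eg. an external address)
        mean, sd = statistics.mean(history[host]), statistics.stdev(history[host])
        z[host] = (total - mean) / sd if sd else (float("inf") if total > mean else 0.0)
    return z


def analyze(flows, history):
    """Return {5-tuple: [reasons]} for every flow that trips at least one check."""
    z = outbound_zscores(flows, history)
    findings = {}
    for f in flows:
        reasons = flow_reasons(f)
        if z.get(f[0], 0.0) > Z_THRESHOLD:
            reasons.append("outbound-volume-anomaly")
        if reasons:
            findings[f[:5]] = reasons
    return findings


if __name__ == "__main__":
    for key, why in analyze(SAMPLE_FLOWS, HISTORY).items():
        print(key, why)
```

The baseline is what separates the first flow from ordinary HTTPS: on its own a long-lived 443 session is unremarkable, but half a gigabyte out of a host that normally sends a few megabytes a day is not, and only the history makes that visible. Conversely the external host connecting to the domain controller has no baseline at all, so the per-flow indicators carry that finding.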
      3. PCAP Analysis
        1. fill in some of the unknown information to build a more complete picture of the event;
        2. Analysis via
          1. source IP and destination IP pairs;
          2. source and destination ports pairs;
          3. network protocol that is anomaly;
          4. any payloads that were part of the suspicious behavior
        3. Filtering: REGEX. (regular expression) is a sequence of characters that define a search pattern;
      4. Delivery
        1. File analysis begins with identifying the suspicious files themselves and their child / parent processes;
        2. sandbox allows the files to be executed in a controlled environment, especially useful for reverse engineering;
        3. the sandbox report: using hashes of the submitted samples, the service attempts to match the file with any previously known malware;
        4. malware component "dropper": downloads a file over the network and then executes it (strictly a downloader; a dropper carries its payload embedded within itself);
      5. Lab: Investigate Suspicious Activity Using Security Onion
      6. Challenge
    9. Conducting Security Incident Investigations
      1. Security Incident Investigation Procedures
        1. 5W1H: who, what, when, where, why and how;
        2. Tier 1 SOC analysts do not perform deep analysis of malware
        3. VirusTotal is a very useful tool for an analyst when investigating whether a suspected file is malicious or of no concern to the investigation
        4. Geolocation services: map IP addresses to country and latitude / longitude;
          1. such as VirusTotal, ...
      2. Threat Investigation Example: China Chopper Remote Access Trojan
        1. China Chopper RAT is a back door for remotely accessing a compromised web server;
          1. two components: client interface (caidao.exe) and the web shell file on server;
          2.  goal of stealing sensitive data by gaining access;
          3. web-shell files are placed on a compromised web server, and the attacker uses a custom web-shell client to perform additional exploit objectives;
          4.  Difficulties:
            1. the web shell application portion of the RAT is extremely basic and small, under 4KB, which leaves only the attacker's caidao.exe client communications;
            2. if the web shell is deployed on a web server using TLS or SSL, the client traffic is encrypted and cannot be inspected without decryption;
          5. Investigation steps:
            1. Alert > Detect > Confirm > Remediate > Resolve;
              1. query the source and destination IP addresses with tools such as ELSA, Sguil, and Bro;
              2. analyze the HTTP traffic between the caidao.exe client and the web shell;
          6. Once compromised hosts are discovered, it is better to re-image the OS than to attempt to clean them;
      3. Lab: Investigate Advanced Persistent Threats
      4. Challenge
    10. Describing the SOC Playbook
      1. Security Analytics: close the time gap between network compromise and threat detection
        1. purpose of security analytics is to :
          1. detect attacks as fast as possible,
          2. stop an attack, and
          3. provide detailed information to reconstruct an attack
        2. by collecting, correlating, and analyzing a wide range of event data
        3. Playbook: prescriptive collection of repeatable plays (reports and methods) to detect and respond to security incident
        4. Mitigation: few short-term ways to stop the threat
          1. DNS sinkhole which blocks suspicious DNS queries by domain names;
          2. BGP black-holing, which quickly blocks IP addresses across the enterprise in seconds;
          3. Device quarantine using an IAM security device
          4. Using firewall rules to block the attack
        5. Remediate: Medium- and long-term fixes
          1. Requires partnerships with IT and network teams
          2. requires the security architecture to be reviewed and may require some system modifications
      2. Playbook Definition (my thought: AI enabled in extension?)
        1. complex queries or code to find “bad stuff”; self-contained, fully documented, prescriptive procedures for finding and responding to undesired activity;
        2. is living document that brings a dramatic increase in fidelity and new detection ideas, which leads to better detection
        3. Event play in the playbook
          1. Report ID: Identifies the particular play, and provides a high-level description of the play
          2. Objective
          3. Data query: the machine-readable query that implements the objective
          4. Action
          5. Analysis: Provides the bulk of the documentation of the play, and how to interpret and act on the results of the query
          6. Reference: Allows for the documentations of any additional useful information
      3. What is in a Play?
        1. Report Identification
          1. Report Unique ID = eg. 100003
            1. leading digit of the unique ID may be used to indicate the data source;
          2. Report Type = eg. HF / eg. INV
            1. High fidelity (HF): every event from the report can be processed automatically because the query cannot be triggered by normal or benign activity;
              1. Hardcoded strings, known host names or IPs, and regular expressions that match a particular exploit are good examples of things that can be included in a high-fidelity report;
            2. Investigative (INV): an event from the report may detail a host infection or describe a policy violation, but it can also trigger on normal activity (which may require tuning) and requires additional queries by an analyst;
              1. Reports that cannot indicate with 100 percent certainty that an event is malicious are investigative, not high fidelity;
          3. Event Source = IDS
            1. The event source identifies which source, that the report queries
          4. Report Category = MALWARE
            1. MALWARE = is malicious activity or indicators of malicious activity on a system or network
          5. Description: BOT-C2
            1.  free-text description component may provide a brief summary of detection;
        2. Objective
          1. “what” and “why” of a play;
        3. Data Query
          1. implements the objective and produces the report results
          2. where the play objective changes from an English sentence to a machine-readable query
        4. Action
          1. documents the actions to take during the incident response phase
        5. Analysis
          1. documentation and training material that is needed to understand how the data query works
          2.  how to interpret and act on the results of the query
          3.  discusses the fidelity of the query, what the expected true positive results look like, the likely sources of false positives, and how to prioritize the analysis
          4. help security analysts who are running the play to act on the data
        6. Reference
          1. can be managed using a tracking system such as Bugzilla (bug and ticket tracking system) – track changes and document the motivation for those changes;
          2. Comments allow for discussion
          3.  additional management options like retiring reports and reopening reports
      4. Playbook Management System:
        1. Create a custom field.
        2. Track the play progress and life cycle.
        3. Provide basic notification (such as email and RSS).
        4. Run queuing and assignment functions.
        5. Automate reports and metrics.
        6. Document and log changes.
        7. New and relevant plays must be developed continually and managed using a play management system
      5. Lab: Explore SOC Playbooks
      6. Challenge
    11. Understanding the SOC metrics
      1. Security Data Aggregation
        1. SIEM: provide real-time reporting and analysis of security events;
          1. collects, sorts, processes, prioritizes, stores, and reports the alarms;
          2.  creates a “single pane of glass” to monitor the enterprise
          3. goal: to reduce the time that is needed to detect, and to contain the threats;
          4. eg. host-based security controls report malicious activity to the SIEM; analysts can then correlate incidents from many hosts back to a single source;
          5. the historical perspective enables the security analysts to establish a baseline; retention factors are:
            1. total size of log data and the time range to keep;
        2. Main SIEM functions
          1. Log collection of event records from sources
          2. Log normalization to map log messages to a common Schema data model
          3. Events and logs correlation to speed the detection
          4. Reporting tools to address regulation compliance reporting requirements
          5. commercial SIEMs (eg. Splunk) and open-source alternatives (eg. the ELK stack, OSSIM) both exist;
      2. Time to Detection (TTD) ( or dwell time)
        1. Stages: Malicious Event > Detected > Contained > Mitigated
        2. Duration from “Malicious Event” to “Detected”
        3. Metrics for performance / effectiveness of SOC
          1. time to detection, time to containment, and the time to mitigation;
          2. industry figures at the time of the course put typical TTD (dwell time) at 100-200 days;
        4. Reduce TTD by
          1. improving and maturing SOC processes, people, and technologies;
          2. effective security controls that work across the attack continuum
      3. Security Controls Detection Effectiveness
        1. False negative:
          1. high priority: no action taken although malicious activity occurred;
        2. False positive:
          1. action taken although no malicious activity occurred;
          2. significantly drains the SOC resources
        3. True negative: no action taken, and no malicious activity;
        4. True positive: action taken on actual malicious activity;
      4. SOC Metrics
        1. An effective threat-centric SOC consists of deep expertise with cutting-edge technology, leading security intelligence data, and advanced analytics to detect and investigate threats with great speed and accuracy;
          1. Speed: Faster detection and targeted mitigation
          2. Focus: Higher fidelity reduces false positives and ensures proper containment and actionable recommendations for remediation;
          3. Accuracy: Continuous monitoring and investigation plus full packet capture illuminate security blind spots;
        2. Reasons for metrics:
          1. To understand and identify the cybersecurity risk
          2. To measure the SOC effectiveness
          3. To optimize resource and investment allocation
        3. Typical metrics
          1. The mean TTD of the incident after its occurrence
          2. The mean time to contain the incident after its detection
          3. The mean time to mitigate the incident after its containment
          4. The number of incidents being detected, contained, and mitigated
          5. The percentage of the discovered incidents found using the plays in the SOC playbook
          6. The number of new plays added to the SOC playbook
          7. The number of zero-day attack detections
          8. The false positive or true positive detection rate
          9. The operational cost of running the SOC
        4. SOC that is advancing and maturing
      5. Challenge
        1. “focuses precisely on a particular aspect”: specific
        2. “easily identifiable”: measurable
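The TTD stages and the metrics listed above, computed over a few constructed incident records and analyst alert dispositions. This is an added example, not course material; the Incident and AlertDisposition record layouts and all timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Iterable, Optional


@dataclass
class Incident:
    """One incident moving through the stages Malicious Event > Detected > Contained > Mitigated.
    A stage not yet reached stays None (assumed record layout, constructed for this example)."""
    incident_id: str
    occurred: datetime
    detected: Optional[datetime] = None
    contained: Optional[datetime] = None
    mitigated: Optional[datetime] = None
    found_by_play: bool = False  # discovered by a play in the SOC playbook


@dataclass
class AlertDisposition:
    """Analyst verdict on one alert: did the SOC act, and was the activity really malicious?"""
    acted: bool
    malicious: bool


def _mean_hours(pairs: Iterable[tuple]) -> Optional[float]:
    """Mean gap in hours over (start, end) pairs, skipping stages not yet reached."""
    gaps = [(end - start) / timedelta(hours=1) for start, end in pairs if start and end]
    return round(mean(gaps), 2) if gaps else None


def soc_metrics(incidents: list) -> dict:
    """Mean TTD, time to contain, time to mitigate, stage counts and playbook coverage."""
    detected = [i for i in incidents if i.detected]
    contained = [i for i in incidents if i.contained]
    mitigated = [i for i in incidents if i.mitigated]
    by_play = sum(1 for i in detected if i.found_by_play)
    return {
        # dwell time: Malicious Event -> Detected
        "mean_ttd_hours": _mean_hours((i.occurred, i.detected) for i in detected),
        # Detected -> Contained
        "mean_ttc_hours": _mean_hours((i.detected, i.contained) for i in contained),
        # Contained -> Mitigated
        "mean_ttm_hours": _mean_hours((i.contained, i.mitigated) for i in mitigated),
        "detected": len(detected),
        "contained": len(contained),
        "mitigated": len(mitigated),
        "pct_found_by_play": round(100.0 * by_play / len(detected), 1) if detected else 0.0,
    }


def detection_effectiveness(dispositions: list) -> dict:
    """Confusion matrix of security-control decisions plus the TP and FP rates."""
    tp = sum(1 for d in dispositions if d.acted and d.malicious)
    fp = sum(1 for d in dispositions if d.acted and not d.malicious)
    tn = sum(1 for d in dispositions if not d.acted and not d.malicious)
    fn = sum(1 for d in dispositions if not d.acted and d.malicious)  # the high-priority case
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "true_positive_rate": round(tp / (tp + fn), 3) if tp + fn else None,
        "false_positive_rate": round(fp / (fp + tn), 3) if fp + tn else None,
    }


# Constructed sample data (not real incidents).
T0 = datetime(2017, 6, 1, 8, 0)
SAMPLE_INCIDENTS = [
    Incident("INC-1", T0, T0 + timedelta(hours=6), T0 + timedelta(hours=8), T0 + timedelta(hours=20), True),
    Incident("INC-2", T0, T0 + timedelta(days=10), T0 + timedelta(days=10, hours=4), None, False),
    Incident("INC-3", T0),  # still undetected: contributes nothing until it is found
    Incident("INC-4", T0, T0 + timedelta(hours=12), T0 + timedelta(hours=12), T0 + timedelta(hours=36), True),
]
SAMPLE_ALERTS = (
    [AlertDisposition(True, True)] * 3      # true positives
    + [AlertDisposition(True, False)] * 2   # false positives, draining analyst time
    + [AlertDisposition(False, False)] * 4  # true negatives
    + [AlertDisposition(False, True)] * 1   # false negative: missed malicious activity
)

if __name__ == "__main__":
    print(soc_metrics(SAMPLE_INCIDENTS))
    print(detection_effectiveness(SAMPLE_ALERTS))
```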
    12. Understanding the SOC WMS and automation
      1. SOC WMS Concepts
        1. syslog server makes it easier for the analyst to manipulate and review logs from numerous devices, but still difficult to correlate events with different formats; thus, SIEM emerges;
        2. WMS (Workflow Management System)
          1. software that tags and identifies an existing security event, tracks the event, and tracks the actions that are taken in dealing with those events, from detection to response to mitigation to ticketing closure;
          2. automates the remediation of a malicious action
          3. performs containment and eradication, but does not identify incidents, collect evidence, or help with approvals;
            1. such as Swimlane dubs
          4. SOAR (security operations, analysis, and reporting) can be used
          5. Information flow: SIEM and Ticketing System > Security WMS > Security Devices;
          6. Workflow Types
            1. Sequential: flow chart-based with one-to-one stage; does not step backward;
            2. State machine: progresses from state to state; can return to a previous point;
            3. Rules-driven: based on a sequential workflow. The rules dictate the progress of the workflow;
          7. Repeatable Tasks that WMS can automate
            1. Audit log collection and enrichment
            2. Look up user information
            3. Look up device information (IP, hostname)
            4. Notifications and alerts
            5. Threat intelligence
            6. Ticket management
            7. Callouts and escalations
      2. Incident Response Workflow
        1. ensure that all incident severity levels have a defined response process;
        2. severity of that incident may change during handling
        3. consistent and timely reporting during incident response;
        4. Roles in Incident Response flow:
          1. Tier 1 analyst: Continuously monitors the alert queue; triages security alerts; monitors health of security sensors and endpoints; collects data and context necessary to initiate Tier 2 work;
          2. Incident response handler: Manages the incident; executes containment strategies and ensures that the incident response process is followed throughout; at times, may also communicate with the business to provide periodic updates
      3. SOC WMS Integration
        1. specifically in regard to autonomous remediation;
        2. receive security events and alerts information from the SIEM and then push information or commands to security devices;
        3. WMS Integration with SIEM
        4. WMS Integration Approaches
          1. RESTful API (Representational State Transfer)
            1. uses HTTP requests to get, put, post, and delete data;
            2. WMS may leverage RESTful API to update a corporate enterprise ticket management system
          2. Command line API
            1. run directly from the command line
            2. to query a SIEM tool within the SOC in order to check on the status of a particular use case
          3. TAXII
            1. standardizes the automated exchange of cyber threat information.
      4. SOC Workflow Automation Example
        1. Goals of automating SOC processes and workflow
          1. Reduce the time to detection, containment, and remediation
          2. Reduce human errors
        2. WMS Products
          1. CyberSponse
          2. Resilient Systems
          3. Proofpoint Threat Response
          4. Swimlane
      5. Challenge
    13. Describing the Incident Response Plan
      1. Incident Response Planning
      2. Incident Response Life Cycle
        1. Typical phases
          1. Preparation (Education / documentation / R&R)
          2. Identification (monitoring)
          3. Analysis: prioritize subsequent activities
          4. Containment
            1. hardest and most important decision
          5. Eradication and Recovery
          6. Lessons Learned
            1. FMEA (failure mode and effects analysis): spreadsheet, to help practitioners anticipate what might go wrong with a product or process
          7. Reporting
      3. Incident Response Policy Elements
        1. Mission, strategies, and goals
        2. Incident response approach
        3. Buy-in from senior management
        4. Communication
        5. Metrics
        6. Review
        7. Organization missions
          1. Result -> lower dwell time
      4. Incident Attack Categories
        1. Incident classifications are typically based on incident severity
        2. Common attack vectors
          1. removable media
          2. Attrition: employs brute-force methods to compromise, degrade, or destroy systems, eg. DDoS
          3. Impersonation: replacement of something benign with something malicious—for example, spoofing, MITM attacks, rogue wireless APs, and SQL injection attacks
      5. Reference: US-CERT Incident Categories
        1. common set of terms and relationships schema that is defined by the US-CERT
        2. seven incident categories (CAT 0 to CAT 6)
          1. CAT 0 – Exercise/Network Defense Testing
            1. approved activity testing of internal and external network defenses or responses;
          2. CAT 1 – Unauthorized Access
            1. individual will gain logical or physical access without permission;
          3. CAT 2 – Denial of Service (DoS)
            1. successfully prevents or impairs the normal authorized functionality;
          4. CAT 3 – Malicious Code
            1. Successful installation of malicious software
          5. CAT 4 – Improper Usage
            1. violation of acceptable computing use policies
          6. CAT 5 – Scans/Probes/Attempted Access
            1. seeks to access or identify an exploit
          7. CAT 6 – Investigation
            1. Unconfirmed incidents that are potentially malicious
      6. Regulatory Compliance Incident Response Requirements
        1. PCI DSS (Payment Card Industry – Data Security Standard)
          1. to protect cardholder data wherever it is processed, stored, or transmitted
      7. Challenge
    14. Appendix A – Describing the Computer Security Incident Response Team
      1. CSIRT Categories
        1. help ensure company, system, and data preservation by performing comprehensive investigations
        2. Investigate
        3. Mitigate
        4. Prevent
        5. Types
          1. Internal CSIRTs
          2. National CSIRTs
          3. Coordination centers: handling of incidents across various CSIRTs
          4. Analysis centers: synthesizing data from various sources to determine trends and patterns in incident activity
          5. Vendor teams: handle reports of vulnerabilities in their software or hardware products
          6. Incident response providers: offer incident response as a for-fee service
      2. CSIRT Framework (MCSR)
        1. Mission (what it sets out to do):
          1. eg. Responsible for global 24-hour monitoring, investigation, and response to cybersecurity incidents;
          2. eg. Engage in proactive threat assessment, mitigation planning, incident detection and response, incident trending with analysis, and the development of security architecture
        2. Constituency (serving whom)
          1. serving targets and relationships
        3. Place in organization (what its roots look like)
          1. structure
        4. Relationship to others (who its peers are)
        5. Reference: Handbook for Computer Security Incident Response Teams (CSIRTs), Carnegie Mellon Software Engineering Institute
      3. CSIRT Incident Handling Services
        1. Reactive services:
          1. triggered by an event or request
          2. core component of CSIRT work, eg. incident handling service
        2. Proactive service:
          1. provide assistance and information to help prepare, protect, and secure constituent systems in anticipation of attacks and problems;
          2. reduce the number of incidents in the future;
          3. eg. security audits or assessments service
        3. Definition of CSIRTs services:
        4. Incident handling service
          1. triage: single point of contact and the focal point for accepting, collecting, sorting, ordering, and passing on incoming information for the service
          2. handling: provides support and guidance that is related to suspected or confirmed computer security incidents, threats, and attacks
          3. announcement: tailored for the constituency in various formats to disclose details
          4. feedback: an interface for media requests
      4. Challenge
    15. Appendix B – Understanding the use of VERIS (Vocabulary for Event Recordings and Incident Sharing)
      1. VERIS Overview
        1. open format that helps organizations to collect incident-related information and to share the information anonymously and responsibly
        2. VERIS metrics as baselines for comparison
        3. 4 A’s: Actions, Actors, Assets, Attributes
      2. VERIS Incidents Structure
        1. documented using the VERIS schema
        2. structured in five main sections, giving a better idea of the cause and severity
          1. Incident Tracking:
            1. general information about the incident
          2. Victim Demographics
            1. describes (but does not identify) the organization that is affected by the incident
            2. compares different types of organizations or departments within a single organization
          3. Incident Description
            1. translates the incident narrative of “who did what to what (or whom) with what result” into a form that is more suitable for trending and analysis
          4. Discovery and Response
            1. focuses on the timeline of the events, how the incident was discovered, and lessons learned during the response and remediation process
          5. Impact Assessment
            1. leverages three perspectives of the impact in order to provide an understanding and measure of consequence that is associated with the incident
              1. the varieties of losses that are experienced
              2. estimate their magnitude
              3. capture a qualitative assessment of the overall effect on the organization
      3. VERIS 4 A’s
        1. the minimum information that is required to adequately describe any incident or threat scenario
        2. Actors (Agents)
          1. External actors
          2. Internal actors
          3. Partner actors: third party sharing a business relationship with the organization
        3. Actions
          1. actions describe what the threat actor did to cause or contribute to the incident
          2. every incident has at least one action
          3. Categories
            1. Malware
              1. Malware variety
              2. Malware vector
              3. Malware vulnerabilities
              4. Malware common name
            2. Hacking: all attempts to intentionally access or harm information assets without (or exceeding) authorization
              1. Hacking variety: Brute force / buffer overflow / MITM / SQL injection / DoS / path traversal
              2. Hacking vector: Command shell / VPN / Backdoor
            3. Social
              1. social tactics: phishing / scam
              2. social vector: email / IM / social media / website
            4. Misuse: use of entrusted organizational resources or privileges for any purpose contrary to what was intended
              1. Privilege abuse
              2. Data mishandling
              3. Email misuse
              4. Network misuse
              5. Illicit content
              6. Unapproved hardware
              7. Unapproved software
            5. Physical
            6. Error
            7. Environmental
        4. Assets: information assets that were compromised during the incident
          1. Network hardware
          2. Server
          3. User device
          4. Others
        5. Attributes
          1. security attributes of the identified assets that were compromised during the incident.
          2. confidentiality/possession, integrity/authenticity, and availability/utility, which is an extension of the “C-I-A triad.”
      4. VERIS Records
        1. VERIS record framework can be as simple or as complicated as you need it to be;
        2. records: documents the incidents in a standard way
        3. the ability of security analysts and investigators to ascertain the data needed to populate the various fields in the VERIS records
      5. VERIS Community Database (VCDB) (
        1. catalog security incidents in the public domain using the VERIS framework
        2. promote data-driven decision making and evidence-based risk management in the information security community by creating a public repository of breach data in an open format
        3. GitHub repository
        4. Refer:
      6. Verizon Data Breach Investigations Report and Cisco Annual Security Report
      7. Challenge
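A record in the five-section structure and with the 4 A's described above, checked by a small validator and used to compute dwell time from its discovery timeline. This is an added example, not part of the notes or of the VERIS project; the field names are a simplification taken from the outline above, not the keys of the official VERIS JSON schema, and both records are constructed.

```python
import json
from datetime import datetime

# Simplified field names following the five sections and the 4 A's of the notes above.
# These are assumptions for this example, not the keys of the official VERIS JSON schema.
REQUIRED_SECTIONS = (
    "incident_tracking", "victim_demographics", "incident_description",
    "discovery_response", "impact_assessment",
)
ACTOR_TYPES = {"external", "internal", "partner"}
ACTION_CATEGORIES = {"malware", "hacking", "social", "misuse", "physical", "error", "environmental"}
# confidentiality/possession, integrity/authenticity, availability/utility: the extended C-I-A triad
ATTRIBUTES = {"confidentiality", "possession", "integrity", "authenticity", "availability", "utility"}


def validate_veris_record(record: dict) -> list:
    """Return the list of problems found; an empty list means the record is well-formed."""
    problems = [f"missing section: {s}" for s in REQUIRED_SECTIONS if s not in record]
    desc = record.get("incident_description", {})
    # Actors: external, internal or partner
    actors = desc.get("actors", [])
    if not actors:
        problems.append("at least one actor is required")
    problems += [f"unknown actor type: {a.get('type')}" for a in actors if a.get("type") not in ACTOR_TYPES]
    # Actions: every incident has at least one, drawn from the seven categories
    actions = desc.get("actions", [])
    if not actions:
        problems.append("every incident has at least one action")
    problems += [f"unknown action category: {a.get('category')}"
                 for a in actions if a.get("category") not in ACTION_CATEGORIES]
    # Assets and Attributes: what was compromised and which security property was lost
    if not desc.get("assets"):
        problems.append("at least one compromised asset is required")
    attrs = set(desc.get("attributes", []))
    if not attrs:
        problems.append("at least one compromised attribute is required")
    problems += [f"unknown attribute: {a}" for a in sorted(attrs - ATTRIBUTES)]
    return problems


def dwell_time_days(record: dict) -> int:
    """Days from the first malicious action to discovery, from the Discovery and Response timeline."""
    timeline = record["discovery_response"]["timeline"]
    first = datetime.fromisoformat(timeline["first_action"])
    found = datetime.fromisoformat(timeline["discovery"])
    return (found - first).days


# Constructed sample record (fictional incident) in the simplified layout above.
SAMPLE_RECORD = json.loads("""{
  "incident_tracking": {"incident_id": "EXAMPLE-0001", "source": "constructed"},
  "victim_demographics": {"industry": "manufacturing", "employees": "100 to 1000"},
  "incident_description": {
    "actors": [{"type": "external", "motive": "financial"}],
    "actions": [
      {"category": "hacking", "variety": "SQL injection"},
      {"category": "malware", "variety": "backdoor"}
    ],
    "assets": [{"type": "server", "role": "web application"}],
    "attributes": ["confidentiality", "integrity"]
  },
  "discovery_response": {
    "method": "external notification",
    "timeline": {"first_action": "2017-05-01T09:00:00", "discovery": "2017-06-15T14:30:00"}
  },
  "impact_assessment": {
    "loss_varieties": ["response and recovery", "business disruption"],
    "magnitude": "minor",
    "overall_effect": "limited; one system rebuilt"
  }
}""")

# Second constructed record with typical mistakes: a variety used as a category, no impact section.
BAD_RECORD = {
    "incident_tracking": {"incident_id": "EXAMPLE-0002"},
    "victim_demographics": {},
    "incident_description": {
        "actors": [{"type": "contractor"}],
        "actions": [{"category": "sql injection"}],
        "assets": [],
        "attributes": ["confidentiality", "secrecy"],
    },
    "discovery_response": {"timeline": {"first_action": "2017-05-01T00:00:00",
                                        "discovery": "2017-05-01T00:00:00"}},
}

if __name__ == "__main__":
    print(validate_veris_record(SAMPLE_RECORD), dwell_time_days(SAMPLE_RECORD))
    print(validate_veris_record(BAD_RECORD))
```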
  4. Follow-ups
  5. Tools:
    1. Security Onion: Linux distribution with Log mgt, network security monitoring, IDS capabilities;
    2. Network analyst tools: Wireshark / Netwitness / OSSEC / NetFlow / Cisco Stealthwatch;
    3. Penetration testing tools: eg. Kali Linux with tools such as Metasploit Framework, Armitage, and SET (Social Engineer Toolkit)
    4. SIEM tools such as Splunk can help a SOC collect and normalize large amounts of disparate log data
    5. Capture session data by Bro
    6. ELSA can pivot directly to CapME!, which will decode the PCAP data associated with this particular TCP connection
      1. parses various event logs into a schema;
    7. threat intelligence platform called ThreatConnect
    8. Public Threat Awareness Resources:
      1. OWASP (Open Web Application Security Project).
      2. Spamhaus Project
      3. Alexa
      4. Farsight Security’s DNSDB
    9. Hackvertor is an online, community-based encoding tool by security pros.
    10. submit the hash value of a file resulting from sandbox testing;
    11. Useful blogs and feeds for security investigation:
    12. Reference: Crafting the InfoSec Playbook by Jeff Bollinger, Brandon Enright & Matthew Valites. ISBN: 978-1-491-94940-5.
    13. Karen Scarfone, Tim Grance, and Kelly Masone, Computer Security Incident Handling Guide, National Institute of Standards and Technology Special Publication SP 800-61 Revision 1, March 2008
  6. References
    1. detrimental
    2. vendor agnostic
    3. intrinsic
    4. vigilantly
    5. obfuscation
    6. disguising
    7. anomalous
  7. Exam experiences
    1. Network Intrusion Analysis
      1. HTTP and agent
    2. Incident Handling
    3. Computer Forensics
    4. retrospective security approach
    5. REGEX and search
      1. Wireshark filtering.
    6. Wireshark commands
    7. Confidentiality definition in CVSS
    8. Computer Security Incident Handling Guide: NIST Special Publication 800-61 Revision 2
SECOPS – CCSA study log (210-255)

FC7P05 -LMU MSc Project- WK1

Computing Librarian Lynn:

Module Objectives.

  1.  Principles
    1. a 5-7 year goal of honing one's craft, as researcher and doctor;
    2. Prepare for management of AI / energy technology / biotechnology
    3. Complement your weaknesses / strengths
    4. continuous writing is an integral part of the research process
    5. allow you to take control of your learning
    6. grow the wings to take you to a higher level of intellectual endeavour
  2. Hours ( / 20H)
  3. Module guidelines
    1. Topics selection from blank (subject that inspires you and drive you to work)
      1. Perform more reading (papers, Journals)
      2. Discuss with tutors and ask for suggestions
      3. Attend seminars
      4. Read previous theses
      5. Ask friends working in industry for ideas
    2. Rephrase your question as your aim and identify the three to five objectives
      1. Is the topic a “research oriented” piece of work?
      2. Domain understanding, awareness of difficulties and understanding of fundamental questions.
    3. Proposal needs to be clear and sound
      1. Contents including: Title, rationale, question, aim, objectives, methodology, expected outcome, deliverables, work program and initial references
      2. Realistic timetable with actions and outcomes
      3. Project categories
        1. research oriented
          1. problem solving, algorithm enhancement, software quality, novel approach, fundamental issues;
          2. topics: networking, software engineering, data mining, security, intelligent systems, database, wireless technology, information system, business information system, grid computing, teaching and learning, image processing;
        2. critical review
    4. Works
      1. Original investigation
    5. Research elements
      1. problem solving, algorithm enhancement, software quality, novel approach, fundamental issues
      2. Topics: networking, software engineering, data mining, security, intelligent systems, database, wireless technology, information system, business information system, grid computing, teaching and learning, image processing…
    6. Supervision
      1. agree the frequency and format of meetings and having done
      2. preparing and making themselves available for meeting to find that the student fails to turn up without notice or explanation
      3. inform him/her of your progress by agreed frequency and channel, ask for advice, ask if your progress is satisfactory and discuss your future action plans
      4. Accept criticism gracefully, it is for your own good and you will produce a better dissertation for it
      5. get higher marks if you follow your supervisor’s guidance
      6. be well-prepared for the meeting and so keep it productive, focused and, if possible, short
      7. welcome to attend the departmental weekly seminars as they might be very helpful
    7. Librarian support
      1. the computing librarian Lynn Crothall:
    8. Talk to different members of staff and ask for papers, Journals and articles
    9. Common Past Problems
      1. do not know how to write a proposal
      2. start the project late
      3. do not consult their supervisors
      4. are unable to find other directions when they get stuck
      5. find a lack of resources and unavailability of software
      6. do not engage with the project
      7. do not conduct a thorough review of the literature
      8. demonstrate little evidence of awareness of other work
      9. do not research the topic fully
      10. have problems writing a thesis (organisation, structure, coherence, style, evaluation of own work, references…)
      11. do not report their work fully
  4. Project Plan and deliverables
    1. Time tables and outcomes
    2. Meeting frequency with advisor
    3. timetable might be in the form of a bar chart or a series of timed milestones
    4. starts from reading the literature review and finishes with submitting the dissertation
  5. Topic selection
    1. Children online studying with Moodle platform in MJ education
      1. with paypal
    2. Wiki as Knowledge management in manufacturing – case study
    3. Mobile app for MJ learning assisting STEM lessons
    4. WeChat programming with enterprise mgt, MJG CRM and project mgt
    5. Mobile visual inspection
    6. Mobile broadcasting with API and payment
    7. Raspberry PI with RFID tag system in CY manufacturing
    8. Raspberry PI with video advertising system (check everbest / ezone)
    9. Knowledge management with Wikipedia and AI in CY manufacturing
    10. AR with education
    11. enterprise cybersecurity app
    12. Enterprise System / Mobile in manufacturing / Barcode in Mobile
    13. Preparation:
      1. Mobile / Programming and data manipulation / Reporting
    14. Process systematization and knowledge systems
    15. Mobile oa
    16. wechat app to solve a problem?
    17. AI preparation
    18. Enterprise system implementation – Children care / Manufacturing
  6. Others
    1. Differences of dissertation and thesis
      1. UK: dissertation is the project report in final year of postgraduate study, while thesis is describing work for research-degree / doctoral degree;
      2. Canada / USA: dissertation for doctoral degree while, thesis for master degree;
    2. Mobile / ERP
      1. Tasks
        1. Assist operations in CY
        2. Assist operations in edu
      2. Applications
      3. Education
      4. Workplace
      5. Manufacturing
  7. Project Proposal
  8.  References:
    1. Writing up research: a statistics perspective.
    2. Microsoft Azure cognitive services.
    3. Topics of Dissertation
    4. Planning and conducting a dissertation research project (University of Leicester)
    5. Writing a dissertation (University of Leicester)
    6. A Guide to Writing your Masters Dissertation
    7. Succeeding with Your Master’s Dissertation – A step-by-step Handbook
    8. Dissertation guidelines by LSE.
      1. Dissertation guide
      2. Guide to Writing MSc Dissertation (PDF)
    9. Dissertation timetable by University of Sussex.
  9. Wordings
    1. In other words…


Change needs sense of urgency

  1. 職+專+學+正+系
  2. WSUS + java
  3. AD audit report and policies
  4. AD RFS
  5. Performance reporting
  6. Production change orders: drawings and versions viewed in the system
  7. Part number change tracking
  8. Electronic order approval
  9. OA – sample orders
  10. CACTI SNMP server
  11. SQL backup and restore
  12. Wechat programming
  13. tax expense profile
  14. Economist
  15. Scrap rates and quantity
  16. Stock level
  17. BI at sharepoint and Tablet / mobile
  18. 8S correction with scrap alerts
    1. Launch date: 10Oct2016
    2. Status: Not yet
  19. Quality level
  20. Offsite backup with documentation
  21. Windows perfmon automation / syslog / SNMP
  22. IT system applications in Manufacturing and various industries
    1. Logic / flow
    2. Requirements
    3. Critical success factors
  23. Wikis:
    1. Documents library with version control,
    2. co-authoring with approval,
    3. knowledge searching

MSc resources

A. BSc 1st Class means nothing (too many out there…); what matters is what you learned and how you sustain it to break through!

B. MBA for business; Specialist in MSc but not of MSc IT…

Roadmap (v. 20170625)

BSc 1st -> MSc of LMU -> UST / Edinburgh -> PgD Acc / digital marketing -> MBA -> Research Degree & PhD

  1. Alumni
    1. myAluminHub in Middlesex University:
      1. Research Resources
  2. Academic writing:
    1. MDX resources:
    2. Using-academic-language:
    3. Academic vocabulary:
  3. Time management
  4. Research methods for Business Student – 5/e:
  5. Basic Business Statistics – 12e:
    1. Statistics e-resources:
  6. Harvard referencing
  7. Academic reference letter:
  8. Further MSc study:
    1. MSc Big Data Technology, HKUST:
    2. (NCC L7DSBIT) University of Gloucestershire (89th):
    3. (NCC L7DSBIT) London Metropolitan University (120th):
    4. University of Edinburgh (19th):
      1. MSc Data Science, Technology and Innovation (Medical Informatics).
      2. MSc in Digital Education
    5. University of Leeds, MA Technology, Education and Learning (14th):
    6. University of Glasgow, MSc Data Analytics (Distance Learning) (27th):
    7. University of Leicester, MSc Computer Science, SoftEng, WebTech (32nd):
    8. University of Aberdeen, MSc PM, MSc IT & MBA Digital Marketing (42nd): 
    9. Royal Holloway University of London (37th):
    10. Edinburgh Napier University (92nd):
    11. Advanced Manufacturing system by Brunel University London (52nd):
    12. DeMontfort University (82nd):
      1. MSc Data Analytics.
      2. MSc Intelligent Systems and Robotics (Distance Learning).
      3. MSc Intelligent Systems (Distance Learning).
      4. Business Intelligence Systems and Data Mining.
    13. Northumbria University, Information Science – Data Analytics(59th):
    14. Distance Learning postgraduate program, Lancaster University.
    15. MSc PM, Liverpool John Moores University (74th):
    16. University of Hertfordshire (79th):
      2. MSc E-learning technology (online),
      3. Online MSc courses:
    17. MSc PM, Salford University (95th, 4 intakes/yr):
    18. MSc PM, Birmingham City University (95th, but cheap):
    19. MSc IT, University of Derby (91st):
    20. MSc Data Science, University of Sunderland (103rd).
    21. MSc Mobile Appl Development, Staffordshire University (105th).
    22. MSc Data Analytics, Deakin University in Australia.
  9. Further MBA study:
    1. UST:
    2. Imperial College London.
    3. Durham University (6th):
    4. MBA with Data Analytics, Nottingham Trent University (63rd):
    5. University of Warwick (8th):
    6. Middlesex University (78th):
    7. Leicester University (32nd):
    8. Heriot-Watt University (34th):
    9. University of Derby (91st):
    10. Most affordable:
      1. Anglia Ruskin University (110th):
      2. Leeds Beckett University (103rd):
    11. Strategic Planning / Strategic Sustainable Business
  10. Further other studies:
    1. Leicester University:
    2. Digital Brand Marketing by GLASGOW CALEDONIAN UNIVERSITY (79th): 
  11. Further Acc Study (exempt basic knowledge application / future route?):
    1. HKICPA non-Acc routes: 
    2. HKU SPACE (fast / low price):
    3. PolyU (Most expensive / best):
    4. CUHK (High entry requirements with QR registers/ best):
    5. Lingnan (Deposit / Sat only, not available at 2017/18):
  12. Distance Learning materials:
    1. Leicester University:
    2. The University of Strathclyde:
      1. MSc Operational Research (Distance learning).
      2. Business Analysis & Consulting (Distance Learning). 
    3. University of Hertfordshire:
      1. MSc Operations and Supply Chain Management (Online).
      2. MSc Manufacturing Management (Online).
    4. Robert Gordon University:
  13. Research Degrees (distance learning)
    1. LMU, Research Degree – MPhil / PhD.
  14. NCC references:
    1. NCC contact:
    2. Middlesex sent official transcript to Education institute: 
  15. Others
    1. Manufacturing:
      1. MSc Manufacturing Systems Engineering and Management (MSEM).
      2. MSc Advanced Manufacturing System.
    2. MSc Gerontology.
    3. MSc Child and Youth Care.
    4. Postgraduate Search.
    5. MSc Professional Accounting with ACCA
  16. USA online Masters
    1. Masters in Predictive Analytics Online, NORTHWESTERN UNIVERSITY.
    2. Master of Science in Applied Business Analytics Degree, Boston University.

Tableau BI study log

  1. Objectives
    1. Establish formal procedures
    2. Establish advanced wiki for development
      1. OA + ERP db calculation
    3. Wide Access control by SharePoint
  2. Contents
    1. Getting Started
    2. Tableau Prep
    3. Connecting to Data
    4. Visual Analytics
    5. Dashboard and stories
    6. Mappings
    7. Calculations
    8. Why is Tableau doing that?
    9. How to?
    10. Publish to Tableau Online
  3. Resources
    1. Tableau Data Visualisation Cookbook:
      1. DataSets:
    2. Tableau Getting start:
    3. Learning:
      1. Videos:
      2. Learning path to Tableau expert:
      3. Tableau tutorials:
      4. Tableau: How Fast You Can Learn It?
      5. Tableau user Doc by edu:
    4. Scenario with 8 steps and library:
    5. SQL by
    6. Differences between blend and joints, Blending data.
  4. Terms
    1. Tableau Server
    2. Tableau Desktop 8.2:
    3. Project
    4. Workbook
    5. KPI / metrics
    7. Dashboard
    8. Story
  5. BI literature review
  6. Study log
  7. Dashboard research
    1. Actions in Dashboard:
    2. 7 Business Dashboards –
    3. Let the data speak: what are the seven visualization applications of R?
    4. Tableau and SharePoint Integration:
    5. PMC Report samples by Tableau:
    6. Monitor production quality with a single manufacturing dashboard:
    7. Add Reference Line:
      1. Dynamic reference line:
    8. Creating Error Bars:
    9. Creating Bars in Bar chart in Tableau: 

ACCT6002 – Book- Cost Accounting: A Managerial Emphasis (163)

  1. Objectives
    1. Read, practices, Log & Learn
  2. Contents – brief
    1. The Manager and Management Accounting
    2. An Introduction to Cost Terms and Purposes
    3. Cost-Volume-Profit Analysis
    4. Job Costing
    5. Activity-based Costing and Activity-Based Management
    6. Master Budget and Responsibility Accounting
    7. Flexible Budgets, Direct-Cost Variances, and Management Control
    8. Flexible Budgets, Overhead Cost Variances, and Management Control
    9. Inventory Costing and Capacity Analysis
    10. Determining How Costs Behave
    11. Decision Making and Relevant Information
    12. Strategy, Balanced Scorecard, and Strategic Profitability Analysis
    13. Pricing Decisions and Cost Management
    14. Cost Allocation, Customer-Profitability Analysis, and Sales-Variance Analysis
    15. Allocation of Support-Department Costs, Common Costs, and Revenues
    16. Cost Allocation: Joint Products and Byproducts
    17. Process Costing
    18. Spoilage, Rework, and Scrap
    19. Balanced Scorecard: Quality and Time
    20. Inventory Management, Just-in-Time, and Simplified Costing Methods
    21. Capital Budgeting and Costing Analysis
    22. Management Control Systems, Transfer Pricing, and Multinational Considerations
    23. Performance Measurement, Compensation, and Multinational Considerations
  3. Contents – Detailed
    1. The Manager and Management Accounting – L1
      1. Learning objectives
        1. Distinguish financial accounting from management accounting;
        2. Understand how management accountants help firms make strategic decisions;
        3. Describe the set of business functions in the value chain and identify the dimensions of performance that customers are expecting of companies;
        4. Explain the five-step decision-making process and its role in management accounting
        5. Describe three guidelines management accountants follow in supporting managers
        6. Understand how management accounting fits into an organization’s structure
        7. Understand what professional ethics mean to management accountants
      2. Chapter contents
      3. Follow-ups
    2. An Introduction to Cost Terms and Purposes – L1
      1. Chapter Objectives
        1. Define and illustrate a cost object
        2. Distinguish between direct costs and indirect costs
        3. Explain variable costs and fixed costs
        4. Interpret unit costs cautiously
        5. Distinguish inventoriable costs from period costs
        6. Explain why product costs are computed in different ways for different purposes
        7. Describe a framework for cost accounting and cost management
      2. Chapter contents
      3. Follow-ups
    3. Cost-Volume-Profit Analysis – L4
      1. Chapter Objectives
        1. Explain the features of cost-volume-profit (CVP) analysis
        2. Determine the breakeven point and output needed to achieve a target operating income
        3. Understand how income taxes affect CVP analysis
        4. Explain how managers use CVP analysis to make decisions
        5. Explain how sensitivity analysis helps managers cope with uncertainty
        6. Use CVP analysis to plan variable and fixed costs
        7. Apply CVP analysis to a company producing multiple products
        8. Apply CVP analysis in service and not-for-profit organizations
        9. Distinguish contribution margin from gross margin
      2. Chapter contents
      3. Follow-ups
    4. Job Costing – L2
      1. Chapter Objectives
        1. Describe the building-block concepts of costing systems
        2. Distinguish job costing from process costing
        3. Describe the approaches to evaluating and implementing job-costing systems
        4. Outline the seven-step approach to normal costing
        5. Track the flow of costs in a job-costing system
        6. Dispose of under- or over-allocated manufacturing overhead costs at the end of the fiscal year using alternative methods
        7. Understand variations from normal costing
      2. Chapter contents
      3. Follow-ups
    5. Activity-based Costing and Activity-Based Management – L2
      1. Chapter Objectives
        1. Explain how broad averaging undercosts and overcosts products or services
        2. Present three guidelines for refining a costing system
        3. Distinguish between simple and activity-based costing (ABC) systems
        4. Describe a four-part cost hierarchy
        5. Cost products or services using activity-based costing
        6. Evaluate the benefits and costs of implementing activity-based costing systems
        7. Explain how managers use activity-based costing systems in activity-based management
        8. Compare activity-based costing systems and department costing systems
      2. Chapter contents
      3. Follow-ups
    6. Master Budget and Responsibility Accounting – L3
      1. Chapter Objectives
        1. Describe the master budget and explain its benefits
        2. Describe the advantages of budgets
        3. Prepare the operating budget and its supporting schedules
        4. Use computer-based financial planning models for sensitivity analysis
        5. Describe responsibility centers and responsibility accounting
        6. Recognize the human aspects of budgeting
        7. Appreciate the special challenges of budgeting in multinational companies (MNCs)
      2. Chapter contents
      3. Follow-ups
    7. Flexible Budgets, Direct-Cost Variances, and Management Control – L3
      1. Chapter Objectives
        1. Understand static budgets and static-budget variances
        2. Examine the concept of a flexible budget and learn how to develop it
        3. Calculate flexible-budget variances and sales-volume variances
        4. Explain why standard costs are often used in variance analysis
        5. Compute price variances and efficiency variances for direct-cost categories
        6. Understand how managers use variances
        7. Describe benchmarking and explain its role in cost management
      2. Chapter contents
      3. Follow-ups
    8. Flexible Budgets, Overhead Cost Variances, and Management Control – L3
      1. Chapter Objectives
        1. Explain the similarities and differences in planning variable overhead costs and fixed overhead costs
        2. Develop budgeted variable overhead cost rates and budgeted fixed overhead cost rates
        3. Compute the variable overhead flexible-budget variance, the variable overhead efficiency variance, and the variable overhead spending variance
        4. Compute the fixed overhead flexible-budget variance, the fixed overhead spending variance, and the fixed overhead production-volume variance
        5. Show how the 4-variance analysis approach reconciles the actual overhead incurred with the overhead amounts allocated during the period
        6. Explain the relationship between the sales-volume variance and the production-volume variance
        7. Calculate variances in activity-based costing
        8. Examine the use of overhead variances in non-manufacturing settings
      2. Chapter contents
      3. Follow-ups
    9. Inventory Costing and Capacity Analysis
      1. Identify what distinguishes
    10. Determining How Costs Behave
    11. Decision Making and Relevant Information
    12. Strategy, Balanced Scorecard, and Strategic Profitability Analysis
    13. Pricing Decisions and Cost Management
    14. Cost Allocation, Customer-Profitability Analysis, and Sales-Variance Analysis
    15. Allocation of Support-Department Costs, Common Costs, and Revenues
    16. Cost Allocation: Joint Products and Byproducts
    17. Process Costing
    18. Spoilage, Rework, and Scrap
    19. Balanced Scorecard: Quality and Time
    20. Inventory Management, Just-in-Time, and Simplified Costing Methods
    21. Capital Budgeting and Costing Analysis
    22. Management Control Systems, Transfer Pricing, and Multinational Considerations
    23. Performance Measurement, Compensation, and Multinational Considerations
  4. References
    1. Institute of Management Accountants (IMA).