1.1 Introduction to Cybersecurity

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
2 hours 41 minutes
Difficulty
Beginner
CEU/CPE
3
Video Transcription
00:00
>> Hi, and welcome back to the second episode of
00:00
cybersecurity architecture fundamentals,
00:00
introduction to cybersecurity.
00:00
In this episode, we will go
00:00
through what is cybersecurity,
00:00
confidentiality, integrity, and availability.
00:00
We'll put in contexts where cybersecurity architecture
00:00
fits in the overall cybersecurity domains and I will
00:00
end up by illustrating why is it so difficult to get
00:00
security requirements and why
00:00
security architecture requires some experience?
00:00
Now, let's start with the course proper.
00:00
We'll begin with an introduction to cybersecurity.
00:00
If you're taking this class,
00:00
I assume you know what is cybersecurity,
00:00
but we'll just reiterate the definitions.
00:00
Well, according to the FIPS, NIST's standards,
00:00
there are three core principles and security,
00:00
which is;confidentiality, integrity, and availability.
00:00
Our jobs as cybersecurity architects are to ensure that
00:00
systems are solutions bill
00:00
would meet these three principles.
00:00
As we begin our journey in
00:00
cybersecurity architecture, this chart,
00:00
just as a reminder that
00:00
cybersecurity architecture is but
00:00
one domain of the cybersecurity area.
00:00
To be an effective architect,
00:00
you should try to learn as much as you can
00:00
about all the other domains and how they are related.
00:00
Do visit the link below to get
00:00
the full-size picture to look at it clearly.
00:00
Let me begin with an example
00:00
to illustrate separate security architecture.
00:00
You might get a request is an archetype to say,
00:00
build me a secure storage.
00:00
Well, if that's the only requirement,
00:00
I can just deliver a solid concrete block
00:00
which would be extremely secure.
00:00
Then your user might say, "Oh,
00:00
that's not very useful,
00:00
I need a secure storage where I can put things in."
00:00
All right, we'll cut a slit
00:00
and we put a lid on top so that you could retrieve it,
00:00
so this is what we deliver.
00:00
When you get back,
00:00
your user might say,
00:00
"No, that's too small.
00:00
I want a secure storage where I can put things in,
00:00
where I can walk in."
00:00
Okay, so the size was wrong.
00:00
In this case, we build a concrete building with
00:00
a doorway so the users can walk in to the building.
00:00
Now on seeing the building,
00:00
your user might say, "Well,
00:00
that's nice and well,
00:00
but I want the door to be protected.
00:00
I don't want people getting in and out."
00:00
Fine, so in this case,
00:00
we put a gate in front of the door.
00:00
After seeing the gate,
00:00
your user might say,
00:00
"Well, it's too transparent.
00:00
I don't want people to be able to see inside."
00:00
In this case, we'll put a door behind the gate.
00:00
Make sure the protection is appropriate for the threat.
00:00
Are you trying to keep out a man,
00:00
a dog, or array?
00:00
From this picture, you can see there is
00:00
a gate for a Chao used to block the dog,
00:00
but the dog could easily go through the bars.
00:00
How do all these apply to architecture?
00:00
Well, it's easy to
00:00
secure something if there's no need for interaction.
00:00
But systems are there to serve a business purpose.
00:00
It's inevitable that you
00:00
need interaction and connectivity.
00:00
Now, from the previous example,
00:00
if you see the entrance as the network interface,
00:00
the gate could be seen as a firewall and
00:00
the dog could be seen as a proxy server or a wolf.
00:00
Well, it's not just good enough to put
00:00
a firewall without knowing the threat,
00:00
as seen in the previous example.
00:00
The size of the gate grid can be
00:00
seen as your firewall rules.
00:00
Architecture should not stop
00:00
at the device or the products.
00:00
We need to consider the configurations too,
00:00
and the key to know what you do not know and
00:00
who can help you in designing a secure system.
00:00
With that in mind,
00:00
let's take some time to think about
00:00
your work environment and list out
00:00
the various ways security is managed in the organization.
00:00
What are the controls in place?
00:00
Why are they there? Who's part of it?
00:00
Who's using it and so on.
00:00
This would be useful as we go deeper into the next topic.
00:00
Thinking of the example in the exercise previously,
00:00
think about the principles used to secure the design.
00:00
Some of the common principles in
00:00
a secure design would be the right amount of security.
00:00
Contrary to public opinion,
00:00
there is such a thing as too much security.
00:00
The cost of security versus the asset you're
00:00
protecting it's very much an important decision.
00:00
The completeness of the design is also important.
00:00
It is no point having the best locks in the wall for
00:00
a door if your windows are completely open.
00:00
Think about completeness of solution.
00:00
Fail-safe. Fail-safe is a way
00:00
to make sure that even when the system crashes,
00:00
there is no way to get to the system.
00:00
The best example of
00:00
a fail-safe is the Windows blue screen of death.
00:00
When your Windows crash and you get the blue screen,
00:00
there is no way you can get to the false with it,
00:00
that is the best example of a fail-safe system.
00:00
Layered defense is another very important principles.
00:00
We should be defending
00:00
a system through multi-layers of access.
00:00
For example, you have
00:00
a firewall that blocks the network traffic.
00:00
You might have another IPS or reverse
00:00
proxy or a wolf on top of that.
00:00
Furthermore, you can have host IPS
00:00
on your systems and for example,
00:00
if it's a database, you can have another layer
00:00
of database activity monitoring systems.
00:00
Having these multiple layers help prevent
00:00
a breach with a failure of one of the layers of defense.
00:00
Acceptability is
00:00
another very important principle of secure design.
00:00
If the cost of security makes it so hard to use,
00:00
your users will find ways to circumvent the defenses.
00:00
For example, if you need a 20-character password,
00:00
people will start writing it on
00:00
Post-it and put it on the screens,
00:00
that would make the defense useless.
00:00
Separation of duties is another very important concept.
00:00
We should have separation of maker and checkers
00:00
in all the configurations of all the important defenses.
00:00
Over time in history,
00:00
there were many approaches to security.
00:00
One of the oldest was security through obscurity.
00:00
When the belief that if no one knows what you're using,
00:00
they wouldn't be able to hack it.
00:00
Now, that has been proven wrong in many cases.
00:00
Sometimes people use security through obsolescence,
00:00
using very old antiquated products, and hopefully,
00:00
no one knows what to do with it,
00:00
and then that security through minority using
00:00
the least common products in the hope
00:00
that there is very little skills in industry for that.
00:00
Security through diversity is
00:00
the belief in using as many systems as
00:00
possible in the belief that
00:00
a single person may not know so many systems.
00:00
Now, all these methods have been proven ineffective.
00:00
What we're advocating is security by design.
00:00
That is, considering security
00:00
in every step of the process,
00:00
from requirements to design,
00:00
to build, to deployment.
00:00
We'll go through some of these in the rest of the class.
00:00
I will end this module by just
00:00
reiterating why it's difficult
00:00
to be a security architect.
00:00
Mainly because security requirements are really hard.
00:00
In the paper Software
00:00
Security Assurance State-of-Art report,
00:00
the reference can be found below.
00:00
The authors list out the main six reasons why this is so.
00:00
The first of which is people involved are
00:00
not likely to know or
00:00
care about non-functional requirements.
00:00
Most stakeholders just want to tell you what the system
00:00
should do and not what it should not do.
00:00
There is still the perception that
00:00
security limits
00:00
functionality or interferes with visibility.
00:00
I won't go into all the details and you
00:00
can read the paper to find the specifics.
00:00
But that said, it is very
00:00
important for security architect to be able to
00:00
articulate some of the reasons or
00:00
identify some of the places where controls are needed.
00:00
This is where we would focus on in the next module,
00:00
which is trade hunting.
00:00
After this module, please identify
00:00
some common principles for secure design
00:00
that you can think of and,
00:00
can you name some approaches
00:00
to security it was mentioned.
00:00
Think about these as you proceed to the next module.
00:00
Now just to recap.
00:00
In this module, we learned what is cybersecurity,
00:00
confidentiality, integrity, and availability.
00:00
We went briefly through the domains of cybersecurity.
00:00
Please remember to download
00:00
the picture to get a clearer view.
00:00
I went through what is security architecture,
00:00
why it's important,
00:00
and lastly, why it is not easy.
00:00
Here are some additional resource
00:00
you can get your hands on.
00:00
Unfortunately, the software
00:00
security assurance state-of-the-art report,
00:00
it's a hard copy book,
00:00
so that's a link now to help
00:00
you identify which library you can get it.
00:00
Security by design document
00:00
is also a pretty good place to start.
00:00
If you have the time,
00:00
you can start the next chapter,
00:00
which is what is threat modeling and I will go
00:00
through examples of abuse and misuse cases.
00:00
Looking forward to meeting you in the next module.
Up Next