2.1 Understanding Security Layers Part 1

Video Transcription
00:00
Hello and welcome back to the Cybrary MTA 98-367 Security Fundamentals certification prep course.
00:11
The title of this particular module is Understanding Security Layers, module one.
00:18
Let's begin by taking a look at the objectives, and the objectives are as follows. The first objective we'll be discussing is understanding security principles.
00:27
Now, the additional objectives here, titled Understanding Physical Security and Understanding Threat Modeling, will be discussed in the next video.
00:36
That brings us to a pre-assessment question, and the question is as follows:
00:41
Which of the following terms describes the case where information is to be read only by those people for whom it is intended? Is it A, confidentiality; B, integrity; C, availability; or D, accounting?
00:55
If you selected A, you're absolutely correct, because confidentiality is a concept we deal with frequently in real life. For instance, we expect our doctors to keep our medical records confidential, and we trust our friends to keep our secrets confidential.
01:10
So let's take a look at the state of IT security to date. Now, did you know that the number of phishing incidents has risen 400% in the past year? Cost, for instance, has also gone up 4% during the same period. We also know that the number of cyber attacks has also gone up by up to 40% in each of the past two years,
01:27
very consistent with the phishing increases. According to several surveys, the type of attack that is most rapidly growing in popularity is cybercrime. These problems continue to grow, even though we've been addressing information security as an issue for over 20 years.
01:46
What's becoming apparent in the U.S. is that simply buying more hardware
01:49
and software is not the complete answer.
01:53
Obviously, we need to acquire adequate tools nowadays, but the reality is that so many tools have become available that organizations are asking themselves,
02:01
how can we better utilize the tools we have and not simply continue to spend money?
02:07
The answer to that is to improve the process of securing information, not simply add what we call technical mechanisms. We need to have a process called governance in place, which we'll be discussing later on.
02:22
Now, before we start securing our environment, we need to answer the following questions. First of all, what are you trying to protect?
02:29
Why does it need to be protected? And what are you protecting it from?
02:35
Now, this next item is called the CIA triad.
02:38
Now, this CIA triad is not the Central Intelligence Agency, but in fact it is a security triangle that is the most important security concept of all. Controls, mechanisms and safeguards are implemented to provide one or more of these protection types that we'll be discussing. We think about all the risks, threats and vulnerabilities that are measured
02:57
for their potential capacity
02:59
to compromise one or all of the CIA triad principles.
03:02
This triad is the basis for creating a holistic security plan to protect all of your organization's critical and sensitive assets.
03:13
The first thing we need to do is define exactly what confidentiality is. Now, confidentiality prevents the disclosure of data or information to unauthorized entities. Integrity, on the other hand, ensures that the data is protected from unauthorized modification or data corruption. Availability,
03:30
equally as important, means ensuring that the data
03:32
is accessible when and where it's needed.
03:38
Now here's the term called risk management. Now, when I think about risk management, I like to utilize an acronym, in fact, called CLOP.
03:46
CLOP simply means controlling,
03:47
leading,
03:50
organizing and planning. And when you think about risk management, risk management, in fact, is forward-looking. It's anticipating; it's looking at and identifying situations whereby we can take corrective action to mitigate those situations. So the goal is to identify potential problems before they occur,
04:06
so that risk-handling activities may be planned and invoked as needed,
04:12
and when we think about risk management, it is, in fact, an ongoing process.
04:16
That brings us to the importance of risk management. Now, the goal of a risk management plan is to remove risk when possible and to minimize the consequences of risk that cannot be eliminated. Risk assessments are used to identify the risks that are likely to impact your particular environment.
04:35
So why do we need risk management? First of all, if you've got a good risk management process in place, one of the things it's going to do for you is promote good management of your overall infrastructure, because the reality is this: risk management is the cornerstone of any information security program. You cannot have a security program unless you have risk management.
04:55
Risk management represents time-proven methods and techniques used to identify risk,
05:00
understand the probability of occurrence and potential impact to the organization, enables you to make decisions about those risks based on established decision criteria, and measures key attributes of security and risk for the long term, what we call trending, and for reporting to executive management.
05:20
Now, after risks have been identified, you need to decide what you want to do about them. Risk management can be thought of as handling risk. It's important to realize that risk management is not risk elimination. A business that doesn't take any risk doesn't stay in business long. The cost to eliminate all risk would consume all profits.
05:40
So when we think about risk management, there are various techniques.
05:43
The first one we'll discuss is called avoidance: to avoid the risk by limiting risk cause and/or consequence. In other words, moving out of a flood zone. We can also mitigate; that means to institute measures to eliminate or reduce the vulnerabilities.
05:57
Example: prioritizing evaluation. We can also employ a cost-benefit analysis to compare the impact of the realized risk to the cost associated with mitigation. We can also choose to transfer. That means, again, for example, we transfer risk by using other options, such as purchasing insurance for compensation for loss.
06:15
We can also accept. Accepting, again, is to recognize that the risk cannot be economically mitigated
06:19
and to accept it as the cost of doing business. Then we have residual risk. Despite all our best efforts, we're still going to have some risk left over, so we need to know that that risk remains after identified risks have been mitigated or accepted. For example, equipment that costs less than it costs to purchase and maintain add-on security software for a stand-alone computer
06:40
that stores non-sensitive files is not justifiable. So again, that's one way of looking at it.
06:45
We also employ a technique called least privilege. Basically, again, it's a security discipline that requires that a user, system or application be given no more privileges than necessary to perform its job or function. We can also employ separation of duties. That's a principle that prevents any single person or entity from being able to
07:04
have full access or complete control of a critical function.
07:08
It's designed specifically to prevent fraud, theft and errors.
07:12
Again, when we look at the attack surface, the attack surface is the total sum of the vulnerabilities in a given computing device or network that are accessible to a hacker. Anyone trying to break into a system generally starts by scanning the target's attack surface for possible attack vectors, whether for active attacks or passive attacks.
07:30
So attack surfaces can be divided into a few categories:
07:33
the network attack surface, the software attack surface and the physical attack surface.
07:40
Another thing we might want to do is perform a scan of the attack surface. Again, this is an assessment of the total number of exploitable vulnerabilities in a system or network or other potential computer attack target. Anybody trying to break into the system usually starts by scanning the target attack surface.
07:59
Now, when we think about social engineering, this is a method used to gain access to data, systems or networks, primarily through misrepresentation.
08:07
This technique typically relies on the trusting nature of the persons being attacked. Now, when we think about a phishing attack, it's the most popular form of social engineering attack through digital communication. We also have spear phishing, which is a type of phishing attack as well, that specifically targets specific groups or individuals,
08:26
while whaling is a term used to describe a phishing type that is specifically aimed at wealthy, powerful or prominent individuals. We have to look again at the cost of security. In other words, security is going to cost you money. You must also strive to make the security measures as seamless as possible. Obviously, if security becomes a heavy burden,
08:46
users will often find methods to circumvent the measures that you perhaps have established.
08:50
But the most important thing you can do is implement some form of what we call proactive security, where there's a type of training to educate your users on the various threats and things they can do to assist you in mitigating these particular issues. That brings us to a post-assessment question, as follows.
09:07
Which of the following ensures that the data has not been changed when it isn't supposed to be? Is it A,
09:11
confidentiality; B, integrity; C, availability; or D, accounting? If you selected B, integrity, you're absolutely correct, because integrity ensures the consistency, accuracy and validity of the data.
09:24
Now, during this particular presentation, we discussed understanding security principles. In the upcoming presentation, we'll take a look at understanding physical security, as well as understanding threat modeling.
09:37
Again, in the upcoming presentation, after this video where we started with understanding security principles, we'll discuss
09:46
understanding physical security, in other words, as well as understanding threat modeling.