4.1 Understanding Security Policies

Video Transcription
Hello and welcome to Cybrary's MTA 98-367 Security Fundamentals Certification Prep course. Let's now turn our attention to the discussion of this module, which is titled Understanding Security Policies.

In business, a security policy is a document that states in writing how a company plans to protect the company's physical and information technology assets. A security policy is often considered to be a living document, meaning that the document is never finished but is continually updated as technology and employee requirements change.

A company's security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measures will be carried out and enforced, and procedures for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made.
So let's take a look. The objectives of this module are as follows: understanding password policies. That brings us to a pre-assessment question: which of the following is not a complex password? Is it A, is it B, is it C, or is it D? The correct answer is B, and the reason is that you should never use a name as part of a password.
So let's take a look at passwords. A password is a string of characters used for authenticating a user on a computer system. For example, you may have an account on your computer that requires you to log in; in order to access your account, you must provide a valid user name and password. This combination is often referred to as a login. User names are generally public information, while passwords are private to each user.

When we look at passwords in terms of complexity, password strength is a measure of the effectiveness of a password against guessing or brute force attacks. The rate at which an attacker can submit guessed passwords to the system is a key factor in determining the system's security. A strong password consists of at least six characters (and the more characters, the stronger the password); in other words, it is a combination of letters, numbers and symbols. Passwords are typically case sensitive, so a strong password contains letters in both upper case and lower case.

What about password length? Most passwords (61%) were either eight or nine characters long. The average length was 9.6 characters, and the average password, which is the more important figure, was made up of uppercase letters, 6.1 lowercase letters, 2.2 numbers and 0.2 special characters.
Now, for the time between password changes: the minimum password age policy setting determines the period of time, in days, that a password must be used before the user can change it. You can set a value between 1 and 998 days, or you can allow password changes immediately by setting the number of days to 0.

The maximum password age policy setting determines the period of time, in days, that a password can be used before the system requires the user to change it. In other words, you can set passwords to expire after a given number of days, as we mentioned before.

So again, we have what is called the minimum password age, and then we have the maximum password age. We have talked about the minimum and looked at the maximum password age, so we understand what those mean. Now let's turn to enforce password history. The enforce password history policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password but can reuse an old one, the effectiveness of a good password policy is greatly reduced. The next slide shows an example of the password policy features we discussed, ranging from enforce password history all the way down to minimum and maximum password age, password must meet complexity requirements, and so forth.
Now we have a term called account lockout. Account lockout is a feature of password security in Windows 2000 and later that disables a user account when a certain number of failed logons occur due to wrong passwords within a certain interval of time. That is one way to enhance your security, particularly when someone is trying to guess your password or is using a brute force attack. So again, this next slide shows an example of what a password policy looks like. The account lockout threshold setting determines the number of failed logon (sign-in) attempts that will cause a user account to be locked. Once the account is locked, you can configure it so that after a certain period of time it unlocks itself, or the user may have to contact the admin or IT person to unlock their account.
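The account lockout behaviour just described, as an added example that is not part of the course and not Windows code: a threshold of bad passwords within an observation window locks the account, and the lock either expires after a duration or waits for an administrator. The threshold, window and duration values are constructed, and times are minutes since an arbitrary start.

```python
class AccountLockout:
    """Model of the lockout settings described in the lecture (constructed
    example, not Windows code). threshold: bad passwords that lock the
    account; window: minutes after the last bad password before the counter
    resets; duration: minutes the account stays locked before unlocking
    itself, or None if an administrator must unlock it."""

    def __init__(self, threshold=5, window=15, duration=30):
        self.threshold = threshold
        self.window = window
        self.duration = duration
        self.failures = []      # times (minutes) of recent bad passwords
        self.locked_at = None   # time the lock was set, or None

    def is_locked(self, now):
        if self.locked_at is None:
            return False
        if self.duration is None:           # stays locked until admin_unlock()
            return True
        if now - self.locked_at >= self.duration:
            self.locked_at = None           # duration elapsed: unlocks itself
            self.failures = []
            return False
        return True

    def attempt(self, password_ok, now):
        """Record one logon attempt; returns 'locked', 'denied' or 'ok'."""
        if self.is_locked(now):
            return "locked"                 # even the right password is refused
        if password_ok:
            self.failures = []              # a good logon resets the counter
            return "ok"
        # counter resets when the last bad password is older than the window
        if self.failures and now - self.failures[-1] >= self.window:
            self.failures = []
        self.failures.append(now)
        if len(self.failures) >= self.threshold:
            self.locked_at = now
            return "locked"
        return "denied"

    def admin_unlock(self):
        """The help-desk path: an administrator clears the lock."""
        self.locked_at = None
        self.failures = []
```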
Now let's look at password settings objects. First, understanding fine-grained password policies: a fine-grained password policy can be assigned to users or groups. If a user belongs to more than one group that has a fine-grained password policy assigned to it, the precedence value of each policy is used to determine which policy applies to the members of that group. We also have the password settings object, which is an Active Directory object. This object contains all the password settings that you can find in the Default Domain Policy GPO: password history, and so forth.
Now let's turn to establishing password procedures. A security policy is a definition of what it means to be secure for a system, organization or other entity. For an organization, it addresses the constraints on the behavior of its members as well as the constraints imposed on adversaries by mechanisms such as door locks, keys and so forth. So you need a security policy. It is also very important to have a separate acceptable use policy, which is a document that outlines a set of rules to be followed by the users or customers of a set of computing resources, such as a computer network or website. An acceptable use policy clearly states what users are and are not allowed to do on those resources.

A password policy is a set of rules designed to enhance computer security by encouraging users (employees) to choose strong passwords and use them properly. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training.
Now let's look at common attacks. If you think about it in terms of a security program, passwords have long been recognized as a weak link, because you are relying entirely on the user to select a good password. So the key is encouraging your users to use strong passwords, because that will mitigate, minimize or reduce the vulnerability to these various attack mechanisms. For the different types of attacks, we have what we call dictionary and brute force attacks. In cryptanalysis and computer security, a dictionary attack is a form of brute force attack technique for defeating a cipher or authentication mechanism. A brute force attack is a trial-and-error method used to obtain information such as a user's password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data.
Now for physical attacks. When we look at attacks, we can have the physical type we talked about before, such as key loggers. A physical attack can completely bypass almost all security mechanisms, for example by capturing your passwords with a key logger. The important thing is that if your encryption key passes through a key logger, you might find that even your encrypted data is jeopardized. So we have to make sure we assess the vulnerability in terms of what we call physical attacks.

We also have dumpster diving, which is looking through bins and so forth; there are a lot of different ways in which individuals are able to attack us and try to get around our existing security infrastructure. We also have sniffers, which are software that intercepts data flowing in a network. If computers are connected to a local area network that is not filtered or switched, the traffic can be broadcast to all computers on the same segment. This doesn't generally cause a problem, since computers are usually told to ignore all the coming and going of traffic from other computers. However, in the case of a sniffer, all traffic is exposed when the sniffer software commands the network interface card (NIC) to stop ignoring that traffic.
We want to make sure we protect domain user account passwords. We have features such as Device Guard, which is one of the Windows security features. It is a combination of enterprise-related hardware, firmware and software security features that, when configured together, lock down the device so that it can only run trusted applications, and Credential Guard, which isolates critical keys and system and user information. Device Guard and Credential Guard are optional features that, when implemented and enabled, reduce the exposure and attack surface to malware by requiring additional protections to be enabled on your devices.
We have reached the post-assessment question. What do you call a password that is at least seven characters long and contains three of the following categories: uppercase, lowercase, numbers and special characters? Is it A, a hefty password; B, a migrating password; C, a standard password; or D, a complex password? The correct answer is D, a complex password.
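The password policy rules this module covered (the complex-password definition from the assessment questions, minimum and maximum password age, and enforce password history), pulled together as an added example that is not part of the course and not Windows code. The policy values and the user name are constructed; the password history stores hashes as a stand-in for the domain's own store.

```python
import hashlib

# Constructed policy values; they are the settings the lecture names.
POLICY = {
    "min_length": 7,      # complex password: at least seven characters
    "min_age_days": 1,    # 1..998 days; 0 would allow an immediate change
    "max_age_days": 90,   # change required once the password is older than this
    "history_count": 24,  # enforce password history: the last N cannot be reused
}

def stored_hash(password):
    # Stand-in for the history store: keep hashes, never plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def meets_complexity(password, user_name):
    """Complexity as described in the lecture: at least seven characters,
    three of the four character classes, and the user's name not part of it."""
    if len(password) < POLICY["min_length"]:
        return False
    if user_name and user_name.lower() in password.lower():
        return False
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return sum(classes) >= 3

def is_expired(password_age_days):
    """Maximum password age: the system forces a change past this age."""
    return password_age_days > POLICY["max_age_days"]

def can_change(new_password, user_name, history, password_age_days):
    """Decide a user-initiated change. history holds stored_hash values,
    oldest first. Returns (allowed, reason)."""
    if password_age_days < POLICY["min_age_days"]:
        return False, "minimum password age not reached"
    if stored_hash(new_password) in history[-POLICY["history_count"]:]:
        return False, "reuse blocked by enforce password history"
    if not meets_complexity(new_password, user_name):
        return False, "does not meet complexity requirements"
    return True, "ok"
```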
In this particular presentation we discussed understanding password policies. In our upcoming module we discuss understanding dedicated firewalls as well as understanding network isolation.