Time
5 hours 49 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello, everybody, and welcome to IoT Security, episode number 19, IoT security countermeasures. My name is Alejandro Guinea and I'll be your instructor for today's session.
00:13
The learning objectives are to understand the main and basic countermeasures you can apply to your IoT infrastructure.
00:22
Well, remember that we just discussed how risk can be measured, and, you know, how the result will affect
00:32
how we take decisions about the risk and choose the right countermeasure. Well, let's say, let me draw
00:41
here. Let's say that risks that are below here
00:46
are green,
00:48
and let's say that risks that are below over here
00:52
are yellow. Remember, this is a quantitative, qualitative analysis, and all the risks that are above that fall in the red,
01:00
meaning, you know, this color graph will bring us something that should be
01:07
taken into consideration. So let's say that there's a 10 risk over here.
01:12
Well, the risk itself will be
01:17
right here,
01:19
you know, which will represent,
01:23
in a scenario, for example, the scenario we were discussing where someone hacks the server and something happens to your smartwatch. If you didn't see the previous module, which was about risk, I recommend you go back and check it out, because it contains information that we will be using in this
01:42
module. So,
01:46
let's say that everything that is above here
01:49
is high risk,
01:51
and we need to filter it out. I mean, we need to apply countermeasures to this,
01:56
so, this specific scenario:
01:59
Someone hacks,
02:00
the server,
02:04
and something happens to your smartwatch.
02:08
It explodes or something. Someone hacks the server and something exploits your smartwatch. So for the countermeasures you need to choose, first,
02:23
you need to know the elements of security we discussed in a previous module, which were device authentication, secure communication, secure code execution and secure storage.
02:37
Each of these concepts has other concepts attached to it, and we need to be familiarized with all of them. So first we need to understand the risk.
02:50
We did that in the previous modules. We know this is a high risk, which had 10 in impact
02:59
and 10 in probability,
03:02
which gave us high risk.
03:07
Remember that we discussed, we said in the previous module, that the impact was how much it will hurt you. I mean, not in terms of physical hurt, you know, in terms of,
03:20
look at this from the business perspective: you're the owner of the business making these smartwatches,
03:25
and how much your company will lose in terms of money, insurance, or, you know, if some attack actually takes a life, that's even worse. So how much will it impact your business? Will you go to jail because you didn't apply the necessary countermeasures?
03:45
All of this goes into the impact. And the probability is how exposed
03:50
is your server or your services or devices to the Internet, how vulnerable they are. Do they have a lot of vulnerabilities? Do they have a lot of complexity that can lead to several vulnerabilities?
04:03
So now we know the risk,
04:05
how to understand it. We need to minimize the attack surface.
04:12
I mean, you have your server, you know, look at it behind the cloud. That's it. This is the cloud, and this is your server controlling all the smart devices.
04:24
If it doesn't have anything in the middle right here,
04:29
if it doesn't have, for example, a firewall,
04:31
just to give an example, if it doesn't have a firewall, if it doesn't have
04:36
an IPS,
04:39
intrusion prevention system, if it doesn't have DLP,
04:43
data leak or data loss prevention, doesn't have anything in the middle and is connected directly to the Internet, you know, your surface is really huge. Especially if you're also running, for example, not only your smart devices, your smartwatches, but also your smart devices such as smart home appliances,
05:01
you know,
05:03
maybe some sensors, temperature sensors. You're running everything on the same server, and you're also, for some reason, running an HTTPS server, and you're also running an SMB service. So all of this will increase the attack surface.
05:21
So, you know, applying countermeasures to all of the services
05:27
will be harder if they are on the same server. So, you know, if you're using the server, just make sure to use it for the necessary services. In this case, let's reduce it to only monitoring or saving data about your smartwatches,
05:43
you know, and then implement security at the right layer, because we're talking about the server, but what about the smartwatch itself?
05:51
What about the phone that this smartwatch will be communicating with?
05:59
All of these layers, you're going to
06:03
prioritize and apply the specific countermeasure for each layer. Also, what about the person coding or creating the code, developing the code for the phone, or developing the code for the smartwatch, or developing the code for the database being used? You know,
06:21
the persons behind all this will also have to apply countermeasures
06:26
to actually have a really good countermeasure life cycle. And what about,
06:32
when we talk about, you know, the four elements of security again? Device authentication, you know, this includes cryptography, digital signatures, hashes, which we will be discussing a little bit, by the way, in the next modules.
06:48
Then we said we have secure storage or secure data. So when we say secure communication,
06:57
we mean protecting data in motion or data in transit, and that is data going from the cloud
07:03
to the smartwatch
07:05
and then going back in the same direction. This is data in motion, the data that is right here. How are we going to protect it? You know, we can use HTTPS, or we can use a specific protocol for IoT, MQTT,
07:24
and, you know, every other protocol for
07:30
IoT.
07:30
And then we have to secure, you know, secure code execution, meaning the code we are using, that is actually executed inside this. Maybe you're trying to measure how many kilometers you run,
07:50
or what's your heart rate.
07:53
How will the application be executed, and is it secure? I mean, the application that maybe is Python, or maybe it's PHP, or maybe it's Perl or Node.js.
08:07
Whatever the code you are using, you need to make sure that you're executing that code in the right, intended way. And finally, we have to protect the data at rest, the data that is right here on the server.
08:18
Maybe you gather information from this watch and all the watches around the world, and you're saving the data in, I don't know, a data mart, or, you know, the new concept, which is big data servers, to later analyze it and maybe discover some patterns
08:37
in the users'
08:39
behaviors.
08:41
You have to encrypt that and apply the countermeasures to data in storage, which is data at rest. And finally, you have to select the right vendor or the right security partner. If, okay, you're creating smartwatches, but you don't know much about databases,
09:00
who will be your vendor or your partner in this journey?
09:03
Will you be choosing someone that is
09:07
only giving you the cheapest prices, or are you going to have a little bit more due diligence
09:13
and take care over investigating
09:18
your partners and your security vendors? I would recommend you to, you know, make a thorough investigation of your partners and choose the right option for you.
09:31
What are the four main elements of IoT security? Well, it's device authentication, secure communications, secure code execution and secure storage.
09:43
What does it mean to minimize the attack surface? Well, if you have several services running on a single server, the attacker can exploit any of them and then pivot or jump to the next server or into the next machine. So what you want to do is to run the minimal services required
10:01
to provide the service you're trying to implement.
10:07
And in the example we were discussing, we were talking about smartwatches, so make sure to run only the services needed to support that smartwatch.
10:18
Why is the cost of the countermeasure so important? Why do we also need to know the impact of the attack? Well, because we need to make an informed decision. We cannot buy some countermeasures or apply countermeasures that are worth,
10:35
I don't know, maybe 1,000 bucks or 100 bucks,
10:39
if the impact of not applying the countermeasure is five bucks,
10:43
because this is where security becomes an expense and not an investment. We need to make sure to talk to the CEO and make them realize security is an investment and not an expense.
11:00
In today's brief lecture we discussed, you know, IoT countermeasures and what's the best time and layer to implement them.
11:09
I would recommend you to look into the FIPS
11:16
publications.
11:20
Looking forward, in the next video we'll cover IoT cryptography 101.
11:26
Well, that's it for today, folks. Hope you enjoyed the video, and talk to you soon.

Up Next

IoT Security

This IoT Security training is designed to help IT professionals strengthen their knowledge about the Internet of Things (IoT) and the security platforms related to it. You’ll also be able to identify the security, privacy and safety concerns related to the implementation of an IoT infrastructure.

Instructed By

Alejandro Guinea
CERT Regional Director
Instructor