# Course Recap


Time
8 hours 20 minutes
Difficulty
CEU/CPE
9
Video Transcription
00:00
>> Course recap. The learning objective
00:00
for this lesson is to review key course components.
00:00
Let's get started. You made it to the end of the course.
00:00
What I want to do in this lesson is help reinforce
00:00
a lot of the items that we went
00:00
through in the entire course,
00:00
but these are going to be
00:00
key things for you to remember for the exam.
00:00
We're going to start off with risk.
00:00
Because in cybersecurity, everything starts with risk.
00:00
We can't formulate a response
00:00
if we don't know what our risk is.
00:00
The definition of risk for the exam purpose is,
00:00
risk is a measure of the impact and
00:00
the likelihood that a threat
00:00
will exploit a vulnerability.
00:00
The key components are highlighted in pink.
00:00
Likelihood is how realistic is the threat to occur,
00:00
is it highly likely or is it less likely?
00:00
Impact is if the risk were to happen,
00:00
how bad would it be for the organization?
00:00
Are we talking about loss of money?
00:00
Are we talking about loss of reputation,
00:00
loss of customers? That type of thing.
00:00
Then when we're measuring risk,
00:00
we have two types of analysis.
00:00
These are the quantitative and the qualitative.
00:00
Quantitative always uses numbers.
00:00
If you have a question on the test and it's asking you to
00:00
calculate something based on a number for risk,
00:00
then you know that's a quantitative analysis,
00:00
if it's asking you to use
00:00
words, then you know it's qualitative.
00:00
For quantitative, we have some terms and some formulas.
00:00
Our single loss expectancy is the cost of a single event.
00:00
How much did this one event cost us?
00:00
Annual loss expectancy is where we take all the SLEs that
00:00
happened in one year for
00:00
this one device and add them together;
00:00
it's an annual cost.
00:00
Then our annual rate of occurrence is
00:00
how many times did it happen?
00:00
How many times did this one device
00:00
fail or did this one event happen?
00:00
If we want to calculate our annual loss expectancy,
00:00
we multiply the single loss expectancy times
00:00
the annual rate of occurrence.
00:00
You need to remember this formula,
00:00
it's going to be important.
00:00
Asset value is simply how much is this asset worth?
00:00
The exposure factor is what portion, calculated as
00:00
a percent, of the asset would be
00:00
lost if the risk were to happen?
00:00
The example we gave was if we're concerned
00:00
00:00
our building were to be hit by a natural disaster,
00:00
do we expect to lose
00:00
the whole building or a portion of the building?
00:00
Those type of things go into our calculations when
00:00
we're defining our risks and also our responses to it.
00:00
Keep in mind this other formula for
00:00
00:00
it's the asset value times the exposure factor.
00:00
We also have our mean time to recovery.
00:00
This is the time that it takes us to get
00:00
a device back up and running once it fails.
00:00
Our mean time between failures is the amount of
00:00
time that transpires between two failures.
00:00
With risk responses, we have several ways of responding
00:00
to the different types of
00:00
risks that an organization might face.
00:00
The first is to avoid,
00:00
this is simply stop doing
00:00
whatever it is that's causing the risk.
00:00
We can also accept it,
00:00
which is where we determine that
00:00
the cost of preventing the risk or
00:00
the measures we have to put in
00:00
place to mitigate the risk,
00:00
cost us more than the damage would
00:00
actually cost us if it were to happen.
00:00
We can mitigate the risk
00:00
by using controls that will help us
00:00
lower our exposure and lower
00:00
the chances that the risk will occur.
00:00
Finally, we can transfer.
00:00
Typically when you're talking about transferring risk,
00:00
00:00
I also want to talk about the risk as it comes into
00:00
the different models of cloud operations.
00:00
For our software as a service,
00:00
the entire model is managed by the provider,
00:00
so all the risk is with them.
00:00
But as we move over to a Platform as a Service,
00:00
then you start to see that the apps and
00:00
the operating system are now under our control,
00:00
so that portion of the risks now is shifted to us.
00:00
Then we also have Infrastructure
00:00
as a Service where the platform,
00:00
the app, and the operating system
00:00
are now under our control.
00:00
More of the risk has shifted to us with this.
00:00
With a third party, with, for example,
00:00
the Software as a Service,
00:00
they assume all of the risk.
00:00
We also have regulations that
00:00
impact us with risks and also with our responses,
00:00
what we're required to do to mitigate certain risks.
00:00
We're going to start off with the General Data
00:00
Protection Regulation or the GDPR.
00:00
The key thing to remember, this is
00:00
the EU's data privacy standard.
00:00
We also have the Capability Maturity
00:00
Model Integration, or CMMI.
00:00
This is the Department of
00:00
Defense standard that it uses for
00:00
vendors for ensuring they have
00:00
mature cybersecurity models in place.
00:00
We also have
00:00
the Children's Online Privacy Protection Act,
00:00
or COPPA, which is a U.S. federal
00:00
law designed to protect children.
00:00
We also have the Payment Card
00:00
Industry Data Security Standard,
00:00
PCI DSS.
00:00
00:00
that is not a governmental regulation,
00:00
this is a standard the payment card industry has created on its own,
00:00
that anyone that processes credit cards has to follow,
00:00
and it's designed to protect payer information,
00:00
but also to help reduce credit card fraud.
00:00
Then lastly, we have
00:00
the Health Insurance Portability
00:00
and Accountability Act, or HIPAA.
00:00
This is the U.S. federal healthcare privacy law.
00:00
00:00
What I want you to remember about PKI is that
00:00
the public key and the private key are a matched pair.
00:00
We can give our public keys away freely,
00:00
but we have to keep our private key secure.
00:00
The keys can be used to digitally
00:00
sign messages or files, and when we do this,
00:00
we are proving authenticity or ownership,
00:00
which also allows for non-repudiation.
00:00
We can't deny that this is ours or that we
00:00
signed it because it's using our key to do it.
00:00
But we can also encrypt messages to
00:00
others by using their public key.
00:00
The problem this solves is it makes it easy for us
00:00
to give away our public key
00:00
and get other people's public keys,
00:00
and then send secure messages back-and-forth.
00:00
Because now we're not having to worry about
00:00
00:00
PKI really solves this.
00:00
Certificate authority is the entity
00:00
that issues and guarantees certificates.
00:00
A digital certificate is a public assertion of identity,
00:00
but it's validated by a certificate authority.
00:00
When a digital certificate is issued,
00:00
the certificate authority guarantees
00:00
that this one is who they say they are.
00:00
A wildcard certificate allows us to use
00:00
subdomains instead of just, for example,
00:00
domain.com on a certificate;
00:00
we could also use chat.domain.com
00:00
or mail.domain.com with one certificate.
00:00
That's the purpose of a wildcard certificate.
00:00
The certificate revocation list is
00:00
a list of all the certificates that have been revoked.
00:00
That way we're not going to be
00:00
using that to encrypt something or to
00:00
send something to someone else
00:00
using their certificate because we
00:00
have queried the revocation list,
00:00
making sure that we're not using those.
00:00
A certificate signing request is when
00:00
we want to request a certificate
00:00
from a certificate authority,
00:00
we use a CSR for that.
00:00
Hardening. The basic definition of
00:00
hardening is to remove any unnecessary services,
00:00
software, and protocols from a device.
00:00
If you remove those, you're lowering
00:00
your exposure factor, and that's what we want to do.
00:00
We want to make sure that we are
00:00
lowering all possibilities of
00:00
exposure by removing anything that's not
00:00
absolutely necessary for this device to operate.
00:00
Patching refers to installing vendor-supplied updates,
00:00
and this will plug any holes, fix any bugs.
00:00
This is very critical because
00:00
bugs are constantly being found,
00:00
vulnerabilities are being found,
00:00
and we want to make sure we're
00:00
patching those as soon as we can.
00:00
Disk encryption encrypts the data,
00:00
and this is especially useful on mobile devices.
00:00
I also want to go over BIOS versus UEFI.
00:00
Keep in mind that BIOS is typically older,
00:00
00:00
and we also have TPM or Trusted Platform Module.
00:00
This is a chip that's embedded on the motherboard of
00:00
devices that allows it to store keys for us.
00:00
Then we also want to use host-based firewalls,
00:00
block lists for apps,
00:00
host-based intrusion detection systems,
00:00
host-based intrusion prevention systems.
00:00
We want to make sure that when we're looking at these,
00:00
we are putting the appropriate level of controls
00:00
with these hardening steps
00:00
on the appropriate level of device.
00:00
For example, you might
00:00
want to use a block list for apps so
00:00
that certain users are not allowed to use certain apps,
00:00
you may also want to use time restrictions for
00:00
things so that they can't use apps after hours,
00:00
and you want to make sure
00:00
that host-based firewalls are being used to
00:00
allow for only the necessary traffic
00:00
to come into a particular device,
00:00
all of these are involved in
00:00
the hardening process of a given device.
00:00
Now we're going to talk about the forensics process.
00:00
We begin with identification,
00:00
then we go collection,
00:00
then analysis, and then reporting and presentation.
00:00
It's very important that when we're
00:00
doing this entire process,
00:00
we remember the chain of custody,
00:00
because this allows us to do evidence preservation.
00:00
We have to make sure that any evidence that is
00:00
collected is identified properly,
00:00
labeled properly, and then stored
00:00
properly all the way through,
00:00
because if at any point it's outside of control,
00:00
then that can become tainted evidence
00:00
and then it can be thrown out,
00:00
or not allowed to be used in a prosecution
00:00
or in any type of proceedings against someone.
00:00
Incident response.
00:00
The first step is preparation.
00:00
This includes hardening our systems,
00:00
creating different policies and
00:00
procedures that we need for the organization.
00:00
Then we want to create our incident response procedure.
00:00
We do this ahead of time.
00:00
We don't want to do it as the incident is
00:00
happening, because those are high-stress times and we
00:00
want to be able to go and
00:00
pull out a document and follow that
00:00
step-by-step to make sure
00:00
that we're doing the things that are necessary.
00:00
Detection and analysis is when we
00:00
decide if an incident has occurred,
00:00
and then if we have determined this is an incident,
00:00
how serious is it,
00:00
and then at this time we also notify the stakeholders.
00:00
Containment is simply limiting the scope of the breach,
00:00
we want to make sure that it's not
00:00
00:00
Then once we have contained it,
00:00
we'll begin our eradication and recovery.
00:00
This is where we remove the cause of the breach and start
00:00
getting things back up and
00:00
running normally like they were before.
00:00
Then after everything is said and done,
00:00
we'll have our post-incident activity.
00:00
This is also your after-action review,
00:00
where we define what can we improve,
00:00
what did we do well,
00:00
what did we do not so well?
00:00
We want to document our lessons learned here.
00:00
Vulnerabilities. I'm going to go over this quickly,
00:00
00:00
just go back to the particular lesson for this,
00:00
because there's a lot of details there.
00:00
But I want to have these terms in front of you,
00:00
so that you remember at
00:00
a high level what all of these are.
00:00
SQL injection is manipulating the SQL language to inject
00:00
data into a database to either
00:00
get it to send us data that it shouldn't,
00:00
or for us to put data that shouldn't be there.
00:00
LDAP injection manipulates LDAP strings to do something similar, so
00:00
that we can inject things in or actually
00:00
pull information back out of an LDAP directory.
00:00
Cross-site request forgery is when
00:00
the victim unintentionally
00:00
makes changes to their accounts,
00:00
and then because of that,
00:00
00:00
Cross-site scripting manipulates the file paths
00:00
to control how a web app operates.
00:00
Finally, directory traversal is
00:00
accessing the directories outside of the web root.
00:00
The attacker should not have
00:00
00:00
they're able to get in into
00:00
the operating system directories and then they
00:00
can copy data down or move
00:00
tools up and then further compromise the server.
00:00
Authentication. We always want to use
00:00
00:00
everything. The stronger the better.
00:00
I mentioned a good technique is to choose
00:00
three or four random words and put those together
00:00
because that is a very difficult concept
00:00
for brute force attackers to crack.
00:00
But we always want to use strong passwords everywhere.
00:00
One of the things I want to mention here is
00:00
we don't want to reuse passwords.
00:00
00:00
all your servers, it becomes cumbersome.
00:00
But if one of those were ever to be compromised,
00:00
it's easy for an attacker to pivot to
00:00
the other servers using the same password.
00:00
Federation is when we are trusting
00:00
the accounts that are from another organization.
00:00
They can access resources from us,
00:00
we can access resources from them by using
00:00
this shared model of federation.
00:00
OpenID adds authentication to the OAuth 2.0 protocol.
00:00
Security Assertion Markup Language or SAML,
00:00
I want you to go back and review
00:00
that if you don't remember about that.
00:00
Then Shibboleth is based on SAML and it's
00:00
often used by universities
00:00
and public service organizations.
00:00
Access control methods.
00:00
Discretionary access control is where
00:00
the owner decides who has access.
00:00
Active Directory is a good example of this.
00:00
Keep in mind that this is easy to manage,
00:00
but it's very difficult to secure because
00:00
the owner of the resource decides
00:00
who gets to access it and who doesn't.
00:00
Mandatory access control is based on
00:00
clearance levels and it uses labels.
00:00
It is considered non-discretionary,
00:00
so if you see a question that's
00:00
00:00
you know that that's mandatory access control.
00:00
Role-based access control is
00:00
DAC when we're adding on the subject's roles.
00:00
For example, we may have a department
00:00
for human resources and one for finance,
00:00
and they may have different levels of
00:00
access based on those roles.
00:00
Attribute-based access control is when we're using
00:00
the subject's attributes, and it uses XACML.
00:00
Rule-based access control is when the policies are
00:00
system-defined rules.
00:00
Let's summarize. We recapped risk,
00:00
we also went over PKI,
00:00
we discussed hardening and vulnerabilities,
00:00
we went over the forensics process,
00:00
and then incident response,
00:00
and we also discussed authentication and authorization.
00:00
Hope this lesson was helpful for
00:00
you, and I'll see you in the next one.