Time
3 hours 47 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

Our last section in Module 2 looking at key concerns focuses on Goals of Security. We discuss why it's important to understand the goals of the security systems you'll put in place and what those goals accomplish for the organization. We'll review the CIA Triad and what each component of the triad means in terms of security and delivers to the organization as a result. Then we'll look at how we carry out and demonstrate the importance of security through the use of Safety Drills and what we learn when we conduct them. [toggle_content title="Transcript"] Now I will be discussing section 2.9 of the security plus syllabus. Given the scenario, select the appropriate controls to meet goals of security. Given the scenario, select the appropriate controls to meet the goals of security. What are the security goals? This gives rise to the C.I. A triad, this is the reason for which we have security, confidentiality, integrity and availability. The goals of confidentiality are that, only authorized disclosure should be allowed. Disclosure of information should only be allowed if it's authorized. Control should be in place to deny access if the disclosure is not authorized. Integrity dictates that only authorized modifications should be allowed. Where a modification is not approved, control should be in place to limit that modification taking place and availability dictates that our resources should be available in a timely fashion to authorized personnel. The security goals bother around confidentiality, integrity, and availability. We will see different types of attacks at confidentiality, some to compromise confidentiality. Some attack are targeted at integrity and some other attacks are targeted at availability. What sort of control could we have in place to protect confidentiality? To protect confidentiality we could put encryption in place. When we encrypt the content of our hard disk or our removable drives in this drives fall into the wrong hands; the driver is missing, the drive is stolen, and the drive is misplaced. Unauthorized persons don't have access to the information contained in them. Encryption is the best form of security on mobile devices. This device is very easy to lose them; you lose them in a taxi you lose them in a public toilet, in the restaurant and places like that. So you want them to be encrypted should you lose them. No other persons have access to the content we should also have access controls, access controls to limit who has access. If you don't have a need to know, the access control should limit what you're able to see. I'll give an example here, we have two individuals in H.R. one is a senior personnel in H.R; the other is a junior personnel in HR. By virtue of their job position, they have a different need to know of information about personnel. If you don't have a need to know there should be what we call databases views to limit what you can see. The junior personnel possibly could see my date of employment but has no need to know of my date of birth. So we should have database views to limit that user from seeing that information. That is access control. The senior staff on the other hand, could have a need to know of my date of birth and my date of employment. The access we grant them to information within the database is different from that of the junior user. Access control could also be used to limit confidentiality or rather enforce confidentiality. Lastly, here we talk about steganography. Steganography is the technology by which the very existence of data is hidden. Steganography could be used for good reasons and also malicious reasons what happens here is that, using software you could hide information within Information. You could hide pictures within audio file. People will listen to the audio file and they don't notice any batches'. You could hide pictures within pictures. The picture file that people see is what we call the carrier file. The carrier files... How do we do it? We use the least significant bit of the carrier file so that if we distort the carrier files you don't notice any distortions in the picture, yet it is carrying multiple pictures. If you were to intercept a U.S.B from me, maybe I'm carrying out some practices that are not best practice. I could be trafficking in certain types of things or transporting certain types of information but I hide that information within another information. For example you were to intercept my U.S.B. drive you connect my U.S.B. drive to your system and you looking at my U.S.B. drive and all you find is holiday pictures of myself in France; that is me at the Eifel tower, that is me on the train, that is me at a shopping mall. You would say he is having a good time in France but within each of those pictures, there could be other pictures that I actually aiming to hide and this is steganography. This can be done easily with software. Software that is readily available in the internet today. Individual could want to hide their own information so that only they see it. A malicious person could also use pictures as carrier files or even audio files as carrier files to hide the fact that they're transporting information or data that could be very harmful. That is steganography. All of this helps achieve confidentiality. Then we talk about integrity. We are giving out our signature. Electronic identifiers that could be appended to messages to show proof that the document originated from a particular person. Where digital signatures are being applied to messages, it is very easy to show proof that this message has come from a particular source, that helps and sure that the data has not been modified while it is in transit and that is the goal of integrity. If you want to modify with the data the signature will be compromised and then we don't know not to trust the data anymore. Certificate could also be used to ensure integrity. When these technologies are used to help ensure that messages are signed so that we can put the source or the author of the message we can also prove the receipt of a message and when we do that such that users cannot repudiate they're receiving the message or sending the message or taking part in an electronic transaction we call that non repudiation. Non repudiation the inability of a person to deny taking part in a transaction or being the author or recipient of a document or a message. That is non repudiation. These three are able to meet the goals of integrity next, we talk about our availability. Availability dictates that, our resources be available in a timely fashion to authorized personnel. We want to ensure things like redundancy. By putting redundancy in place, we have spares. If one technology fails we have a spare. The technology is available. The service will be available whatever that technology offers, is still made available because we have redundancy. You could also introduce fault tolerance, when you invest in equipment, you want to invest in equipment that are fault tolerance they experience a fault and not everything shuts down. At least some production is still taking place. This could be very expensive in terms of hardware but it is a price to pay for availability. if you are down you are losing money but the more of an ability you can guarantee the better. We also should do patching. Software are not perfect. There are Vulnerabilities that exist within software. By downloading the patches you test the patch before you applied to patch you are able to ensure that your system stay up and alive. We have zero day explored. The best way to protect against the zero day exploit is to ensure that all your patches are to the most recent, that way the immunity of the systems in your network is very high and you can guarantee availability if you have all of that. Next, we talk about safety. For safety, certain issues are considered; fencing. You want to use a fence to establish your perimeter. You want to use your fence to say people cannot come in from this part of the facility but can only coming maybe through the gate; you use a fence to establish the perimeter and guide access into the facility. When you use a fence, best practice is that your lead defense digs deep to some distance so that people cannot go through the underside of the fence. Some other organizations would like to put razor wire at the top of the fence to prevent people on the outside; the razor wire could tilt this way so people cannot climb from the outside. And to keep people on the inside, the razor wire could be looking down so that way so people cannot climb out from the inside and if you must keep people in and out you could have your razor both ways. We have different types of fences that could be used. We have fences for the domestic use that we have around our homes, could probably raised high, wire mesh or wood, in some cases there are also about the average human height. At the industrial level, we have wire fences or fences that are eight feet or ten feet high. For safety purposes, we also want to ensure that our environment is well lit. An environment that is well lit people can see what is taking place; there is no fear of being attacked. When you are living in an environment that is well it's because you can see everything happening around, you can see people trying to hide, possible to attack. If the environment is not, well it becomes difficult to see and why it is difficult to see you could be vulnerable to a several types of attacks. When we talk about lightning in an environment at least the lightning should be about eight feet tall. Eight feet so that there is ample coverage of light around. We also need to implement locks. We should implement locks on the doors; lock should be very robust so that when you lock the door, the lock should actually go way in to keep the door firm. We should also have C.C.T.V. closed circuit television C.C.T.V... It is normal that people tend to conduct themselves better when we see cameras. "Oh there is a camera over here let me carry my activities elsewhere. For safety we should have C.C.T.V. C.C.T.V will monitor everything. When we plant our cameras we have to be very strategic. We need to have cameras that can pan tilt and zoom in. Your camera should have the ability to pan so that they can cover the entire area. They can tilt as require, they can zoom for better visuals. The environment should be well lit so you can see clearly, what you're recording. If you are recording into tape make sure there's a tape in there And if it's digital make sure it's running. We could have active and passive for our recordings In the passive it's just being recorded and stored in the active. The screens are monitored by individuals and I can say "Joe Can you go to the third floor I see the lady in red can you go find out what she's doing there". In that instance somebody can instantly respond that is active monitoring. When we do C.C.T.V. as well. It is best practice these days that you have your camera in an open door, glass surrounds the camera so people don't see where the camera is pointing that way; they don't try to avoid the camera. When you plant your cameras make sure you are avoid blind spots, the people around will quickly try to identify the blind spots because they don't want to be recorded while they are carrying out their naughty activities so best practice we could even use C.C.T.V. You also shoot established escape plans. The escape plan incident indicates an incident happens, in case an incident happens an organization should have escape plans. This is a plan as to how to escape from the facility. Certain routes we shouldn't follow should not follow within the organization which will have a plan. It should be documented. The users need to be trained as to the use of these plans. Everybody has to understand his plans. How do we carry out the understanding of these escape plans, we carry out drills, as simple fire drill. The fire drill is an effort following the escape plan. In the case of a fire, how do we respond, how do we escape from the building. Fire drill should be conducted. Your user should be trained what to do and what not to do in the case of a fire. The escape route should be clearly identified. The escape route should be marked with signs; Exit escape route whatever it is you want to call it they should be clearly identified. So people are not trying to escape through the wrong route leading to possibly more disasters. These controls should all be periodically tested. It is that you can put a control in place if you don't test the controls, How are you sure it's the safety? How are you sure it's working? How are you sure it's doing what is meant to do the right way. So periodically we should have testing for some of these controls to guarantee safety within our environment. This is the last portion of section 2.9. Thank you. [/toggle_content]

Video Transcription

00:04
I will be discussing Section 2.9 off the security plus syllabus,
00:09
giving a scenario. Select the appropriate control to admit the goals off security. So, given the scenario, select the appropriate control, so meet goals off security.
00:20
What are the security goals? This gives rise to the c I. A. Tried. This is the reason for which we have security,
00:28
confidentiality, integrity and availability. The goals off confidentiality At that
00:35
only authorized disclosure, she will be allowed
00:39
displeasure off. Information should only be allowed if it's authorized,
00:43
control should be in place, too.
00:46
Deny access. If the disclosure is not authorized,
00:50
integrity dictates that only authorized modifications should be allowed where a modification is not approved,
00:59
control should be in place toe limit. That modification taking place on availability dictates that our resources should be available in a timely fashion toe. Authorized personnel.
01:11
So
01:11
the security goals brother around confidentiality, integrity and availability.
01:19
We will see different types of attacks at confidentiality. Some toe compromise confidentiality. Some attacks are targeted at integrity on some other attacks are targeted at availability.
01:30
So what sort of controls could we have in place to protect against protect confidentiality?
01:37
Toa Protect confidentiality we could put encryption in place
01:41
when we encrypt the content off our hard disk or are removable drives.
01:47
If these drives fall into the wrong hands, the driver's missing the driving stolen. The driver's misplaced.
01:53
Unauthorized persons don't have access to the information contained in them.
01:59
Encryption is the best form of security on mobile devices. These devices is very easy to lose them. You lose them in the taxi, you lose them in a public toilet in a restaurant and places like that,
02:10
so you want them to be encrypted should you lose them. So no other persons have access to the content.
02:16
We should also have access controls,
02:20
access controls, toe Lim who has access.
02:23
So if you don't have a need to know
02:28
the access control should limit what you're able to see. I'll give an example. Here we have two individuals in HR. One is a senior personally nature. The order is a junior personnel in HR.
02:39
By virtue of their job positions, they have a different need to know off information about personnel.
02:47
So if you don't have a need to know, there should be what we call database views. Toe limit What you can see So the junior personnel possibly could see my debt off employment, but has no needs to know off my date of birth.
03:02
So would you have databases views to limit that user from seeing that information
03:08
that is access control the genius. The senior staff, on the other hand, could have a needs to know off my date of birth
03:16
on my date of employment. So the access we grant them to information within the database is different from that of the junior user so and access controls could also be used to limit
03:30
confidentiality or other Air Force confidentiality.
03:35
Lastly, here we talk about steganography
03:38
Stegner. Steganography is a technology by which the very existence off data is hidden so steganography could be used for good reasons and also malicious reasons. What happens here is that
03:53
using software, you could hide information with the information.
03:58
You could hide pictures within or do a fire.
04:02
People will listen to the audio file and they don't
04:05
notice any
04:06
***.
04:09
You could hide pictures within pictures.
04:11
The picture file
04:13
that people see is what we call the career file,
04:16
then *** Aria file.
04:18
How do we do it?
04:19
We use the least significant bits off the career fire so that if we distort the career files, you don't notice any distortions in the picture. Yet it is carrying multiple pictures. So if you want to intercept a USB for me, maybe I'm carrying out some
04:39
practices that are not best practice. I could be trafficking in certain types of things or transporting, citing types of information,
04:47
but I hide that information within another information. So say, for example, you have to intercept my USB drive. You connect my USB drive to a system on you looked through my USB drive. All you find is Holy day pictures off myself in France.
05:02
A. That is me, that Eiffel Tower that was me on the train that is me at the shopping. More
05:10
so is having a great time in France. But within each of those pictures, there could be other pictures that I'm actually aiming to hide,
05:18
and this is steganography. This can be done easily with software
05:23
software that is ready available on the Internet today. Individual school want to hide their own information
05:29
so that only them seat on malicious persons could also use
05:34
pictures as career files or even audio files as career files toe hide. If I that they're transporting
05:44
information or data that could be very harmful.
05:47
So that is steganography. All of this help achieve confidentiality.
05:54
Then we talk about integrity.
05:57
We have digital signatures.
06:00
Elektronik identify us that cool be appended to messages toe show proof that they are. The documents originated from a particular person.
06:10
So where digital signatures have been applied to messages,
06:15
it is very easy to show proof that this message has come from a particular source. That helps ensure that the data has not been modified while it is in transit on that is the goal of integrity. So if you are to modify with the data, the signature will be compromised on then. WeII known not to trust the data anymore.
06:34
Certificates could also be used to ensure integrity
06:38
when these technologies, I used the help ensure that messages are signed so that we can prove the source or the auto off a message. We can also prove the receipt off a message on when we do that, such that users cannot repudiate their receiving the message or sending the message or taking part in an electronic transaction
06:58
we call that known repudiation.
07:00
So no repudiation is the inability off a person toe deny taking part in a transaction or being the auto or recipient off a document or a message that is no repudiation. These three
07:14
able to meet the goals off integrity.
07:16
Next, we talk about availability.
07:19
Availability dictates that our resources be available in a timely fashion toe authorized personnel.
07:27
So we want to ensure things like redundancy by Putin. Redundancy in place. We have spares. So if once tipped once when when when technology fails, we have a spare,
07:38
the technology is available, the
07:42
service would be available. Whatever that technology offers is still made available because we have redundancy. You could also introduce false tolerance. When you invest in equipment, you want to invest in equipment that are false tolerance, the experience, their fault on. Not everything shuts down. At least some production is still taking place.
08:01
Uh, this will be very expensive in terms of hardware,
08:03
but it is a price to pay for availability. If you are down, you're losing money. But the more availability you can guarantee, the better
08:13
We also should do. Patching
08:16
software is not perfect.
08:18
There are vulnerabilities that exist within software. So by downloading the patches on you test the part before you apply the patch, you are able to ensure that your system stay up on a life
08:28
we have a zero day exploit. The best way to protect against zero day exploit is to ensure that all your patches are to the most recent,
08:37
that way, the human. The immunity off the systems in your network is very high on. You can guarantee availability if you have all of that.
08:48
Next, we talk about safety
08:52
for safety.
08:54
Certain issues are considered fencing. You want to use a fence to establish your perimeter.
09:01
You want to use your friends to say people cannot come in from these parts off the facility, but can only come in maybe through the gates. So you use the fence to establish the perimeter on guide access into the facility
09:15
when you use a fence. Best practice is that you'd let defense dig deep
09:20
so some distance so that people can borrow
09:24
two
09:24
the underside of defense.
09:26
Some other organizations would like to put
09:28
result wire at the top of the fence
09:31
to prevent people on the outside. There is a wire could tilt this way so people cannot climb
09:37
from the outside. And to keep people on the inside, there is a wire. Could be looking that way so people cannot climb
09:46
out from the inside. And if you must keep people in and out, you could have your is aware that way.
09:50
What ways?
09:52
So we have different types of offenses that could be used. We are fences for domestic use, like we have around our homes. Could just be probably, uh, waist high. Why Amish or root? In some cases, they're also about the average human height. But the
10:11
industrial level you have,
10:13
why offenses offenses that are eight feet or 10 feet high
10:18
for safety properties. We also want to ensure that our environment is well eat
10:24
on environment. That is, well, it. People can see what is taking place,
10:30
so there is no fear off being attacked.
10:33
When you moving
10:35
in an environment that is, well, it because you can see everything happening around you. You can see people trying to hide, possibly to attack. But if the environment is not well, it it becomes difficult to see on. While it is difficult to see you could be vulnerable to several types of attacks on when we talk about lightning.
10:54
In an environment, at least, the lightning should be about eight feet or
11:00
eight feet so that there's ample coverage
11:03
of light around.
11:05
We also need to implement looks
11:07
we should implement locks on the doors.
11:11
Lock should be very robust
11:15
so that when you lock the door they lost, you'd actually go away in tow. Keep the doors firm.
11:22
We should also have CCTV
11:26
closed circuit television, CCTV. It is normal that people tend to conduct themselves better when we see cameras. Oh, there's a camera over here. Let me carry my activities elsewhere. So for safety, we should have CCTV. CCTV won't monitor everything When we plant our cameras. We have to be very strategic.
11:43
We need to have cameras that compan,
11:46
tilt, zoom
11:48
your commercial, have the ability to plan so that they can cover the entire area. They can tilt as required, and they can zoom for better visuals.
11:58
The environment should be, well, it so you can see clearly what you're recording.
12:03
If you are recording in tow tape, make sure there's a tape in there,
12:07
and if it's digital Mitchell. It's running.
12:11
We could have active and passive for our recordings.
12:16
In the passive, it's just be recorded on story in the active. The screens are monitored by individuals that can say a Joe. Can you go to the third floor? I see the lady in red. Can you find out what she's doing there? So that place in that instance, somebody can instantly respond That is active monitoring when we do cc TV as well. It is best practice these days
12:37
that you have your camera in Olympic doom
12:41
glass around in the camera so people don't see where the camera is pointing that way. They don't try to avoid the camera. When you plant your cameras, make sure you avoid blind sports. The people around will quickly try to identify the blind sports because they don't want to be recorded while they had carrying out there
12:58
naughty activities.
13:01
So best practice we could even use CCTV.
13:05
You also should establish escape plans.
13:09
The escape plan in the incident in the kiss an incident happens
13:11
in because an incident happens, organizations should have escaped plants. This is the plan as to how to escape from the facility. Southern routes we should not follow within the organization. We should have a plan. It should be documented.
13:24
The user's need to be trained as to the use of these plants on. Everybody needs to understand these plans. So how do we carry out
13:33
the understanding off these escape plans? We carry out drills. A sample fire drill.
13:39
The fire drill is an effort following the escape plan. In the kiss off a fire, how do we response? How do we escape from the building? So periodic fire drills should be conducted. Your use. I should be trained, what to do and what not to do. In the case of a fire,
13:56
the escape routes should be clearly identified. The escape routes will be marked with science exit escape route. Whatever it is you want to call it, they should be clearly identified. So people are not trying to escape through the wrong route.
14:09
Leading toe. Possibly more disasters
14:13
on these controls should all be periodically tested.
14:18
It is that you can put a control in place on if you don't test the controls. How are you sure it's effective? How are you sure it's working? How are you sure it's doing what is meant to do the right way. So periodically we should have testings for some of these controls to guarantee safety
14:37
within our environment.
14:39
This is the last portion off section 2.9. Thank you.

Up Next

IT Security Governance

IT Security Governance is a type of risk management process that can be applied to business operations, identifying critical information and protecting that information from enemies

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor