Introduction and Policy


Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
00:00
>> Okay guys, we're moving on to the next chapter.
00:00
Operational security.
00:00
Operational security has to do with
00:00
those things we do day-to-day for network security.
00:00
As part of this section,
00:00
we'll be thinking about things like redundancy,
00:00
policies and procedures, continuity planning,
00:00
incident response, and monitoring.
00:00
In this chapter,
00:00
these are the topics we'll be covering.
00:00
Personnel security.
00:00
It's really important to get
00:00
our policies and procedures in place
00:00
and we want to make sure we have
00:00
the right policies for the right environment.
00:00
Reducing the attack surface.
00:00
This is about hardening our systems
00:00
and making our surface harder to attack.
00:00
The idea is that if you have
00:00
a very wide range of applications
00:00
and services and many ports open and so forth,
00:00
there is a greater chance for compromise.
00:00
But if you reduce that landscape or surface,
00:00
it is harder to attack your systems.
00:00
Incident response and forensic investigations.
00:00
Here we'll talk about monitoring the network and
00:00
determining what is an attack and what isn't,
00:00
and what to do from there. Fault tolerance.
00:00
This is redundancy and getting rid of
00:00
those single points of failure on the network.
00:00
Virtualization and cloud services go hand in hand.
00:00
BCP and DRP.
00:00
This is business continuity planning
00:00
and disaster recovery planning.
00:00
Let's get started with personnel security.
00:00
The greatest weakness to any organization
00:00
comes from the inside.
00:00
We have to be particularly careful with our employees.
00:00
We need a robust screening program for hiring
00:00
them and a good onboarding process,
00:00
as well as a good offboarding process
00:00
when they separate from the organization.
00:00
Non-disclosure agreements, or NDAs,
00:00
give us a way to ask employees not to release
00:00
proprietary information about our organization.
00:00
Employees in an NDA commit not to
00:00
disclose this information to
00:00
anyone outside the organization.
00:00
AUPs or acceptable use policies
00:00
are for detailing how company resources are to be used.
00:00
For example, whether you are allowed
00:00
to print personal documents on the company printer,
00:00
and other rules that govern the use
00:00
of company property and equipment.
00:00
Privacy here refers to
00:00
our employees' privacy and
00:00
the organization's obligation to
00:00
inform employees about any monitoring that
00:00
the company does on the use of its systems.
00:00
The organization should notify
00:00
employees of how they are
00:00
monitored and how the use of
00:00
the organization's equipment is monitored.
00:00
Another item here is training.
00:00
Training goes a long way to preventing
00:00
fraudulent activity and security incidents.
00:00
I mentioned earlier that social engineering is
00:00
such a major threat to organizations today.
00:00
That's where training can really help to inform
00:00
employees of what to watch out for and avoid.
00:00
Then of course, we have to have policies,
00:00
procedures, standards, and guidelines.
00:00
Some senior management can
00:00
state how the organization should work.
00:00
Usually when you're dealing with policies,
00:00
you're talking about organizational
00:00
or corporate policies.
00:00
Corporate policies like, for example,
00:00
a policy to encrypt
00:00
all personally identifiable information on the network.
00:00
We might also have to have certain policies for
00:00
specific systems as well as for specific issues.
00:00
A system-related policy might have to do with who gets
00:00
access to certain systems and at what level.
00:00
An issue-specific policy is like the one I mentioned
00:00
earlier related to acceptable use, so,
00:00
in that example, it would state how a piece of
00:00
equipment or a system should
00:00
be used and the rules around that.