Part 2.2 - AC Derived Security Requirements

Video Activity

This lesson continues to cover requirement 1, the requirements for access control, and discusses monitoring and controlling remote access sessions.

1 hour 27 minutes
Video Transcription
Okay. Our second half of derived security requirements to provide us access control. We're gonna monitor and control remote access sessions. You know, it would be infinitely more secure if anyone that accessed data, we forced them to be in our physical location or physical premises.
You know, and that's true throughout.
I would rather make every single person that has access to network resources or system resources or information resources, I would rather make every single one of them come into my building.
Why? Well, they have to go through physical security.
They have surveillance of other employees. It's just safer to make people be within your building, within the framework of your building. However, today's business demands, in many elements, you know, require remote access, whether it's WiFi,
whether it's VPN access, whether it's terminal service access,
whether it's even dial-up, you know, dial-up is dead. That's still around. So the bottom line is, if I'm going to allow these remote access sessions, I need to monitor them very carefully.
All right, 3.1.13: employ cryptographic mechanisms to protect the confidentiality of remote access sessions. A lot of these remote access sessions don't natively encrypt information. Most of them don't.
So what we want to make sure is that we're using secure protocols, that we're using secure mechanisms, that as we transfer this information it's safe. I mean, you think about WiFi, and really, you can look at that as remote access because I can be outside the building in a lot of instances, but it's also
access in which I'm not physically wired into the network.
So by default we don't have to have security for WiFi, but we'd want to employ WPA, uh, WPA2 in order to secure it,
remote RADIUS servers to strengthen remote access authenticity would also be helpful. All right, route remote access via managed access control points. So that kind of goes back along the line as well: those points in which we're gonna allow access onto the network.
We have to manage those devices and we have to make sure that authentication and authorization is happening
in a secure manner. So RADIUS is a tool that will help us. Authorize remote execution of privileged commands and remote access to security-relevant information. You know, it's tough allowing that type of, um, of activity to go across remote links
again. I don't see that person. They're not getting the physical
requirements, so we very much limit privileged commands from happening through remote access, but when necessary, we're to be very selective about how we do authorize those.
Authorize wireless access prior to allowing such connections. Meaning require authorization and really force the wireless user to authenticate and then get authorized. Again, RADIUS helps very much with this. And then the next:
Protect wireless access using authentication and encryption. WPA2 would provide us encryption services.
WPA, and then, well, prior, don't provide sufficient encryption by today's standards. We want to use WPA2, and then we can bring in authorization with challenges from an access point. We can require certificates in order to connect to the wireless network.
Or we can process and send those authentication requests over
again to a RADIUS server.
All right, central connection of mobile devices. You know, in today's environment, we've got so many ways to connect to the network, access resources, to manipulate resources. Mobile devices are just one of these,
and mobile devices bring their own set of problems here. They're extremely flexible. Users love them. They give a
great amount of ease of use for most people. But the problem is, there are so many different operating systems to support, so many different devices. It can be tricky. So if we're going to allow access to CUI information, there has to be a central means of controlling those.
You would see a lot fewer bring-your-own devices
in that type of environment. Encrypt CUI on the mobile devices. I would go along with that and think about, and you know, this isn't for the NIST publication, but think about
implementing some of the other security features of these mobile devices like remote wipe, find my device, some of those elements as well.
Verify and control/limit connections to and use of external information systems. So once again, just being very careful who we allow access to and making sure that we can verify and limit. You know, I don't want limitless, limitless connectivity.
Limit use of organizational portable storage devices on
external information systems. Removable hard drives, very popular, and have been thumb drives. And so we want to limit the usage. Control information posted or processed on publicly accessible information systems, whether that's a Web server
or some other device that's given, ah, access, that we give access to the general public with,
you know, again just being very cautious and very selective. We're getting away from the school of thought that easy is better. We're looking to secure the information first and foremost.