Security Definitions and Concepts Part 1

Video Transcription
Hey there, Cybrary friends. Welcome back to the HCISPP Certification course with Cybrary, Security Definitions and Concepts Part 1. My name is Charlene Hutchins and I'll be your instructor. Today we're going to talk about some of my favorite things: access controls, data encryption, and training and awareness. Let's go.
Before talking about controls of any kind, please understand that controls are either preventing something from happening, a preventive control, or detecting something after it's happened, a detective control. Access controls are both preventive and detective. HIPAA defines its safeguards in three control groups: administrative, physical, and technical. Access controls can be segmented into the same three buckets. Each can be carried out manually or through automation. However, all should work in concert with each other to protect any infrastructure and data.
Think about administrative controls as policies and procedures, training and awareness, risk assessments, audits, and things like that. Something that's non-technical. Policies and procedures are preventive controls. Having employees read and acknowledge policies and procedures increases the likelihood of preventing something from happening.
Now think about physical controls like a noun in grammar: a noun is a person, place, or thing. So when you apply that idea to a physical control, a security guard, a person, is a physical control. A security guard controls access to a building or to a data center. A security guard can be a preventive and detective control, preventing those who are not authorized to enter from doing so and detecting someone unauthorized if they've already entered. Now the location of a primary and/or secondary data center is a place. Having them geographically located at least 400 miles away from each other is a type of physical control. The thing can be as simple as a door. A door provides access for some and prevents access for others. That's a physical control. A preventive control to prevent complete destruction of services and data.
Now, technical controls are those automated processes that are implemented to control access to buildings, systems, applications, etc. Your username and password, or your credentials, are technical controls. Logging and monitoring is the universal detective control. While logging of activities happens in real time, monitoring through alerts allows administrators to identify anomalies or suspected unauthorized activities.
Another important key here in this module is the term control objective. A control objective is the intent of the control to fulfill a security requirement. In simple terms, it's the why behind what you're doing. Is what you're doing serving the security need? That's the million-dollar question to ask when speaking to those who are removed from the day-to-day operations and begin to dictate and mandate how things should be done. There is no such thing as 100 percent security or zero risk of vulnerabilities; it's impossible. Any leader in any organization who believes they can achieve that has probably never done security. That's all I'll say about that.
Let's continue to talk about access controls. There are several types of access controls, and I'll touch on these briefly. Discretionary access control, just like it sounds, uses discretion in the administration of access based on a set of rules or groups to which users belong. The most common discretionary access control is an access control list, or ACL. Logical access controls are system-based mechanisms used to specify who or what is to have access to a specific resource and the type of access that's allowed. Mandatory access control is an access control policy that is uniformly enforced across all subjects and objects within the boundaries of an information system. Think MFA, or multi-factor authentication. Forcing all users to use MFA before granting access to a system or network is an example of a mandatory access control.
Role-based access control is access based on a business role. Permissions and privileges are granted to each role, and users within that role all have the same privileges and permissions. RBAC, as it's sometimes called, is a form of mandatory access control but is not based on multilevel security requirements. RBAC is concerned more with access to functions and information, and mandatory access control is concerned strictly with the access to the information.
Now, physical access control is an automated system that manages the passage of people or assets through an opening in a secure perimeter based on a set of authorization rules. Think of your key card that gets you in and out of your building. Technical access controls are the software tools used to restrict access to objects. They are either core components of an operating system, add-on security packages, applications, network hardware devices, protocols, or access control matrices. These controls work at different layers within a network or system and need to maintain sufficient relationships to ensure that there is no unauthorized access to resources that affects the confidentiality, integrity, or availability of the data.
Now let's talk about encryption. Encryption is making something unusable to those who aren't authorized users, should they see it. Think of it this way. When my daughter was in elementary school, the school board decided that teaching children to write in cursive was unnecessary. So there's a generation or more of children who not only don't know how to write in cursive, but now they can't read it either. Writing a letter in cursive is a type of encryption of the data for those who can't read it. This information is completely useless to them. Back to the course.
Data encryption is a key provision of HIPAA and part of the Stage 2 meaningful use requirements to identify data that needs to be encrypted at rest and to implement strong protections to safeguard the data. Cryptography, then, not only protects data from theft or alteration but can also be used for user authentication. Unencrypted data is referred to as plaintext. It's encrypted into a ciphertext, such as the cursive writing, which will in turn be decrypted into usable plaintext.
There are three types of algorithms for encryption. Symmetric key cryptography (SKC) uses a single key for both encryption and decryption: a single key to lock the data and the same key used to unlock the data. The use of symmetric keys is much faster than asymmetric systems, and they are hard to break when using a large key size.
Asymmetric key systems, or public key cryptography (PKC), are said to be the most significant development in cryptography in the last 300-400 years. Generic PKC employs two keys that are mathematically related, although knowledge of one key does not allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext. It doesn't matter which key is applied first, but both keys are required for the process to work.
Hash functions. A hash may incorporate no key, or may have a key to alter the output of the message digest, which is referred to as a keyed hash. Regardless of the size of the message, a hash creates a defined output which is generally significantly smaller. However, by looking at a hash, it is relatively impossible to determine what the message input was. Now, a hash function provides an integrity service, but not a confidentiality service. You may hear the term MD5, which was a popular hash algorithm used for passwords. It has since been compromised and broken. So if you see that in your practice notes, know that it should be updated.
Lastly, let's discuss training and awareness. Training is the mechanism for teaching drills or concepts to enable people to perform their jobs more effectively. Like this training, going over and over HIPAA, security, and privacy to enable you to become a certified HCISPP. Awareness sets the stage for the training by helping to change attitudes, to realize the importance of security. When you are more aware, you recognize and change your attitude about how to do things. Simply stated, you can't do anything about something you're not aware of.
Today we've covered a great deal. We talked about access controls, data encryption, and training and awareness. Stay tuned for more in Security Definitions and Concepts Part 2.