Hey there, cyber friends. Welcome back to the Hcs PP Certification course with Sai Buri Security definitions in concepts part one.
My name is Shalane Hutchins, and I'll be your instructor
today. We're going to talk about some of my favorite things. Access, controls, data encryption and training and awareness. Let's go
before talking about controls of any kind. Please understand that controls air either preventing something from happen happening a preventive control
or detecting something after it's happened. A detective control
access controls are both prevented, and Detective
Hippel defines their safeguards in three control groups. Administrative, physical and technical
access controls can be segmented into the same three buckets.
Each can be carried out manually. Working automation, however, all should work in concert with each other to protect any infrastructure in data.
Think about administrative controls, its policies and procedures, training and awareness, risk assessments, audits and things like that.
Something that's not technical
policies and procedures are preventive controls.
Having employees read and acknowledge policies and procedures increases the likelihood of preventing something from happening.
Nothing about physical controls like a now in grammar
and now is a person, police or pain.
So when you apply that idea to a physical control. A security guard.
A person is a physical control.
A security guard controls access to a building or to a data center. A security guard can be a preventive and detective control, preventing those who are not authorized to enter from doing so in detecting someone unauthorised if they've already into.
Now, the location of a primary and or secondary data center is a place.
Having them geographically located at least 400 miles away from each other, is a type of physical control,
and a thing can be a simple as a door.
A door provides access foursome and prevents access for others.
That's a physical control, a preventive control to prevent complete destruction of services and data.
Now, technical controls are those automated processes that are implemented to control access to building systems. Applications, etcetera.
Your user name and password or your credentials are technical controls.
Logging and monitoring is the universal detective control. While longing of activities happens in real time, monitoring through alerts allows administrators to identify anomalies or suspected unauthorized activities.
Another important key here in this module is the term control objective.
A control objective is the intent of the control to the Phyllis security requirement. In simple terms, it's the why behind what you're doing
is what you're doing serving the security need.
That's the million dollar question to ask when speaking to those who are removed from the day to day operations and begin to dictate and mandate how things should be done. There is no such thing as 100% security or zero risk or vulnerabilities. It's impossible, and
any leader in any organization who believes they can achieve that
has probably never done security.
That's all I'll say about that. Let's continue to talk about excess controls,
so there are several types of access controls, and I'll touch on these briefly
discretionary access controls.
Just like it sounds. Uses discretion in the administration of access based on a set of rules or groups to which users belong.
The most common discretionary access control is an access control list or a CEO.
Logical access controls our system based on mechanisms used to specify who
or what is to have access to a specific resource in the type of access that's allowed.
Mandatory access controls is an access control policy that is uniformly enforced across all subjects and objects within the boundaries of an information system.
Think I m f a or multi factor authentication. Forcing all users to use MF A before granting access to a system or network is an example of a mandatory access control.
Role based access controls is access based on a business role.
Permissions and privileges are granted to each role, and users within that will all have the same privilege in permissions,
are back as it's sometimes called, is a form of mandatory access control but is not based on multilevel security requirements. Are back is concerned more with access to functions and information. And mandatory access controls is concerned strictly with the access to the information.
Now. Physical access controls is an automated system that manages the passage of people or assets through an opening in a secure perimeter based on a set of authorisation rules. Thank your key card that get you in and out of your building.
Technical access controls is the software tools used to restrict access to objects. They're either core components of an operating system at on security packages, applications, network hardware, devices, protocols or access control. Nature sees
these controls work at different layers within the networker system and need to maintain sufficient relationships to ensure that no unauthorized access to resource is that affects the confidentiality, integrity or availability of the data.
Now let's talk about encryption.
Encryption is making something unusable to those who are authorized user. See it?
Think of it this way.
When my daughter was in elementary school,
the school board decided that teaching Children to write in cursive was unnecessary.
So there's a generation or more of Children who not only don't know how to write in cursive, but now they can't read it either. So writing a letter in cursive is a type of encryption of the data for girls who can't read it.
This information is completely useless. To them,
it's of active. Of course,
data encryption is a key provision of HIPPA and part of the stage to meaningful use. Requirements toe identify data that needs to be encrypted at rest and to implement strong protections to safeguard the data.
Cryptography then not only protects data from theft or alteration, but can also be used for user authentication.
Unencrypted data is referred to as plain text.
It's encrypted into a cipher text such as the curse of writing, which will in turn be decrypted into usable plain text.
There are three types of algorithms for encryption. Symmetric key cryptography.
SKC uses a single key for both encryption and decryption. A single key to unlock the data in the same key used to unlock the data.
Uh, the use of symmetric keys are much faster than asymmetric systems and are hard to break when using Ah, large key size
asymmetric key systems or public key cryptography. P K C is said to be the most significant in the development and cryptography in the last 3 to 400 years.
Generic BKC employs two keys that are mathematically related, although knowledge of one key does not allow someone to easily determine the other key.
One key is used to decrypt the plane to encrypt the plain text, and the other key is used to decrypt the cipher tents. It doesn't matter which keys applied first, but both keys are required for the process to work.
Hash functions. Ah hash may incorporate gnocchi or may have a key to alter the output of the Message digest, which is referred to as the keyed hash.
Regardless of the size of the message. A hash creates a defined output, which is generic generally significantly smaller.
However, by looking at a hash, it is relatively impossible to determine what the message input WAAS
Now Hash function provides an integrity service but not a confidentiality ease service.
You may hear the term in defy, which was a popular hash algorithm algorithm used for passwords.
It has since been compromised and broken. So if you see that in your practices knows no that it should be updated.
Lastly, let's discuss training and awareness Training is the mechanism for teaching drills or concepts to enable people to perform their jobs more effectively,
like this training going over and over hip of security and privacy to enable you to become a certified h C I. S P P.
Awareness sets the state for the training by helping to change attitudes to realize the importance of security. When you're more ran aware, you recognize and change your attitude about how to do things simply stated, you can't do anything about something you're not aware of,
so the day we've covered a great deal, we talked about access, controls,
data encryption, training and awareness. Stay tuned for more and security definitions caught in concepts. Part two