Security Principles - Confidentiality

Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
Hi everybody. I always like beginning security discussions with the risk, because information security is risk management. Start by looking at your assets and what they are worth. Look at the threats and vulnerabilities and figure out what the potential for loss is based on probability and impact. Then make a good decision based on the potential value for loss and what a good countermeasure would be, and of course, continue to monitor for risk after that.

If we look at this a little bit more specifically, in the realm of information security, we have to start with the very beginning. Here we look at the CIA triad: confidentiality, integrity, and availability. Those are the three tenets of security. When we talk about securing an organization, those are the three services we're focused on.

Now the problem is that security always costs something. There's always a trade-off for security. Usually that trade-off is performance. Security usually slows things down. Sometimes it costs money. Sometimes you have to upgrade components or pay for security devices. But performance is the key trade-off. What we have to find out is what the right amount of security is based on the needs for performance. We also take into consideration cost and user acceptance. But we're mainly looking for that balance between security and performance.
Let's look at confidentiality and some of the threats against it. The greatest threat is social engineering. Social engineering is all about impersonation: impersonating someone to get access to certain knowledge, a system, the ability to get into a room, and so forth.

Phishing is a very specific type of social engineering that is commonly done through e-mail. The "ph" in phishing is a throwback to the fact that it used to be very common on the phone system. We used to get these calls soliciting donations or other fraudulent activities. Now e-mail is the main market for this. Phishing is based on the idea that it's indiscriminate. An attacker sends a massive e-mail and casts a large enough net that he catches something. A spammer purchases a mailing list and sends the message out to everyone.

One type of phishing is called spear phishing. This means it's targeted. The attacker's targeting a demographic group or a specific organization and hopes that he is more likely to be successful. A specific type of spear phishing is called whaling. This is when the spear phishing is focused on ensnaring senior leaders. Now, senior leaders sometimes insist on having access to everything, but sometimes they don't have time to get the security training that everyone else gets, and you'd think they would be the most focused on avoiding risk. But that's not always the case. This might be why whaling attacks are successful.

Now going back to the idea of phishing, we also have vishing. The idea here is that the attacker exploits voice over IP systems. With caller ID, you would think that you could detect this type of attack. But phone numbers are as easy to spoof as anything else. That is not always a perfect way to detect these types of attacks.
Another threat to confidentiality is media reuse. This is where we store information on a removable drive, like a thumb drive or a removable hard drive. Or maybe people are sharing a laptop or some other device. If that hardware or media is not properly sanitized, we might be inadvertently passing information from one individual to another. Sanitizing media is really critical. One of the ways we could do this is zeroisation, where we overwrite the drive with zeros. It's fine in loose security environments. But one thing about zeroisation is that it's not good enough for really sensitive information. For that, the best thing is physical destruction. That's the only way to make sure that the data remnants are gone, because if an attacker has the right equipment, he can still retrieve data from a disk that's been zeroised.

Another point to make is that if you're storing sensitive information in the Cloud, you can't do any physical sanitization. For that there is something called crypto shredding. This involves encrypting the entire disk with a really strong, publicly known algorithm. One of the things you'll find that people in security prefer is open as opposed to closed architecture. Ideally, the algorithm is one that's tried and true and has been around for a long time. When we use this algorithm we destroy the key. We would never keep the key on the same volume that we keep the encrypted information. That's how we destroy remnants in a Cloud environment.
Eavesdropping is the next threat to confidentiality. Here we don't mean people listening on phone conversations. We mean technical eavesdropping. This means sniffers like Wireshark. Another name for a sniffer is a protocol analyzer. You may hear it called a network or a packet analyzer. But the idea is that an attacker has a device on the network that captures traffic, and software that allows the attacker to view the traffic. The easy way to defend against eavesdropping is encrypting your data. Also, you can keep really sensitive stuff from traversing the network at all.

We want to make sure that we're aware of these threats, and we also want to have a good idea of how to mitigate against them. With social engineering, your best method is through training. Another way is to use separation of duties, because a person can't give an attacker information if they don't have it. For media reuse, we make sure we sanitize the media, and for eavesdropping, we encrypt our data.