CBT Nuggets

Summarize Security Concepts

This skill covers essential security concepts including the CIA triad (Confidentiality, Integrity, Availability), AAA framework (Authentication, Authorization, Accounting), and non-repudiation through digital signatures. It also delves into the principles of zero trust networks, emphasizing the need for continuous verification and strict access controls. Additionally, the skill highlights the importance of physical security measures and the use of honeypots and honey tokens for deception and disruption to detect and mitigate security threats.

Full lesson from Security+.

1h 12m 9 Videos 7 Questions

Skill 2 of 32 in Security+

Intro to Summarize Security Concepts


CIA

Acronyms help us remember words, phrases, and concepts, and CIA is one of those acronyms. In this video, we look at what it means in the security world.

Knowledge Check

In the context of security, what does the acronym CIA stand for?

  A. Confidentiality, Integrity, Availability
  B. Control, Isolation, Authentication
  C. Containment, Inspection, Authorization
  D. Cybersecurity, Identification, Access control



Non-repudiation

Non-repudiation verifies authenticity and establishes accountability: the party who sent or signed something cannot later credibly deny having done so. Digital signatures are one way to achieve non-repudiation, because a valid signature can only have been produced by the holder of the private key.
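The CIA video later in this skill verifies a downloaded Raspberry Pi image by comparing a SHA-256 digest against the one the download page publishes, and this section says digital signatures give non-repudiation. The Go program below is an added example written for this page, not CBT Nuggets' code. It stands a constructed byte string in for the real image and a freshly generated Ed25519 key pair in for a publisher's real key, and shows what each mechanism does and does not prove: a published digest shows the bytes arrived intact, but whoever can replace the file on the site can replace the digest next to it; an HMAC additionally proves the tag came from a holder of the shared key, which is either party; only the signature, made with a private key the verifier never holds, ties the file to one signer and so cannot be repudiated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed sample standing in for the OS image; not a real file.
var originalImage = []byte("raspberrypi-os-image-contents (constructed sample, not a real image)")

// Sha256Hex returns the hex SHA-256 digest of data, the value a download
// page publishes as its "file integrity hash".
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyDownload recomputes the digest of what we received and compares it
// with the published one. A match shows the bytes are intact (integrity).
// It says nothing about who published the digest: an attacker who can swap
// the file on the site can swap the digest beside it as well.
func VerifyDownload(received []byte, publishedHex string) bool {
	got := Sha256Hex(received)
	return hmac.Equal([]byte(got), []byte(publishedHex)) // constant-time compare
}

// Signer holds a publisher's Ed25519 key pair (generated fresh here; a real
// publisher would keep the private key offline and distribute the public key).
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

// Sign signs the SHA-256 digest of the file rather than the file itself, so
// the signed message stays small even for a gigabyte image.
func (s *Signer) Sign(data []byte) []byte {
	digest := sha256.Sum256(data)
	return ed25519.Sign(s.priv, digest[:])
}

// PublicKey is the only key material the publisher hands out.
func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// VerifySignature checks that sig was made by the private key matching pub.
// The verifier never holds that private key, so a valid signature is evidence
// only the signer could have produced: that is what gives non-repudiation.
func VerifySignature(pub ed25519.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return ed25519.Verify(pub, digest[:], sig)
}

// HmacTag is the contrast case: an HMAC also detects tampering, but both
// sides hold the same key, so either of them could have produced the tag.
// It gives integrity and authenticity between the two parties, not
// non-repudiation towards a third party.
func HmacTag(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func main() {
	published := Sha256Hex(originalImage)
	fmt.Println("published SHA-256:", published)

	tampered := append(append([]byte{}, originalImage...), []byte(" + malware")...)
	fmt.Println("intact download verifies:  ", VerifyDownload(originalImage, published))
	fmt.Println("tampered download verifies:", VerifyDownload(tampered, published))

	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := signer.Sign(originalImage)
	fmt.Println("signature over intact image:  ", VerifySignature(signer.PublicKey(), originalImage, sig))
	fmt.Println("signature over tampered image:", VerifySignature(signer.PublicKey(), tampered, sig))

	// With a shared key, the receiver can mint a tag the sender never produced,
	// which is exactly why an HMAC cannot hold the sender accountable.
	sharedKey := []byte("constructed-shared-secret")
	receiverMinted := HmacTag(sharedKey, tampered)
	fmt.Println("receiver-minted HMAC verifies:", hmac.Equal(receiverMinted, HmacTag(sharedKey, tampered)))
}
```

Both comparisons go through hmac.Equal so that checking a digest does not leak timing information; the same rule applies when a web application compares an API key or a signature it received over the network.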

Knowledge Check

What is the main outcome of non-repudiation?

  A. proof
  B. theory
  C. estimation
  D. data integrity



AAA

This acronym helps us remember three essential components of security: authentication (establishing who an individual or system is), authorization (what they are permitted to do), and accounting (recording what they did).

Knowledge Check

Which element of AAA deals with permissions for a user?

  A. authorization
  B. authentication
  C. accounting
  D. auditing



Zero-Trust and Gap Analysis

In a zero-trust model, every user and system is verified before access is granted, regardless of where the request comes from, and access is limited by appropriate controls rather than assumed from network location.

Knowledge Check

When implementing a Zero-Trust model, at what point should the authentication process be employed?

  A. For everything and everyone on the network
  B. For the control plane only
  C. For critical users only
  D. For critical servers only



Physical Security

Physical security has been, and continues to be, one of the essential elements for protecting our systems, users, and other assets.

Knowledge Check

If you use adaptive authentication and only allow users to log in when they are physically in the building, which type of security control keeps unauthorized individuals from getting inside the building in the first place?

  A. physical
  B. logical
  C. technical
  D. administrative



Deception and Disruption Technologies

Using a trap, such as a honeypot, can help identify an attacker or hacker attempting to compromise our security.
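The skill summary above lists honey tokens alongside honeypots. The Go program below is an added example for this page, not CBT Nuggets' code: it treats a decoy account name as a honeytoken and scans sshd-style auth log lines for any use of it. The log lines, host name, addresses and the decoy account are all constructed for the example. In a real deployment the lines would come from the journal or syslog feed and the alerts would go to the SIEM, but the detection logic is the same: the decoy has no legitimate use, so every appearance is a finding, and a failed login against it is as interesting as a successful one because it shows someone found the planted credential.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of sshd auth log lines; host, users and addresses are made up.
const sampleAuthLog = `Mar  4 09:12:01 web1 sshd[2201]: Accepted publickey for deploy from 10.0.2.15 port 50122 ssh2
Mar  4 09:12:44 web1 sshd[2210]: Failed password for deploy from 10.0.2.15 port 50130 ssh2
Mar  4 09:13:02 web1 sshd[2215]: Failed password for svc-backup-legacy from 203.0.113.7 port 41002 ssh2
Mar  4 09:13:05 web1 sshd[2216]: Failed password for invalid user oracle from 203.0.113.7 port 41004 ssh2
Mar  4 09:13:09 web1 sshd[2217]: Accepted password for svc-backup-legacy from 203.0.113.7 port 41008 ssh2
Mar  4 09:20:30 web1 sshd[2301]: Accepted publickey for deploy from 10.0.2.15 port 50140 ssh2`

// Honeytokens are identities seeded where an intruder would find them (an old
// credentials file, a stale password-manager entry) but that no real process
// ever uses. The map value records where the decoy was planted so the alert
// tells the responder what the intruder must have read. Constructed entry.
var honeytokens = map[string]string{
	"svc-backup-legacy": "decoy account planted in /etc/backup/.creds.old",
}

// sshdLine captures outcome, user and source address from Accepted/Failed lines.
var sshdLine = regexp.MustCompile(`sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port`)

// Alert is one honeytoken use with enough context to pivot on the source.
type Alert struct {
	Token   string
	Outcome string // "Accepted" or "Failed"
	Source  string
	Note    string
	Line    string
}

// ScanAuthLog returns an alert for every line in which a honeytoken identity
// appears, whatever the outcome of the login attempt.
func ScanAuthLog(log string) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		m := sshdLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		outcome, user, src := m[1], m[2], m[3]
		note, isToken := honeytokens[user]
		if !isToken {
			continue
		}
		alerts = append(alerts, Alert{Token: user, Outcome: outcome, Source: src, Note: note, Line: line})
	}
	return alerts
}

// SourcesByToken summarises which addresses touched which decoys, the first
// thing a responder wants before looking at what else those sources did.
func SourcesByToken(alerts []Alert) map[string]map[string]int {
	out := map[string]map[string]int{}
	for _, a := range alerts {
		if out[a.Token] == nil {
			out[a.Token] = map[string]int{}
		}
		out[a.Token][a.Source]++
	}
	return out
}

func main() {
	alerts := ScanAuthLog(sampleAuthLog)
	for _, a := range alerts {
		fmt.Printf("ALERT honeytoken %q %s from %s (%s)\n", a.Token, a.Outcome, a.Source, a.Note)
	}
	for token, sources := range SourcesByToken(alerts) {
		fmt.Printf("%s touched from %v\n", token, sources)
	}
}
```

Because the decoy carries no real privilege, the Accepted line is only a finding if the account actually exists as a trap; if it does not, the Failed lines alone still show that the planted credential file was read, which is the whole point of the token.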

Knowledge Check

When should you seek authorization before placing a honeypot on a network?

  A. always
  B. only on government networks
  C. only on commercial networks
  D. only on private networks



Validation of Security Concepts

Let's use a scenario to reinforce what we have learned in this skill.

Now that you have had a moment to consider the questions, let's review them together.

Knowledge Check

In your opinion, which security risks should you address first when taking on a new network with a desire to improve security?

  A. The ones that pose the greatest risk or potential for loss
  B. Those dealing with firewalls
  C. Those dealing with anti-virus
  D. Those dealing with end users


Transcript

Intro to Summarize Security Concepts

0:00 Hello and welcome. My name is Keith Barker. And in this set of videos and in the skill you and I get to both discuss and demonstrate several of the core concepts in the world of security today. And the first of those concepts which you and I are going to discuss in the next video are the concepts of confidentiality, data integrity, and availability. So I'll see you in the next video in just a moment.

CIA

0:00 Oftentimes we use mnemonics and acronyms to help us remember various things. Well, in the world of security, we have several of those that can help us remember. One of those is like a three-legged stool. So imagine we have a stool here and there's one leg and two legs and three legs. I'll make that in perspective so it looks a little more realistic there. So this is the stool with three legs. If we only have two of those legs, or if one of those legs has a problem, it's going to cause the stool, as a functional place to sit, to fail. Well, in the world of security, we have one of our acronyms that we use and that is C-I-A, not to be confused with the Central Intelligence Agency of the United States, but CIA in the world of security is a great way of remembering the three core pillars, or legs in this example of a stool.

0:44 So let's take a moment and chat about what each of those represents. The C represents the word or the concept of confidentiality. And the concept of confidentiality is that only the correct individuals or systems or people can see the data that they need to see. And then those people who are unauthorized should not be able to see or access that data. Now, there are several different ways we can help enforce the idea of confidentiality. And one of those is just to imagine that we want to go ahead and have a bank account somewhere. So let's imagine we have a bank out here. They have a presence on the internet. And let's imagine for our discussion that you and I are sitting right here at this computer and we are going to log into that banking website and access our account. Now, the question is, if we're going to be accessing our own account information, do we really want other people who are unauthorized to have access to that? The answer is of course not. We don't want strangers and other third parties to be able to log into our bank account and have access to that data, because we want it to be confidential. Meaning we are the authorized individuals. We want to make sure it stays that way. So what is the bank going to do to make sure that you and I, if we're sitting right here at this computer, that we are the only people who are authorized to go ahead and access that data? Well, one way of implementing confidentiality is to require usernames and passwords before allowing access to that data. So if we have the correct username and password and we log in, then they have some level of assurance that that's really us, the authorized individual. And then they can provide access to that information.

2:06 Now sometimes, in addition to just using passwords, we use a technique called 2FA. Sometimes that's referred to as MFA. And let me do a brief example of what that is. Two-factor or multi-factor authentication is going to require more than just a password to get access to the data. And although we'll be talking more about 2FA and MFA later in a separate skill, let me at this point just give you a really good example of it in use. So let's imagine we have different ways that we can use to authenticate or have an individual prove who they are. And let's call these categories regarding how we can have a user prove who they are category one and category two and category three. So for category one, we could require something that the user, for example you or I, who are trying to log in, something that we know. An example of that would be, for example, a password. However, the bank could also require something else before it allows access to the system. And that something else could be something that we have. So maybe we have a little code generator that generates a six-digit code that we also have to supply along with our password before it allows access into the system. So I'm going to call that an OTP, short for one-time password, this little code that comes up, like on an authenticator application, or maybe we have a push notification sent over to us on our smart device. And we hit a button that says, yes, it's me, let me in. So we either have a one-time password or we have the device that's allowing us to confirm the access that we want to allow. So the first category here would be something that we know, like a password; the second category would be something we have, like a one-time password or a smartphone that we're going to use to allow access. And then third, an example of a different category altogether would be something that we are. So something that we are would be something like how our eyeball looks, like the iris or the retina, or our fingerprint or handprint or some other biological trait. So here I'll just go ahead and put fingerprint. So for access, this probably wouldn't work too well to go to a bank website. But if we are trying to go into a physical facility or somewhere else, and they had set up the fingerprint reader or some other type of scanner for some biological trait, we could use that as part of our authentication. So any time that we're going to require at least two or more categories before we're giving access to some system or to some person to log in or to get access to confidential data, that's referred to as 2FA. So each of these categories, they are referred to as factors. So two-factor authentication, the acronym is 2FA, is using two different categories, for example, a password that the user knows, and maybe a fingerprint, for example, at a reader. And those two together are required before providing access. Or another example would be the password which a user knows, and also a one-time password, which is generated on demand in real time through their authenticator app, or a push notification coming to their phone. That would also be an example of two-factor authentication. Because it's using more than just one category or one factor, sometimes it's also referred to as MFA for multi-factor authentication. But the whole goal here is that that is one of the ways that we can ensure, or help to ensure, confidentiality by requiring effective logins to verify that the person or system that's trying to log in and access the data is really who they say they are, and that they're an authorized user.

5:11 All right, let me clean that up just a little bit. And let's talk also about a few other options that we can use regarding security to help ensure confidentiality, that only the right individuals are able to access the data. Another key tool that we can use to implement confidentiality is the concept of encryption. And with the concept of encryption, we take the data, let's go ahead and take this word called test. And if we run it through an encryption algorithm, and then if we encrypt that data, say the encrypted data looks like this, a L Z a, and then regarding that data, that's how we transmit the data in an encrypted fashion or we're storing it on a disk in an encrypted fashion. Any individual that's not authorized, effectively in the background, they don't have the keys or the secret involved to decrypt that information. They aren't able to make sense of it because they don't have the instructions on how to disassemble it or to decrypt it. However, the authorized system or the authorized party, who does have the secret or the keys to decrypt that, can go ahead and use those keys and use the algorithm involved to decrypt that information and come to the final result. So over here, we have the keys that can be used to go ahead and encrypt the data. And we have the key or keys over here on the other side that can be used to go ahead and decrypt the data. But again, anybody in the middle there who doesn't have the keys involved won't be able to make sense of it.

6:24 Now, where could we use that confidentiality? We could use it, for example, on this server right here: we could take its hard disk or disks, and we could encrypt it. And that way, if that disk is stolen or taken, any individual who has that disk but doesn't have the keys involved to decrypt it will not be able to make sense of the actual data on that disk, thereby maintaining the confidentiality. We can use that same technique of encryption as we're sending traffic over the network. So let's imagine we have a user right here at this branch office, and they are going to go ahead and send a file, and they're going to put that file over here on this server right here. So this is server A and this is server B. So this is our user at their PC. So if that traffic from this user has to go over the internet, which is a public routed network, and we want to protect that data, so anybody who's eavesdropping or looking at that traffic between this user and that server, if we want to protect that data while it's in motion, we can go ahead and encrypt the packets that are being sent, and a very popular way of doing that is by setting up what's known as a virtual private network. So if we have a virtual private network, or VPN for short, the big goal of most VPNs is to encrypt the data. So for the VPN, either this user's computer and software running on that computer, or on the back end, maybe they have a device dedicated to that purpose of setting up and using the VPN. Before that data is sent over the internet, it's all encrypted. So if any service providers or anybody else for that matter collects that data off the network and they try to look at it and see what really is going on, they won't be able to make sense of it because the data is all encrypted. However, when the data gets to the other side, let's say this firewall over here on the other side is the other end of this VPN, and then the firewall can decrypt that data and then forward that data to its final destination. In this case, it's going to server B.

8:00 So now as far as the first C in our CIA, for confidentiality and security concepts, we have two options to help us implement confidentiality. We have authentication, which is a fancy way of saying making entities prove who they are, whether it's just a password or we're using multi-factor authentication or two-factor authentication. And another option is to do encryption, either encryption of data at rest, for example, sitting on storage, whether it's here on a hard disk or up in the cloud; if it's encrypted, any individual or entity or system that's trying to access that data, if they don't have the right keys involved to decrypt that data, they won't be able to make sense of it. And another very popular option for doing encryption for the data that's in motion is to use secure protocols. So for example, if you and I are sitting right here still at this computer and we're going to a banking website, behind the scenes, the actual protocol that we're using back and forth is also using encrypted traffic, and that's using a method called HTTPS, and in the background that's leveraging a protocol called TLS, Transport Layer Security, which effectively at the end of the day is encrypting the data that goes back and forth between our computer and the server that we're communicating with.

9:05 Before we leave this option of confidentiality, let me also talk about, in the example of secure protocols, some secure protocols that we're very likely to use as we're working with and managing our devices. So let's imagine that you and I are now the administrators of this entire network, including this location and this location. And we want to, from our computer, be able to go ahead and remotely manage our devices, whether we're managing other devices like printers or servers or networking devices like switches and routers and firewalls. One of the secure protocols we could use is called SSH, which is an acronym for Secure Shell. So a long, long time ago in a galaxy far away, we often used this, like decades ago, we used an application called Telnet, and the problem with Telnet, and I'll go ahead and put a big no sign there. Now the concept of SSH and Telnet is they both allow an administrator to remotely connect to remote systems to get a command line interface. And although SSH can be used for more than that, that's the starting point regarding their similarities. But the big difference is that if you and I are sitting here and we're managing devices with Telnet, anybody who collects that data off the network, if we're using Telnet, they can see everything that we're doing. For example, they can see the usernames and passwords that we're using to log on to devices, they can see the commands that we're issuing, and it's absolutely not secure.

10:25 In fact, let me show you an example of that right now. Let me go ahead and clean this up a little bit. And let's actually talk about and use this router as an example of how using an insecure protocol like Telnet can be devastating. So here is router one, its IP address is 192.168.1.140. And let me go ahead and, from this computer here, let me go ahead and open up a session using Telnet. And then we'll play the role of an attacker or someone who wants to compromise our system and we'll capture the data as it's going back and forth between this computer and this router. And we'll be shocked about what is revealed and disclosed because of the lack of confidentiality and the lack of encryption that Telnet brings to the table. So this is a terminal emulator that I'm going to be using called SecureCRT, but the concept is the same regarding the actual program that we run on our local management computer. I've got an entry right here to connect via Telnet over to 192.168.1.140. So we double click on that and we'll go ahead and log in. I have a username called admin, I'll put in the password. And after supplying that password, I'll press enter. And then we'll do a show run, which is short for show running-config, which will show us the full configuration on this router called router one. So there it is there, then I'll type in exit and finish off that session. Now, unfortunately, anybody who was eavesdropping on that traffic as it went from our management computer over to this router, router one, now has effectively all that information, including not only the username that I used to log in, but also the password. They now know it because they collected that data, and Telnet is an example of an insecure protocol. So let me bring in a protocol capture here. There's a little tool called Wireshark, which just collects, and this is viewing, the data that's been captured directly off the network. And I just put a little filter up here just to show us the Telnet traffic. And then I'm going to right click on that. And from the drop down here, I'm going to go ahead and say Follow TCP Stream, and check this out. So here is where I was logging in. So it's there twice because as I typed in the characters, it was being sent and then echoed back to my screen. So it shows up here twice. And then this is the password that I'm using. And this is the attacker's perspective as they've just collected all that data. And now they can see the entire output of what we were doing. So they don't only have my username and password, but they also have the full config here of this router. So Telnet, as an example of an insecure protocol, does not do a good job of protecting confidentiality because there's no encryption whatsoever.

12:49 So of course, the better option if we want remote access to the command line interface on router one from right here, from our workstation, is to use a protocol like SSH. And so to compare and contrast the use of secure protocols to help ensure confidentiality, let me demonstrate once again connecting over to this router. But this time, instead of using Telnet, which is not secured, we'll use SSH, which is providing encryption and thereby maintaining confidentiality against anybody who might be eavesdropping or trying to steal those packets off the network. So this time, I'm going to connect to that same router at 192.168.1.140, but this time using SSH, so I'm going to go ahead and double click. In the background, I had it supply my username and password from the SecureCRT application here. And now if we do a show run, which is short for show running-config, and look at the entire configuration, it's going to show us, but all that traffic as it's being sent back and forth between this workstation that we're currently sitting at and that router, all that traffic is encrypted as that data is being sent over the network, and thereby maintaining confidentiality of whatever it is I happen to be doing here on this router, including in this example doing this command show running-config. So for this output here, again, this application called Wireshark, which is a protocol analyzer, taking the data that we just collected, I'm just going to grab one of these SSH packets right here, right click, and from the menu, click on Follow. And then from the sub menu, click here on TCP Stream. So here is the TCP stream regarding all the packets in that SSH session. So initially here, I had some negotiations that were going on as they are setting up the encryption. However, once we had the connection, look at this, everything here is just gobbledygook. Now it's gobbledygook to the attacker because it's encrypted. And on each end, on the router side and in my SecureCRT software on the client side, because we are doing the encryption and decryption, and we have the keys involved, both sides can understand the commands, but anybody who's eavesdropping on this traffic in the middle is simply going to be out of luck regarding what the heck any of this really means. Was the user doing a show running-config or were they changing the configuration? Are they bringing up or bringing down interfaces? The attacker, the unauthorized individual who's looking at this data, won't have any clue because once again, all that data is encrypted. And that's courtesy of this protocol called SSH.

15:03 So now that we've taken a look at the concept of confidentiality and how we can implement that, either with authentication control or doing encryption, whether it's encryption of a disk or encryption of data in motion or data going over a network, all of those options are going to help ensure the confidentiality as part of our security plan. So let me clean this up and we'll take a look at the next element here as part of our CIA. The next letter in our acronym is I, and that I is to represent data integrity. And here's what data integrity represents. It means that only the authorized individuals and/or systems who are allowed to change or manipulate data, we want to make sure that they're the only people that can change that data. So here's another example from a banking instance. Let's say that you and I are sitting at this computer. We're logging on to a banking website and we say we'd like to go ahead and transfer 100 units of money. I'll go ahead and put a little dollar sign there because I'm from the US, but let's say we want to transfer $100 from one area to another. It could be from one account to another or from us to somebody else, or that could be a mobile app that we're using on our mobile device. In either case, if we say we want to move $100 or transfer $100 and then in transit, somebody steps in and they change that to, say, $1,000, that would be a loss of integrity. Another example where integrity is super important would be if we are writing some data to a disk here, we want to make sure that the data that we want to write, whether it's part of a database or a spreadsheet or anything else, we want to make sure that the data we're writing to the disk is actually accurate with what we intended to have written to that disk. And again, that disk could be here on this server here, or it could be a server up in the cloud or storage up in the cloud. The bottom line is we want to make sure we're maintaining data integrity.

16:47 And one popular option for maintaining data integrity is to use the concept of a hash. For example, let's imagine that you and I are sitting at this little wireless computer right here and we're going out to the internet and we're going to download a file. So let's say the file that we want to download is file name xyz. In fact, you know what, instead of actually using a fictitious name like that, let's go out to the internet for a moment. And let's go ahead and take a look at downloading a file. So let's imagine we purchased a Raspberry Pi, a little small computer system, and we want to now download the operating system to install on that Raspberry Pi. So we do a Google search, we go to this webpage or one similar to it. And then we go, okay, we're gonna go ahead and download Raspberry Pi. So we'll click there on the hyperlink and that leads us to the download section. And we think, okay, let's go ahead and grab the 64-bit version. And we can click on download right here. Now here's the problem. This website that I'm currently at, how do we know it's not a compromised or hacked website? Where if I click on download and I download the file, how do I know that the actual image I'm downloading is not an image that has malware or some other compromising software as part of it, put there by an attacker? Well, one way is we can go ahead and verify the hash. And here's how the hash works. The hash is a teeny little string of text that's mathematically calculated based on the actual source file. So here for this Raspberry Pi OS with desktop, before we download it, we're gonna click right here on Show SHA256. That's one of the flavors of hashing that we can use. Show SHA256 file integrity hash. So we'll click on that and there's the actual hash. So I'm gonna go ahead and take that, right click, copy it, and I'm gonna put that in Notepad. So there is the hash. I just pasted it over there to make sure I had it. And it is a nice string of text that's all based on the actual source file. And the source file shows here as a little more than one gig. So I'm gonna go ahead and click on download to download the file. So in the background, that download is happening to my downloads folder or wherever on this computer is specified to keep downloads.

18:52 So a couple of things at play here. Number one, I'd want to make sure I'm going to the correct website to begin with. And then secondly, once I download this file, I'd also want to make sure that when I generate a SHA256 hash against this file, I come up with that same result that was published here on the website. So the result I should be getting is this value right here. And there's lots of different ways of generating that SHA256 hash. One way is to use an online hash checking tool, which is what I'm going to do right now. So here is one such site. There's multiple out there. I'm going to take this file and simply drag it right here. And that is in the process right now of generating a SHA256 hash on this file. And then when it's done, hopefully that result will match this value right here, which was published by the provider, by the website. And sure enough, 5C, 5, 4, etc., etc. And again, 1, 6, 5, 8, e, fantastic. And that is just a way to verify data integrity between the file that I downloaded from the correct source, and also to make sure that once I received it, it is intact. And it's exactly the same file, based on the hash matching. So this is a three-pronged approach. Number one, make sure we're downloading from an authentic website that is really providing the accurate file. Secondly, checking the hash published there. And then third, go ahead and generate our own hash on that same file. And then compare the two hashes together, just to verify that they match. And if they do, that means that we have data integrity, in this case regarding this specific file. A couple of other examples where we can maintain data integrity would be if we have a disk, for example, and we make a copy of that disk. And we want to make sure that we have an exact copy, we can run a hash algorithm against this disk. And then compare that to the hash generated against this disk. And if they match, once again, that can help us validate that we have data integrity between the replication of one disk to the other. And that concept of hashing can also be used on packets and frames as they're being sent over a network, to verify the actual integrity of data as it's being sent over a network.

20:53 And the third, A, is availability in our CIA acronym. And the concept of availability is that for the individuals and systems that are supposed to have access to data and other systems, we want to make sure that when they need that access, it's available. Now, how do we improve availability of our systems for our authorized users? The key element there is the concept of redundancy. So for example, if we have the server right here, and it has some local storage on it, we may want to make sure that we are fault tolerant with those hard disks, so that when we write to one disk, it also writes to the other simultaneously. So if we have a single failure of either of those hard disks, whether they're SSD drives or they're spinning drives, having two of them and having them be redundant helps ensure availability regarding the data that they're storing. And the same concept applies to data up in the cloud. If we have cloud providers who are providing storage, it's extremely likely, or desirable at least, that they have fault tolerance for their storage mechanisms. That way, if there's a single failure of some component in the cloud services for the storage, or here locally on the server here, if we have fault tolerance set up, a single component failure shouldn't stop that data from being available. And so that concept is often referred to as FT, which is an acronym for fault tolerance. Think of it like the ability to have a fault and tolerate that fault and not have the whole show stop. Another concept also associated with that is referred to as HA. And that's an acronym for high availability. And both of

22:22those fault tolerance

22:23and high availability boil down to having redundant systems. So let's say at a

22:27service provider or

22:29in a data center, they've got racks and racks and racks of servers. So if they

22:33have a single

22:33server that fails and they've set up their fault tolerance and high

22:36availability correctly,

22:37that single server failing should be unnoticeable by the customers and systems

22:42using that server.

22:43And there's a similar concept for networking as well. So instead of having one

22:46router here,

22:46we could have router one A and we have router one B. And then together, they

22:51could go ahead and

22:52support the routing function between this part of the network over here and the

22:56rest of the network

22:57going out this way. So if one of the devices fails, the other one can pick up

23:01and continue

23:02forwarding traffic. And we could also have fault tolerance here at our firew

23:05alls by having again

23:06two firewalls working as an HA pair in conjunction with each other. Once again,

23:11so if we have a

23:11single firewall that fails, the other firewall can pick up and continue to

23:15forward the traffic.

23:16Or in the case of security, while continuing to enforce the policies,

23:20controlling what

23:20traffic is allowed or not allowed. So when it boils down to security concepts

23:24in general,

23:25remembering CIA and confidentiality, data integrity and availability, those are

23:30going

23:30three critical components that we'll want to consider.

23:33[BLANK_AUDIO]
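Added example (not part of the lesson transcript or CBT Nuggets material): the three-prong integrity check above, done locally in Go instead of by uploading the file to an online hash site. The "downloaded file" and the "published hash" are constructed stand-ins. It computes SHA-256 of the received bytes, streams a larger object (the disk-copy case) through the same hash, and compares against the published value in constant time, rejecting a hash string that is not even 32 bytes long rather than reporting it as a mismatch.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// sha256Hex hashes an in-memory blob and returns lowercase hex, the form a
// vendor normally publishes next to a download link.
func sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// sha256Reader streams a file or a whole disk image through the hash, so the
// object never has to fit in memory (the "copy of a disk" case in the video).
func sha256Reader(r io.Reader) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// verifyPublishedHash is the third prong: hash what we actually received and
// compare it with the value taken from the authentic source. The published
// value is decoded from hex so case and surrounding whitespace do not cause
// false mismatches, its length is checked so an MD5 or SHA-1 string is not
// silently treated as SHA-256, and the comparison is constant-time.
func verifyPublishedHash(data []byte, published string) (bool, error) {
	want, err := hex.DecodeString(strings.TrimSpace(published))
	if err != nil {
		return false, fmt.Errorf("published hash is not valid hex: %w", err)
	}
	if len(want) != sha256.Size {
		return false, errors.New("published hash is not 32 bytes, so it is not a SHA-256 value")
	}
	got := sha256.Sum256(data)
	return subtle.ConstantTimeCompare(got[:], want) == 1, nil
}

func main() {
	// Constructed stand-in for a downloaded installer; not a real file.
	release := []byte("example-installer v1.0 payload\n")
	// Constructed stand-in for the hash shown on the vendor's page (prong two).
	published := strings.ToUpper(sha256Hex(release))

	ok, err := verifyPublishedHash(release, published)
	fmt.Println("intact download matches:", ok, err) // true <nil>

	// Flip one byte, as a corrupted transfer or a trojaned mirror would.
	tampered := append([]byte(nil), release...)
	tampered[0] ^= 0x01
	ok, err = verifyPublishedHash(tampered, published)
	fmt.Println("tampered download matches:", ok, err) // false <nil>

	// A 40-character (SHA-1 length) string next to a SHA-256 check is a
	// mistake worth reporting rather than treating as "no match".
	_, err = verifyPublishedHash(release, "da39a3ee5e6b4b0d3255bfef95601890afd80709")
	fmt.Println("wrong-length hash:", err)
}
```

Two caveats the video's online-tool demo glosses over: uploading a file to a third-party hash site discloses the file, so a local tool (this program or `sha256sum`) is the safer choice for anything sensitive, and a matching hash only proves integrity relative to the published value, so prong one, getting that value from an authentic source, is what gives the match its meaning.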

Non-repudiation

0:00 For this next security concept, I'd like you to imagine that we have two people. And if these two people are arguing about some detail, for example, this person says, "You did this," and this person says, "No, I didn't," it's a shouting match back and forth. At some point, it'd be super helpful if we could prove, beyond a shadow of a doubt, exactly what happened or, in this case, what was said. And I still remember early in my career, when we had a whole bunch of data off of the server that was deleted, and we couldn't go back and verify exactly who did it. And that was because of some lack of security policies, a lack of implementation, and, frankly, a little lack of experience back in those early days. Because, ideally, what we want from a security perspective is the ability to prove who did what. And that concept is known as non-repudiation.

0:49 Penlight, go ahead and draw a little roll of tape here. And let me go ahead and label this as well, so I can make sure we all know what it is. So this is some tape, like electrical tape or duct tape. So the concept of non-repudiation is making it stick. For example, if this user right here logged onto this server and then deleted a whole bunch of files or modified a whole bunch of files, we want to make sure that we can document and verify that it was really this individual. Or if this is us, sitting at this computer, and we're going to a banking website, or making a change by moving money or changing our information, the bank wants to make sure that before they allow that to happen, it's really us. And then secondly, they want to have the ability to validate that it really was us doing that transaction. So the concept of non-repudiation is making it stick, meaning being able to prove exactly who did what.

1:35 Now, there's a lot of different methods that can be used to help in the process of non-repudiation and authentication. We'll see some of that. For example, the bank making us prove who we are by authenticating, possibly doing multi-factor authentication, before it gives us access. Also, they may be recording the location that we're coming in from, based on IP address or some cookies on our computer and so forth. However, one of the primary ways of doing non-repudiation is based on the concept of a signature. So if we imagine this person right here who signed an agreement and then later claimed that they didn't, if that person went to court, or they went to arbitration, and they showed them that paperwork and they would say, "Is this not your signature?" If that guy says, "No, it isn't," they could actually compare signatures and say, "Yep, it is your signature, and therefore you did agree to this," and so forth.

2:25 Well, in the world of security, because everything's digital, we are going to be using a concept called a digital signature for that function. And although we'll have a separate set of skills on public and private encryption keys and digital signatures, for now, as we discuss high-level security concepts, I'd like you just to be aware that the concept of a digital signature can be implemented and can be used. And there's many different applications for it. One would be, for example, a user here at this computer sends an email, and that email is being sent to a user over here. Now, if this is user one over here and this is user two over here, if user one sends an email, how does user two validate it's really from user number one? And the answer is, we could actually implement a digital signature by user one here. And so if user one applies a digital signature, then when user two gets that email message, it can validate that signature and know that, "Hey, this email really is from user one." So when you think of non-repudiation, think about making it stick, being able to validate who sent something, for example, like this email message that was sent over, or that some other transaction was done. If there's a digital signature that's involved, that's going to assist us with non-repudiation, which is making it stick and being able to validate exactly, not only does the data have integrity, but also validating exactly who did it or who sent it, because of the digital signature that was used as part of the transaction.
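Added example (not part of the lesson transcript or CBT Nuggets material): the user-one-to-user-two email above, played out with Ed25519 signatures from Go's standard library. The names `user1` and `mallory`, the message text and the recipient's key directory are all constructed for illustration. The point it adds to the video: verification fails both when the body is altered in transit and when someone who does not hold user one's private key signs a message and claims to be user one, and it is that second property that makes a digital signature evidence rather than just an integrity check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Identity is one user's key pair. The private key stays with the signer; only
// the public key is handed to others (in practice inside a certificate).
type Identity struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newIdentity(name string) (*Identity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, pub: pub, priv: priv}, nil
}

// SignedMessage is what actually travels: the claimed sender, the body, and
// the signature over the body.
type SignedMessage struct {
	From string
	Body []byte
	Sig  []byte
}

// Sign produces the signature with the sender's private key. Only the holder
// of that key can produce it, which is what makes the result non-repudiable.
func (id *Identity) Sign(body []byte) SignedMessage {
	return SignedMessage{From: id.Name, Body: body, Sig: ed25519.Sign(id.priv, body)}
}

// Directory is the recipient's trusted list of public keys, keyed by user name.
type Directory map[string]ed25519.PublicKey

// Verify looks up the key the recipient trusts for the claimed sender and
// checks the signature. It fails closed: an unknown sender, an altered body,
// or a signature made with any other key all yield false.
func (d Directory) Verify(m SignedMessage) (bool, error) {
	pub, ok := d[m.From]
	if !ok {
		return false, errors.New("no trusted public key for sender " + m.From)
	}
	return ed25519.Verify(pub, m.Body, m.Sig), nil
}

// scenario plays out the video's email example with three variants and
// returns whether each one verifies at user two.
func scenario() (genuine, tampered, forged bool, err error) {
	user1, err := newIdentity("user1")
	if err != nil {
		return
	}
	mallory, err := newIdentity("mallory")
	if err != nil {
		return
	}
	dir := Directory{"user1": user1.pub} // user two only trusts user one's key

	// Constructed message body.
	msg := user1.Sign([]byte("Approve the wire transfer of 10,000 to account 42."))
	genuine, _ = dir.Verify(msg)

	// Intercepted and altered in transit: the signature no longer matches the body.
	altered := msg
	altered.Body = []byte("Approve the wire transfer of 90,000 to account 42.")
	tampered, _ = dir.Verify(altered)

	// Mallory claims to be user1 but can only sign with mallory's own key.
	fake := mallory.Sign([]byte("Approve the wire transfer of 10,000 to account 42."))
	fake.From = "user1"
	forged, _ = dir.Verify(fake)
	return
}

func main() {
	genuine, tampered, forged, err := scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies:", genuine)   // true
	fmt.Println("tampered message verifies:", tampered) // false
	fmt.Println("forged message verifies:", forged)     // false
}
```

The signature only pins the message to a key; binding that key to a person is the job of the certificate and key-management material the video defers to a later skill. Note also that an HMAC with a shared secret would catch the tampering but not the forgery in any useful way, because both parties hold the same key and either could have produced the tag; that is why a MAC gives integrity and authenticity but not non-repudiation.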

AAA

0:00 Another fundamental security concept involves another acronym, and this one is a pretty fun one to remember: it's AAA. Not to be confused with the Automobile Association of America, AAA, triple A, as a security concept has three specific words involved as well. And the first one is, who the heck are you? And that is all about authentication, and more importantly, making the individual or entity or system prove who they are. So it could be as simple as you and I sitting at this computer logging on to a banking website, or you and I at this computer running a secure protocol like SSH connecting to a network device or to a server, or it could be us logging on to Microsoft Active Directory for access to resources in our company, like access to printers and servers and so forth. And we touched earlier on authentication options, including using two-factor authentication or multi-factor authentication, for even more surety regarding who an individual is. And it isn't always an individual like a human. It also could be a system. So if we have an application running here on this computer that interacts with other systems, and they're using something called an API, that's an application programming interface. Think of that like a computer talking to another computer, or one system talking to another system. Before those APIs are allowed to interact with the target systems, and vice versa, we want to make sure that we are authenticating, or making them prove who they are. And that way we're not leaving ourselves open to some confidentiality breaches by allowing access to the incorrect parties. So the A in triple A, authentication, is all about validating who an entity is, whether it's a human or a system, because we want to validate who they are before we can go to the next logical step, and that is regarding what they can do, and that's the second A right here.

1:46 The what-we-can-do part is called authorization, and that's all about what you are allowed to do, and that's if you are a human. So if it was a computer system that's interacting with another system, it'd be the authorization regarding what that system is allowed to do. So here's an example. Let's imagine that you and I are logging into Microsoft's Active Directory, which is in control, security-wise, of all these resources on our network, which would include access to the printer, what type of traffic we may be allowed to forward through the network, and so forth. So one of the first things that Active Directory, or any centralized authentication system, is going to do is to validate who we are. So not only do we, sitting at this computer, log in, but also this computer itself in the background is part of that authentication process, so Active Directory knows who the computer is, or what the computer is, as well as the user who is logged on to that computer. And then secondly, based on who we are, that is then going to control the authorization regarding what we are allowed to do. For example, if we try to go to this server and we aren't authorized for that server, we are going to be prevented from getting to that server by some kind of a technical control in place that's restricting our access. And so if it's Active Directory that's used to control access in this network, that in this example would be the mechanism that's controlling access to the server.

3:02 So whenever you see the concept of access control, I want you to think, first and foremost, that is a very vague term, because access control is simply controlling, you know, what an individual entity is allowed to get to. And there's lots of different ways of implementing access control. Active Directory would be one option in a networked environment. We can have access control lists and firewalls that are all set up to implement the access control. And the goal of the access control, regardless of how it's being implemented, is that once we identify who an individual is, to make sure they can get access to what they need access to, but at the same time not get access to those systems and resources that they are not allowed to have access to. For example, some users may have access to some parts of a database, and other users may have access to all of the database, and yet another set of users may have access to absolutely none of a database, based on the needs of the organization and the access control that's been set up for those users who are members of certain groups.

3:57 All right. So let me clean that up a little bit, and let's talk about the third A. And that third A here is accounting, and we can write that out as, what did you do? And most of the time that's going to be implemented in some type of a digital trail regarding what a user did. So if a user logged in here, first of all they'd have to prove who they are as they log on to the system, and then, based on their authorization, let's say they could use this printer, and they could access a database over here, and they could also send some traffic through the network. And that would all be controlled by the authorization, what they are allowed to do. And then the accounting would be about what they did do. So the user logged on, they used this printer, they made changes to this router if they had access to do that, or they forwarded traffic out to some website that was risky, etc. And our accounting component of triple A would be the element that's doing the logging and details regarding what occurred.

4:45 So to help cement this concept of triple A, let me give you a couple examples of that. One would be, let's imagine that you and I are logged into this computer, computer two, and you and I are in charge of network administration for the infrastructure and also the servers, and maybe some printers and other things on the network. Well, if you and I are logged into this computer, and then we connect to, for example, this printer, and we have to authenticate there again, and then we connect to this router, we have to authenticate there again, and we access this database, we have to authenticate there again, that's a lot of times of having to put passwords in place. So a lot of times we use the concept of SSO, which is an acronym for single sign-on. Think of it like a one-stop shop for logging on, so you don't have to log in over and over and over again. So with single sign-on we're making it easier for the authentication part.

5:35 And one example of implementing triple A would be in a networked environment using a protocol called TACACS+, which is a protocol that was originally created by Cisco Systems. Oftentimes this is referred to as TACACS, spelled like this, TACACS, so that's how you pronounce TACACS. Or another protocol that also does a very similar function is a protocol called RADIUS. And here's an example of how that could work. So we're still going to log into this computer, but this time we are going to use a centralized triple A server, and we're going to authenticate. So now the triple A server, as far as the authentication goes, knows exactly who we are. And then once we try to start accessing other resources, like maybe connecting to manage the switch, or to this router, or to this firewall, each of those devices is checking with that triple A server to say, "Hey, this person is trying to, you know, make these changes here or access these devices. Are they authorized?" And then the triple A server can pass that information to that respective device, saying, "Yep, this is user so-and-so, and they are definitely authorized to do this or that or the other," or they're not authorized, at which point the firewall or the network device that's checking with the triple A server could implement the access controls by allowing a change, for example, to be implemented or not, based on what that user, who's already authenticated with the triple A server, is allowed to do. And then furthermore, on those same types of systems, they could also do accounting regarding what actually happens. So the user who's logged in here made these changes on this switch, these changes on this router, made a couple additional changes to the firewall, and those are all kept in log files as part of the accounting. So that way we know exactly who is logged on, and regarding the changes that took place, we know exactly who did it and exactly what they did, because those are all included as part of the accounting function in this logical concept called triple A.

7:19 And using these protocols is not the only way to implement triple A and single sign-on. We also have other services that are very popular, like Microsoft AD, which is an acronym for Active Directory, which again also offers a way to do single sign-on as well as controlling authorization and accounting regarding what people did. And if we go outside of an Active Directory environment, we also have things like OAuth and LDAP, which we'll discuss more in separate videos. But however, just an idea of what those can do. Let's imagine that we're logging on to a new site and they say, "Hey, do you want to authenticate with your Google account?" And what they're doing in the background is they're leveraging some single sign-on techniques, where we're already logged on to Google and we're simply leveraging that Google login to get further access to other systems. And so OAuth and LDAP, and one other option is called SAML, are different methods of implementing that single sign-on type of approach, so that a user doesn't have to create separate accounts and have separate passwords and do separate logons for additional resources across the internet that they may want to have access to. And that's by leveraging these types of protocols, where these guys are then leveraging the existing authentication services of companies like Google or Facebook or Apple for the authentication.

Zero-Trust and Gap Analysis

0:00 Another important concept in the world of security is the concept of zero. And you might say, "Keith, what do you mean, zero?" And with zero, I'm talking about zero trust. Now, to help appreciate zero trust, let's go back to the old days, a decade or two ago, when an individual, if they were on the corporate network, they might be able to do pretty much anything. For example, let's say we have this computer that's wirelessly connected, so they're connected to an access point, which leads to physical connectivity to the network. And then once they're on the network, they can start running utilities like Nmap to discover the network, or they could try attack tools, even though that may not be legal to do. What is stopping the user from using Nmap to discover the network? Or perhaps this user is setting up their own services, like a DHCP server, in the attempt to trick other devices or provide incorrect information regarding the DNS server or their default gateway and so forth. Because in the old days, once a user was on the network, especially the internal network at a company, there was full trust. Oftentimes there were not additional controls that controlled exactly what that user was able to do once they were on the network.

1:07 So zero trust is the exact opposite of that. Zero trust says that we want to do, effectively, AAA, authentication, authorization, accounting, for everything. So does that mean before this printer is allowed to interact, we want to make sure we know it's this printer and verify that it can only communicate with authorized users? The answer is yes. For this access point, do we want to verify that only authorized users can get access to it, and then once they're connected, that they can only do exactly what they're allowed to do based on security controls? The answer is yes. If we have this server that's on the network and it wants to communicate with other devices, or have other clients connect to it, do we want to make sure that both of those devices are who we think they are? So the concept is we don't want to just trust anything until we know who it is, who they're connected to, or in the case of a system with APIs, what that system is and who it is communicating with. And that's the idea of zero trust. So unlike the old days a decade or two ago, instead of allowing traffic wherever it wants to go inside the network, with zero trust we're authenticating everything, verifying who they are, controlling what they can do, and effectively doing accounting on everything as well to track what happened.

2:15 So let's take a look at a realistic approach to implementing zero trust. First of all, I'm going to start off with policy, which effectively means managerial types of controls that specify what we want to have happen. And that's going to lead to specific procedures, which then need to be followed to make sure that policy gets implemented correctly. And so part of implementing zero trust is just to realize the different types of communications that are happening on our systems today. And the concept of zero trust can apply to corporations and service providers and even down to a private network, such as your home. So one way of thinking about, or of considering, all the different types of access that may be needed is to think about the concept of planes. And I don't mean airplanes, although those are pretty cool. But with planes, we have different planes of functions. For example, if we have a user here that's communicating, and their traffic is going through the router, through the firewall, out to a service provider out here on the internet, or some website on the internet, that would be referred to as the data plane. That's user traffic that's being forwarded through the network. And let me go ahead and put "end user traffic" to be a little more clear there.

3:20 And then within this company, or within the service provider, or at this branch office, we also need a way to monitor and manage our network devices and our systems. And that management component, whether it's being done from a computer that we're sitting at, where we're managing network devices, or we have systems that are managing our network devices, that management function is referred to as the management plane. So part of the consideration for the management plane would be, okay, what systems need to talk to other systems for the purpose of management and collecting data and making changes? And as part of our management plane, we'd want to make sure we identify exactly which devices and systems and users need to communicate with other systems for the purpose of management. And also, as part of that, we want to make sure that we're using secure protocols, so that we can avoid the situation we looked at earlier, where an eavesdropper is capturing data off the network. We absolutely don't want, if that does happen, that unauthorized individual to be able to see the actual contents of that packet. So we use encryption, or encryption protocols, to help support the confidentiality there.

4:19 And then the third component, or third plane, I'd like to chat about is, how does this firewall or this router or this switch, how do they know exactly how to forward? Now from the topology, we can visualize that, oh, if computer two sends a packet going to the server and this router gets it, it should forward it that way to the firewall, and this firewall should forward it that way. But how exactly do they know? And behind the scenes, there's a lot of control protocols that are being used to educate the networking devices on how to operate. And that process regarding how to operate, or how to forward, is referred to as the control plane. So the control plane, from a networking perspective, on a router it could be dynamic routing protocols; on a switch, an example of that would be its MAC address table that it's learning dynamically, which MAC addresses live off which ports. Or if we are dynamically implementing VPNs across our enterprise, it could be instructions regarding what are the endpoints of those VPN tunnels. So we could actually place a VPN from this firewall here going out, for example, to a little router or firewall at the branch office, to encrypt all the traffic that's going back and forth as it crosses over the internet. So the instructions regarding where those VPNs should exist is also part of the control plane. So in a zero trust environment, we want to consider those planes, the data plane, management plane and control plane, and then put in the controls that are appropriate to enforce our policy.

5:39 And based on the vendor and what's possible, here would be some desired functions. It'd be desirable to have adaptive identity. And here's what I mean by adaptive identity. Let's imagine that we want to allow a user, we'll call it user number one, and in this case it's called admin number one. We want admin number one to be able to manage and work with the switches, this router, this firewall, these servers, that access point, and this printer. However, they need to be logged in from this computer, or from a computer internally, to do that, as opposed to them logging in, for example, from home, even if they have a VPN that's coming in. Adaptive identity can be aware of the situation regarding, for example, where that user, in this case admin one, is logging in from, and have that influence or inform what they're allowed to do. So again, adaptive identity is adjusting to not just who the user is, but also things like where they're logging in from, or the IP address they're coming in from, or the time of day, or other criteria, to control the access for the same administrator.

6:40 And one of the goals of implementing security is to reduce risk. Another way of thinking of that is to reduce loss. And so by implementing the proper controls, for example, with the administrator being able to log in here and do his job or her job, but the same administrator not being able to log on from another location, that's an example of reducing risk. Because if that user physically has to be on-prem, inside the building, at one of these computers, and we're not allowing them to VPN from some other remote location, although that might be a little frustrating for the administrator if they need to log in remotely, the benefit of doing that is that if we have someone who's compromising our system from a remote location, or attempting to, by having adaptive identity and controlling where they can log in from to do their work, we're reducing risk. And the controls that we're putting in place are all intended, or should all be intended, to enforce the policy. Another way of saying that is policy-driven access control.

7:33 So one example regarding policy-based access control would be that for the data plane, we might want to say, you know what, if you're a user on this internal network right here, and you're going out to the internet, we want to go ahead and allow certain types of traffic if it's going from left to right. So from a firewall perspective, we could set up this side of the firewall as green; we'll call it inside. Now, it doesn't always mean that we want to allow every single possible protocol to be able to go out to the internet, but we could allow a broad range of common applications, like HTTPS and DNS and so forth, from the inside to go out to the outside world. And one way of doing that is identifying on the firewall that everything over here is in this zone called inside. And then we could specify at the same firewall that everything out here in this direction is considered outside, as in the outside zone. And then for the initial flows of traffic, we could allow specific flows of traffic in this direction. And then for the reply traffic, due to a really cool feature called stateful filtering, the firewall can say, "Oh, this traffic started over here, and the traffic coming back is simply the reply traffic coming back." But at the same time, if we have some entity out here on the internet try to initiate a conversation, or initiate packets going into our network, we could have some default rules in place that say, "No, sorry, any traffic that's being sourced out here, just trying to come into our network or into our servers, other than specific protocols and specific IP addresses, we could deny that by default." And that would be an example of using the firewall as a policy enforcement point for traffic, in this case user traffic, that would be going over, logically, the data plane.

9:06 So let me clean that up just a little bit, and let's talk about getting from here to there. Let's imagine that we have a zero trust idea in mind. However, when we got the network and we got the systems, that policy to implement zero trust was not currently in place. So over the past weeks and months and years, we've been implementing and getting better and better. And one way of actually getting closer and closer to a zero trust network, where everything has to be authenticated and authorized and accounted for, one way of doing that is with a gap analysis. And a gap analysis ideally would be performed by somebody who doesn't have skin in the game, because a lot of times people who are actually building and supporting the networks, they've got some biases. And so if you need a third-party company, or a third-party entity, or a different department in your organization that can take an unbiased look at it, they could go through and say, "Okay, so here's your policy, here's your goals regarding zero trust," and they could go through and identify, okay, where are we doing a great job, and where is there room for improvement? So let's imagine there's a gap analysis, and they've identified like 15 things that need to be fixed. Now, unfortunately, it's not likely that we can fix all those at the same exact moment. And I added a few lines to make it 15. So the next thing we'd want to do with our gap analysis is, once we've identified what needs to be improved, we'd want to go ahead and prioritize those. So some of those would be super priority, meaning they have the most risk associated with not fixing them, and we want to work on those first. And then we would follow it up with our next set of priorities, so that we're spending our time attacking and correcting the highest priorities first, which should be based on the highest risk, or the most potential for loss, as well as the spots that make us the most vulnerable. Also, another thing to consider with a gap analysis is just remember that it's a process. It's not likely that we can rip out the entire infrastructure and put everything brand new in. It's going to take some time. And there's very likely going to be compromises. And that's why it's important first to identify, with a gap analysis, where the weaknesses are, and then to approach it systematically, taking care of the high priorities first.

Physical Security

0:00 In a previous skill, we took a look at some categories for security controls, which involve technical controls, managerial controls, operational controls, and physical controls. We also took a look at control types regarding the purpose for those controls. So here in this skill regarding security concepts, I'd like to just discuss for a moment further some additional physical controls. So let's use this service provider right here as an example.

0:25 Let's do a logical approach regarding a person or an entity who might want to get into that physical facility. First, let's start at the parking area where we could have barricades and/or bollards that actually come up out of the ground and that would prevent a car from passing and going into the parking lot or further in. If we had those physical barricades in place and in association with that, we could have a guard check who is in control of those physical barriers, that could be checking ID and validating individuals before lowering those and allowing cars to enter. Or if there's people on foot, that security guard would also be able to see them.

0:59 Now to control, make sure that's the only place they'd come in, we could also use fencing. So we have a fence around the perimeter and I've got a question for you about a fence. Is a fence, regarding the control type, is the fence a deterrent or is the fence preventive? And the answer I suppose would be how tall is that fence? Does it have razor wire on it? Can it be cut? Can it be overcome? So again, depending on the type of fence, that fence may be acting as a deterrent and/or preventive as far as people getting access into the area.

1:29 Also in this area here, as well as the entire grounds, it'd be ideal if there was proper lighting and that way as it gets dark, under the cover of darkness an attacker won't have an easier time or a much easier time if there's appropriate lighting. We also probably want to have some cameras in place and those cameras could be external in the parking area and looking at the external of the building as well as cameras internal. Now cameras inside, especially cameras that record both audio and video, we'd want to make sure we had signage, physical signs and disclosures saying that recording was going on. Also for our employees inside the building, we'd want to make sure they signed a document, and probably at least once a year, indicating that they've taken security awareness training and that they are aware that cameras are involved and that they're recording video and/or audio.

2:20 So for an individual who wants to get past the guard, there should be some kind of identification. Oftentimes that's a badge, like an access badge that may have digital circuitry in it that can identify who that user is. So that may be required here at the guard area. It also may be required further into the building. So let me go ahead and put a building here and I'll put a little roof on there as well and I'll label this main building. So there could be a receptionist here that could act as a deterrent and then for individuals who want to go further in, their badge may be required again to go in. Now in a sensitive area, there also may be what I used to call a man trap. However, the current term is a vestibule, although I'm going to label it man trap because it's easier to spell. And this man trap, I guess, could be called a person trap, allows one person to enter. They would then authenticate very likely with their badge or if we want to use multifactor authentication, it could be their badge plus a PIN number or something else that they know in combination with their badge, at which point it would allow them to continue through and that would do one person at a time.

3:18 And then throughout the building, we could also have a series of sensors. So those could be sensors on doors, they could be motion sensors. There's a lot of different types of sensors based on what we're looking for. So there's infrared sensors. There are sensors that can detect pressure changes. There are ultrasonic sensors. There are microwave sensors. And also while we're talking about sensors, we could also have devices that are doing weight. So for example, here in this vestibule, the man trap, we could have as people go in and authenticate, it could weigh them. And then when they leave, they could be weighed again. So again, people could have a big lunch and things like that. But looking to detect, you know, a significant weight change between in and out, which would imply something was brought in or left the building, that could act as a safety net right there to help identify some of that activity.

4:04 Also in the building, it'd be a great idea if we had the appropriate locks and notifications if unauthorized people are present. So I've been in environments where as I was walking down the hall, even with the top secret clearance, if I was in a part of the building where certain things were happening, I'd have to be escorted and carry this little lantern like thing that beeps every 30 seconds. If they heard the beep, they were working on something they needed to close the door for. They could close the door or stop having a conversation etc. to protect the confidentiality of whatever it is they may have been working on. So physical controls as one category are an important aspect in the overall security landscape.

4:41 (clicking)

Deception and Disruption Technologies

0:00 Also in the world of security concepts, I'd like to chat with you for a moment about some technology regarding deception and disruption. Now normally we'd think about these concepts of deception, disruption from a perspective of what an attacker or hacker might try to do towards a victim or towards a target. However, for our discussion now, I want to chat about these two techniques or these two concepts from the perspective of trying to trick or identify the details of what the attacker or hacker is attempting to do. Also, I'd like to point out that before you start implementing any kind of hacking or deception or disruption technologies, you'd want to make sure, especially if it's not your own home network that's staying contained in your home network, you'd want to make sure you have authorization on the networks you're going to do it on. Because if you do some of these techniques and you do it without proper authorization at your company or on the public internet, that could be a liability if you do something illegal.

0:54 All right, so with that warning in place, let's talk about a few of these techniques and one of those is to create a honeypot. Now, when you think of honey, I'd like you to think of the character Winnie the Pooh, who absolutely loves honey. So if we have an attacker somewhere out on the internet, let's think about what they love. If they're trying to compromise us and do it over the network, as far as the network and systems are concerned, what they love are open and available ports, and those ports are commonly associated with layer four protocols. And then more to the point, the attacker is going to love if there's some known vulnerability or if there are some ports and protocols open and available on our network, which are supporting insecure protocols, things like FTP or telnet and many, many others, which if used are a security vulnerability.

1:42 So the first question is how would an attacker discover, for example, what open ports there are? Let's imagine these two servers have been made available to the internet. Now, not just all the ports and protocols, but let's say the firewall is allowing just HTTPS, which at layer four is using the protocol TCP, and the well-known port for HTTPS at the server side is TCP port 443. So if an attacker is curious about what ports are open and they start scanning, effectively they're tricking how the TCP/IP protocol stack works by doing a TCP SYN request in and then seeing what comes back. And so if they do a TCP SYN request, the synchronization request, to TCP port 443 at an IP address that leads to a server and they get the follow-up packet, and the follow-up from the server going back to the client would be an acknowledgement and their own SYN request, and they refer to that as a SYN-ACK coming back. So if the attacker simulates a connection request with the SYN and gets a response back, that tells the attacker, oh, hey, that port, TCP port 443, is open and the associated well-known services behind that are HTTPS services. So what an attacker may do is do some scanning of, for example, the 100 most likely ports or they can do a scan of 65,000 ports at every single possible IP address trying to determine exactly what services and ports are open.

3:03 So how does an attacker doing a scan equate to a honeypot? Well, we could on our own networks place a server that's not a real server, meaning it doesn't have our critical services on it, it may look like our web server, but behind the scenes it just has a ton of open ports. For example, we could open up TCP port 23, which to the attacker would think, oh, they have got a telnet server running there, or if we open up TCP port 21, the attacker, if they scan that and got a response back, would think, oh, they have an FTP server open, or if TCP port 80 is open and responds back, the attacker will think, oh, they've got HTTP services running. And then furthermore, they can start to try to take advantage of those. So a honeypot would be a decoy effectively, not a real server, but just something to keep the attacker busy and also for our own purposes to identify that we have an attacker who is looking for open ports so we can be made aware of that. So we could have alarms that are going off. So this system right here, we'll call it server A, if it's set up as effectively a decoy, that would be an example of a honeypot. And if we had a whole bunch of servers, for example, server A, server B, and we had some other locations and server C over here and across the internet, that would be an example of a honeynet, a network of honeypots.

4:19 We also may have on some of those honeypots and honeynet servers, we also may have some files that intentionally look like an easy target or intentionally look like desirable information. For example, on the servers, if we have a file called passwords dot txt, and in that file, because we're putting it on our servers as part of a honeypot, the actual content of that passwords dot txt file should not have anything too critical. Or if we had a file that had misinformation or some other intellectual property, which wasn't real or was faked, that we wanted to get into the attacker's hands, that'd be another example of a honey file. And while we're talking about terms for deception and disruption that begin with honey, let's also discuss the concept of a honey token. And honey tokens can come in various forms. For example, if one of our sensitive files, our fake sensitive files, had credit card information in it, perhaps we're using certain strings of credit card numbers, fake ones. If those credit card numbers are attempted to be used, effectively that acts as a signal saying, hey, you know what, this was attempted to be used. And it came from our file. So in that sense, it could be used as a way to detect that the data that was stolen is actually trying to be used. Or maybe we even didn't detect that the attacker got that information. But the moment they start trying to use those credit card numbers in this example, I'll put cn.txt here for credit card numbers. The moment they start using those, that's the indication that that file was retrieved and is now trying to be used by an attacker. So it's primarily a detection method or a trap that can help us identify what's going on with the attacker and what they have access to.

5:51 So as a quick example to help reinforce the concept of a honeypot, I'd like to take you on a journey to this computer right here. And here on my home office network, so I'm going to be doing this against just my home office network, nothing out on the internet, I'd like to go ahead and do a quick scan from this computer just to kind of see what other devices are here on this local network. And based on the scan I'm going to be using, what are some open ports and protocols that can be detected? And the tool I'm going to use on this little computer here is called Nmap, for network mapper. And I'm going to be telling it to do nmap, space, and specify my subnet here. And my office network is the 192.168.1 network with the 24-bit mask. So it'll do a scan of the entire network space, identify which devices are there, and furthermore which ports and protocols are open. And I have one device on this network segment which is set up as a honeypot and from the output, I'd like you to guess which device it is.

6:45 All right, so here is my command prompt on this machine right here. This is computer two. And here's the command I'm going to issue: nmap without any other parameters, and then this network segment, the 192.168.1 subnet with the 24-bit mask. And I'll press enter. And now it is going at it. So I can press enter while it's going and it'll show us the progress. So it's 60% done, 72% done, almost there. And we'll let it finish. All right, and it is done.

7:15 So here is the first device at 192.168.1.1. And by default, Nmap does the scan of 1000 ports. And so 995 were filtered. So here it has the port and protocol. And it has the service based on the well-known ports and protocols for those services. And then based on the MAC address, that's the layer two Ethernet address on the device itself, it's also making an educated guess based on these first six characters of who the vendor is, saying this product based on the MAC address is from Fortinet. And it is right. That's a Fortinet 48 firewall. Then we scroll down a little bit. Here's another device at .75. And it has six services that it is able to identify based on the ports and protocols. And it's got some insecure protocols that are open. So HTTP is another example of an insecure protocol. HTTPS is secure, but HTTP isn't. So that might be one the attackers could be interested in. And as we continue to scroll down, here is yet another one. So that's at .100. And this has a whole bunch of services. So this almost looks like a honeypot, but that's a Windows server that I use for a lot of functionality here on my home office network. But there is FTP insecure and open. There's HTTP also insecure and open. There's LDAP. And that is the insecure flavor of LDAP. So if I was an attacker and scanning this network, I would see all those as potential opportunities. So if we scroll down, here's another device. This is an ESXi hypervisor running on a Dell server. And it has these ports and protocols open. Let me scroll down a little bit. So here's another device at .107. And that is a NAS device from Synology, once again, with some open ports and protocols that are insecure. And again, here on my home network, that's not a big deal. But if these were on a network that was publicly available, those would be security issues. Then I've got this device at .111. And this isn't even the honeypot yet.

9:05 So let me scroll down and let me take you to the device right here, which is my honeypot. This is an intentionally vulnerable system where there's no critical data behind it. So it has FTP open, telnet open, DNS is open, the insecure flavor, HTTP, and the list of hits goes on and on and on. And it's showing based on the MAC address that this is from VMware. And that's because this little honeypot is a virtual machine running on a hypervisor. And it's going down to the rest of my devices as well here on my little office network. So this device right here at .141 is an example of a honeypot in action. So behind the server, we could go ahead and place honey files that, again, are not really containing sensitive information, but look like they are. And we can make them available via FTP or telnet or HTTP to make it easier for a potential hacker to get access. Now, one of the concerns also is that if it looks too obvious, like there's too many ports open, an attacker may see that and say, you know what, that looks too good to be true. Probably is. And they may leave it alone because they don't want to be detected, especially if they start using some of the information that they gleaned from the files and other resources available behind some of these open ports and protocols.
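The honey token idea from this video, as an added example that is not part of the video or of any CBT Nuggets material: a small Go program that scans payment-gateway log lines for fake card numbers that were planted in the decoy file (the cn.txt from the video) and raises an alert when one of them is used. The two card numbers, the four log lines, and the detector itself are constructed for this illustration; in a real deployment the planted values would be registered with whatever system processes payments so that any attempted use is flagged the moment it happens.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Alert records one sighting of a planted honey token in a log line.
type Alert struct {
	Token string // normalized card number that matched
	Label string // where that token was planted
	Line  string // the log line that triggered the alert
}

// honeyTokens maps each planted fake card number (digits only) to the decoy
// it was seeded into. Both numbers are constructed for this example; they
// are not real cards and only matter because we chose to plant them.
var honeyTokens = map[string]string{
	"4111222233334444": "cn.txt on the honeypot",
	"5500111122223333": "cn.txt on the honeypot",
}

// cardPattern matches runs of 13 to 19 digits that may be grouped with
// spaces or dashes, the way a card number is usually typed or logged.
var cardPattern = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// normalize strips separators so "4111-2222-3333-4444" and
// "4111 2222 3333 4444" both compare equal to the planted digits.
func normalize(s string) string {
	return strings.NewReplacer(" ", "", "-", "").Replace(s)
}

// ScanLine returns an alert for every planted token that appears in line.
func ScanLine(line string) []Alert {
	var alerts []Alert
	for _, m := range cardPattern.FindAllString(line, -1) {
		tok := normalize(m)
		if label, ok := honeyTokens[tok]; ok {
			alerts = append(alerts, Alert{Token: tok, Label: label, Line: line})
		}
	}
	return alerts
}

// ScanLog runs ScanLine over a whole log and concatenates the results.
func ScanLog(lines []string) []Alert {
	var alerts []Alert
	for _, l := range lines {
		alerts = append(alerts, ScanLine(l)...)
	}
	return alerts
}

// SampleLog is a constructed payment-gateway log: two legitimate-looking
// attempts and two that reuse numbers taken from the honey file.
var SampleLog = []string{
	"2024-05-01T10:02:11Z gateway auth_attempt pan=4012888888881881 amount=12.00 src=198.51.100.4",
	"2024-05-01T10:02:15Z gateway auth_attempt pan=4111-2222-3333-4444 amount=49.99 src=203.0.113.7",
	"2024-05-01T10:03:02Z gateway auth_attempt pan=5500 1111 2222 3333 amount=900.00 src=203.0.113.7",
	"2024-05-01T10:03:40Z gateway auth_attempt pan=5555555555554444 amount=5.00 src=192.0.2.9",
}

func main() {
	// Each alert tells the defender two things: the decoy file was taken,
	// and the data in it is now being used.
	for _, a := range ScanLog(SampleLog) {
		fmt.Printf("HONEY TOKEN USED: %s (planted in %s)\n  %s\n", a.Token, a.Label, a.Line)
	}
}
```

The lookup is keyed on the normalized digits rather than on the literal string in the file, so the alert fires however the attacker re-types or reformats the number. Tokens that are never handed out legitimately have no false-positive rate, which is what makes this a clean detection signal.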

Validation of Security Concepts

0:00 In this video, I'd like to give us both an opportunity to help reinforce some of the core concepts that you and I have talked about in this set of videos. And here's what I invite you to do. Before you continue on to the next video, where we'll do a summary of this information together, I'd like you to take just a moment and give it some real thought regarding the CIA triad, those three acronyms, confidentiality, data integrity, and availability. I'd like you to list one way regarding how to implement each of those items.

0:27 Next, I'd like you to imagine that you and I are sitting in front of a customer and they want some non-repudiation, the ability to go ahead and validate for sure who is responsible for some type of activity. Maybe it's sending an email message or making a transaction. What I'd like us to do is explain to the customer what can be used to implement non-repudiation.

0:49 Next, I'd like you to go ahead and describe the concept of AAA. Now, to help bring this home, I'd like you to imagine that you and I are sitting in front of a potential customer that we're going to go in and help them improve their security posture. And we want to have something to talk about. And for a framework, we want to talk about the basic components of AAA. So I'd like you to imagine that we're sitting in front of that customer and take a moment or two. And you can either do this in your mind or if you have a loved one or some other person who will sit with you for a moment, take a moment, and actually walk through the process of describing the concepts behind AAA. And of course, if you get stuck on any of these, feel free to pop back to those previous videos for a quick refresher.

1:29 And then I'd like you to think about for a moment the concept of a zero trust network and identify or think about what are the default permissions allowed in a zero trust network. And the keyword there is default, and in a zero trust environment, what are the default permissions?

1:46 And then last but certainly not least, I'd like you to describe, and again we can imagine doing this in front of a customer, describe the benefit of honeypots, honeynets, honey files and honey tokens. So this entire process, I would encourage you to take somewhere between three and ten minutes to go through it. And then when you've given this some thought, join me in the next video and we can compare notes together. So have some fun with this exercise and I'll see you when you are ready.

2:11 [BLANK_AUDIO]

Validation of Security Concepts

0:00 So now that you've had a few minutes to consider these on your own, let's tackle them together. So starting off with listing one way of implementing each of the elements of CIA, for the full list, CIA, that's confidentiality, data integrity, and availability. So the task is asking us to list one way for each of them. So for confidentiality, we can use encryption, either encrypting disks or encrypting network traffic using, for example, VPN or secure protocols. And another way of helping enforce confidentiality, of course, is to require logging in so that only those people who have correctly logged in can see the data and have access to the systems that they're entitled to.

0:38 Then for the data integrity, the major answer there is going to be some form of hashing. So if we have a file that we downloaded, we download it to our computer, they also have published a hash associated with that file. And so we generate that hash. And if the hash that is published for that file matches exactly the hash that we generate locally for that file, that means that we have data integrity, courtesy of hashing.

1:00 And then for availability, it means two. And you might say, Keith, what do you mean two? Well, it means redundancy. So instead of having one disk, you'd have two disks. Instead of having one firewall, you'd have two firewalls. Instead of having one server, you'd have two servers that work in conjunction with each other. And that way, if there's a single point in the network that fails, it's tolerant to that and can still function. So that's also referred to as fault tolerance, sometimes referred to as H.A. for high availability. All right, so that is task number one done, done, done.

1:29 And then for the second item here, what can we use for non-repudiation? And the answer I'm looking for here, based on our discussion in these sets of videos, is digital signatures. So just like if we went into a bank and we made an agreement for a loan and we signed our names that we will pay it back, they can use that later to show us, yeah, you agreed to this, here's your signature. It's proof that you agreed to it. And in the world of cyber security, a digital signature, for example, on an email or regarding a transaction or on some type of a digital certificate, that can be used as proof and supply non-repudiation. The person who used that digital signature can't go back later and say, oh, I didn't really sign this, if indeed they did. Or at least if they said they didn't sign it, the digital signature would be proof to the contrary.

2:14 All right, then our third step here is describe the concept of AAA, and the AAA in the concept of security is all about authentication, meaning who are you or who is the entity, to validate the identity. The second A is authorization, what are they authorized to do? And then finally, we have the accounting, which is tracking through logs, usually, what exactly did they do?

2:36 And then as we continue on, what default permissions are allowed in a zero trust network? And the answer is zero. Hence a zero trust network, everything needs to be identified, everything needs to be authorized, everything needs to be accounted for. And that way, there's not just like a hard shell on the outside, somebody logs in and they can do whatever the heck they want. A zero trust network is going to require effectively AAA every step of the way. And the tricky part there for the zero trust network is which vendor or vendors are we going to use to implement that across the board? And most of the time it's going to be more than just a single vendor, using a best of breed approach regarding their technologies to implement a zero trust network.

3:17 And finally, we're asked to describe a benefit of honeypots, nets, files and tokens. And the answer there is we can help identify or detect the fact that we are being compromised or attempting to be compromised by an attacker. Because we have a honeypot and multiple honeypots, which would be an example of honeynets. And we have some fake files there and also indicators when those files and the contents of those files are being used. That can help us be aware that not only is there a security threat present, but that security threat is active in trying to get into our stuff. So it's a great detection mechanism to help us identify that attacks are underway. So thanks for joining me in this set of videos and in this skill. And I look forward to seeing you my friend in another set very, very soon. Until then, I hope this has been informative and I'd like to thank you for viewing.
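The two answers above that have a concrete mechanism behind them, hashing for data integrity and digital signatures for non-repudiation, as one added example that is not part of the video or of any CBT Nuggets material. It uses Go's standard-library SHA-256 and Ed25519 packages. The "downloaded file" is a constructed byte string, the signer names Alice and Mallory are hypothetical, and the key pairs are derived from a fixed seed purely so the run is reproducible; real signing keys are generated from a secure random source and never shared.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Sha256Hex returns the lowercase hex SHA-256 digest of data, the form in
// which a publisher usually posts a file's hash next to the download.
func Sha256Hex(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// VerifyIntegrity recomputes the digest of the downloaded bytes and compares
// it with the published value. A constant-time comparison is used so that
// the check itself does not leak how many leading characters matched.
func VerifyIntegrity(downloaded []byte, publishedHex string) bool {
	got := Sha256Hex(downloaded)
	return subtle.ConstantTimeCompare([]byte(got), []byte(publishedHex)) == 1
}

// SeedFromLabel derives a fixed 32-byte seed from a label so the example is
// reproducible. Demonstration only: production keys come from a CSPRNG.
func SeedFromLabel(label string) []byte {
	seed := sha256.Sum256([]byte("example-seed:" + label))
	return seed[:]
}

// NewSigner builds an Ed25519 key pair from a 32-byte seed. The private key
// stays with the signer; the public key is what anyone, including a court,
// uses later to check who signed.
func NewSigner(seed []byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// SignMessage produces the signature that binds msg to the signer's key.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySignature checks msg against sig with the claimed signer's public
// key. True means only the holder of the matching private key could have
// produced sig for exactly these bytes, which is the non-repudiation proof.
func VerifySignature(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Integrity: a downloaded file checked against its published hash.
	file := []byte("installer bytes (constructed)")
	published := Sha256Hex(file)
	fmt.Println("download matches published hash:", VerifyIntegrity(file, published))
	tampered := []byte("installer bytes (constructed)!")
	fmt.Println("tampered download matches:", VerifyIntegrity(tampered, published))

	// Non-repudiation: Alice signs a transaction request. Later she cannot
	// deny it, and nobody can claim she signed a different amount.
	alicePub, alicePriv := NewSigner(SeedFromLabel("alice"))
	request := []byte("transfer 500.00 from acct 1001 to acct 2002")
	sig := SignMessage(alicePriv, request)
	fmt.Println("Alice's signature verifies:", VerifySignature(alicePub, request, sig))
	altered := []byte("transfer 5000.00 from acct 1001 to acct 2002")
	fmt.Println("same signature on altered request:", VerifySignature(alicePub, altered, sig))
	malloryPub, _ := NewSigner(SeedFromLabel("mallory"))
	fmt.Println("signature attributed to Mallory's key:", VerifySignature(malloryPub, request, sig))
}
```

The hash check only tells you the bytes are the ones the publisher posted; it says nothing about who posted them. The signature adds that binding because verification needs only the public key while signing needs the private one, so a valid signature is evidence the private-key holder approved exactly that message.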
