CBT Nuggets

Understanding Information Assurance

This skill covers essential information assurance concepts, including the CIA triad (Confidentiality, Integrity, Availability), various authentication methods, and the importance of nonrepudiation. It also delves into risk management practices such as risk identification, assessment, and treatment, as well as data privacy laws and regulations like GDPR and HIPAA. Learners will gain a comprehensive understanding of how to protect sensitive information and ensure robust cybersecurity measures.

Full lesson from (ISC)² CC. Preview the IT training 23,000+ organizations trust.

48m 5 Videos 5 Questions

Skill 1 of 10 in (ISC)² CC

Overview

Join Bob Salmans as he discusses common security principles such as the CIA triad, authentication, non-repudiation, and privacy. He'll also review risk management and the practice of risk identification, assessment, and treatment.

Recommended Experience

  • None

Related Job Functions

  • Any

When it comes to cybersecurity, you’d be hard pressed to find an instructor with the experience and knowledge that Bob Salmans brings to his training.

The CIA Triad and Nonrepudiation

In this nugget we're discussing what the CIA triad is, and why it's important that we protect it. We'll also be discussing what nonrepudiation is, and how it can be useful to us.

Knowledge Check

The CIA triad is made up of Confidentiality, Integrity and what else?

  A. Availability
  B. Answers
  C. Awareness
  D. Analysis

Verify your team's readiness — Request a Demo to verify practice assessments, completion reporting, and CSV / SCORM exports on the Team plan.

Methods of Authentication

In this nugget, we're going to talk about the various methods of authentication and some examples of each.

Knowledge Check

If you authenticate using a USB key, you are doing which of the following?

  A. Authenticating something you have
  B. Authenticating something you are
  C. Authenticating something you know
  D. Authenticating something you do

Multi-Factor Authentication (MFA)

In this nugget, we're going to talk about what MFA is, and the benefits it provides us with.

Knowledge Check

If you authenticate with a username and password only, you are using multi-factor authentication. True or False?

Biometrics Factors

In this nugget we're revisiting biometrics, and discussing some common factors associated with biometrics systems.

Knowledge Check

When a biometrics system permits an unauthorized user to access something, this is known as what?

  A. False acceptance
  B. False rejection
  C. Failure to enroll
  D. None of these are correct

Data Privacy

In this nugget we're discussing the importance of data privacy. We'll discuss what private data is, and some of the laws and regulations protecting that data.

Knowledge Check

What is the data privacy regulation meant to protect the data privacy of European Union citizens?

  A. GDPR
  B. HIPAA
  C. NLO
  D. EUDP

Conclusion

I hope this has been informative for you and I would like to thank you for consuming.

Transcript

The CIA Triad and Nonrepudiation

0:06 Today we're going to talk about the CIA triad.
0:10 And no, this isn't the Central Intelligence Agency.
0:13 Although, that would be fun.
0:15 But it's a little bit different.
0:16 So we're going to talk about Confidentiality, Integrity,
0:19 and Availability.
0:20 That is the CIA triad.
0:22 And we're going to talk about something called
0:24 nonrepudiation, and the role it plays within information
0:28 security.
0:28 So with no further ado, let's jump in and get started.
0:32 So the CIA triad, what is it?
0:36 Why is it important?
0:37 Well, the CIA triad--
0:40 tri, meaning three-- has three sides,
0:42 as we can see in this drawing--
0:43 confidentiality, integrity, and availability.
0:48 Those are the three pieces of the CIA triad.
0:53 Now, why is this important?
0:54 Because within cybersecurity and information security,
0:58 we are working to ensure--
1:01 that is key here-- that is kind of our job
1:03 is to ensure the CIA triad.
1:06 So what does this really mean?
1:09 Well, it means we want to work to provide confidentiality
1:13 and work to provide integrity to our data
1:17 and the availability of our data.
1:20 So let's go a little further now and talk
1:23 about each of these individually and kind of the role
1:26 that they play in this triad.
1:29 So we're going to start off with confidentiality.
1:31 We see Mr. Hush Hush down here.
1:34 Now, when it comes to confidentiality,
1:36 what we're trying to do is make sure
1:39 that only those who are authorized to access our data
1:43 can access it.
1:44 That means those who are unauthorized, well,
1:48 we don't want those folks to be able to access our data.
1:51 We want to keep it confidential.
1:53 We want to restrict access to it.
1:55 We want to use something called the premise of least privilege.
2:00 And we're going to dive into what this means more later on.
2:05 But we're going to practice something called
2:06 least privilege, meaning we provide
2:09 the least amount of privilege necessary for someone
2:12 to do their job.
2:14 So if we have hundreds and hundreds
2:16 of thousands of files and folders and directories
2:19 and all of the wonderful resources that we have,
2:22 we don't want to give everybody out there access
2:25 to all of these things-- absolutely not.
2:28 We want to remove that.
2:29 We want to say, this person needs access to only this.
2:32 Maybe this person needs access to these things over here,
2:36 and this one to a couple of these over here.
2:38 But that's all that they need access to.
2:40 That is least privilege.
2:42 Now, why is that important when it comes to confidentiality?
2:45 Because if everybody has access to everything,
2:49 well, there's no confidentiality at that point,
2:51 necessarily, because we need to control who
2:54 can have access to everything.
2:56 We want to make sure that those unauthorized individuals don't
2:59 have access to any of the things that they shouldn't have access
3:03 to.
3:03 So really, when we're talking about confidentiality,
3:05 what we've been talking about here,
3:07 is something called access control.
3:09 And there are several different types of access control.
3:12 And we're going to dive into those later on.
3:14 But all this on the right side of the screen here,
3:18 well, that's access control in a nutshell.
3:21 What else can we use to provide confidentiality to our data?
3:26 Well, just think about this.
3:27 If you send an email to someone, it's
3:30 going to go out across the internet.
3:32 And what is out there on the internet?
3:34 Well, there's lots of things on the internet.
3:36 It goes through different service providers
3:38 as it jumps through various networks to get from point A
3:41 to point B to point C, and maybe finally down
3:44 here to your destination, where that user can open up the email
3:48 and read the contents.
3:50 Well, as your emails and other data
3:52 traverse the wide world of the internet, which is the Wild,
3:57 Wild West out there, who's to say someone
4:01 can't go out there and take a look at your email?
4:05 Well, because it's absolutely possible.
4:07 These emails are sent in plain text.
4:10 So what can we do to combat this?
4:11 Well, let me make a little room here.
4:15 We can use something called encryption.
4:18 So we have our email over here.
4:20 What we're going to do is we're going
4:21 to use a key of some sort.
4:23 And we're going to encrypt this email so that anybody that
4:28 doesn't have that key, they cannot read the email.
4:31 So as it traverses the internet and all the different paths
4:35 it may take before it gets to its final destination, anybody
4:38 out here who doesn't have the key,
4:39 they're not going to be able to read that email,
4:41 meaning we are going to maintain the confidentiality
4:45 of the contents of that email.
4:47 Hey, super cool!
4:48 So then when it gets down here to its final destination,
4:51 the user can take their key, and they can open that email,
4:55 and read it.
4:56 And voila, there we go.
4:58 We've achieved confidentiality.
4:59 So there's a couple of different pieces.
5:01 We can use encryption to help with confidentiality.
5:04 We can use access control to help maintain confidentiality.
5:09 And why are we maintaining confidentiality
5:12 in the first place?
5:12 Because our data can be sensitive.
5:16 It can have trade secrets in it.
5:18 Maybe it has sensitive privacy information in it.
5:20 We need to maintain control of our data.
5:24 And part of that is maintaining the confidentiality
5:27 of the data.
5:28 So that's the C part of the CIA triad.
5:31 What about the I?
5:32 Good old integrity-- there we go.
5:35 So integrity, this is ensuring that our data is accurate.
5:41 So why is our data not accurate?
5:44 Did we mess something up?
5:45 Did we miscalculate something?
5:47 No, no, no, no, no-- something totally different.
5:49 This is dealing with making sure our data hasn't
5:52 been tampered with.
5:55 Because just the same example we used
5:58 before when we were sending an email-- if I go over here,
6:01 and I take an email, and I send it out,
6:03 it goes out across the internet and through all
6:05 the different routers and devices
6:07 out there to get to where it's finally
6:09 going through different service providers and such.
6:12 And the user gets their email.
6:14 And originally, I was placing an order.
6:16 So I want to order part number 1234.
6:20 And I want to order a quantity of five.
6:24 That's what was in my email.
6:27 Well, if someone tampers with that email
6:29 and they change that order to part
6:32 number 6321 and a quantity of 500,
6:39 well, that completely changes my order.
6:43 And that is why we need to protect integrity.
6:46 Not to protect our orders, necessarily-- but sure,
6:49 of course, that's one example--
6:50 but because we need to ensure that our data is accurate.
6:57 We don't want it to be tampered with.
6:59 We need to ensure the integrity of our data.
7:02 And some different ways that we can do this,
7:04 we can perform error checking.
7:07 So for example, in this instance,
7:10 if I use some type of mathematical equation
7:13 to give me an output of what my original message equals--
7:17 maybe it actually equals x3269 in some mathematical equation--
7:24 actually, we call this hashing.
7:25 And this value now represents the email.
7:28 So I could actually attach this to the email,
7:32 and then when it gets to the other side,
7:34 we could run that mathematical algorithm again.
7:37 And here it would equal y3112.
7:43 So that's what that equals.
7:44 So if I take my output of this message, x3269,
7:48 does this value equal that value?
7:51 Well, the answer is no.
7:53 So that means that our message was tampered with.
7:57 And this is part of something like error checking.
7:59 We're looking to see if our data was tampered with
8:03 and the integrity of our data has been compromised.
8:07 And if you think about it, this is one example.
8:10 But what about when it comes to medical information?
8:12 Well, that could be very dangerous,
8:15 as you could imagine.
8:16 If someone's medical records were tampered with
8:19 and we didn't have the integrity of the data,
8:21 well, maybe something they were allergic to gets
8:24 changed in their medical records,
8:25 and then they get a treatment, and they
8:27 have an allergic reaction.
8:28 You see where this could go.
8:29 This could be very dangerous.
8:32 So again, we're looking to protect
8:34 the integrity of our data.
8:36 And really, one of the best ways we
8:38 can do that is through error checking or something we
8:41 call hashing, which uses a mathematical algorithm
8:46 to calculate a value, just like we looked at in this example.
8:50 So that's the I leg of our CIA triad.
8:52 We've got one more to go.
8:54 And that is the A or Availability.
8:57 So here we're looking to make sure our data is--
9:00 well, it's available, meaning we can use it.
9:04 If our data is not available to us to use, well,
9:08 what good is it?
9:10 We can't actually access it and use it.
9:12 We've got to have it available to us.
9:13 So how can we protect our data and make sure it's available?
9:18 Well, one of the things we can do is practice access control.
9:21 Just like we talked about in our confidentiality, access
9:25 control, if we allow unauthorized users to access
9:31 our data--
9:32 well, guess what-- those unauthorized users--
9:35 wahahaha-- well, they could go out there and delete our data.
9:39 Well, then it's not available to us.
9:42 Or they could change the data and compromise its integrity.
9:45 So then it's inaccurate.
9:46 And if it's inaccurate, it's of no use to us.
9:49 So again, it's affecting the availability.
9:52 Another thing we could do is put some type
9:54 of security controls in place to help
9:59 protect our data-- make sure it's available-- because we've
10:02 got all those bad guys out there on the internet, who
10:05 might do something like cause an attack against our environment.
10:09 And if they're trying to attack, maybe we
10:11 can put something like a firewall out here.
10:14 And that firewall is going to help protect us.
10:17 So this is a security control, something
10:19 we put in place to control the situation.
10:22 And it's related to security.
10:24 So we could do a firewall, or maybe an intrusion detection
10:28 system that we could put in place
10:30 to analyze the traffic as it's coming through
10:33 into our environment.
10:34 So we can help keep the bad guys out,
10:37 making sure that our data is available.
10:40 We can also build redundancy into our systems.
10:46 So instead of running our data on one server,
10:48 we actually spread the data across multiple servers
10:52 in maybe a cluster so that if we lose one of those servers,
10:56 we still have our data available to us.
10:59 So redundancy, we could have redundant power.
11:02 That's pretty important, because if the lights go out-- well,
11:05 guess what-- our servers go down.
11:07 Our infrastructure goes down.
11:08 We lose access or availability of our data.
11:12 The same for our HVAC or air conditioning and ventilation,
11:16 because when we're dealing with lots of network equipment
11:19 and servers and such, it generates lots of heat.
11:21 And if it overheats, it's no longer able to function.
11:23 Well, it affects the availability
11:26 of the data on those devices.
11:29 So it's very important that we have redundancy
11:32 as part of protection for our availability.
11:36 So those are the three things that make up the CIA triad.
11:41 That's our Confidentiality, our Integrity,
11:44 and, of course, our Availability.
11:47 That's the CIA triad.
11:48 And that's really what we look to protect
11:51 within information security.
11:54 So we're looking to protect all of these things,
11:57 because when we do that together,
11:59 when we have all three legs of the CIA triad, well, then
12:03 we are going to be winning at security
12:06 and making sure our data is accurate, and available,
12:09 and kept confidential.
12:12 We've got one more thing to talk about,
12:14 and that is something called nonrepudiation.
12:17 So it is a strange sounding word,
12:20 so let's go ahead and break this down.
12:21 We're going to start with repudiation.
12:25 Now, repudiation is the ability to say
12:29 that you didn't do something.
12:32 That's what repudiation means.
12:34 Basically, I didn't send an email, or I didn't open a file.
12:39 So that is repudiation.
12:41 But if we put non in front of that,
12:45 so we have nonrepudiation, it means
12:48 that you don't have the ability to say this.
12:52 So let's talk about some of the examples of nonrepudiation.
12:57 So when it comes to emails, if you have nonrepudiation,
13:02 you can't say that I didn't send this email.
13:07 So as it goes out to its recipient over here
13:10 and the recipient reads it and says, hey,
13:13 did you send this email?
13:14 You cannot say, I didn't do that.
13:17 See, that's not an option with nonrepudiation.
13:20 So we have proof that the person sent the email.
13:24 What about accessing a file, maybe
13:27 making changes to the file?
13:29 So we changed a little bit in the file.
13:32 And the question comes about, hey,
13:34 who made the change to this file?
13:36 Did you do that?
13:37 With nonrepudiation, the person can't say, I didn't do it,
13:41 because we have proof that they did.
13:42 So really, with nonrepudiation, we're
13:44 looking to prove that someone did something.
13:49 That's what it comes down to.
13:51 But this isn't necessarily a bad thing.
13:53 We're not looking to catch someone
13:56 in a crime or something, necessarily.
13:58 It could be that you want to prove that you sent it.
14:01 See, I sent this file.
14:02 I changed that file.
14:04 I sent the email.
14:05 Whatever it is, you can prove that you did.
14:07 But how can this be done?
14:09 Well, when it comes to proving that you sent an email,
14:13 let's say, you could use something called PKI.
14:17 And that is our Public Key Infrastructure.
14:22 And this is dealing with encryption keys.
14:25 So earlier we had talked about using encryption
14:27 to encrypt an email to maintain its confidentiality.
14:31 So if I take my key right here, and I go ahead
14:34 and I use that key to digitally sign my email,
14:40 which basically means you take the key,
14:42 and it runs that hashing algorithm
14:44 that we talked about earlier, and it puts that data
14:47 into the email.
14:48 So since you are the only one who has access to this key--
14:52 it's your private key.
14:53 You hold it safe, and you don't let anybody else have access
14:56 to it-- that way, when this email goes out,
15:00 and you've digitally signed it, you can say, I sent it.
15:04 And you have proof because you signed it with--
15:08 that's right-- your key right there.
15:11 So that is an example of nonrepudiation.
15:14 You want to prove that you sent it.
15:15 And since you're the only person on Earth
15:17 who has access to that private key, you can prove it.
15:21 You've digitally signed it.
15:23 And we can sign files as well.
15:25 You can sign various objects.
15:28 But again, oftentimes we use PKI, or Public Key
15:32 Infrastructure, with our private key to sign a piece of data
15:37 to prove that you did something with it.
15:39 And that is all about nonrepudiation.
15:42 You want to make sure that you can
15:44 prove that you did something with some digital assets,
15:47 like files.
15:48 And again, also, it could be the other way.
15:51 So if you're looking to see if someone did something,
15:54 you can find out, again, by nonrepudiation.
15:57 So that is the CIA triad.
16:00 Of course, as we talked about earlier, that's our CIA--
16:04 Confidentiality, Integrity, and Availability--
16:07 and nonrepudiation.
16:10 I hope this has been informative for you.
16:12 And I'd like to thank you for viewing.

Methods of Authentication

0:00 I've got a question for you. Have you authenticated today? What kind of
0:05 question is that? Well, think about it.
0:08 Have you stopped to get gas on the way to work? You put your credit card up
0:12 against the proximity reader or you stuck it in the gas pump machine credit
0:17 card reader and you got to put in your zip code.
0:21 Okay, that's a type of authentication. When you got to work, did you log into
0:24 your computer? Well, that's definitely a type of authentication.
0:28 So you'll see we authenticate all the time. We just really don't think about it
0:32 necessarily.
0:34 So that being said, there's many types of methods for authentication.
0:40 So what do you say we jump in and talk about some of these types of
0:43 authentication?
0:45 All right, we're going to be talking about types or methods of authentication
0:50 because we authenticate all the time.
0:54 Right, we log into our computer at work and we provide a username and a
0:58 password. That's a form of authentication.
1:01 We go to the ATM. That's right. We go out there to the ATM because we need a
1:05 little cash.
1:06 And what are we going to do? We're going to put our card in there and then we're
1:09 going to type in a PIN number.
1:12 Well, that's another type of authentication. Maybe. Maybe you're going on a
1:17 trip.
1:18 And this trip, you got to go to the airport to go on this trip because you're
1:22 going to take an airplane, right?
1:24 All right, cool. When you go in there and you go through security, what do you
1:27 provide them with?
1:29 Well, you got to provide your ticket. That's right. They want to see your
1:32 ticket.
1:33 They're going to want to see your ID or your passport, whatever it might be.
1:37 But again, we're authenticating here. Maybe. Hey, you sign into your smartphone.
1:43 You got your smartphone here. And what are you going to do to sign into your
1:45 smartphone?
1:46 Well, you're going to provide a PIN or maybe you use a pattern.
1:51 So instead of a PIN, you decide to use some type of pattern on your phone that
1:56 you use with your finger.
1:58 Well, that's another form of authentication. These are all methods for
2:01 authentication.
2:03 So let's talk about the different methods. There are actually classifications
2:09 that go along with this.
2:11 So we're going to start with something you know. Aha. So what is something you
2:16 know that you might authenticate with?
2:19 Well, how about a password? That's the most common something you know.
2:24 Or it could be a pass phrase. So instead of a single password, you have a pass
2:30 phrase.
2:31 So your pass phrase could be, you know, I like to eat pizza. And that is your
2:35 pass phrase.
2:36 Or we talked about earlier using a PIN number with your credit card or debit
2:40 card.
2:41 Well, there you go. PIN number. What's something else you might know that's
2:45 often used as a security question?
2:47 Well, how about mother's maiden name? Yep, that's used quite often.
2:53 So these are all something that you know. That's key. It's something that
2:58 you know.
2:59 Okay. So that is something that you know, as I just said.
3:03 What's the next one? How about something that you have?
3:07 Ooh, this is a little different here. So what's something that you carry with
3:10 you every day that you have?
3:13 Well, probably some form of ID. So it could be your driver's license.
3:18 It could be that you're carrying a passport or maybe a work ID that you have
3:24 that you carry on a lanyard,
3:26 or around your neck, right? Or maybe you have a device, something like a USB
3:31 device that we see here.
3:33 Oftentimes these are known as USB keys or sometimes they can be called smart
3:39 cards or a form of smart card.
3:42 But it's something that you have. Well, what about something else that you
3:46 might have?
3:47 Do you have a smartphone with you? Well, yeah, probably so.
3:51 Most of us do. And on those phones we can install apps.
3:55 And several of those apps.
3:58 And an example of an app that you might use for authentication would be some
4:03 type of authenticator app.
4:06 Or something else on your computer. Is there anything on your computer that
4:10 might be able to authenticate you?
4:13 Not something you type in, but something that's already there that you have.
4:16 Let's think about this. Think about round, maybe chocolate chips, maybe some
4:22 coconut in there, maybe some nuts.
4:26 That's right, cookies. So cookies can be maintained on our computer when we
4:32 visit certain sites and they can help authenticate us.
4:35 So cookies are something else that you might have. So so far we've talked about
4:39 something that you know.
4:41 And now something that you have. And next is something that you are.
4:48 Aha, a little bit different. So something you are. Well, you are an eyeball.
4:52 Well, you have an eyeball. Most likely. And this can be used to authenticate
4:57 you.
4:58 And really when we're talking about something that you are, we're talking about
5:02 biometrics.
5:04 So it could be a retina or iris scan. It could be a scanning of your
5:09 fingerprints.
5:11 So you've got fingerprints. Everybody has unique fingerprints. So we could be
5:14 scanning those.
5:15 It could be a facial pattern. So it takes a look at your face and all the
5:22 creases and crevices and features.
5:24 And it comes up with a digital pattern for your face. So it could be a face or
5:29 a pattern scan.
5:30 Or it could be a palm scan. So you can actually scan your palm and everybody
5:36 has unique patterns within their palm.
5:39 But again, this is something that you are. So it's these features of the human
5:45 body.
5:47 Okay, so we talked about something that you, let's hear it, know. Something that
5:52 you have.
5:54 And now something that you are. What's next? How about something you do? Oh,
5:59 okay, that's a little different.
6:01 So something that you do. We talked about one of these before. When we talked
6:04 about a pattern unlock on your phone.
6:08 So that was a pattern. Something that you do. Something you draw. It could be a
6:12 signature.
6:13 It could be a signature validation. That's something that you do.
6:17 It could also be keyboard typing characteristics.
6:23 Because believe it or not people type differently. And we can actually analyze
6:29 the typing patterns that people do.
6:32 It's how quickly they press the keys, how intensely they press the keys, those
6:36 types of things.
6:38 And you can actually come up with an identification pattern. So again, this is
6:42 something that we do.
6:44 So we had something that we know. Something that we have. Something that we are.
6:50 And now something that we do. All right. And believe it or not, we got one more
6:54 to do.
6:55 That's right. Somewhere. Not something but somewhere you are.
6:59 Because you could be anywhere in the world. And we have systems out there
7:05 providing security based on rules that are going to be based on where you are.
7:11 That's right. So you could be at headquarters. You're at the main office.
7:15 So when you're at the office and you're sitting there at your computer working
7:20 and you send data out.
7:21 Well, it's going to come from the office. And the office devices.
7:25 Basically the edge devices, we call it, on the network that connects to the
7:30 Internet is going to have an IP address associated with it.
7:34 And this IP address is an address that we use in network communication.
7:38 And when we have an IP address that's on the Internet, it's known as a public
7:42 IP address.
7:44 Those are globally unique. Okay. So there's only one of them in the world with
7:50 that IP address.
7:52 So when you go out and your data goes out to the Internet, it has this IP
7:57 address here attached to it. Okay.
8:00 So then when it goes down to a system over here, the system can say what IP
8:04 address did this come from.
8:07 And if it came from the IP address associated with headquarters, well, then
8:12 guess what?
8:13 You're allowed to access the system or access specific data, whatever it might
8:17 be.
8:18 But again, somewhere you are. And this is generally going to be an IP based
8:23 rule that is in effect.
8:25 So you're looking at the IP addresses associated with the actions.
8:31 So it could be from a specific geographic location because believe it or not,
8:36 certain IPs are associated with different regions.
8:39 So maybe the US or Canada or South America or Australia, all these different
8:46 regions around the world have different IP addresses associated with them.
8:52 So if you're coming from a specific country, you can access it.
8:55 Or maybe if you're coming from a specific country, you cannot access it.
8:59 You know, there's lots of different examples here. But again, somewhere you are.
9:04 So let's do a quick review again. We talked about some things.
9:09 So something you, what was the list? Well, something you know, very important.
9:16 Of course, our passwords and PINs and such, pass phrases. Something you have.
9:20 It could be a USB key, cookies on your computer or a smartphone. Something you
9:24 are.
9:25 This is your biometrics. Remember our fingerprints, palm scan, facial
9:29 recognition. Something you do, like your signature or a pattern unlock.
9:35 And then also somewhere you are. So again, that was generally we're looking at
9:44 your location within the world, the globe.
9:47 And that location was associated with an IP address. Okay.
9:53 And those are different methods of authentication.
9:57 And we use lots of them. Most commonly we use a username and passwords.
10:01 A lot of folks today are using smartphone apps or authenticator apps.
10:05 But is this enough? That's a good question. This fellow down here is definitely
10:09 thinking about it.
10:10 Is this really enough? Because we know passwords can be hacked, right?
10:15 It happens all the time. We see password dumps being put on the dark web.
10:19 Breaches that occur all the time. Where data is stolen from various vendors and
10:24 such.
10:25 So we know attackers are out there trying to fool our authentication methods.
10:29 So bad guys out there looking to get in. So what can we do to ensure this isn't
10:33 happening?
10:34 Or at least try to minimize the chances of this happening.
10:37 Well, guess what? That's what we're going to talk about in the next nugget.
10:40 There we go. So I will see you there shortly.
10:43 I hope this has been informative for you, and I'd like to thank you for viewing.

Multi-Factor Authentication (MFA)

0:06So the question is, is one type or method

0:11of authentication enough?

0:13Well, today, probably not.

0:15And actually, I would recommend you use more than one.

0:17What do you mean more than one?

0:19More than one method of authentication.

0:21And we talked about something you know, something you are,

0:24something you have, all those things.

0:26Well, what if we use more than one of those to authenticate?

0:29Hmm, interesting, that's an interesting thought

0:32you got there, Bob.

0:33[LAUGHS] Well, we do this, and it's

0:35called MFA, or Multi-Factor Authentication.

0:39So let's jump in and talk about this.

0:41So the question we're trying to answer is here.

0:44What can we do?

0:45Well, what do you mean, what can we do?

0:47What can we do to ensure our authentication is

0:50more accurate than a single username and password?

0:55Because if we can build more accuracy into it,

0:58more depth, then we can try to prevent the bad guys

1:04from getting into our systems, because we

1:05know that they go out there and they crack passwords.

1:09So they can figure out what a password is.

1:12So if they know what your password is, and they configure

1:16your username, well, then they're

1:18able to get into your system.

1:20Well, that's not cool.

1:22Well, no, you're right.

1:23It's not.

1:24And that's why we want to use MFA,

1:28Multi-Factor Authentication.

1:30So again, we talked about the things

1:32that you have, you know, you are, you do--

1:35all those things.

1:36Well, instead just one of those things,

1:39what if we used multiple of those things?

1:43And that multiple becomes multi-factor authentication.

1:48We're using multiple factors.

1:50Oh, OK, I see where we're going with this.

1:53So something you-- let's fill this out real quick-- something

1:57you know, your password, your PINs.

2:00Something you have could be a USB key, your smartphone

2:04with an authenticator app.

2:06Something you are could be your fingerprint,

2:09like we see over here, or retinal scan, or palm scan.

2:12Then there's somewhere you are.

2:17So this is your location based on your IP addresses.

2:20And something you do could be a pattern,

2:23or a signature of your keyboard typing characteristics.

2:25We talked about those things.

2:27So again, the idea here is we want

2:28to combine these so we have multiple ways to authenticate.

2:32So it's not just one hurdle to get through for the attackers.

2:36So you have to enter your username and password.

2:40OK, got that.

2:42But we talked about just using your username and passwords,

2:44and how passwords are cracked.

2:46They're found out through data breaches.

2:49So we know this really today isn't enough.

2:52So what could we do?

2:54Well, we could include a fingerprint scan as well.

2:57Oh, OK.

2:58Because that's going to be a lot more difficult for an attacker

3:01to find your fingerprint somewhere and use it

3:04against you--

3:06or something that you have, your smartphone

3:09with your authenticator app on it.

3:12So this authenticator app.

3:15What they do is they use a rotating PIN.

3:18So this PIN number might be 348621, but every 60 seconds

3:24it rotates to a new PIN.

3:27So next, it might be 213861.

3:31Who knows?

3:32But the idea is it rotates every 60 seconds.

3:35So your PIN at that point changes every 60 seconds.

3:39So that means, in this instance, if an attacker

3:41wanted to get in, they'd need to know your username and password

3:44and have your phone.

3:45But not just have your phone.

3:47Remember, oftentimes we have to log in with a PIN

3:50into our phone, or use a pattern.

3:52So that's another one even on top of that.

3:54So this is pretty cool.

3:55Now, I do want to say these rotating PINs are sometimes

3:59known as a One-Time Password, or OTP.

4:04Just it's sometimes used interchangeably, that or a PIN

4:07in this instance.

4:09But you see it would be much more difficult for an attacker

4:12to gain access into the system if they not only had

4:15to know your username and password,

4:16but also had to be able to provide this PIN.

4:19Or you could do somewhere you are.

4:22So you can only log in from the headquarters office.

4:25Oh, OK.

4:26So that, again, makes it more difficult for the attackers.

4:29And this is all what we're trying to do.

4:30We're trying to lock down our systems.

4:32And authentication is the front door to our systems.

4:36So when we have our system, you've

4:39got to get through that door to get in.

4:41And if this door, the more hurdles we can put in,

4:43the more things that the attacker needs to provide,

4:45or anybody needs to provide to get through the door,

4:47the more secure it's going to be.

4:49But we kind of have to balance that out,

4:51because if we combine all of these

4:55to be able to get through the door,

4:57well, that's going to be a real pain for your users every time

4:59they want to go through that door.

5:01Absolutely.

5:01Every time they want to log into a computer system,

5:04they've got to have something you know, have, are,

5:06somewhere you are, something you do.

5:07That's too much.

5:09So there is too much.

5:11We can say that.

5:12So it's ideal to have, generally,

5:15like a username and password and some type of rotating PIN.

5:19Now, it's not only in an authenticator app.

5:21They also come in little fobs or keychain devices.

5:26And oftentimes they look kind of like this here.

5:29And they attach to your keychain.

5:30It's got a little LCD screen on there.

5:34And it'll have that PIN on that screen.

5:37And again, this PIN will change every 60 seconds or so.

5:41So those are another option out there for this.

5:45So when we're combining multiple methods of authentication,

5:48we increase the accuracy of our authentication.

5:53So it's more accurate.

5:54It's not just a username and password.

5:56It's an additional factor of authentication,

5:59meaning it makes it harder for those bad guys out there

6:03to get into your system, because we want to keep them out.

6:07So we can see here when we use multiple factors

6:12of authentication, it makes it harder for the bad guys

6:16to get in, and it makes it more secure.

6:18And that's why we should be using

6:20multi-factor authentication on our systems.

6:23I hope this has been informative for you.

6:25And I'd like to thank you for viewing.

Biometrics Factors

0:06Something that you are.

0:08That's what we talked about earlier.

0:09And we said it was basically about biometrics, something

0:12that you are-- your fingerprints, your retina

0:14scan, your palm scan, all of these things.

0:16And biometrics are pretty cool--

0:18stuff right out of the movies from way back, right?

0:22We started imagining how we could

0:23use this for authentication, and sure enough, it came about,

0:26and we're using it today quite often.

0:28However, there's something we need

0:30to talk about when it comes to biometrics.

0:32And that's what we're going to talk about right now.

0:34So guess what.

0:35This should be no surprise to you, but--

0:39that's right-- errors happen.

0:42And when it comes to biometrics, these

0:44are pretty darn complex systems.

0:47Let's be honest.

0:48And the more complex a system, the more likely

0:51an error is going to happen.

0:54So when we talk about this, it may be a new type of biometrics

0:58that we're working with.

1:00So if it's a new type, well, yeah, we're

1:02going to have errors with it.

1:04Ah, so this could cause us some problems

1:06with authentication, as you can imagine.

1:09So it may be that a system is having issues when

1:12it compares biometrics data.

1:16So let's say it's comparing one fingerprint

1:19with another fingerprint.

1:21Well, if it's maybe a new algorithm or something that's

1:23being used, there could be some problems here.

1:27So let's talk about these errors and actually something

1:30called error rates.

1:32And this is something you should be familiar with.

1:34So biometrics-based error rates-- there's four of them

1:37we're going to talk about here.

1:38So the first one is called the false rejection rate.

1:42And this is rejecting a legitimate user.

1:46So if I am authorized to access a system

1:50and I've been set up in the system,

1:51and I scan my fingerprint, and it

1:53tells me, [MIMICS BUZZER] wrong answer,

1:54you can't have access, well, that is a false rejection.

1:58Now, the false rejection rate is a rate--

2:02how often is this happening?

2:04And of course, the lower, the better,

2:07because we don't want to be rejecting

2:09legitimate users because they need access to the system.

2:12And next step, we're going to actually jump down.

2:15We're going to skip the crossover error rate.

2:17And we're going to go down here to false acceptance rate.

2:21And again, this is a rate.

2:23So how frequently is this happening?

2:25Now, false acceptance, as you can imagine,

2:28we're falsely accepting something.

2:31So that means we shouldn't accept it.

2:33This is permitting unauthorized users.

2:37So if someone's unauthorized to access it,

2:40and we scan their fingerprint, and we falsely

2:43accept their fingerprint and allow them in,

2:47that is a false acceptance.

2:49And the false acceptance rate, again, the lower, the better.

2:53Absolutely, we don't want to falsely accept

2:55someone's biometrics data.

2:58Now we're going to go back up.

3:00We're going to talk about here our crossover error rate.

3:04Now, this is the point at which our false rejection

3:08rate and false acceptance rate are equal.

3:11So in this instance, again, the lower, the better,

3:18because we don't want to reject legitimate users.

3:21We don't want to allow unauthorized users.

3:24We've got one more down here, and this is

3:26failure to enroll rate, or FER.

3:29And this is, basically, failure during the initial account

3:34setup.

3:36And this is because the system is

3:39unable to read or properly assess the biometrics data

3:43from the user.

3:44So that means it's having a hard time

3:47analyzing the biometrics data, which then could lead

3:50to false acceptance and false rejection, which would then

3:56make our crossover error rate rise, which is exactly not what

4:01we want to happen.

4:03So these are some things you should understand

4:06about the biometrics systems.

4:08And yes, most of them work great, absolutely.

4:11However, really why you need to understand

4:14this is because if you are working in information

4:17security, and you are in charge of deploying

4:20a new biometric system--

4:22aha-- you need to consider these factors.

4:25That's right.

4:26Because these things are going to be published

4:28as data with the systems.

4:30And you'll have to put it through its testing paces

4:33so that you can verify that these rates are

4:36acceptable to your organization.

4:39So that is our biometrics factors and things

4:41you really need to consider with the systems

4:43because they are very complex systems and specialized.

4:46I hope this has been informative for you.

4:48And I'd like to thank you for viewing.

Data Privacy

0:06When it comes to data, not all data is equal.

0:10And what I mean is we have different types of data.

0:12One of those is privacy data.

0:14This is data that is considered private

0:16and should be kept private.

0:18And that's what we're going to talk about right now.

0:21All right, we're talking about data privacy

0:23because we want to protect my data.

0:26And without a doubt, customers want

0:28you to protect their data--

0:30absolutely.

0:31And if your company, right down here,

0:33if you can't protect your customers' data and it does

0:36get breached or compromised and let out into the world,

0:39well, guess what?

0:40They may look elsewhere for services.

0:44And we don't want to lose our customers.

0:46We want to keep them happy.

0:48So we need to protect their data.

0:50And this is where data privacy comes into play.

0:53So let's talk about this.

0:55So there are privacy laws and regulations out there,

0:59and they vary based on where the data is

1:02and where the data comes from.

1:04So let's talk about a couple of these.

1:06Now, within the European Union, they

1:10have something called the GDPR.

1:13And this is the General Data Protection Regulation,

1:18and this regulates the collection of privacy data

1:22from EU citizens.

1:24So that's key here-- this is for EU citizens

1:29and is about protecting their privacy data.

1:33And it doesn't matter if your company operates in Antarctica,

1:36let's say.

1:37If the customers are in the EU and they're EU citizens,

1:40then that company has to abide by the GDPR.

1:45And, believe it or not, if they don't, they

1:47can face fines as high as 20 million euros

1:51or 4% of the company's prior year's income.

1:57Holy moly, that's a lot!

2:00That's right.

2:01EU takes data privacy very seriously, without a doubt.

2:06Now, what about in the US?

2:08Well, within the US, we have various laws and regulations.

2:14One of which is HIPAA, H-I-P-A-A,

2:18and that stands for the Health Insurance Portability

2:22and Accountability Act.

2:25And this requires strong protection

2:27of health care information.

2:29So here we're looking at health care data.

2:33So we're talking about patient records, patient information,

2:36and such.

2:37So here we're protecting health care data.

2:39And many individual states within the US

2:42have put into law their own privacy regulations and laws,

2:47so you've got to be aware of the location of your customers

2:50so that you're going to abide by these laws to avoid penalties.

2:53So again, we also have state laws.

2:57Now, not all states have a privacy law, but some do,

3:00so you kind of got to be aware of this.

3:02And the thing is data privacy rules are constantly changing.

3:06So as a security practitioner within the information security

3:10field, you've got to keep up with these changes.

3:13Now, these are just a couple of them.

3:14There's lots of various data privacy laws

3:18and regulations because countries all around the world

3:21have their own laws and regulations

3:23dealing with data privacy.

3:24So you've got to be aware of that.

3:26Just you don't have to go memorize them all,

3:29but you need to understand that data privacy is a real thing.

3:33And we need to protect our privacy data.

3:36Now, what is privacy data?

3:38That's a good question.

3:39We've talked about privacy data, but what really is it?

3:43Well, this is data associated with persons.

3:46This is your private information.

3:49So what is classified as private information?

3:53Well, there's actually a classification called PII,

3:58and that is Personally Identifiable Information.

4:03So PII is data that, when put together,

4:06you can figure out who it belongs to.

4:09So it could be if you have a full name

4:13along with some other information--

4:15it could be an address, maybe a phone number or a Social

4:20Security number or a driver's license number.

4:23All these things can be put together

4:24to figure out who certain data belongs to.

4:28So this is the whole idea of private information or privacy.

4:31You want your personal information to be kept private.

4:34It needs to be secured.

4:37Because, in the past, companies have collected

4:39all kinds of private information from people,

4:41and it wasn't successfully secured

4:45because they didn't believe it had the merit to be secured.

4:48It wasn't some type of secret sauce recipe or trade secrets.

4:53It was just Joe Bob's information

4:55and Fred's information and Sally's information.

4:57Who cares, right?

4:58Well, absolutely we care.

5:00This is our private information.

5:01It needs to be secured properly.

5:04And that's why these regulations have come about.

5:07So let's talk about some key concepts of data privacy.

5:11Now, number one is informed consent.

5:16And this is usually a signed form of sorts or click-through

5:20where you accept or consent to something within a website,

5:23and it indicates that the individual

5:25has consented to your organization collecting specified data.

5:30So here you're saying, yes, you can collect my personal data.

5:34I'm going to provide it to you.

5:35OK, so you are consenting to this.

5:38And the informed part here is that they're

5:42going to tell you how they are going to use your data.

5:48So together, those are informed consent.

5:51We also have a privacy impact assessment,

5:55and this is an assessment of an organization

5:58in how it uses private data.

5:59How is this data processed?

6:02How is it shared?

6:02How is it maintained in accordance with privacy laws

6:06and regulations?

6:07Next up is minimization, and this is the idea

6:11that organizations should only collect as much data

6:14as they need to perform the task at hand.

6:18So, oftentimes, less is more.

6:21The idea is when you are collecting private data,

6:24you don't want a bunch of excess data

6:26because, as an organization, you have to protect that data.

6:29The more you have, the more risk is associated

6:32with managing all of that data.

6:34So you only want to collect what you need.

6:36And then lastly is destruction.

6:38We need to ensure that that privacy data is

6:41secured from creation to destruction-- its entire life

6:47cycle.

6:47And we need to make sure that it is properly destroyed

6:53when it's no longer needed.

6:55So those are some key concepts-- our informed consent,

6:58our privacy impact assessment, minimization, and destruction.

7:04All right, so one more thing I want to bring up

7:08is biometrics data.

7:09We've talked about it.

7:10We've talked about the different error

7:12rates within biometric systems.

7:13But biometric data is private data.

7:17It's someone's fingerprint or retina scan or palm scan.

7:21Whatever it might be, it needs to be kept private,

7:25especially when it's used as part of a biometric system

7:28because that is part of their authentication as well.

7:32So I just wanted to bring that up

7:33as one last point when it comes to data privacy.

7:36I hope this has been informative for you,

7:37and I'd like to thank you for viewing.
