Hey, everyone, welcome back to the course. In this video, we're going to talk through some fundamental security concepts, so we'll talk about things like what cybersecurity is. We'll also talk about things like the CIA triad, defense in depth, as well as identity and access management and data loss prevention.
So what is cybersecurity? Well, this is a great definition from Dr Receive here, and basically, I'll read it to you real quick. Cybersecurity is a mission-focused and risk-optimized governance of information which maximizes confidentiality, integrity and availability, using a balanced mix of people, policy and technology while basically improving over time. Right? So what does all that mean?
Well, cybersecurity: think of it as a very holistic type of view of things,
right, that bakes into the organization's mission. So what is the company trying to accomplish? What are the critical business operations,
and what are some of the regulations, etcetera, and standards that the organization has to follow?
And how can we wrap all that into maximizing things like confidentiality, integrity, availability, which is the CIA triad?
Using these methods, which is people, basically, processes and technology, and again, keeping in mind that cybersecurity isn't "Hey, now we have cybersecurity in the company." It's always evolving over time. There's always new threats. There's always new vulnerabilities. There's always new changes to the organization, right? One day you might be selling umbrellas,
and the next minute you're selling masks, right, as we have seen during the COVID pandemic. So
there's a lot of changes over time, and so, sorry, cybersecurity itself is always evolving over time.
So we talked about the CIA triad. So what is it? What is this, actually, right? We've got confidentiality. So we always want to keep the data safe, right? So, confidential: only the right people can access that data.
So, for example, let's say that I worked as a nurse. In fact, I did work as a nurse in the past. So let's pretend I'm working in a hospital and Beyonce is a patient, right, but not a patient of mine. HIPAA states that I shouldn't actually be looking at Beyonce's chart, right? I could get in trouble. I could even get fired. Or possibly, depending on what I'm doing,
I might even get prosecuted
for criminal activity as well as hit with civil fines, because I'm not supposed to be looking at that, right? Beyonce's not my patient. I shouldn't be looking at that. Now, however, if I am the nurse for Beyonce in that situation, then I should have access to it. Right? So confidentiality is basically just making sure that the right people
have the right access and nobody else can access that data.
Integrity is just making sure that this is actually the data, right? So there was a game we played when I was younger in school. The teacher would basically whisper something in one person's ear, and then that person would whisper it to somebody else and somebody else, you know, so on and so forth, right? Whispering in someone else's ear.
So by the time it got to the last person,
in theory, it should have been the same message, right? So if the teacher said "CIA triad," it should have been the last person saying, "Hey, the message you sent is CIA triad." However,
we know how kids could be silly, right? So the teacher might have said, uh, "chocolate chip cookie" for the first person, and by the time it got to the last person, it was "purple unicorns jumping off the bridge while eating umbrella cupcakes," right, something totally random that was totally unrelated to what the teacher had originally said.
That's what we're talking about with integrity, right?
We wanna make sure that the data is actually the correct data. It's not been corrupted, has not been compromised in any way. And then, of course, availability: just being that
the right people can actually access that right data at the right time. So if we think of things like DDoS attacks, which we'll talk about later in the course, that's preventing people, or at least preventing them to some capacity, from accessing the data that they should have access to, and so that becomes an issue of availability. So it's an attack on availability.
Defense in depth. Think of this in the best light as
your house, right. So if I have a house, I might have a fence around the house to keep a burglar out.
I may also have some dogs, right, to discourage the burglar from coming. I might have a security system. Uh, I may have, like, firearms, depending on where you live.
Um, I might have door locks. Right. I should have door locks, right? Window locks. I may even have some bars on my windows. Try to keep people from breaking in if they get through all those other things. Maybe I live in a gated neighborhood. Right? So all these things are just what we call defense in depth. It's just putting layers in place to help prevent
the bad people from coming to us and discourage them. So they go someplace else, right? So in our example,
let's say we have a very nice big screen TV and we don't want anyone to steal it. So we put all those things in place. The wall, the dogs, the security alarm system. Maybe we have a security guard. We have security cameras. We have bars on our windows and doors and we have locks everywhere. And maybe we have firearms, etcetera, etcetera, right?
We have all these things. And so the adversary
jumps our fence. Then they get bit by the dog, right? And so maybe they get past the dog. At that point, they get to the window, they can't get in. They try the door. They can't get in. Maybe the security guard's outside. They tackle them. You know, you see how it is, right? There's all these different things in place. It's gonna be frustrating for them. So instead, they see the fence.
A lot of times they're just gonna go to the neighbor, right? Or especially if they hear the dogs barking, or they see a sign that says security cameras in use or security alarm in use.
They're going to go to the neighbors, where none of that stuff is, and they'll take their TV, right? So that's what we're looking for here. Now, when we talk about it in the aspect of security and a company, we're talking through things like our administrative controls, physical controls, technical controls, right? So administrative: that's our policies and procedures. What should you be doing?
Physical controls: things like making sure people scan in, or having door locks, or
locking, uh, certain areas, having things like mantraps, etcetera. Technical controls: that's our more logical stuff, right, on our network. Right? So, making sure we're hardening devices, using firewalls, SIEMs, IDS, IPS, segmenting things, using containers, etcetera, etcetera. Identity and access management.
Um, basically, all this is is making sure the right people can access the right systems, right? So going back to the example of me as a nurse for Beyonce,
just making sure that when you put someone in, for example, a nursing group, like saying that they're a nurse, that they're actually a nurse, right? So because, I mean, I'm speaking from my experience in health care, working in security. You want to identify it, in a lot of instances, by the work role, right? So role-based access control.
In that example of Beyonce,
I would make sure that all the nurses have a certain level of access. Now, technically, each nurse, like, if I wasn't Beyonce's nurse, I could access Beyonce's chart, right, because
I have access as a nurse work role.
But the hope there is that there's been measures put in place, especially with training, etcetera, that I know I shouldn't be doing that,
making sure that the right people have the right information, right. So again, making sure that I can actually access the chart of the patient that I need
and then make sure it's at the right time.
So when I worked as a nurse in healthcare,
it was pretty much I could chart any time. Which was scary for me when I moved over back into IT and into security. Because if I could chart remotely, anytime, so can an attacker, right? They could get in there and do things. And so I was always concerned over that. And that's actually one of the reasons why I went back into IT and transitioned into security,
because I had seen some of these mistakes being made. But just making sure that basically the right people,
you can access the right systems. Uh, and they get the right information from those at the right time that they need it. So some of the tools we can use for IAM: I mentioned role-based access control, right, for the nursing staff, and you could set it by that. Single sign-on. So that way, if I'm at an organization, I don't have to put in
72 passwords to access all the things I need for the day.
I could put in one password. It authenticates me across the board. A tool a lot of companies use for that is Rippling.
They use that, you could look at your pay stubs, all that stuff. You can also access all the apps you need. Multi-factor authentication, keeping in mind that you want this through, like, an authenticator app or something else, and preferably not going to your cell phone,
and then privileged access management. Again, just going back to making sure the right people can access the right stuff and making sure that we segment privileges and limit privileges for users that don't actually need it. Another issue I have seen in health care is a lot of times people just get the keys to the kingdom, and they don't actually need all that access.
Data loss prevention. So when we're talking about this, we're really just talking about protecting personally identifiable information, excuse me, and making sure that things like your Social Security number, your employee information, all this is protected. Protecting our IP, making sure nobody's stealing our intellectual property, and making sure that we have visibility over everything, right? Where's our data? What's in use?
And make sure we understand what's actually going on on our network.
So, quick quiz question here. This part of the CIA triad ensures data could be accessed when it is needed. Which one is that?
Alright. If you guessed availability, you are correct. Again, a DDoS attack is one attack against availability of data. That's just making sure the right people can access the right data at the right time.
So in this video, we just talked briefly about the CIA triad, data loss prevention, as well as things like identity and access management.
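
Added example (not part of the original video or the instructor's material): a Python sketch of the identity and access management point above, that a nurse work role alone lets any nurse open any patient's chart. It layers a care-team check and a shift-time check on top of the role check, and flags role-permitted chart reads by staff who are not on the patient's care team. All user names, patient IDs, shifts and log entries are constructed for illustration.

```python
from datetime import time

# Constructed sample data; names, patient IDs and shifts are hypothetical.
ROLES = {"alice": "nurse", "bob": "nurse", "carol": "billing"}
ROLE_PERMISSIONS = {"nurse": {"chart:read"}, "billing": {"invoice:read"}}
CARE_TEAM = {"patient-001": {"alice"}}  # who is actually treating whom
# Same-day shift windows only; overnight shifts are out of scope for this sketch.
SHIFTS = {"alice": (time(7, 0), time(19, 0)), "bob": (time(7, 0), time(19, 0))}


def rbac_only(user, permission):
    """Role-based check alone: does the user's work role grant the permission?"""
    return permission in ROLE_PERMISSIONS.get(ROLES.get(user), set())


def authorize(user, permission, patient, at):
    """Right person, right information, right time. Returns (allowed, reason)."""
    if not rbac_only(user, permission):
        return False, "role lacks permission"
    if user not in CARE_TEAM.get(patient, set()):
        return False, "not on care team"
    shift = SHIFTS.get(user)
    if shift is None or not (shift[0] <= at <= shift[1]):
        return False, "outside shift"
    return True, "ok"


def flag_snooping(access_log):
    """Audit side: reads the role allowed but no care-team relationship explains."""
    return [
        entry for entry in access_log
        if rbac_only(entry["user"], "chart:read")
        and entry["user"] not in CARE_TEAM.get(entry["patient"], set())
    ]


# Constructed access log for the audit check.
SAMPLE_LOG = [
    {"user": "alice", "patient": "patient-001", "at": time(9, 30)},
    {"user": "bob", "patient": "patient-001", "at": time(10, 15)},
]

if __name__ == "__main__":
    print(rbac_only("bob", "chart:read"))
    print(authorize("bob", "chart:read", "patient-001", time(10, 15)))
    print(authorize("alice", "chart:read", "patient-001", time(23, 0)))
    print(flag_snooping(SAMPLE_LOG))
```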