Earning the Certified Information Systems Security Professional (CISSP) Certification proves you have what it takes to effectively design, implement and manage a best-in-class cybersecurity program. The CISSP is one of the most valuable Cyber Security Certificates in the market today.
We just posted a 13-hour course on the freeCodeCamp.org YouTube channel that will prepare you to pass the CISSP exam.
Mohamed Atef created this course. Mohamed is a Cyber Security consultant and a certified instructor with 20+ years of experience in Cyber Security projects.
The course teaches you the theoretical concepts and explains the implementation of those concepts in a real business environment.
The course covers the main 8 domains that are included in the exam:
- Domain 1: Security and Risk Management.
- Domain 2: Asset Security
- Domain 3: Security Architecture and Engineering
- Domain 4: Communications and Network Security.
- Domain 5: Identity and Access Management.
- Domain 6: Security Assessment and Testing
- Domain 7: Security Operations
- Domain 8: Software Development Security
Watch the full course on the freeCodeCamp.org YouTube channel (13-hour watch).
Transcript
(autogenerated)
I work with different types of organization, government, multinational organizations such as IBM, private sectors, and law enforcement.
And I have 16 courses published online.
nine of them are bestseller courses.
And all my courses are in information security.
And as you can hack my previous CISSP training was a best seller courses for two years.
And I'm proud to say that I helped hundreds of students to clear their CISSP exam from the first step and, and get certified and joining the information security career, which has a very high demand in the market today.
So the course is not just about the skills and knowledge set you will learn.
But also it will guarantee that if you follow my plan, and use my resources, you will be able to pass the CISSP exam easily, which is a must, if you plan to get an information security job or position.
Before starting our training, allow me to give you a brief about the value of the CISSP certificate what is exactly the CISSP certificate.
If you know about that you can skip this lecture and move to the next lecture.
But if you are new to the information security, and you need to know more about the information security field, and what kind of certificate you need to hold, to be able to find a decent job in this field.
Maybe you need to listen to this lecture and the upcoming lecture.
If you plan to work in information security, or you are moving from your current career to information security career, you need to hold a professional certificate holding a professional certificate in in this field.
It's like holding a license. Think about it.
If you know how to drive a car, but you don't hold a license, you don't have a license a driving license, no one will allow you to drive his car.
While if you have a driver license.
It means that you know how to drive a vehicle and how to manage a car.
Same concept apply for information security.
If you plan to work in this field, you need to hold the license.
So holding an information security certificate, it's like having a license.
And usually when we are doing interview for candidate for information security position, if they hold a certificate like CISSP it reflect that they have a good knowledge in information security.
And sometimes we can skip some questions because just by having this certificate, it indicates that those people know about information security implementation.
So it's a very, very valuable asset to have if you plan to work in information security.
Now, it's not the only certificate in information security, we have a lot of certificate, we have the CISSP we have the system we have also certified Information Security Manager we have certified Information System auditor, we have a lot of certificates.
But what is the value of the certificate? Should I start with it or should I start with another certificate CISSP or certified Information Systems Security professional is certificate issued by IC squared.
And you can go to their website, know about the certificate and the value of this certificate and how to hold certificate versus what is the prerequisite for the certificate and so on.
But if you do a lot of research yourself about the top 10 information security certificate, you're going to find that CISSP is the first one we have other certificate but still CISSP is the most valuable certificate.
And if you do more research about the value of the CISSP certificate, you can find out that the most recognized certificate in this field is the CISSP remain one of the most widely recognized of all information security certification, and it's mentioned more frequently in job posting and classify job ads.
So you can do your homework, you can do some research.
To know which certificate you should start with And you will end up that CISSP is the most valuable one.
Now, it's not a hard certificate or it's not a technical certificate, you need to be aware of CISSP, it's more into the information security management area.
So even if you have like a weak technical background, you don't have to worry, you may spend more effort and more time, and I'll be supporting you the full way until you get certified.
But we should not consider this as a technical certificate, because CISSP is not a technical certificate, it's more into the information security management certificate.
So this is quite important to understand that even if you are just starting, it will take you a little bit more time, and it will take a little bit more effort.
But you don't have to worry about it.
Because to be able to get your certificate.
It's not about the amount of knowledge, you know, it's about thinking as management, or sinking as information security specialist.
This is not thinking as a technical people.
And actually, I know a lot of people that came from a technical background, some of them were network administrator or security administrator, they came from a pure technical background, and they failed the exam, because they depend on the on their technical knowledge, which is not the main issue here.
Okay.
And in the upcoming lectures, I'm going to give you some idea about what I'm talking about how to think, as an Information Security Manager, or information security officer and so on.
But the objective of this specific lecture is to show you the value of this certificate.
And as you can see, it's very, very valuable, and very, very recognized.
So it was it's a very good investment in your effort and your time, until you get the certificate CISSP curriculum consists of eight different domains.
And to be able to pass the exam and get certified and find a decent job, you need to not just understand the terminology and concepts related to those eight domains.
But also you need to know how we should implement them in a real environment or a real organization.
That's why I will not depend on your background.
But I will start from scratch.
And I will explain all the terminology and definitions.
But also, I'm going to show you how we are implementing them in a real life environment.
How if you get hired in a specific job? How can you do a risk assessment? The type of risk management? Or our I'm sorry, the type of risk assessment that we are following? What is asset management? What is asset security? What is a different domain in any information security management system? And how realistically out are we doing it.
So what I'm trying to say is that the objective of this training, it's not just to read the slide, or to explain a definition or the terminology, it's not like that.
It's to give you the real experience, in a sense that if you get hired tomorrow, after getting certified, you will be able to start working in this environment and start doing your task in an effective way.
So I will be sharing with you a lot of plans, document templates, showing you how we are doing it in real organization, and so on.
So the eight different domains in the CISSP curriculum would be first the security and risk management.
And the first part of this domain, it's like an introductory part where we are talking about what do we mean by security? What is the different element of an information security and so on.
And then we're gonna move to a very, very important topic, which is the risk management usually risk it's one of the initial task that we are doing in security implementation, you need to identify what risk you are facing to be able to consider what security control you need to implement.
Then we're going to talk about the asset security.
Again, the first two domain is the first step to implement an Information Security Management System.
Think about it if you are implementing security.
in your home, you need to buy some alarm system, or you need to buy some, or hire some security guards or something like that, how much you're going to decide how much you will spend on that.
on security, it depends about the asset values that you have, what do you have in your house, right, and it depends about what risk you're facing.
Those are usually two main steps you are doing to be able to decide about what kind of security you will be implementing.
Because if you don't have that much assets at your house, you should not spend 10 or $20,000.
To secure your house, it doesn't make any sense.
If you live in a place where it's a very secure area.
So the risk, it's not that high, maybe you don't need to spend that much.
So same concepts apply on business, but in a bigger scales.
So the first two domain, if you understand them very well, you will know how to start implementing Information Security from scratch, how usually you are starting this field, then we're gonna talk about security engineering, then first domain will be about communication and network security, this domain was the previous in the previous version of CISSP, and still the same.
And then we're gonna talk about identity and access management, then security assessment and testing and security operation.
And finally, software development, security.
So those are the eight different domains that we will be covering in our training.
And as I told you, it's not about the terminology.
It's not about because actually, insights exam, they are not testing the amount of knowledge or amount of information, you know, they are testing how you can utilize them for implementing Information Security Management.
So it's quite important to relate or map whatever we are explaining to real life scenarios.
This is the best way that will allow you in a very short period of time to understand the concept and pass the exam.
To think you need to know about the CISSP certificate first.
This certificate is technology neutral.
I mean, it's not explaining a specific technology.
It's talking about general terminology related security.
After all, this is not the technical certificate, as I mentioned before, second points as the CISSP keep changing.
Sometimes they change the curriculum.
And sometimes they change the exam.
And they do that every couple of years.
So it's frequently keep changing.
So one that is covered by this course is the latest one, this course is fulfilling the latest CISSP requirement.
According to IC square, the CISSP exam will change in 15 of April 2018.
So this course is for the new CISSP exam that is effective after April 15 2018 is the same curriculum, it's still eight domains, but the ways that they will be always that they are changing the exam is completely different than the previous one.
In the new exam, they have specific topics from the course that need to be covered very well to be able to pass the exam and get certified.
And in IC square, you will find a link if you click on this link, it will show you all the details about the new exam.
So this is a document from IC squared website.
I will attach this document to the lecture.
But you still can go yourself to IC squared website and download it.
And here you can find the new exam information right now.
CISSP it's more interactive exams called the cat exam.
It used to be six hour right now it's three hour and it has from 100 to 150 question and multiply choice passing rate is 70%.
Still like previous and exam language is English and where you can take the exam.
Now those are the eight domains that we will be covering inside the course.
The amount of questions related to each domain is here.
So risk management 16% of the exam, which is a high percentage as it management 1012 but still you need to give attention to all domain, you don't want to lose any question.
And this was the old exam information.
It used to be six hour tones within 50 questions, but it's not there anymore.
And it used to be 10 domain.
But right now it's a to me.
And in each domain, you will find what actually are the important topic that you need to be aware about for this domain.
So you need to understand the security governance and principle, you need to understand the compliance you need to understand the legal and regulation and so on.
So it's like highlighting the important point of each domain, which will allow you to map those points to what you are learning in this training, or in any other training.
So it's quite important that you print this document, and you keep it beside you.
And after finishing each domain, you need to understand or need to highlight the points that has been covered.
And you are comfortable with those points.
And you need also to highlight the points that was not that clear.
And you're going to have a chance to contact me directly in case you are missing any point or you need some additional resources, or you have any doubts of question about any specific point.
But after all, this would be a reference before sitting inside the exam, you should have a check sign beside each one of those points.
So this is a very, very important topic, or a very important issue to consider.
What are the requirement for the new exam that is launched after April 2,018/14 of April 2018.
To think you need to know about the CISSP certificate first.
This certificate is technology neutral.
I mean, it's not explaining a specific technology.
It's talking about general terminology related security.
After all, this is not a technical certificate, as I mentioned before, second point says the CISSP keep changing.
Sometimes they change the curriculum.
And sometimes they change the exam.
And they do that every couple of years.
So it's frequently keep changing.
So one that is covered by this course is the latest one, this course is fulfilling the latest CISSP requirement.
According to IC square, the CISSP exam will change in 15 of April 2018.
So this course is for the new CISSP exams that is effective after April 15 2018 is the same curriculum, it's still eight domains.
But the ways that they will be always that they are changing the exam.
It's completely different than the previous one.
In the new exam, they have specific topics from the course that need to be covered very well to be able to pass the exam and get certified.
And in IC square, you will find a link if you click on this link, it will show you all the details about the new exam.
So this is a document from IC squared website, I will attach this document to the lecture.
But you still can go yourself to IC squared website and download it.
And here you can find the new exam information right now.
CISSP.
It's more interactive exam.
It's called a cat exam.
It used to be six hour right now it's three hour and it has from 100 to 150 question and multiply choice passing rate is 70%.
Still like previous and exam language is English and where you can take the exam.
Now those are the eight domains that we will be covering inside the course, the amount of question related to each domain is here.
So risk management 16% of the exam, which is a high percentage as it management 1012.
But still, you need to give attention to all domain you don't want to lose any question.
And this was the old exam information.
It used to be six hour ones and 50 questions, but it's not there anymore and it used to be 10 domain but right now say to me, and in each domain you will find what actually are the important topic that you need to be aware about for this domain.
So So you need to understand the security governance and principle, you need to understand the compliance, you need to understand the legal and regulation and so on.
So it's like highlighting the important point of each domain, which will allow you to map those points to what you are learning in this training, or in any other training.
So it's quite important that you print this document, and you keep it beside you.
And after finishing each domain, you need to understand or need to highlight the points that has been covered.
And you are comfortable with those points.
And you need also to highlight the points that was not that clear.
And you're going to have a channel to contact me directly in case you are missing any point or you need some additional resources, or you have any doubts or questions about any specific point.
But after all, this would be a reference before sitting inside the exam, you should have a check sign beside each one of those points.
So this is a very, very important topic, or a very important issue to consider.
What are the requirement for the new exam that is launched after April 2,018/14 of April 2018.
The first domain of this course will be about security risk management.
And this is very important to me.
And it includes a lot of points and topics that we will be covering.
And even inside the exam, you will find a good amount of questions related to risk management because actually, the first approach to any security implementation should be from a risk management perspective.
So you need to understand what do we mean by risk management? What is risk in the first place? Can we calculate risk? Do we have risk management strategy.
So you don't have to worry because you're going to start from scratch.
And we're going to explain the risk management process, step by step with a lot of real life scenario, and a lot of document templates that will help you if you are doing a risk assessment yourself to be able to understand how it's done.
But the domain is not only covering risk management, but we're going to cover a lot of other points.
Like for instance, we're going to start with some definitions, which is quite important to this training.
So you need to understand what is risk what is threat, vulnerability, governance, compliance, those are very important terminology for anyone who is working in information security.
So we're gonna start with some definitions, what is CIA and other relevant definition? Then we're going to talk about security documentations.
Realistically, you will be involved with a lot of documentation in your work, policy procedures, guidelines, you need to understand how it's done.
From where can you get templates, what is the difference between the policy and procedures and baseline and guidelines and so on.
So it's important to know the main documentation that we are using.
And then we will talk about risk management.
This is a very, very, very important topic.
You need to understand risk from scratch, because it's it's a main core of areas of any security implementation.
Then we're going to talk about threat modeling.
Also, we'll be talking or covering business continuity planning, and I'm going to show you how it's done.
And what is the difference between business continuity and disaster recovery.
We will be covering acquisition strategy and practice personal security policies and security ordinances and trainings.
So those are some of the points that we're going to cover in this domain.
But it's not about the definitions, because it will not help you if you do just understand the concept.
It's not really what we are looking for.
I want you to relate whatever we are explaining with real life implementation.
So for instance, if we are talking about risk management, you need to understand what is risk management what is risk assessment is a different type of risk assessment, how it is done, what is the risk management strategy, can we calculate risk, so we need to start from scratch, and you need to know how it's done with real implementation, or live documentation.
That's why on the student portal, you will find a lot of templates.
So if we are talking about risk assessment, for instance, and you need to know how it's done, I will show it to you.
But also, I'm going to keep some templates on the student portal that will help you, if you are doing that realistically, or if you get hired somewhere, you will be knowing or having some documents that will guide you how to do it.
So it's important to relate whatever we are talking about with real life implementation.
In this lecture, we're going to explain some important information security terminology, those terminology will be used during this training.
And you will be used them realistically in any job or any position.
So we're going to start with the very basic definition, which is the CIA triad.
Ci, which stands for the confidentiality, integrity and availability is the definition of the security.
Let me explain it in a different way.
How can you define secure security? How can you see that your company is secure? Or let's take it on a smaller scale? If you have a laptop, or a smartphone, how can you see that this smartphone is secure? If you just assign a password on it, you will consider that secure.
Okay, maybe you have a smartphone, and you did assign a password on it.
So you can prevent unauthorized people or unauthorized access.
But what if you lost the phone, that's mean, you're lost information.
So I cannot say say saying that just by assigning a password, we will consider that security.
So security is to provide three different elements first, confidentiality, which is making sure that no authorized user can access the information.
And a good example would be a password when I'm assigning a password on my computer, or on my smartphone, or on any system, why I'm doing that, because I need to make sure that only people who got the password to be able to access the information, which reflect that only people who are authorized can access the information.
But if someone is not authorized to access the information, I will not give him password.
This is a small definition of confidentiality.
Okay, integrity, which means that I should not be manipulated or should not be changed.
So what I have a lot of critical information, they had not been hacked or stolen, but there has been modified.
So I need to prevent that I need to put some control that information should not be been modified unless it's authorized.
So I cannot have a bank account that has $1,000 and tomorrow I check it's $50 someone logged in and change the information he didn't steal the information they change it.
So providing integrity is one of the security element.
Sir is availability.
So also one of the important elements in any security is to make sure that the information is available all the time.
And if you are take if we are talking about the same example which is your smartphone, and assumes as this smartphone has a lot of important information, contacts, emails, personal picture, personal venues, and so on.
And you did secure it with a password but you lost it, you lost the information so it also didn't help you.
But if you are taking backup of the information and you lost your phone and the information, it's backed up so you can restore it on any other device.
Then you provide availability for the information.
So my point here whatever we are doing in information security should provide one of those three elements.
If you are assigning password, we are talking about access control and assigning password.
We are doing that to provide confidentiality.
If we are in Clip things information.
We are encrypting the information to provide confidentiality and integrity.
And we're going to see that while we are talking about cryptography, if you are taking backup, it's for providing availability.
And usually we are writing said in most of our security documents that we did this solution to provide the following elements, confidentiality, integrity, availability, and so on.
It may seem easy to understand, but sometimes you get some question about that.
It's kind of tricky.
Sometimes they will ask you for instant backup is for providing What is it confidentiality, is it integrity is the availability, backup has nothing.
Sorry, encryption encryption is for providing what it's for providing confidentiality and integrity, and it has nothing to do with availability, while backup, its availability solution, and so on.
So, whatever we are doing in this training should be or actually an information security in general should be to provide one of those three elements.
The second important definitions set of definitions that I would like to refer to will be the following First assets, what is an asset? Now, to be able to explain the asset, we need to, like distinguish between physical assets and information assets.
Okay.
So for instance, let's take your smartphone one more time.
your smartphone has a lot of information on it, right? This information, you know, could be very important for you may have important contacts, important email important document, the picture, and so on and so forth.
If you lose your phone, for some reason, you forget your phone somewhere or you lose it somewhere.
What do you what will be your main lost, it will be the phone price, or it will be the information on your phone.
Most probably you will be more upset about the information on your phone, because it will take you time, especially if you're not taking backup frequently.
So you need to get all those contacts again, and you need to get all those emails and all those information one more time.
Right.
So we usually have two different types of assets, we have the physical assets, things like computers, this shares and so on.
And we have the information asset, which is most cases are more important to any business or personal Zen's a physical asset.
So most of the time, the information that you have on your laptop, it's most important, then the laptop itself, or on your smartphone or on your tablet.
And the same concept, it's an even more it's on the business perspective.
So usually business the information that they have, it's more valuable and more important, then the physical assets, think about the bank in the bank, info informations that they have all the customer information and all the financial information, transaction and everything.
If is this more valuable? Zen's the physical asset of this bank, like chairs, and table and so on? I mean, for instance, if a bank lost a share, she'll get broken, or a computer get broken or crashed? It's it's some kind of damage, okay, it will cost them some money.
But what if, what if they lost the customer information? What do you think about that? Think about the banks that lost all the customer information and their balance, what will be the last the damage is the low low cases that will be against them and so on and so forth.
So usually, and because we have a specific domain about that, as an organization, you should have a list of all your assets, especially the information assets, a lot of people will have an inventory for the physical assets, they know all the computer, all the shares, all the tables, they have an inventory for them.
But many companies don't have the same list that includes information assets, which is realistically more important than physical assets.
So it's quite important to understand what we are protecting.
Because in another like way, I cannot have an assets that was million and spend a couple of 1000 of protecting them, or vice versa.
I may have assets doesn't also Much and spending 1 million to protect it.
So it's an important concept to understand.
But don't worry, we'll cover that in upcoming lectures.
So you need to understand that I need to identify what exactly I am protecting What is my assets, information assets, which is more most important and physical assets as well.
Now we're going to talk about threat vulnerability and risk.
I will not spend a lot of lectures talking about definitions because I will devise definitions on different relevant literature.
So, what is the threat? And what is the vulnerability? Okay, vulnerability is a weakness in your system.
Now, before explaining this part as well, you need to understand that we are not talking only about technical security, we are talking about technical security in this course, and physical security and administrative security.
So when I'm talking about weakness, I don't refer only to weakness into the computer system, and the servers and so on, I'm talking about any kind of weakness.
So for instance, you may have a door that doesn't have a look, it's a weakness, you maybe don't have enough firefighting equipment, it's weakness.
So you need to understand that security is a very generic concept.
And when we are talking about information security, we are talking about securing them technically, and physically and administrative security as well.
And we were going to give a lot of example while going through this course.
But again, vulnerability is a weakness in the system, while threats, it's an event that potentially may come and may do some damage.
Let me give you a small example.
Let me start with the technical example, if your computer doesn't have an antivirus, this is a vulnerability, it's a weakness.
What could go wrong, because of that, you may get infected with a virus, this is a threat.
If you don't have a firefighting equipment in your building, this is a vulnerability.
What could go wrong because of that fire may happen, this is a threat.
So this is the difference between a vulnerability and not all vulnerability will have a threat.
So for instance, I maybe don't have an alarm system in my company.
It's a vulnerability.
But I have an alarm system in the whole building.
So I have a threat because I already have a lot of meaning in a different place, but in my company I don't have.
So what I'm trying to say is that not all vulnerability, would have said, I may have an open port on my computer.
It's a vulnerability.
But I don't have any program or any service that can be hacked, because of this port.
So I don't have this right.
So usually, when we are identifying all vulnerability, we need also to identify the threats related to them.
I will not spend too much time explaining definitions because I decided to divide them on different lectures, relevant lectures.
But I will go through the important part.
So I explains assets, the threats, the vulnerability, I need to talk about risk, which is the main concept in this domain.
And a main concept in security in general, what is the risk? A lot of people think about risks that it's a technical terminology, which is not it's a business terminology.
So what do we mean by risk? Because you need to distinguish between threat and risk.
What is risk? I'll give you a small example.
Because in this domain, you're going to learn how to calculate risk.
It's important.
So I will assume that we have we don't have enough firefighting equipment in our company.
What do you consider that? Is it a threat or vulnerability? It's even an ability that I don't have enough firefighting equipment, sprinkles and so on.
Now, what if a fire happened? What do you consider the fire? It's a threat.
So what if a fire happened? And according to that there was some damage in the company that was 100,000.
What do you consider that this is the risk.
So the risk is the likelihood of a threat occurring, but most important, is the damage that will happen because of this threat.
And we're going to learn how to calculate that because actually, this is your approach to management.
If you To implement the information security management system in any company, you need to explain the management if anything went wrong, how much they will be losing? And accordingly, how much do you need to as a countermeasure, so I can see for my management, okay? If a fire happened, we're going to lose 100,000.
So I need 10,000 to buy some firefighting equipment, it makes sense, right? But if you need goes there, and you tell them, you know, we need 200,000 to secure against fire, no one will, will will obey No, I will understand that you need to have figured so the risk is the amount of loss that the company will lose in case of any threat, or cure.
We also have a terminology control, which is the countermeasure.
If I install an antivirus to mitigate risk, again, we're going to explain all those definition in the risk management part.
What do we consider that control, I'm putting an antivirus, if I'm assigning a password, it's a control.
If we are like getting firefighting equipment, it's a control.
So is the countermeasure that we are using to mitigate the risk or try to reduce the risk? Okay.
social engineering is weakness into human play people.
And we're going to explain this part by the end of this domain.
So social engineering engineering is a type of attacks that target people try to compromise system from.
So it's a type of attack sometimes, you know, someone is calling an employee and company and ask them for like some informations or credential.
It's an attack that target people, it's not targeting technology, or physical security, and so on.
And finally, defense in depth, which reflects that you should have different layer in security, I should not depend on only one layer.
So only having a password on my smartphone and consider that security, or having a password on the company.
laptop, and this is his best security I can implement.
But if I'm have I have a password on my computer, and it's inside a room that has a lock, or an access control outside, and I'm also taking backup in case anything crash.
So you should have different layers.
So if one failed, you can use the other one.
So those are some of the definitions that I need you to be aware of.
While we are starting our training, and to understand the different terminologies that we are going to use.
We still in the introductory part.
And let me ask you this question.
Why are we implementing information security in any organization? Why we are buying equipment and hiring resources? and spending money to secure the information in any organization? Yes, I agree that it's because the information is a real asset of any business.
But what I'm trying to say is it an option, can any organization today decide not to implement information security and the lose whatever threat it's not information security in any business.
Today, it's more as a mandatory, it's not an option.
And there is a lot of regulation and compliance and governance that enforce the implementation of information security in any business.
So for instance, if you are holding credit card information from your customer, you need to follow the PCI DSS which we're gonna talk about it's, it's a standards that you need to follow if you are working in health industry, or health business, hospital or a clinic or something like that, you are following HIPAA law and so on and so forth.
So what I'm trying to say that the first approach to the implementation of information security, it's to understand which standard or which compliance or regulation you are following as a business.
And if you get an interview in like, hospital, for instance, as an information security officer or whatever the title is, you need to know About the HIPAA law, what is needed to be implemented to follow their great because it's not an option.
And if you do not comply with the regulation, there is some legal consequences for that.
If you get hired, or you have an interview in a bank, as an information security specialist, you need to know what rules I'm sorry, workflow and regulation and compliance, they are following.
So implementation of information security, it's not an option.
And this is why is there is a lot of like needs for professional Information Security right now, to implement and to comply with the law, as arise, there will be a lot of consequences, legal consequences for that.
So implementing information security, it's not an option, and it should align with the business, it should not be holding the business down.
And this is also quite important.
Some people think about security is that you go somewhere and you just block everything, you do not allow USB on your computer, you do not allow people to connect to the internet, you do not allow people to download anything, you do not allow people to go to like different places inside the company.
And you know, these things, this is security.
But it's not, you need to balance between the efficiency of the business.
And between the security.
Beside as we just spoke, that information security is should be aligning with business strategy and objective, and law and regulation as well.
So for instance, if you are working in a hospital, and you fail to implement the requirements for a specific framework, it may end up with a big fine on this organization, and maybe some jail times for the CEO or for the senior management.
So you need to align with that you need to implement the information security to secure the customer information.
And most important, secure all kinds of information, not just the customer information, but all the business information, and most important to comply with the law as well.
So keep that in your mind.
That business should align, I'm sorry, security, information security should align with the business strategy.
And it should follow the law and regulation and standard risks need to be mitigated which we're going to cover very well in this domain.
Resource Management, you need to measure the performance by evaluating and monitoring and reporting information security, governance, so it's not just implementing, but you need to know how effective is it.
And this will involve things like Incident Management and log management, and we will cover those topics.
But as an overview about the importance of information security, implementation, and how important is it to follow the compliance regulation, and even certificate like ISO 27,000.
In the previous lecture, we spoke about the importance of information security implementation.
And we clarified that this is a requirement, sometimes legal requirement or compliance requirement or standard requirement.
But after all, its requirement.
Now I would like to focus about two different terminology is that you should expect the question about them inside the exam, because it's quite important due diligence and due care.
What do we mean by that? And instead of reading the definition, let me give you a small example.
And let me know what you think about it assumes that you get hired in a bank as an information security officer, in a sense that you you will be someone who are responsible for securing the information of this bank, customer information, transaction information and so on.
And assumes that this bank has been compromised has been hacked, and some financial information like credit card, customer credit card information has been stolen.
Now, whose responsibilities? Is it your responsibility? Definitely, it's yours because you were hired to secure those information, right? So it's your responsibility.
And it's not just like, a regular responsibility is a legal responsibility.
So what will happen in this case, if the bank get hacked and some information gets stolen or lost? Most probably you will be taken to the court.
Now when you go to the court They will ask you two different questions.
The first question will be, are you aware of those vulnerability and those weakness in your system, you will aware that there is a lot of weakness inside your system, technical and physical and so on.
Okay, so if your answer was yes, I was aware, because I used to do a risk assessment, I used to do vulnerability assessment penetration testing.
So I used to check the weakness in our system system.
And I was aware that the rose weakness that may lead to compromise ation, this is called due diligence that you did your research, you were aware about your setting your infrastructure, your equipment, your software, and what is their weakness? The second question from the court will be, what did you do to secure those weakness? Did you follow the standard? Did you request like some additional resources? Did you update the software, and so on and so forth.
So this is called you care that you were following the standards, the best practice the compliance to mitigate those risks to fix those vulnerability.
This is called you care.
So what if you answer yes, I requested some equipment, I requested some resources to the management, because I knew that those verbal cues, risky, but management said we don't have a budget this year.
Now whose responsibility it became right now it became management responsibility.
So the point here is the due diligence and due care concept said, when you get hired somewhere, you need first to be aware of the weakness and vulnerabilities that they have.
And we can do that usually by checking or doing Governability assessment, doing the risk assessment, which we're going to do in this domain, doing a penetration testing, following the standards, these are some standards that we're going to talk about in future lectures that you can follow just to be sure of awareness.
And I'm sorry, to be sure of the weakness and vulnerability.
But this is not enough, you need also to take action to secure them.
This is called Did you care and liability here mean who's responsible for securing the business information and securing the business assets, because the role and responsibilities should be quite important.
If you have a policy and procedures in your organization, and you all your your employee are aware of that and they break this policy, it becomes every legal responsibility.
But if you don't have a policy and procedures and some employee did something wrong, he do not hold any responsibility, it's your responsibility, that you didn't have a policy and procedures.
And even if you have an employee is not aware of it's useless.
That's why we need to do awareness for people telling them this is according to the company policy, it's not right or result should not be done.
And after that they can take responsibility for from their action.
And a small example for the liability part assumes that you have a possible policy and we're going to talk about the policy and the major policy in your company saying that policy should not be shared.
If you have an sorry password, you have a password policy and the password policy is saying that password should not be shared.
So, each employee knows that if you have a password to his account, he should not share it with the colleague, his colleague, okay.
And maybe this makes sense, but realistically what I saw in many companies that sometimes someone take a day off, so he will give a policy to his colleague, so he can follow up with past daily tasks that you need to do okay.
If there is a policy saying that and you find out that one of the employee give gave a password to his colleague, and for some reason the password get lost or someone logged in with this password and did something wrong, okay.
He will take responsibility for that because he knew that there is a policy in the company and you as an information security specialist or officer, you did some awareness about the major policy in your organization.
So he will take responsibility for them.
But if you don't have such policy and the same scenario happened, what you can do about it, you will take the responsibility for not having a policy so those terminology, you delegate and you care and liability is quite important, because after all, you will be involved in some legal requirement.
So we need to be aware of that you need to be aware of the legal requirement for any system.
Let me end up this lecture is another example.
If your company or your bank most probably has severe and scam, where you are capturing video, and or recording video and keep them for a while in your organization, how long it should be kept? Low surveillance can because it's one of your responsibility, how long it should be kept? Should it be kept one months? Should it be kept two months? Should What do you think? whatever number you're going to answer with is wrong.
Because you need to know according to the law and regulation to your country, how long did you begin? So I'm working in some places where they have to keep all the logs or let's say the recordings valence recording for 90 days, if you as an information security officer are not aware of that, and he decided to kept them for only 30 days to save storage on your servers.
And some incident happened.
Like someone breaking or any incident happened and law enforcement came to you and told you me Show me the video recording from two months.
And you said I don't have that I only keeps up for one month.
This is a big problem for you.
Okay, illegal problem.
It's something.
So you need to be aware of the legal requirements, the compliance standards deniability, because you don't want to get into legal problem in your position.
Information Security positions are getting paid very well.
But they also have a big legal responsibility, you need to be aware of them.
I know we didn't cover that much yet.
But let's take a question related to the introductory part, just to give you an idea, or to relate the topic or the points that we covered so far, with real exam questions.
So the question is, which factor is the most important item? When it comes to ensuring security is successful in an organization? Is it senior management support? Is it effective control and implementation methods? And is it updated, and relevant security policy and procedures? Is it security awareness by employees, actually, all of them are important to implement security in any organization, but which one is the most important one? Now, think about it.
If you get hired somewhere to work as an information security professional officer or specialist or consulting, whatever the title is, and you need to implement information security, and as we agreed information security is yours is not just technical security.
It's to implement technical security, to implement physical security, to implement administrative security, and so on and so forth.
Right? To be able to do that, you need two people, you need the employee of this company to support you, in a way or another.
Giving you the requested information explained to us the business function to be able to decide about what controls you need to have and so on.
If you do not have management support for that, no one will cooperate with you.
But if you have a senior management support at the beginning, in a sense that management sent an email for all the people in a company or I'm sorry, all the employees in this company telling them that we are implementing an Information Security Management System and you need to cooperate with this specific person.
Otherwise, no one would give you support.
So the right answer for that would be senior management.
So it should start if you get hired at any organization, it should start is that you need to sit with management and tell them that you need to have management support.
Otherwise, you will not be able to implement anything.
No one will cooperate with you not because they want to do it this way.
But unless they have a management sub requirement or it's I'm sorry, unless it's a management requirement.
You know, they will not consider that as a high priority.
So It's a very important point that security without management support is useless.
In previous lectures, we spoke about the concept and definitions related to information security.
So, from where should I start? If you get hired somewhere, or you got this question, in any interview, how to start the information security implementation? Should I start requesting hardware and software and requesting document and requesting? Should I start working right away? If I get hired in a bank or in any organization, I should start by checking the compliance.
Because as we agreed that the implementation of information security today, it's a legal requirement.
So I need to know what compliance do I follow.
If you are a bank, you are following specific laws and regulation.
While if you are a hospital or clinic, you are following us of law and regulation.
While if you are a small grocery store, there is as of law and regulation as well.
So we need to understand what is the legal requirement when it comes to information security.
So it's not by buying the latest and greatest equipment and hire the most sophisticated expert in the field.
It's not like that, it understand what is needed, according to the law and regulation.
And this is a compliance.
So this is from where she should start.
And you you will find a lot of like similarity between different compliance.
So most of them will request you to do a risk assessment, for instance, you need to identify the risks that you are facing, to be able to select or to be able to get the right countermeasure for them.
Most of them will request to have like a annual penetration testing, and vulnerability assessment, and so on and so forth.
So it's not that hard.
But the thing is, you need to start from there.
Because you're going to build your policy and procedures and whatever is coming, according to that.
And I believe I already give you an example in a previous lecture, for instance, the surveillance cam, is a surveillance video recording, how long should you keep it? Okay, this is critical because if you are not aware, this will not be like a an excuse, that I didn't know that I should keep it for 30 for 30 days, or for 90 days or so on, it will be a legal problem.
We don't have something called I didn't knew about that.
You need to read the compliance, you need to sit with the legal department and ask them which compliance and regulation and law we are following.
So you should start from this point, because there is some critical point that you cannot ignore.
So compliance is quite important in our business.
And as I was saying, you should start by sitting with the legal department and ask them what is the regulation and compliance that you are following.
And you need to understand those flow very well.
And consider them in your information security implementation.
Identify the safe harbors that could help 's organization avoid penalties.
You didn't know that you need to keep those recording video recording for 90 days, you will hold some legal consequences ends organization, it may end up with fines, it may end up with some jail times in some low end regulation.
So it's not easy.
It's a critical.
So for instance, if you are following HIPAA law, which is regulation, and it's a compliance for holding the patient information in any hands, business, so you are hospital, you are working in hospital, and you didn't implement the right control to secure the patient information.
And for some reason it gets leaked or compromised or even lost.
I think it's a very big fine on the hospital.
I think it's 200 million or something like that.
So it's not an easy punishment.
It's a hard one.
So it's very important to start from this point.
And I suggest as an assignment that you can do because I don't want to just to depend on those videos and the resources and the books that I will provide you, but I need you to do some research yourself.
So, I want you to check for instance some information about HIPAA law or some information about some standard regarding, for instance, holding a credit card information, if you are taking credit card information, you are accepting payment by credit card and you are securing the savings.
Do you have some standards that you can follow? Do you have some regulations that you can follow? expect that this is like an interview questions.
And let me know is there any standard related to credit to holding credit card information? I will keep that as an assignment.
And feel free to drop me an email with your answer.
And I will let you know what I think about it.
Another point that I would like to raise here and this is become very, very common right now, which is a privacy issue.
Okay.
The personal informations that you are keeping in your organization? Do you have any, like cry using them.
And I believe, you know, those there you are following this Facebook case.
And this session that happened in Congress regarding the leakage of some personal information.
This is an exact privacy issues that we are talking about.
And people who are working in security in Facebook, if they find out that they didn't get those personal information, safe, and they didn't, because the say the point here is that say we're sending those information to other vendors.
So they take permission from the owner of source information that say we'll give it to vendors or as a business and so on.
So here we have a very important terminology is called personally identifiable information, PII, you will find this terminology in different places.
Okay, which is what are you doing with the personal information? Who are getting access to the information? Do you have the right to exchange those information or sell this information to other marketing entity or something like that? This is quite important.
So holding personal information is a big responsibility.
And you need to make sure that you are following whatever law and regulation regarding personal information, personal information could be something like your name, social security number, your address, your phone number, your email also says consider personal information.
Finally, I would like just to refer to some us information privacy law, I want you to have a look about them, you know, some information related to privacy, we are not actually it's not a legal course, you just need to have an idea about it.
Most probably you may get one question.
So these examples are not, because as you may know, those flow are only applicable in us.
And we have a lot of international students.
So in the exam itself, you don't find that much of question related to a specific US law.
Because most of the information law are related in Europe and US.
But still getting a brief about zero, with the name of it will not hurt you, at least you will know that there is a law related to health industrial or where there is an old lady to privacy and so on and so forth.
before resuming in our domain, I would like to refer to a very important document that you need to have while preparing for your exam, which is a sunflower document.
When you enroll in this course at the beginning, you receive a lot of material and resources, books and PDFs and presentation and so on, which goes through the different topic and terminology and explaining everything related to the curriculum.
But there is a document that you need to have which summarize everything inside the CISSP which is a CISSP sunflower document, the sunflower document, it's the documents that summarize all the definition inside this course and even point to some of the important point and The like tricks inside the exam.
So it's a summarization document when you finish the course.
And actually, while you are studying the course, whenever you finish one domain or another, you need to go through the related terminology in the CISSP document.
And there is two different versions, the first version was 1.1, under the name of the CISSP summary, and the second version was version two, under the name of the sunflower CISSP, cram study.
So let me show you how to document look like and then let me give you my recommendation about which one you need to study.
So the document consists of 25 page, and it's divided by domain.
As you can see, we have domain one in different color, where all the concept and definition about domain one is explained here.
And even sometimes, you will find that they are pointing to some important terminology by putting some underline or in capital letter, or something like that.
So you know, domain to domain three.
So sometimes, as you can see, here, they are writing a definition about hosted based ideas, and they are putting that it's getting the event from the lock system, for instance.
And they put that in capital letter, which reflects the importance of this piece of information.
And actually, I saw a question, what is they're asking you from where they are getting the host based IDs from where he's getting the event.
So you will find this kind of, of pointing to the important point.
And as you can see, each domain has different color.
And what I usually suggest that you should print it on an EC paper.
And literally, you need to memorize all this document before sitting inside the exam.
Because as you may notice, CISSP it's filled of definitions.
So it's covering too many topics.
Okay, but just a brief about each topic.
And this is a concept related to the CISSP.
It's one mile wide, and one inch deep.
So we are covering a lot of topics, but just a small definition about each one of them.
So you need to have all those definitions related somewhere or written somewhere, because actually, some of the question Unless, you know, I mean, not all the questions are scenario based.
But we have a good amount of question which is actually description or right definition about something.
So they may ask you about the speed of light.
So you should know that the T one is 1.5 megahertz.
So all the definitions are combined in this document.
And it's very, very important that whenever you finish any domain to go to the relevant domain in the sunflower good through old terminal terminology, and highlighted the points that you are not aware of, or it's new to.
And after a while, you will find yourself memorizing most of the content of this document, this is a very, very critical document that you need to study to pass the exam.
Now let's get back Why we are using two different versions, we have 1.1, which I just show you.
And we have version two 1.1 with the previous CISSP edition, which was 10 domain.
So you will find the structure of the 10 domain, while version two is a new version, which is the eighth domain.
Now is the point in the point is why I should not use only version two.
Since this is a new one, actually, I still find the version 1.5 1.1.
more effective, maybe it will take some it will take you some effort to find out the terminology in the old same old structure of 10 domain.
But I can see that this one was really well made in the sense that whatever they are writing, it's very, very applicable to the exam.
So I still trust this one's a new one.
I don't know why.
So I recommend that you study from version 1.1, even if it's not going through the same structure as the domain.
Or if you are comfortable with version two is fine.
You can study for it, but compare between them.
Just take the first domain and see how it's covered in 1.1 and how it's covered in version two.
If you are more comfortable with version two is fine.
But keep it in your mind just to go through especially important points once that is underlined or bold or something like that.
Keep that in your mind because I believe it's very, very effective document so As the beginning, please keep that on your desktop.
You don't have to wait until you finish the courses and study, starting studies sunflower, now you should work parent parallely.
So whenever you finish domain, please go through the equivalent domain in sunflower and start, start reading all the point and clarification.
And as you can see, it's quite summarizing.
So it will not take us that much of effort.
And take notes highlights the important points by but literally before sitting to the exam, make sure that you went through all the domains from here, and you are not missing any terminology or any definition.
In this lecture, we're going to talk about ethics and the purpose of encouraging ethics in any organization.
Now, we all know that ethics cannot be enforced, you cannot enforce someone to have good ethics.
But you can encourage good ethics in any organization.
And right now, a lot of organization, when you get hired, they will give you their code of ethics.
And you need to read it and sign on it.
So it's kind of theoretical topic, except you may expect the question about that inside the exam, especially related to the well known code of ethics.
So icy squares, they have their own code of ethics, you need to be aware of the internet, they have the code is their own code of ethics, which we're going to talk about it.
So we'll go briefly about the coso code of ethics, because a lot of those points make a lot of sense.
And then I'm going to show you how you can find them.
How should you expect the question about that inside the exam.
So obviously, any organization need to enhance or need to encourage the good, good ethics in their organization, and moral values and so on.
And as I just tell you that, right now, some organization, when you get hired, they will give you a code of ethics to read.
And it makes a lot of sense, like you should act responsibly, you should do you should not do anything illegal, you should be working like this kind of sense.
I'm going to show you a few of templates related to that.
But in general, it's not about the policy and procedures only because the thing is, in the upcoming lecture, we're going to talk about any organization, when it comes to information security, one of the main task, or one of them main things that they should have a folder that have all the policy and procedures, and user need to be aware of those policy and procedures, because if they break any policy or procedures, you have the right to take an action against them legal or regular action.
But ethics is different story, you know, it cannot be enforced, but you can encourage them.
So how exactly it's working, how can you encourage good ethics in your organization? So organization always document is expecting ethical behavior, a and they share that with their employee.
This could be a sex that is related to legal or law or not, in the sense that maybe someone can misbehave, but it's not illegal issue.
So is it acceptable? So if someone for instance, like took some information, he didn't sell them to any competitor or do anything illegal, but he just raised them in a way or did something like that? Do you accept that in your organization? So you cannot take legal action against him because he didn't do anything wrong.
But still, it's unethical.
So this is what we are trying to say is that you need to encourage the ethical behavior, not just to prevent legal action, but also for people to act responsibly.
So how it's done, it's usually done by code of ethics.
And I will encourage you to go online and search for, like, some of the well known code of ethics and read what is Insider.
And as I told you, you know, you will not be surprised, because a lot of those points make a lot of sense.
So what we're going to do is that we will share with you two of the main code of ethics.
And if you get a question inside the exam about code of ethics, most probably it will come from set, I'm going to show you a questions once we finish spar related to codify sex.
So as you can see, there is a lot of code of ethics, where you know, related to is HIPAA Sox.
So if you do some more research online, you will find a lot of them.
Let us know, let's move to the first one.
And actually, I saw a couple of questions related to this specific one.
A lot of people do not know that there is something called the IAB or internet architecture Board of Essex, where, in brief, they are saying, if you are using the internet, you need to prevent those kinds of action.
Now a lot of people are using the internet, you're not aware of that.
So for instance, you should not try to unauthorized access to any of the internet resources, you should not to disturb any internet user, we should not wasting resources, such as people capacity.
You should not modify the integrity of the computer based information.
So you should not also compromise privacy of people.
A lot of point, which is quite obvious, right? I remember the question who came in size exam was asking if you spread? I don't recall the exact like sentence.
But the idea was, if you spread the virus on the internet, is this against the internet architecture Board of Essex? And if you take the questions, straightforward, spreading the virus on the internet, it seemed wrong.
But it's not in the internet architecture, architecture Board of ethics.
So that's why you do not just count that you will use the common sense to answer the question.
No, but sometimes it would be kind of tricky questions, as you can see.
So this one, I will strongly like, focus on it.
And you will see that this is one of the code of ethics is a sunflower document.
So please write those down.
You know, and you don't have to write them down, actually just read them and memorize them.
Because if you got the question size, it most probably it will be about that, because a lot of people do not know that there is an internet architecture Board of ethics.
The second one, which is IC square code of ethics, and still is the same concepts that you should be acting responsibility, you should behave as a good conductor, you should not like share any information that affects the business, this kind of information, actually do not break any law, or legal issue, and so on and so forth.
Now, this could have xx, you're gonna need to sign it, and send it to IC square once you pass the exam to be able to get certificate.
So once you pass the exam, to get the certificate, you need to download the IC square code of ethics from their website and sign it and send it back to them.
And I have to tell you there are quite serious about that.
If you break any law, if someone like report you to ice squares that you didn't follow the good good sex in any way.
They will suspend your certificate, I knew a few cases where it really happened.
So it's not just a piece of documents that you sign.
And that's it.
No, actually they are taking that quite seriously.
And you should know that working as an information security officer or any related position.
It's a big responsibility.
So those are the measures, code of ethics that I wanted to share with you.
And I want to tell you that it's not just a theoretical part.
Also, you may face a question about size and size exam.
Besides realistically, the last few years, I can see that they are really raising concern in any organization or business to encourage the good ethics in their business.
Let me share with you an exam question related to code of ethics.
So the question was about the basic ends internet, RFC 1087 state which of the following? Now, if you remember, in the previous lecture, we spoke about the internet architecture Board of ethics.
So is it saying the internet is a privilege and should be treated that way, or internet components includes the broadband media, and the local user components, or software viruses, and internet viruses should be treated differently, or internet professional, are subject to same sex responsibility as any of us our industry.
Now, I'm, I know that a lot of people will not be able to memorize all those kinds of codes and all the definitions in this course, some of them you have to actually, but some of them, it's it's not easy to memorize all all code of ethics and this kind of statement.
So let's remove the things that doesn't make any sense.
Definitely, number two, which is internet component includes a broadband major and the local user components, it doesn't seem related to the code of ethics, right? So number two should not be like should not should not be there.
Number four, also, it's really weird internet professionals are subject to the same ethical responsibility as any other industry.
It's really general.
So if we exclude two and four, we're going to have one and three remaining.
Now, many people selected number three right away, that software virus and internet virus should be treated differently.
But actually, is the right statement, if you went back to the previous lecture is the right statement whose internet is a privilege as and should be treated this way.
This was the first code of state first statement in the internet architecture Board of ethics.
That's why I'm telling you that when it comes to the code of ethics, you have just two, you need to get an idea about the measures one, which is the internet architecture Board of ethics, because a lot of people do not aware of it.
And the IC square code of ethics, my expectations, as they will not ask about the internet, the IC squared code of ethics, because this is something that you're going to need to sign after finishing the exam.
But if you're going to ask about anything related to the ethics, it will be the internet architecture Board of ethics.
all previous lectures was more into the introductory part, talking about what is the element of security, talking about the ethics, talking about the definition of threats and risk and vulnerability and so on.
But starting from this lecture, we're going to go into the real implementation of information security of any organization.
And he started from here, I would like you to start taking notes into what we're going to talk about, because the point that we will be covering starting from now, it's very important for the implementation of information security in any organization, it's very important to pass the exam, it's very important for you, if you sit for an interview, and we're going to start with security documentation.
A big part of your job will be to prepare a lot of security documentation.
And in security, everything needs to be documented.
It's not enough to say that I know about it, it needs to be documented.
So for instance, if you have a business continuity plan in which we're going to cover in a different subject, it's not just to be aware of the plan, but it needs to be documented step by step in case of any disaster or any incident.
What should be done.
If you have a policy related to how are you get rid of information if you are working in government or military, they have the specific way destroying information is it written? If you have a policy related to for instance, creating an email if a new employee join your company? How we should request for an email Is there any policy showing? What is the step for creating an email? Or what is the requirement for creating an email.
So everything in security needs to be documented.
This is one point.
Second point, people need to be aware of set.
So if I join a company, as a regular employee, I need to know that this company has their own information security policy, I and I should be aware of that.
And we're going to cover that in some upcoming lectures that awareness need to be there to tell your employees that guys, we have information security policy, and it's located in this specific directory or this specific website.
Because if they are not aware of the policy, and they break the security for any reason, intentionally or unintentionally, you will not be able to do anything about it.
But if you informs me that there is a policy and in case they broke the policy for any reason, now we can take action against them, considering that most of the major incidents that happens the last 10 years with because of people you to people not due to technology.
So all of the major compromised ation of organization like different company, RSA, Aramco, Saudi Arabia and different kinds of compromised nations that happened to company and led to a loss of millions of dollars was because of people.
So that's why this specific part of the course is quite important.
Talking about security documentation and specific documentation that I would like to refer to but as a as a beginning, need to understand that a big portion of your job is to prepare a lot of security documentation.
And if you are following any framework, like ISO 27,001, or HIPAA, or PCI DSS, all of them request 's organization to have a security policy and procedures.
And if you have a any audit, if you receive any audit coming to your company, one of the main questions that they're going to ask you do you have a security policy and procedures and they're going to check it? And then they can ask people do you know that your company have a security policy and procedures.
So I just want you to give some attention to this lecture and do some research about it.
Now we're going to talk about what are the main security documents that should be inside your organization and your role will be to creating them if they are not them from the beginning, but also reviewing them annually and modifying some if any modification is needed.
So, what are the main security document first the policy you should have a policy for every process and everything related to information in your organization.
For instance, you have different system in your organization and you are giving people password.
So they can access the system according to their like job description and their functionality.
Do you have a policy Do you have a policy related to the password your organization password, for instance, the policy should say that support should be complex.
So password should be changed every 90 days or whatever duration.
So password should not be shared as a password should not be easy to figure out and people should be aware of that.
So, if any problem happened, because someone shares his password over the internet or to someone or something like that, he cannot say I didn't know that, that there is a password policy.
So, this is a very small example is that you should have a password policy written include everything that should be inside the password.
If you are exchanging information, you have different departments in your organization or you are dealing with customer and you are giving this customer information pricelist offers and so on and so forth.
Do you have a policy regarding information exchange? Maybe some of us who publish information are critical.
How are you dealing with critical information if you are an entity like government or military and you are destroying information from time to time, you have a policy regarding information destruction, that like documents should be for instance destroyed using a shredder.
You should not just write or throw them in any recycle or in any plate.
No It should be cut by shredder so it cannot be reassemble one more time because As you know, one of the attack is to check in any company garbage or something for any critical information.
Okay? What if you as an organization, all your critical and sensitive information are on the computers.
So what are you doing if you plan to change the laptop and the computer that you are using, okay, are you just going to format the hard drive and that's it, you know that even if you format your hard drive six times and rewrite on it, you can retrieve whatever was in this computer.
So, there should be a policy related to exchange in the computer, whenever we are changing the computer, we have a policy to make sure that no information is that route or was originally on this computer has been can be recovered.
So the policy, it's a very, very important document and actually you should have a policy about anything related to the information.
So we are talking about information exchanging we are talking about information this.
This drawing we are talking about password we are talking about, for instance, encryption, if you are using encryption to secure the information to have a policy regarding that, and so on and so forth, I will show you a very good source from where you can get a lot of policy, because it's such an easy document to write by the way, okay.
So it's better to start to something like templates or a good resources from where you can get some policies, I'm going to explain the difference between a policy and procedures and guidelines and so on.
Now, before showing us is the source from where you can get policy, you need to understand that policy as a definition is a high level statement of management.
And it just contains the purpose and scope and compliance mapping in the sense that the policy will not include how to do it.
So for instance, if you have a password policy should say that policy needs to be completely complex.
And it needs to be changed every 90 days.
But it will not say how to go into the system or into your computer and change it to a complex password, it will not say how to step by step how to assign a or how to make to enforce the password to be changed every 90 days, it will not explain how to do it.
But it will just mention the policy what it's saying and most important, mapping wizard compliance.
So it will say we should have a strong password.
Because ISO 27,001.
In this specific section, this specific control is requesting and PCI DCs in this specific section and this specific control is requesting them and so on and so forth.
So you should match the policy with the requirement.
So because if you got any audit, they will check the compliance and saying Okay, show me the control related to that.
So you can show them that you have a policy that is saying 12345.
So it should be mapping, or met with compliance or a framework.
Before moving and explaining the different kinds of other security document let me show you some of the policy of some of the resources or website from where you can get policy as a template and you can use them in your company.
A very good resources for that will be sense.
website sense, they have their own website says it's a very huge security organization.
And if you go to their website and go to resources, and you go to CES Security Policy Project, you will find they have a lot of templates that you can use.
So for instance, you have general policy, or you can click on it.
And you can see we have acceptable encryption policy we have, for instance, clean desk policies that all employees should have a clean desktop.
You should not leave sensitive document on your desk, you should not leave sensitive information.
Maybe it gets stolen or lost.
It's a policy.
Okay, not all policy are technical, as we're going to explain in a few minutes.
We have for instance, the data recovery policy, we have digital signature policy, you can download whatever you need to download according to the business and the process you have.
One policy is quite important.
The email policy.
People are using the company email they don't know what is regulation.
When it comes to using the company email that you should not use this email or you should only use it for business purpose.
You should not use this email for anything offensive to your employees.
You should not use it for threatening people just kind of thing.
And again, it's not enough to have a policy, but people need to be aware that there is a policy, because if the brakes policies, then you have the right to take legal action.
So those are like possible polls in the general polls.
Okay.
Going back, you will find other kinds of policy, for instance, you're going to find the network policy, you're going to find that so it's a very good source from where you can download templates that you can use application policy and so on and so forth.
Okay.
Now, before moving to the other kind of document, you need to understand that we have two different kinds of policy.
One is user policy and non user policy, you can categorize them.
So things that is related to the user, like for instance, password, somehow, user need to be aware that what needs to be followed when it comes to passwords, especially think about changing passwords, do not write the password on a piece of paper and or sticky note and put it on your screen.
This is user password, email policy, this is user password, user need to know it when it comes to using the company email, is there any restriction okay.
But some other policy will be technical policy, like network policy, encryption policy user has nothing to do that.
Okay, software development policy, and so on and so forth.
So, to summarize, that, one of the first step in information security implementation, that the company should have an information security policy related to whatever assets they have, the assets is mainly information.
So how they are dealing with information, how they are dealing with exchanging the information, deleting the information, using the email using the password.
As the beginning, this is quite important.
And it's a main requirement for any compliance or framework.
how it's working, usually, we are writing those policy and putting them in a shared folder and allowing or notifying user that guys kindly Be aware that if you are using any of the company assets, because email is considered a company assets information is considered as a company assets is a list of customers and suppliers, consultants, information assets and so on.
If you are using any services or you are using any company assets, there is a policy that controls it.
And this policy is located exists in this specific shared folder, or on the company portal or website by doing that, and thinking about the legal issue and the liability.
Now, you are saying to the employees that if you are not aware of the policy, this will not be as an excuse if you did anything wrong, because you are not aware of the policy.
So getting the policy is important, but also as informing using say, is this same importance, that user need to be aware of the policy.
Last point before moving to the next lecture is that policy need to be reviewed once per year.
So it's not enough to have a policy, but it needs to be reviewed once per year, and you need to write on the document control as you're gonna see later on, that it has been reviewed this year by this specific gentleman and so on.
In the previous lecture, we spoke about the security document, and especially the policy, what is the policy, and why it's important to have a policy and why it's important for user to know about the company policy and so on and so forth.
In this lecture, we're going to talk about the different document because it's not only the security policy that you need to have, but also you need to have standard procedures, guidelines and so on.
So you need to distinguish between them.
And most probably, you're going to get one or two questions about that inside the exam because security document is quite important in any organization.
And as I just mentioned in the previous lectures that in any audit, the first thing that they gonna ask about will be the show me is a policy that you are following in your company.
So everything needs to be written.
So we already spoke about policy, which is a high level statement.
It doesn't include any steps for doing anything, but it will tell you for instance, if we are talking about email policy, it should not be used in something that is not related to work, it should be business oriented, you should not be using it for any offensive way.
Attachment should be the maximum attachment should be that much Each user of the company should have like, storage capacity of that much, and so on so forth.
Then we have the standard and the standard, it's more than what needs to be followed when you are doing the policy.
So for instance, when we are talking about password policy standard usually is eight characters that include letters and numbers small and Captain, especially, this is a standard.
So the standard is something that you should refer to when you are creating the policy guidelines is more as an option.
I mean, you should follow the standard when you're creating the policy, because it has to be followed.
But guidelines is more like an option.
So for instance, standard cubbies as possible should not be less than eight character, you should follow that when you are creating a policy.
But maybe the guidelines will tell you that 10 will be better or 12 will be better.
You can follow the guidelines except it's not really mandatory sorption procedures is a step by step process in the sense that when someone is joining the company, how are you creating the email.
So you have a flow chart flow chart that showing that you receive requests from HR, and approval from security teams that this guy is signed the contract, he signed a nondisclosure agreement, he did that.
So you create you follow this request to the technical team to the to create a email for him.
So it shows you step by step, how things is done.
So policies motion or work procedures is step by step guide.
And I will share some of those documents attached to this lecture just as a guidance.
baseline is a minimum acceptable security, in a sense that, for instance, if you buy a new computer, and you're going to join this new computer or laptop to your company network, what should you do? First, you should remove access to the USB, you should remove the unused services, you should install the latest patches, you should do this.
So you have a checklist for any computer, you cannot attach any computer to your company network unless this checklist is fulfilled.
This is called baseline.
So most probably here will give you a question about a specific document, like what document should include the step by step implementations procedures, or high level statement is a policy.
So it's very, very important, not just for the exam, but realistically, it's very important also to be aware of what kind of policy any company should have.
I already like pointed to a very good website from where you can download this template and use them.
But also, I'm going to attach few of those documents in this lecture that will help you identify how the policy look like or the standard or guidelines and so on.
And again, it's not just to have them especially as a policy.
I keep repeating that because it's quite important because I saw in very, very in many interview, that the auditor will come to any of the company, employee or user and ask him, Do you know that you have a policy in your company, and many people didn't know about it.
So you as a security team, you get the part of the blame because of that, because you should inform the users and the employees that we have information security policy related to all our services and assets.
And it's located in this specific location.
Let me show you a sample for a policy.
Now, this is an email security policy.
As you can see, a lot of common sense statement is there.
Like personnel should use the email for business.
It should not be used for personal use.
You should not be using any offensive email, and so on and so forth.
So as you can see, the email policy, it's common sense, but it's not important about the policy itself.
The important part of the policy, it's to map it with a well known framework or a standard that you are following.
This is extremely important.
So it's not to have as much policy as you can but you should have a policy, that match or that map different system or Standard or framework that you are following.
So here, this policy, it's a part of the ISO 27,001.
And you have to specify which control and what is the name of this control.
So this one was requested or it was a requirement from ISO 27,001.
This is the number of control, and what was the control name, it was electronic message.
And this is the statement that was required.
So my point here is that when we are doing a policy and procedures, it's not just to add the policy, download them from the internet, and then use them in your company, this is not the right way.
The right way is to check which framework you are following or which standard you are following, or which regulation you are following and doing a policy that fulfills this requirement.
And accordingly, if you get an audit, regarding this framework, you can show them that regarding this control, we have a policy.
Now what will be remaining is to show them an evidence that user is aware of this policy.
So I wanted to show you a part of a policy just to to indicate or just to clarify what is what should be mentioned in the polls.
Now there is another part that I will share.
On the student portal, I'm going to put a lot of like policy templates, besides I already showed you places from where you can get policy and procedures.
But my point is the policy format, it's well known, you have document controls, and you have the scope of the policies and you have the policies themselves and you have like the if you have any exception, and then which is very important mappings of policy was a framework, because as I keep saying, and I will keep saying that, that information security, it's not the field where you should try or ask people what should be done, it's just a field where you are following the best practice or standard or regulation.
Before moving to the next topic, let's discuss the relation between the different security document in a sense, from where should I start from creating a security document from any for any organization from where should I start? And definitely I should start as it showing in the following chart from the low end requirement.
So usually you should know what is the law and regulation related to your business as we mentioned earlier, and according to that, you should create policy, which don't forget policy adjust it is a statement of management.
So, for instance, if you are following PCI DSS or if you are following ISO 27,001, where there is a requirement for an audit domain for an access control, so you should have the policy related to access control.
And management tool says that we need to have a policy related to access control and from the policies and we can create standards and guidelines and procedures and baseline and so on.
So the point here is that we usually start from the law and regulation is not just by creating a huge amount of policy, it should be mapping different kinds of standard controls into standard and framework.
This is quite important.
As I showed you in the previous lecture.
Also we have different kinds of policy, we have regulatory policy.
This is that should be done.
According to the law.
We have an informative policy, we have advisory policy, things like for instance, social media policy that you should not use or you should not publish personal information or work information on social network.
It's not into advisory.
It's not like if you break it actually if you break it second zero, but some of the policy will be more into the advice part, but some of them will be more into the compliance part of that if you break the policy, it's against the law.
So even in policy we have different types.
Then from policy, you are creating the standards, the guidelines and procedures and the baseline, which we already explained in a previous lecture.
So this is a relation and what is quite important is from where should we start.
So if we are following ISO 27,001 which we have different domains for each domain, we should have a policies that maps or control required in this domain.
This is the right approach if you are following PCI DSS also you need to create a policy that enforce control in this standard, and so on and so forth.
So this is the proper approach for creating a policy and procedures and guidelines, all security documents needed for any organization.
This is a very important topic in our course, which is risk management.
And it's not just important for the exam purpose.
But actually, as a security specialist, you need to understand the risk in a very deep way, you need to understand what is risk in the first place, then what are the risk methodology risk assessment methodology? How can I do a risk assessment? What is the risk management strategy? What is the residual risk is very, very important.
And not just for the exam, but also I believe, if you attend any interview, this will be one of the main questions that you're going to get, they will ask you about risk in different ways.
So, it's quite important to understand the risk.
That's why I'm planning to give you a lot of lectures related to risk even deeper reasons, the course content just to let you very familiar with risk, and let me explain to you why.
If you get hired somewhere, and they ask you to implement security in their organization, from where should you start? I know we already mentioned that you should start by checking the regulation and lo and so on.
But even so from where should you start? Or let's take it in a simple way.
If you need to implement security in your house, if you need to secure your house, from where should you start? And what will be the factors that you're going to consider when it comes to spending on security? How much you're going to spend on your house? If you need to, like secure your house? What should you get? Should you get an alarm system? Should you get a like a security guard surveillance scam? How much you willing to spend? it depend? It depends on two different factors.
First, it depends about what do you have? What are you securing I mean, it doesn't make sense that you spend $10,000, to secure your house that have some assets that was $2,000, you should not spend 10,000 to secure 2000 right around.
The second point is the risks that you are facing.
So if you are in a risky or a bad neighbor, maybe you're going to spend more that if you are in a secure area, if you are located in a place where is the result of earthquake, because there is a lot of tornado and the wizard has a problem, maybe you're going to spend more because actually security is not just against hacker and malicious hacker, you are securing against any kind of threats, fire, tornado, anything that may lead to losing your assets.
So the first point is the value of assets.
And this will be explained in depth in the next domain.
Second point would be what risk you are facing.
So if someone is living in like secure neighbor definitely will not spend money.
Same like someone who are living in a bad neighbor.
So risk allow you to first consider how much you're going to spend on security.
This is one point and we're going to see that in the next lecture.
Secondly, what is the priority.
So if you are a very located in a good place where you don't have any kind of earthquake or or tornado or floats or so on, you will not spend money on devices or you will not spend money or for something to prevent that because you don't face this kind of problem.
Maybe the probability of happening is very low.
The earthquake is happening once every 50 years.
So I should not buy any things to secure my home or my company against earthquake for instance.
So it's quite important to understand risk.
So first, let me explain what is risk.
We already explained at the beginning the threats and vulnerabilities.
So what is a vulnerability as I told you before is a weakness.
So if I don't have a firefighting equipment, this is a weakness in my company, what could go wrong, the fire may happen which is a threat, okay, because of the vulnerability and the threat, what could be the consequences? Building damage, I can lose that I can lose productivity I can lose life because of that.
This is the risks the consequences of a threat multiply vulnerability By the way, you can learn how to calculate Because it's quite important to calculate risk.
So you can know what is a priority? What is higher risks? And what is lower risk.
If you don't have a security guard, what do you consider that a vulnerability or weakness, what could go wrong? deceive, or someone could break in? What will be the consequences of that loss of equipment or loss of that, this is the risk, and so on and so forth.
So this is the definition of risk.
Now, in the upcoming lectures, we're going to first explain this, in a like a deeper way, we're going to talk about the framework that we are using to do a risk assessment, then I will show you a couple of risk assessment tools, because actually, doing risk assessment is not easy.
Even ice square recommend to use an automated tools, because it's not easy to keep sinking about everything that could go wrong.
And what would be the consequences of that, you know, it needs a lot of experience to do that.
So after explaining the risk, I will not just depend on sat down to to to explain the risk.
But also, I'm gonna add a couple of video first showing you a couple of product, like what are the risk assessment products that you know, because usually we are doing risk according to a couple of survey, which I will share on the student portal and sit with people and give them survey and according to that, you can understand the risk besides your original a lot of templates.
But there is some products that you can use to do a risk assessment, and it will give you better results.
Because if you mitigate risk, which we're going to explain in the next lecture, which mean you are like working on or spending money to decrease the probability of happening.
This will be a good approach.
But the point is, after explaining the concept, I will also utilize or explained, it's not advertising for anything, because those are not cheap products, but at least you need to know what is in the market.
And by the way, if you need to get the best of this course, do not just depend on the lectures and the knowledge you are getting from the lecture.
But for instance, if we are talking about risk management, and we are explaining that you should do some research, what are the best products that do risk assessment? What is the difference between those different products? Because if you go to an interview, he may be asked you about definitions.
But he will also ask you about what is in the market today that is doing that? What is the best DLP what is the best case assessment tools, and so on.
So I strongly suggest that you keep a piece of take notes about the knowledge.
And whenever you finish a subject which is quite important, like risk management.
I also suggest that you go and search for products that doing that just to be familiar what is in the market, not just to get the theoretical part.
So risk, it's not a threat, it's the damage that may happen if a specific weakness or threat has been exploited.
That's why usually we have to formula for risk, it could be risk equals threat into vulnerability, or sometimes risk equal probability into impact.
So if we have a specific risk vulnerability, that or weakness that has a probability of happening 10% and if it happened, it will cost us $100,000 shows the risk will be 10% into 100,000, which is 10,000.
This is how to transfer risk as a number and by the way, risk management.
It's the only module or the only domain inside this course that has some formula that you need to memorize.
And we're gonna see that during this domain.
So, risk is the amount of loss or amount of damage that happened if a specific vulnerability if a specific threat has been exploited.
Now, as I told you security approach used to come from the risk itself.
So if you, like get hired to implement a Information Security Management System, or any kind of security implementation in any organization from where should you start? So assume that you get hired and a bank or a company asked you, we need to implement some security to secure our information from where should you start Should you just tell them? Yes, we're going to buy the latest and greatest equipment and appliance, this and by doing that this is how it will be come secure? No, it's not going this way there is a risk analysis process that you need to be aware of.
So, it should start by assets identification, what do we have as an assets? What exactly do we protect an assets actually do not mean only shares and computers and tables, but there is some assets that is more costly than that like the company information, this is an assets, can you tell me a bank, a huge bank, the information that he has, how much he tours, if there is a bank and has a lot of customer information and sell financial transaction and all their financial information, how much Xu such information wars, what if those information get compromised, what will be his his bank lost? Right? So you need to start by identifying these assets.
And not just the physical assets, but also their non physical as company reputation as an assets, what exactly it represents, if we have big, big companies that get if you get compromised, no one will trust it anymore.
And we saw a lot of stories in the last few years about measures company that people lost confidence, because they get compromised more than one time, this is an asset that has been lost.
So we need to identify the assets first, then we need to identify the vulnerability or the weakness, what weakness those people have, what vulnerabilities they have.
Those vulnerability could be technical vulnerability.
So for instance, they are using some old operating system, some legacy system, sir website is not HTTPS, those are vulnerability.
And then we need to identify the threat.
Can those learnability be hacked or exploited, I mean, I may have an open port on my computer.
This is considered a weakness or vulnerability.
But this open port doesn't have any service so no one can hack it so I don't have a threat for that.
So I should identify as a vulnerability and then check which vulnerability has a threat associated to which vulnerability can be exploited? The number four we need to do four and five proper probability qualification probability qualification and quantification Nam quality ification mean based on quality and quantification based on quantity, the point here is okay.
We are identifying the vulnerability and we are identifying the threat.
What is the probability of this specific threat to happen, for instance, let's talk about fire as a weakness.
So, we are working in a company we have a lot of electrical equipment, we have a data center we have a lot of electrical devices.
A problem may happen a fire me or cure right now, this is a vulnerability the threat said a fire may occur because of that.
Now, what is the probability of that happening? I may have some previous information.
I mean, I noticed like everything here a fire happened.
So this is called say quantification.
It's based on quantity.
Because I have figures I have number white, if we're talking about qualification mean, I assume based on other people experience with, so I don't have a solid background about that, then we have to identify the financial impact.
And actually, you're going to do all this process by some formula later on in this domain.
Because after all, if I'm expecting to have a threat, like a fire, okay, so if a fire occurs, what will be the amount of loss I need to evaluate the financial impact because according to that I'm going to the site and this will be done by numbers.
within few lecture, I'm going to decide how much I'm going to spend on this specific impact.
So we are saying for instance, that if a fire happened, it may cost the company 100,000.
So I need to buy equipment that was less than 100,000.
doesn't make any sense that you know if a fire happened and my loss will be 100,000 I will buy an equipment with 10,000 which was $1 million.
So financial impact because you have to Do a cost effective solution.
And this is how you will face the questions as exam, they will not ask you how much you're going to spend, they will give you a scenario.
And they will tell you they spend that much on this specific threat.
And is it cost effective.
So you have to calculate and you have to seize the assets value, and you have to see how much is lost.
And then you have to see how much they spent.
And according to that you decide if it's effective or not.
And finally, in the risk analysis process, you need to determine the countermeasure based on the financial impact, and also the risk itself, I mean, it should reduce the risk of happening.
This is one of the framework.
This is related to fire departments something where you know, this is how they are doing the qualification.
Like you know, the likelihood, say probability of happening, say put value, and the impact the put insignificant minor.
This is qualitative probability.
Now, when we do a risk assessment, and we start identifying the threat and vulnerability and financial impact, I have four different strategies that I can take.
First one is to mitigate the risk mitigation.
So, mitigation means I'm going to spend money to reduce the risk.
So, for instance, I have a web application that is very important.
And if it gets compromised, this is an ecommerce website, I'm going to lose a lot of money, like Amazon, also sites that benefit by minutes.
So what I'm going to do, I'm going to buy a web application firewall or some appliance to protect my web server, this is called mitigation, I spend money to reduce the risk I cannot reach, risk zero, I mean, risk, please write it down risk cannot be eliminated, say will always be a risk.
But I try to reduce the amount of risk.
So mitigation means spending money to reduce the amount of risk I can accept, mean, okay, I found that to reduce the amount of risk, I have to spend a lot of money and I don't have a budget.
So what I'm gonna do, I'm going to accept the risk because after all, risk is an uncertain event.
I mean, it may happen or not.
So I decided, Okay, it will cost me too much.
So I'm going to accept the risk.
Let's mean, if it happened, I'll find a workaround if not good.
So accepting risk mean doing nothing about it, okay, we have avoidance strategy, sometimes the risk is too high.
So, for instance, we are opening a business in a specific areas, it is very, very risky, and it has a lot of like a bad area.
And people may get hurt, so I decided not to open a branch sir.
So I will not do even the activity.
So it's different than accepting acceptance mean, I'm going to do the activity.
And if it happens, risk happened, I'll find a workaround avoid, I will not even do the activity because the risk is too high.
And finally, we have transferring and transferring means we are remote transferring the risk to someone else like insurance, instead of buying fire equipment and so on, I'm going to buy insurance policy, if fire happened, they will be paying for the risk not me This is called transferring risk, very, very important to understand this strategy.
The fourth strategy show not all risks can be mitigated because after all, it will cost you a huge amount of money.
So summarize could be accepted ceram risk could be transferred somewhere else, some risk may be avoiding.
So it's very important to understand the different risks.
This lecture, it's very important insights is domain, which is assets for evaluation.
And we're going to also explain some formula to calculate the risk and to calculate or to evaluate the effectiveness of the control.
So this is the only part inside the course that has some formulas that you need to memorize for the exam.
Now on the previous lecture, we explains the risk what is risk how to identify the risk, how to manage risk risk principle How to mitigate and avoid or accept and what is what is the definition of zOS principle or transfer? Now, this was just an introduction.
So previous lecture was just an introduction.
Now, on real life how do we implement risk from where should we start.
So, to be able to identify or to do a risk assessment, or to choose some countermeasure to reduce the amount of risk, we need to start with evaluating our assets.
So, the first thing we need to do inside the risk management, it's to identify the value of our assets.
Now, in assets, we have two different types, we have the physical assets like hardware like shares like tables, and this is actually it's not the main assets that we are looking for, but it should be considered computers, hardware, printers and so on.
But the really important assets that you need to evaluate will be is the data asset.
So, data or information assets, so, this is important part, imagine that you are working in a bank, the bank has some devices are some physical assets, he got some computers and some printers and some scanner fine.
Those are easy to identify the value I can tell you have 1000 computer, or 100 computer each computer has been bought was $1,000.
So, our physical assets was $100,000.
But can you tell me how to identify the assets? The information assets? What is the value of the bank information? If it the bank lost those information? How can you consider the lost of the bank or how much would be the loss of the bank.
I mean, it's easy to calculate if we are talking about hardware.
So, the information and the data, those are the acid sets taking some effort to evaluate the value.
We also have software but also software is easy to identify the value.
Now before go before start explaining the formula.
I'm going to talk to you about some different techniques that is used for assets evaluation.
So, we have different way we have the inventory if any organization has an inventory system, we can refer to that we have assets management system or accounting systems those will help the first three one will help in evaluating the physical assets because inventory will include all the hardware and prices or the accounting system.
While this one Please take note about this one delfy technique, it's a technique used to evaluate information assets and it depend about expert opinion and survey.
So, the key word here is expert opinion and survey, we are doing survey to expert people to be able to identify the value.
So, you are not requested to understand how it works, but you need to know what is delfy technique, it's a technique that is used for assets evaluation and it depends about expert opinion and surveying anonymous survey.
So, if you got any questions as examples, so stick keyword what technique is used for evaluating assets based on expert opinion or survey it should be delfy technique.
Now, here is the important part in this course, I am sorry this this domain assumes that I was able to calculate all the assets values of i have the tangible assets, things like hardware, computer things like printers tangible and the intangible the assets like information and that and I ended up that my assets value both of them equal 100,000.
I'm going to put simple number for simplifying 100,000 so my assets value will be 100,000.
The second part of the formula will be and why whatever I'm doing right now, it needs to be done for each threat or for each vulnerability.
So, assuming that we are talking about fire, so, first I did calculate all my assets was 100,000.
The second value that will be given to you inside the exam is something called exposure x potager factor an exposure factor is usually a percentage.
So, exposure factor, it's a percentage and at present the amount of loss that will happen if a specific vulnerability or sled has been exploited.
So, if you are talking about five to calculate the file, we are saying okay, we have our assets, tangible and non tangible roles 100,000, the exposure factor of the fire of the fire will be 30%.
Meaning that if a fire happened, my loss would be 30% of the assets value from where they are getting those values, there is different way for getting that there is some standards, there is historical information, but actually, inside the exam, you will be giving us information you have one vulnerability that we are analyzing, and He will give us the essence value is that much the exposure vector is that much, then you need to calculate something called s, n, e, or single loss expectancy, which is equal to AV multiply e f, that's mean, every time the fire happen, how much we're gonna lose.
So it should be 30%, multiply 100,000, right? So it will be 30,000.
So the first formula is that you need to memorize will be the single loss expectancy, which will our case would be 30,000.
Then he will give you another input.
So three input you should have inside the question.
And you need to calculate two formula.
The third input, it's called a R, oh, sorry, or annual rate or currency.
So this mean, this vulnerability is that we are talking about how many time it happened per year.
And it's usually an integral.
I mean, if it happened one per year, so it should be one, if it happens three times per year, it should be three, what if it happen one every three year it should be one over three, one, I mean, it should be one over N, the formula should be one over n, where n is the number of occurrence of this event.
So if we are talking that this event happened one every year, so it should be one, what if it was one every three year I'm sorry, and it's number of year.
So it will be one over three.
So, we are talking about 0.3 So, they are Oh will be zero point C.
So, a zero is the annual rate of occurrence.
Now, the last formulas that you need to calculate.
So, you have three input and you have to Formula into memorize the input that will be given to you will be the AV assets value would be the exposure factor, which is the amount of damage that will happen if any vulnerability took place and will be a r o which is the annual loss expectancy, and we should end up with a le annual loss expectancy.
According to that what is my annual loss expectancy from the fire should be SLE multiply a ROA are Oh, so it should be 30% or 30,000.
Multiply 0.3.
Let's open the calculator.
So, we are talking about 30% 30,000 123 multiply.
So, you will be allowed way to a calculator inside the exam 0.3 and the value should be 9000.
So, our l e will be 9000.
Okay, so what exactly does that mean? Does that mean I should not spend on fire equipment more than 9000 per year, because the amounts that will is lost from fire would be that 9000.
So it doesn't make any sense that my loss would be 9000.
And I'm going to spend 20,000 on fire equipment.
So this is a very important part inside risk is a cost effectiveness, it's not about just implementing the latest and greatest technology to reduce the risk, it should be cost effective.
And actually, sometimes inside the exam, you will not get the questions that straightforward, but he will give you a scenario he gonna say is that a team is working on risk in an organization and they found that the assets value is that much they found the exposure factor, they found this is a row and they will give you how much the company spent.
So he will tell you, the company has spent 14,000 is it cost effective, plus or minus.
So you need to calculate to be to understand how how much they actually should be spending, and how really say spent according to the question, and you give your opinions, this is not cost effective, this is minus 6000, they spend more than should be expected.
So this is very, very important formulas that you're going to need to memorize.
And as I told you the inputs that you're having says exam result, and as assets values exposure factor, zero, and you're going to need to calculate SLE, and you need to calculate le and your objective is to understand the how much you should spend on each threat because you do that for each threat, fire hacking, physical security, any threats that you should expect, you should do this calculation to be aware of how much we need to spend on this specific control.
So, very, very important formula, please write them down.
Game then is apart, or the vulnerability usually is coming from different places.
So it could be theoretical, it could be actual exploitation, safety.
So vulnerability could be different kinds of an ability physical in technical, we should consider all kinds of vulnerability and do the formulas that I showed, I just show you the area of individuals.
physical security, people who's working in operation should be analyzing the physical security vulnerability electrical, software, network personal risk type, we have the manmade risk, which is something like internal risk, safe employee mistakes or natural disaster risk things that you can do nothing about it.
So, if you are in an area where there is a lot of tornado and float, you have to work with that I mean, you cannot you can do nothing about it.
So when we are doing risk, we need to identify all the risks that we are expected, right? But when you do that, when you start sitting, and you should, because actually it is not easy to sit and to start sinking thinking about everything bad that may happen in different areas in physical security and technical security in personnel in HR.
It's not easy, but you will end up with a huge amount of risk.
So I cannot assign or put a countermeasure for each one of them it will be endless, because you know sometimes you have 1000s of risk not just 100.
So, after doing After identifying the risk, we need to identify the term to determine the probability and to put some periodic answer at some priority need to be taken into consideration.
Let me give you an example assumes that we are in an organization that and we are doing a risk assessment.
So we start identifying the risk.
Now this specific organization exists in a city where there is a lot of tornado and float.
So this has been considered as a risk because it may happen and it may end up with closing our business for few days until it's a problem losing some customer I need to consider that.
But also we have a risk for instance, for earthquake but this is very, very rare.
that happen I mean tapping every like 2030 years.
Now, if I have a budget to buy some control, should I divide the budget equally on those two specific risk? Definitely not, I need to give one of them more priorities and other because according to that the tornado is happening every year.
So the probability of happening is very high.
So I have to assign a budget for that, well, it doesn't need to be considered, but since it's a very real threat, so I need to allocate lower budget.
So when we are doing the identifying risk, you need to put priority because you will not be able to mitigate all kinds of risk.
In doing priority, we have a qualitative and quantitative analysis.
Quantitative mean, I'm giving a priority according to some number I have the last 10 years, a fire happened every year.
And this is very, I mean, pessimistic.
But for instance, so I have, I'm putting pureology according to numbers, while qualitative risk analysis mean, identifying the probability of the risk, but based on the best practice, like I'm saying, this most likely to happen, I cannot put the figures but I'm putting most likely or will not happen.
So I'm giving names, but I cannot give numbers.
So, this is how to identify as a qualitative analysis likelihood we need to know the risk, we need to know the impact this is the formula I was telling you about extremely important.
And you should understand what is a quantitative analysis and quantitative analysis, very important thing about the safeguard or about the confirmation eight should be cost effectiveness, you will be requested to evaluate the effectiveness of the cost from the question, it should reduce the risk you should not implement the control that will increase the risk and it should be practical, not a theoretical part.
So, when you implement the control, it should match those point.
So should not suggest theoretical things that cannot be implemented.
But the first one cost effective.
And this is what he may ask you inside the exam.
And as I told you, it will not be straightforward question, he will give you a scenario, he will tell you how much they spend on countermeasures, and he will ask your opinion, so you need to calculate, and you need to get the annual loss expectancy and to figure out what is the better amount to be, or the best amount to be spent on this specific risk? Let's take an exam question related to risk management.
Risk Management can be very complex and overwhelming.
It's virtually impossible to consider every possible scenario during risk analysis, which is true, very hard to analyze all different scenarios are all possible scenarios.
However, threats are methods available that can be produce better results, which of the following would provide the best results when carrying out risk analysis? Do more quality analysis, more qualitative analysis which we explained before? use manual audit, use existing automated tools, or focus primarily on the critical assets? So which one is the best way for doing risk analysis? What do you think? Doing a qualitative analysis, you remember is a quantitative analysis, it's a part of the risk analysis.
It's not the full process.
So definitely This is not the right one, use a manual audit, and manually mean it's not precise or it will not be effective.
focus primarily on the critical assets.
This is also a part of the risk analysis, but it's not the full risk analysis.
So the right answer will be using an existing automated tool because the automated tool will have a lot of scenarios will grab a lot of built in capabilities, surveys and so on.
So it will give you better results and explanation of this question as you can see that using an automated tools, which usually has a lot of information Insert database that can be used right away.
And instead, instead of figuring rows information out, will give you a better result.
So, the point that I'm trying to raise here first is that when it comes to things like risk analysis, or risk assessment using an automated tool, it's much more effective and will give you better results.
That's why in the next lectures, I will follow up to two of the major automated tools that we usually use in risk assessment.
Those are expensive tools, by the way, but you should be aware of them.
Because as we agreed at the beginning, it's not about the concept.
But also you need to know what is in the market today, in case you sit for an interview, or you join a job where they are using these tools.
The next lecture, it's not a part of the exam, but just showing you a couple of tools like arsha, for instance, from RSA, which is a very effective risk assessment tool, or Eris.
They also have a GRC, and so on, but I believe Archer it's most common and used in different entity.
So I just want to show you one of those automated tool for your own knowledge, not for the exam purpose.
Another point that I would like to clarify is that a very important factor that you need to consider to pass the exam is to sink like ice square.
This is quite important because sometimes you may find one of those uncertain more realistic to you.
It's not about what is realistic, you it's what about ice squared is sinking.
It's very, very important to get that mentality to be able to pass the exam and you can set by time, you don't have to worry about that.
We're going to take a lot of exam questions and you start, you will know how ice square are thinking and you're going to get the same mentality.
After finishing the risk management, we're going to move to the Business Continuity Planning and disaster recovery planning.
Now risk management is a previous version of CISSP was a domain by itself.
And business continuity and disaster recovery was a different domain.
So by combining them together, they make the first domain one of the biggest domains.
Of course, Business Continuity Planning is a very important topic and it has a lot of terminology that you need to be aware of.
And you will find good amount of question inside the exam about the BCP and DRP.
So please studies as part of the domain very well take notes.
And after finishing the domain, I'm going to show you the best way to practice the exam question related to those domain.
So let's start the findings of Business Continuity Planning and disaster recovery and different terminology related to them, and how to create them besides the different document that is included in the BCP and DRP.
Now our first objective will be to explain what is the difference between business continuity or BCP, and disaster recovery plan or DRP.
Business continuity, it's mainly a business document.
And we try in such document to identify or our business function and to give them priority and to see how to recover the business.
What is the most important business function to recover first.
So business continuity, it's a business document, it's not a technical document.
While disaster recovery, it's a technical document.
And once we finish this part, we are going to see the sunflower document and see is a definition for both of them insert in the sunflower document.
So let me give you a small example.
assumes that you are a training center.
Okay.
So Training Center what exactly the type of server he is providing.
It's providing it's it provides training and to be able to run the business What do you need? I need equipment, I need a location.
I need equipment.
I need this I need computers I need instructor I need operation reception.
So those are the requirement that allows the business to running.
Now in the training center, we may have this From the partment so we have the sales department, we have the training department, we have the operation department, right? Now, when we analyze the business, what is the most important department or business function that is needed for the business? It should be the training department.
I mean, if you have a training, you have a course running.
And you don't have an instructor, for instance, how can you run the training, you have the sales team, you have the HR team, you also finance team, but you don't have an instructor from the training team.
So the business will not be running.
So according to that, maybe I need to get another instructor to become a backup.
This is the business continuity, I'm analyzing the business, identifying the business continuity and identifying the important business function.
And I'll try to find some option in case any problem happened, I'll be able to run my business.
So it's a business document.
And as you can see doesn't have any it doesn't have anything technical so far.
Disaster Recovery will be is a technical document, I mean, for the same example that we are talking about training, maybe you need to have computer What if a problem happens on the computer, we will not be able to run the business.
So now I need to figure out a technical documents that how can we recover if a failure happened to any computer to take a backup from the software or something like that.
So Business, Business Continuity Planning, it's all about identifying the business, knowing what business function is inside, giving priority to business function and to identify what is most important business functions that you need to recover firsts and seconds and search to be able to run the business.
Where is the disaster recovery, it's a technical document.
And actually disaster recovery, it's part of the business continuity planning.
So a part of it will be the disaster recovery.
This is an example of business continuity planning.
And I'll I'm going to add some template to this lecture.
But it's very important to go through it because actually, it's not easy to implement the BCP unit, as I told you need to understand very, very well, it's a business, and what is the critical business function? So for instance, when we were talking about the training center, I told you that we have different departments.
So when you analyze events business, what is important department is, let's simplify the question.
If I have a trainer and I have a reception guys that sitting at the reception area for the old for all new students who is coming for training, which one is most more important, is the instructor or the reception.
Most of them are important, but instructor are more important than the reception guy.
The business can be running without someone staying in the reception area.
While it cannot be running without an instructor.
So now I need to have another instructor but no need to have another reception because I cannot few days result.
This is an idea about analyzing the business and the factors or the requirements needed for the business.
So it's not a technical document.
It's a business document.
We have different kinds of framework.
But you're going to need to know about manliness This is related to a fire department, business planning framework.
They are all the same idea.
But let's let's go through it.
And let's talk about the steps.
So the first things that you need to do if you are implementing a business impact a business planning.
Business Continuity Planning is first you need to have a project initiation.
Before doing the process itself, you need to do that as a project.
What do we mean project project has a start date and end date.
So you need to do you need to say I'm going to do a business continuity planning that will start on this specific date and will end on that date.
And I'm going to need those resources and this will be my deliverable.
So it needs to be clear.
And also this would be the project manager or the program manager.
This need to be identified as the beginning because actually this is a long process and unless you put an end date and you assign resources It will not never end.
And you're going to do a lot of meetings and a lot of interview a lot of survey, it's not an easy process.
So you need first to identify your resources and identifies the lens of your project.
And who will be responsible, who will be in charge.
Once we agree about that, one second step will be starting the Business Continuity Planning and how to start by risk evaluation and control, we need to start first the risk, identify our risk, and identify the controls that need to be done or put inside the place.
The third part, which I believe it's the most important part in this BCP, it's called the business impact analysis.
And it After identifying all the risk and all the threats, I need to identify if this specific threat or vulnerability took place, it will affect my business with numbers, the most important part is a bi a or business impact analysis, it should have figures, because according to that, the management will agree or disagree to do this planning.
So it should say, Okay, if my our system get compromised.
And I get that from the risk evaluation and control, I know that we had a lot of bad experience.
And our system or not, the latest do not provide the latest protection software and hardware, and we have some old operating systems.
So one of the skills, we may get compromised on the business impact analysis, and we're going to see a sample during this course you're going to say, Okay, if it happened, if we get compromised, we're going to lose $1 million.
And according to that, we need to have a, for instance, another server or we need to buy some security appliance.
So the BA, this has figures, it will translate the threats and the risk and compromise ation to numbers.
And it will shows how our business will be affected.
Okay.
Now, once we created the business impact analysis, by the way, a very important point is a sequence of the steps when you need to be memorized.
So you you may get asked inside the question inside the exam.
What is the third step to be done in the business planning out is the business continuity planning? What is the second step, but actually, I'm going to point to that from the sunflower once we finish this domain after that, to start developing our business continuity strategy.
Okay, so now I know if a problem happened, this would be affected money wise, or timewise.
So I can say, Okay, if a tornado happened, we will be off for a few days.
But we are a multinational company, we cannot be offered today, we're going to lose a lot of customer.
So our business continuity strategy will be to take another site in a different location that doesn't have doesn't have this kind of problem.
And this will be stand on standby site.
So my people will be moving here.
But if a tornado happen, I'll be moving my people there, this is a business continuity strategy.
fifth step would be emergency response and operation.
This is considered a very, very important step in the business continuity plan, because they consider the most valuable assets inside your organization is people.
It's not hardware, it's not information, it's people.
So the first thing that you need to do in the business impact analysis is to have an emergency response, response, and operation, okay, how to evacuate people how to tell them the assemble assembly point, after any kind of major disaster or problem doing that, we're gonna after doing all the business continuity and emergency you're gonna end up with a BCP or business continuity planning.
Now, after doing the business continuity planning, and how can we continue our business in case of any problem happen, and where should be the list of problem and effect of problem it will be in the risk evaluation and in the business impact analysis.
After doing that, and have a plan, you should not put just write the plan down and put it in your drawer you have to do an awareness training program.
People need to be aware of this planning.
So if a disaster happened, they know who to call or they know where to move or say no, but if you do the planning, even if it was in perfect planning, and no one is aware of, it's useless.
So you need to implement awareness and training program number eight, it's to maintain that you have To check your planning at least once a year, by the way, all the planning that we are talking about in the domain need to be reviewed once a year, or at least one time per year.
Why is it because sometimes the factor or the parameters that you depend on your planning does not exist anymore, for instance, assumes that you planned that if a disaster happen, you are going to move your company or you're going to move your stuff to another location that you arranged.
And you can use a specific transportation company, what if this transportation company went out of business and you you were not aware of.
So if a disaster happened, you try to call them they're not sorry, they went out of business.
That's why you need to maintain, you need to reuse it at least one per year to make sure that it's still applicable and nothing has been changed.
Number nine, it's to inform the public relation.
And number 10, is to communicate with public authority.
This is, you know, in case for major things, Fire Department police department, you need to let some aware by your planning if a problem happened.
This is another framework.
And I believe this is the ones that you need to memorize the number NIST, publication 834.
And it's similar to what we explain maybe less steps but it's similar.
You are developing a pilot statement, you are conducting a business impact analysis.
And if you need to memorize steps, it should be from zero, not from the first one.
So don't forget that the second step is to conduct a conducted business impact analysis.
And then identify the preventive control develop recovery strategy, develop an IT contingency plan on step number five, this is what is the disaster recovery planning will come plan and test and training and plan for maintenance.
So this is one that you need to memorize.
But I explained the first one because it's shows more detail.
And I want you to be aware of such details.
As the threats that we may expect could be natural threat could you could be a human cost could be technology costs.
So you consider why we are doing your risk assessment all kinds of threats.
So as we agree on the previous lecture, what is the most important document inside the BCP is the BI or the business impact analysis, what exactly you should find inside the BI you should find and a list of all the business function inside this organization.
So it will explain how the business is going first, if it's a finance organization, if it's a broker, Stock Exchange broker, if it's a training center, how's the business is working, how's the process related to businesses working? So it will first explain the business and this is not easy to do.
I mean, you have to understand very well, how's the business is running.
And in real life, you have to do a lot of meetings with different departments to understand if you are coming outside the business, if you want to understand the house, the business is going and what is the important function of the business.
So you need to identify the business function of the business like the previous example we explained on the previous video.
If it's a training center, you're going to need to know how the training is going from the start student came for registration, where they register and then those information how they will be saved and to house they will be creating a course and informs the instructor and requests the material.
According to that you will be knowing the main business function and then you start giving them priority.
What is the most critical business function? What is the business functions that if it's doesn't exist, it will stop the business.
But you need to put that with figure with numbers.
So as you can see, you need to have a list of business function and you get to give them priority.
You need to possibility of reduce the efficiency of operation.
We're going to see an example in a few slides.
You need to identify the resources needed to restore if a problem happened to restore the business function or our business, what resources is needed, technical resources, human resources and so on.
You need to know the estimated tolerant downtime we're going to explain this concept on next lecture, this has some numbers.
But the most important thing for management is the impact of the financial impact.
So this need to be very, very clear if this problem happened, how much the company will lose, because you're going to identify a budget, according to that if you're going to lose 1 million, if for any disaster happened, so maybe you need to allocate 800,000.
Or maybe you need to allocate less than 1 million back, I cannot allocate 2 million from my budget for some things that will have an 1 million finance impact.
So the business impact analysis is very, very important it show as I told you how the business is running, where is the weak point and how to recover the business and what is the resources needed.
Don't forget that a human is considered number one.
So inside the VA, you should also consider as a human factor, how to make sure that they will be safe for any disaster.
And it make as a goal of bi, it ensures that your business will continue according to this document, you're going to plan for the BCP.
And you're going to make sure that if any disaster happened, you will still run your business.
So this is actually a very, very important document.
There's a process of doing that.
Number one, again, it should be project planning.
So you should start by planning for Zba has a start date and end date should not be an endless process, because you know, I work with a couple of those process.
And by the way, I'm going to share some template with those lectures.
And unless you have a plan, it will end up meeting with meeting was meeting with different departments.
So planning needs to be done and project planning should be done as a project when you have someone responsible for this project.
And you have a timeline, this project trip start on date and end date and before that you should have management support.
Unless you have a management support, no one will obey no one will give you any information, you will have very, very hard time, then you need to collect the data.
I mean, how can I know you know, how's the business is running, what is the income if a problem happened, how much you're going to lose.
So you need to collect that.
You can do that by interview, you can do this by survey, you can do that by observation, but you need to collect information, do not take only from one source sitting with someone who will give you some information.
So you build on that you have to take from different resources and compare between them.
Because realistically, whenever you see to some departments, they will give you the impression that they are the most important department sales organization.
And without exams, a business will not be running even no departments that is not that important.
They're gonna do that.
So you have to do your own observation, you have to collect information from different areas, and you have to analyze them.
And they usually say if you need to work on this field business continue to answer surecolor which is well, well well, in demand today has high demand today.
It's better to start with an expert, I mean, do not take a course or read the book and then go and do a business contingency planning for any organization.
Because it's a little bit complicated process realistically.
And you don't want to take any risks there.
I mean, I don't have experience I go the organization, I'm going to tell them that I'm going to do for you A BCP and then you start going through what you read in sizable and then disaster happens they try to implement this plan is not working, they will take some legal action against you.
So if you need to work on this field, as I told you to well demand field or high demand field, it's better to start with an expert.
So we will talk about data collection, the critical assessment and vulnerability assessment as well.
So we are identifying what is important assets that we have and what vulnerability you are expecting.
This is a bi critical business process.
This is actually one of the vulnerability assessment model or example.
So for instance Zephyr, the vulnerability could be a flood damage damage happened for flooding.
This is what this is a physical vulnerability, okay.
So risk of occurrence.
This is as you can see, quantitative and they are given from one to five.
Look where one is low and five is higher, because this happened every 1015 years.
So the probability of happening is one.
Okay, if it happened, what would be the impact on our business it will be 20 5000 and how to mitigate that how to reduce the risk, it's to standing order or, you know, sandboard or sandbag, or whatever control you're going to put, okay? Second one, electrical failure, this is a physical, and it happened from time to time.
So I'm going to give them a risk occurrence of two.
And if you tap in what would be the impact will be 100,000.
And how to mitigate that.
When you give them to management, maybe they will accept some and do not accept some, so they may for the second one may mitigate this spend 100,000 bucks the first one because the risk is so low.
So second, we're gonna accept that if it happens, we're gonna find a workaround, and so on and so forth.
So this is an example of a vulnerability assessment.
Now, before going to the next lecture, I just want to show you, the BCP from the sunflower and what exactly needs to be memorized from there.
So let me just increase the size a little bit.
So the business while you are doing that, to have led to reduce the downtime of our business to make the business working.
The BCP is now government requirement in some countries.
I mean, if you are a supplier for government, they will tell you, before we work with you, as a government, we work with your private organization, you have to show our show us our business, continue your business continuity planning, because if something happened to your business, and you don't have a plan to recover, you're going to affect our business.
So we become more as a government requirement and measure company requirements.
So it became very important.
That's why I told you, it's in high demand in the market.
So we are doing that for it's a business document.
And don't forget that the first thing that you need to do inside the business is emergency response planning.
So first thing it says the BCP is not how to recover the business is how to make sure that people are safe.
What is the scope is a big it's very, very important document, you should know what is inside the BI.
Okay, business impact analysis has a risk and it has business functions or priorities lost.
So the BCP, as you can see, it's a business document, while the disaster recovery, it's a technical document.
In bcb, you're going to find some terminology.
And those are very important and most probably, you will be getting some question about sight inside the exam.
Now, the first terminologies that you need to be aware and it should be written on the first section of the BCP, it's called the maximum tolerant downtime or MTD.
So, how can we initiate the process of the BCP? I mean, if you are doing a business continuity planning from any organization, what will be the first question you ask for management before start working on a planning and collecting information.
So MTD, it's the maximum acceptable downtime for any organization and this number should be coming from the management.
So you're going to sit with the management at the first meeting and they can tell you Okay, our organization MTD, it's five hour means that we can be down we will accept to be down for maximum five hour but we cannot be down for six or seven hours our downtime acceptable downtime, it's five hour and as I told you, that should be coming from management says this is called the MTD.
So, which is the maximum acceptable maximum tolerable downtime accepted accepted by management and they will tell you do whatever it takes to make sure that we will not be down more than five hours.
So, whatever problem happened we can afford to be down for this amount of time.
Some of them will be lower like you know government or law enforcement they cannot be down for like six seven hour they will tell you we can be our down for 30 minutes for instance.
So, the maximum tolerable downtime or the MTD, it's acceptable downtime by management.
Now, let me first go to this one.
So assumes that oh You sit with management and they told you that the acceptable downtime it's or the MTD is five hour.
So said okay, let me test Let me see how can I recover the system.
So, you start doing a scenario, you crash the system or you do whatever scenario and then you try to restore the business and to get functional again it takes you seven hour.
So, they are realistic values that you are testing it take your seven hour, what do we call that? It's called the RTO or recovery time objective.
So, RTO it's the values that you are giving based on the testing.
So, management told you it I need to the maximum amount of time I can be down is five hour you did your test and you tried everything and you cannot be up before seven hours.
So, you go to management he said I did according to the resources I have I cannot be up before seven hours this is called the RTO definitely definitely what will be your objective to make the RTO equal MTD or to make some difference between them zero.
So, this would be your objective So, you can tell the management okay if we need to decrease the seven hour to five hour maybe you need to spend more money because you requested to be down five hour.
So first terminology is MTD.
Second terminology is RTO.
We have a certain mineralogy it's called the recovery time recovery point objective.
And this is related to backup.
How frequently should we taking a backup? It is a question came asking about the value related with backups, the key word was backup is RPO.
This is related to the amount of time where we need to take backup every hour every two hour because according to that I can afford to lose the data for one hour or 30 minutes depends about how frequently I'm taking backup.
Those are three important terminology but I need to add two more terminology from the sunflower which is mean time between failure and mean time between repair.
So let's go here.
And let's go to the last section.
Here those value are very, very important definitely you get question about certain size exam.
So we spoke about mtgs RTO RPO.
Now, those time we as those concept, which is mean time between failure and mean town between repair.
What exactly is this mean and what needs to be increased? And what need to be? Because most probably he will not ask about definition or this is stand for what but he will ask you what do we need to increase and decrease.
Now Meantime, between failure it's the time between a failure in any sense.
And for instance, assumes that I have a server and from the previous experience and for the previous from the previous history, I know that this server failed every six months.
So the mean time between failure is six months for the server Okay.
Now what will be my objective definitely my objective will be to reduce I'm sorry to increase the mean time between failure.
So anytime a failure every one year every two year but not every six months.
I need to increase MTTF.
While mean time to repair its amount is take you to repair the server.
So assumes that I know that the server will fail every six months or seven months frequently.
But it takes me one hour three hour to repair it.
So I need to decrease this amount.
So MTTF need to be increased when mttr which is the time needed for repairing the system need to be decreased.
Don't get confused about that.
Take notes about that, because it's very, very important, those terminology for the BCP.
So the terminology are very, very important when it comes to the business continuity.
When we are doing a BCP, you need to have someone in charge, because you will be doing a lot of work will be sitting with a lot of people.
So someone needs to be in charge.
We do not call it the project manager is called the program coordinator.
So program coordinator is one in charge for the BCP and he's the one who's planning and who's assigning assignment to the team and doing the resources and he will be the one accountable.
So if a problem happened and the plan is not working fine, he will be the one responsible for that.
This is the BCP team and it should have people from senior management from security from business partner for remote business associate from it from legal.
And I think if it's the government sector, they should also have someone from PR, because if a government disaster happens to government, someone need to go to the media public and explain what is the situation, but if you keep everything secret, this is definitely will affect their business and people will start losing trust in that this is their responsibility is the ones that we explain and one more time Do not forget that people come first.
So whatever BCP needs to be implemented, the first thing to be done is people planning now this is the content of the BCP is a statement, statement of authority role and responsibility plan goal and objective, applicable law, regulation, everything it needs to be evaluated one per year, at least, to make sure that it's still applicable and that all the resources that are depend on it still there.
So, okay, now, when you do a BCP or dr, it need to be tested, otherwise, it would be something academic.
So, we need to test and we have different way for testing.
So, for instance, we have a full interrupters that we are simulating real disaster and do a full interrupt this will involve transporting people to other places and recovering and it will take time, but you have to do that, we have another kind of testing is called the walking through testing, which is just sending this plan to different departments and they will check if it's applicable or not and sign we have a parallel testing we are keeping your business running but you are doing a parallel testing on a similar site.
So, there is different kinds of testing for the planning and you need to implement most of them especially the full interrupt because you need to see if this plan is realistically or not.
And it needs to be maintained one per year at least.
Okay, so before going to disaster recovery, to close the BCP.
As I told you, the Business Continuity Planning should have some plan in sight and one of the important plan is called the emergency planning.
So the emergency planning will explain it's a sub plan for the BCP will explain what should be done for evacuation and for making sure that people will live or oral will be evacuated inappropriately.
Now, here's the question I saw inside the exam.
They are telling you if a disaster happened, what should be done first, first, number one evacuate people.
Number two, implement the BCP.
Number three, implement whatever I mean, let's talk about one or two evacuate people or implement the BCP.
What do you think? I believe some of you may think evacuate people because people come first.
But actually, you should first do the BCP because inside the BCP, it will have the plan for evacuation.
Because you cannot keep screaming to people evacuate the place say when you're gonna have a lot of damage and people who would hurt themselves.
It should be done according to the plan.
Sousa evacuation plan is a part of the BCP.
So it should be done.
According to BCP, it should not be done randomly evacuating people because unless it's planned, it will do a lot of damage.
So don't get confused about this kind of question.
Everything should be should be going according to plan in any domain.
The objective IC squared is that you should have planned for everything and everything should be going according to plan.
Second part will be the disaster recovery planning or DRP.
And I think the DRP its sub plan for the BCP because the business continuity is the generic plan, while the DRP its technical plan for recovering the system but not all business.
Only depending on the technical part, some business some some operation, some sales, some training.
So the DRP is only focused on the technical part.
And on this lecture, we're going to see the same terminologies that we went through the last time on lecture on the network domain where they will be repeating the type of backup type of frayed redundancy and so on.
So the disaster recovery plan, it's about how to recover the technical document, technical part of the business.
And I'm going to add some template to be aware or to check how it looked like now, in the disaster recovery plan, you're going to find the risk, what risk may affects the technical infrastructure the cost and benefit as a priority should be cost effective in disaster recovery, you have things that need to be recovered on short term mid term long term by the way, when we are talking about long term usually, especially in planning it mean more than five years.
So things not can should not be recovered all of them at the same time.
I mean, no, unless your business needs it, but you need to identify what needs to be done on short term and what needs to be done on midterm and what needs to be done on long term.
So if you need to recover on short term, you're gonna need to do mirroring site.
We the re explain that again on midterms need to do a rebuilding.
Okay.
So, one of the things that we are going to re explain one more time it was explained in details in the network and telecommunication is a type of backup first before talk about type of backup, how backup will be taking? Are you going to take on tape or disk? Are you going to do a mirroring, backup mirroring mean a alternative? backup? Are you going to do remote journaling electronic voting? Do you remember what is remote journaling and electronic vaulting backup, which is a site remote sites that take down section by transaction like banks, or remote sites that take bulk backup.
So just memorize what is full backup and differential backup an incremental backup, full backup or taking a full backup incremental or taking the last change is a change from the last taking backup, and differential are taking the change from the last full backup.
If you don't memorize that, please refer to the backup lecture incisor network.
While this part has been explained, the difference between differential and incremental and male is the difference would be while you are restoring you need less amount of tape if you're going to do a differential backup.
In this lecture, we will be talking about alternative sites sometimes in your plan for major disaster.
And for critical business you may need to have an alternative site.
So if a disaster happened and you are not able to run your business from your presence sites, you may need to another site you may need to move to another site.
So in alternative sites, we have let's see five notice for first site is called the host site.
And another name for it is mirroring site.
And this will be a site that is fully equipped with furniture and machines and even data and information are synchronizing from your primary site to the mirroring site.
So if a problem happened or a disaster occur, you just need to move your people from your current site to the mirroring site.
And they will be able to be up and running within hours.
So the definition of hot site or mirroring site is a site that can be up and running within our you'll be having your business up and running.
Then we have the warm side and warm site.
It's a site that has equipment and has computers and communication except it doesn't have that.
So if a disaster happened, you're going to need to move your people and you're going to need to get the information tapes and recover or restore them.
So it will be up and running within days.
So as a definition, a warm site is a site that can be up and running within days.
Then we have to Cold side is just a place with light and communication into furniture, machines, you need to have data.
And this is, can be or can recover the business or can be up and running within weeks.
We also have a site called the portable site or sometimes called site on when it's like a van where it's, like, you know, has some main devices that allow you to run the business from the van.
Now, besides those alternative sides, there is a very important side.
And quite interesting also, it's called the mutual site.
So this site, also you need to be aware of.
So let's see.
So we have both sides, the warm sides, the cold sides, the mutual or multiple.
This is one or Yeah, mutual aid agreement side or reception agreement.
What is that exactly? Now, some business cannot afford to have two different sides with equal to his own equipment.
And after all, it suicides that you may never use, I mean, maybe there's a certain level, you would never accuse, and you may have never to move to the alternative side.
So you are paying rent, and you're getting furniture, and you're testing people, but you may have not to be able to use it.
And besides, as I told you some business, it's very hard to have replicate site.
For instance, in newspaper companies that publish news, you know, those equipments that they have, are very, very expensive.
And they cannot have an application of that.
So another way for for alternative side is that assumes that have a newspaper, I can check for someone that has the same business but are located on different city or on different places.
And we can have an agreement together it's called mutual mutual aid agreement, saying, Okay, if a disaster happened on my site, since you already have the same equipment, because we are on the same business, I'm going to go move my people from my site to your site, and they will be working on your site.
And if a disaster happened to you, you can move your people from your site to my site, and they will be able to resume working using my same the same equipment I have.
So this is theoretically it's actually very effective, except practically, it's very hard to enforce.
So Justin, for instance, happen you take people that are quite busy don't have so you cannot enforce it.
But theoretically it seemed very realistic idea.
So, those are the different kinds of site and you should know the definition what should be up and running within hours or days or weeks and so on.
So, getting back to our presentation.
So type of site is also important.
Now, Recovery Team should be many similar to the BCP team has every member of the team and those are the people that whenever a disaster happens, they know exactly what to do and they know where to start and they have all the process and not forget just terminology, which is the RTO and MTD and so on.
Okay, and we have also a team called the salvage team, what is the salvage team is the team that is responsible that once the disaster is finished, he need or his responsibility start I mean recovery, Recovery Team start when the disaster start to start working, you have the plans to do everything.
Now the disaster is finished, people has been moving to the alternative site.
Now they are working fine and just finished.
So I need to get people back to the original site.
Who's doing that the salvage team service team start once the disaster finish and their responsibility is to retrieve the people to get the people back to the original location once it's clear, and once the location are ready to be used one more time.
So those are two different team.
When a disaster happens, the Recovery Team start first.
Once everything is settled and every people and everyone has been moved to the other side and they are working fine.
You need to get some back who's doing that the salvage team.
The plan also need to be evaluated periodically one per year and to make sure that still valid nothing has been changed.
And also we have some kind of test.
checklist tests are also called working through, we have a mirroring site test, we have a offsite test, so it needs to be tested as one.
So this was a part of domain related to disaster recovery and business continuity, it's very important.
And in today's market, this is actually extremely important.
And most of the framework like if you need to implement ISO 67.
If you need to implement ISO 27,001, or any type of framework in your organization, you can see that one of the main requirements that your organization should have a business continuity planning and disaster recovery plan.
So realistic is very, very important.
That's why I added a lot of template to this.
domain.
Let me know if you have any question.
And I hope the domain was clear enough.
Thank you.
We already covered a lot of topic in this domain.
And we still have like couple of topic remaining.
That's why beside the exam practice questions that I will be sharing with you.
I will also would like to refer you to a very good website for questions for taking different quiz related to some of the topics that we covered so far.
This website, which is macro Health Education website, it's one of the best website from where you can find a lot of question that has the same idea or the same kind of tricks that you may find inside the exam.
The only problem with this website is that it's categorized based on the old format.
So you will find them as 10 domains, like the third edition, not as for domain, I'm sorry, eight domains.
So according to that, you can work on this website, practice those topic, but based on subject, not on the domain, you will not be able to map them as domain names with the new curriculum.
So for instance, business continuity and disaster recovery, you will find it here while risk you will find it here and most of them are in the same domain, and so on and so forth.
So if you go to any of those domain, you will find two different quiz.
Each one, each one has around 50, or like 52 questions, but they are quite good and very similar to the real exam practice.
I want to tell you to point First, you will not be able to run those exam practice question on your mobile, you have to run the exam practice question on your computer because they request Flash Player.
So this is one point.
The second point is that regarding the URL, let me show it to you.
I will add this URL inside this as an additional resources in this lecture.
But be aware set is case sensitive.
So it's better to copy and pasted from the notepad files that I will attach it.
So it's it's a URL is a case sensitive URL.
So let's see, you know, how's the exam look like? Let me tell you very important point.
So, this is for instance, which of the following best describes continuity of operation plan? And you will find different kinds of answers.
Now, the point here is that when it comes to reading the question and answer, the most important part is reading the explanation, even if you select the right answer.
So let's see the questions and let's discuss you know, how you should analyze the question.
So, what is the following what of the following best describes a continuity of operation plan it establish senior management and headquarter After a disaster, outline roles and or security, order of succession and individual role of task make sense plans the system is the network's the measures application recovery procedures after the stablish disruption convention contingency plan should be developed for each major system and application.
I think this more into the disaster recovery area include internal and external communication structure, rule, identify specific individual who will be communicating with external entity? Yes, of course, inside the continuity planning communication plan should be focused on the malware hackers, intrusion, attack, and other security issues.
Now let's let's do a specific technique, let's remove the answers that do not apply at all, which I believe it's true and false.
Because this one only focus about malware and hackers and, and as I told you, in the business continuity, maybe something else happening maybe like an earthquake or a tornado, or maybe someone left the company, and you know, like the know how of specific technology or something.
So number four, it's very limited.
It's not about it's only about technical.
And number two, the same.
We are talking about system and network and application.
But as we saw in the business continuity, it's it's it's not just about business, maybe it needs technology, and it need equipment and application to be running, but also it keep people and process and so on.
So we are between one and two, establish your senior management and headquarter effort after a disaster.
Our clients role and authority order of success and individual roles Does this make sense? By eliminating to answer you're gonna have a 5050 chance to answer right one.
And number four.
Number four, include internal and external communication structure and role identify specific individual who will be communicating with external entity.
So if you think about it, number four only talk about communication is that you need to specify who's going to communicate who, which is a part of the operational plan, but it's not the full operational plan.
But number two, which is having a senior management headquarter people will be known as the role and responsibility, I think this more into the right answer.
So sometimes, you cannot find the full convincing answer, but you need to select, you know, what could be the best one? So according to that, I eliminate two of them.
This doesn't make any sense.
So I have a 50 50%.
To choose the right one.
I would go with number one.
And let's see, as you can see, is giving you the explanation of the answer, is it right or wrong? And the explanation is quite important to reason even if you need the right answer, because, as I mentioned before, it's quite important to understand how IC squared is thinking this is what we are trying to teach you.
It's not about the knowledge, because as you can see, it's not that deep.
But it's about how ice squared is is sinking, what is their mentality.
This is quite important.
So you need to understand if you got this right answer by coincidence, or you really saw it the same way I squared is thinking about the operational plan.
So this is very, very important.
And this is one of the very effective website.
So besides the exam practice questions, this is also one of the websites that whenever you finish a topic, and you find a quiz about this topic in this website, I strongly recommend that you use it, it will be very, very useful for you.
So the website is that I'm going to attach the text document that includes a URL.
It's an excellent website, but it's not a replacement from the exam practice questions that I'm going to send to you.
Now we're gonna talk about a serious threat to any organization, which is employee.
If you noticed that the last few years, maybe the last 10 years, most of the major incidents that happened to company or most of the company or an organization will get compromised.
The main reason for that was the internal employees.
And actually I believe that more than 70% of the main attacks that happen because of internal employee.
And think about it employee in any organization have close access to the data.
They know the weakness of your system and your process and your control.
And they are the weakest link.
I mean, they can do harm to your company, intentionally or unintentionally, sometimes an employee, maybe steal information from the company and sell it to another company, or maybe they get fired.
So he need to do damage to the company.
So he deletes some critical data, or maybe unintentionally, I, you know, receive an email with a link, he don't care, he don't follow the company policy, hey, click on the link consulted company gets compromised.
So usually the employee represents the weakest link because they can do like damage intentionally, intentionally or unintentionally.
That's why as an information security specialist or or information security officer, you should give a lot of attention regarding controls that you need to apply for employees, you need to do some process when you hire people, you need to do some process when you fire people, you need to do some process, like awareness to people saying that you need to be aware of the policy and observe breaks the policy is not there is no not an excuse.
Saying that I don't know it's not an excuse.
So we're going to talk about that in this upcoming lecture.
So it's quite important to understand the sleds that come from the employee.
So how should it start, what control I can implement to secure my data against employee mistakes.
And as I mentioned, intentionally or unintentionally, first things there is a terminology that we're going to use in different places, which is called need to know the data owner, his ones that need to specify or determines they need to know to the information.
So for instance, if you are a function and manager, you are the HR manager, or you are the finance manager, right? You are someone who can say that this guy jack, for instance, he should have access to those files.
While this guy Baba, he should have access to other files according to his functionality, according to his job description, right? It's not right to like give all your people all kinds of axes.
This is actually quite risky.
And this is what may lead to problems and what may lead to a lot of issues and compromising of system.
So you you are giving not yourself but I'm talking about data owner will determines the need to know information to a each job role.
This is as I told you, quite important.
So we saw in some organization that it's done, it's not done this way, people get hired.
So me, I will inform the technical team, to if this guy get hired and HR give him access to the HR folder that include all the fire of HR, or give him access to all HR application it sometimes this way, you should have a list of the people that has access to different system and different files from the data owner.
And you should follow that.
It's maybe like common sense.
But realistically, it's not done this way.
I saw some company, when people get hired, you know, just to save themselves effort and planning and writing down different axes according to their job description, they will give any new employee access to everything, which is very, very risky.
And other controls that you can implement, it's to create a job sensitive profile that include what kind of security is required.
So for each job, and actually also this thing to be done from the functional manager, we need to have a security profile regarding the level of security or river of information security higan access, and according to that the administrator uses profile to assign authorization permission.
So it needs to be designed it needs to be like a plant and that the owner need to be by the way that the owner It doesn't mean necessarily the guy who created the file or recreated the program.
It means the owner who is responsible of the file On the next lecture, we were going to talk about the difference between the data owner and the custodian, which is quite important.
And you should expect the question about certain subjects and but this will be covered in the asset management in the next domain.
So, some of the controls that you can implement, maybe it's related to HR, but you as an information security officer, you need to be aware of things like background check when you get hired when you hire someone, you have according to the job sensitivity, but you have to do a personal interview, you have to check the history verification, work history verification, you have to do a criminal background check, drug use check, reference check.
And it depends about the sensitivity of his job, maybe you have to do all of them or some of them.
So the screen is the verification before hiring, it's quite important.
Also, things like financial and history review, personal screening, lie detector in some, like law enforcement or armies are doing that security clearance.
So those are some of the control that should be in place, especially by HR, but you need to make sure that they are in place.
Another important topic that you need to do, or any another important control, which is NDA or the non disclosure agreement, each employee need to sign an NDA because you're gonna have access to the information he gonna have access to data.
So you need to make sure that he will not leak those data out.
So you need to sign this form.
And I will attach with this lecture, a couple of like template about NDA, but this is quite important.
NDA non disclosure agreement, maybe will not prevent the employee for leaking data.
But if it happened, you have a legal documents that you can take action using this document.
So how will it look like I will attach a document but it's what very, very important documents that you need to make sure that all employees has signed before they get the before they get hired, beside.
Also, depending on the sensitivity of the data sets they gonna have access to or sensitivity of the information you may change in the content of the nta.
Sometimes you may make this NDA valid till after even after the leaves a word for like five years, people who are working in places like intelligence agency or armies, they are signing a lifetime NDA that whatever they have, they will not have access to disclosure, even after long time.
Now we're going to talk about some employment policies that you can implement in your organization to mitigate the risk of employees, the threats that's coming from employees.
And to be able to use this employment policy, you need to understand the ROB responsibility very well.
And those are the policies The most common one, but you're not able to implement them unless you know what they're doing.
And also you need to identify the critical business function in any organization.
Those policy used to be a part of the operation security.
I mean, if you are doing the exam quiz that I show you before in one of the lectures, you're going to find a question related to those policy is operational security part.
But in the next lecture, I'm going to go briefly about each one of those what exactly is a meant? We already spoke about the need to know policy.
least privilege, which also means that people by default should have least privilege, unless they need additional privilege.
So someone gets hired, I should not give him access to everything and privilege to everything.
I'm just going to give them the minimum privilege, and then according to their role and responsibility, and maybe new assignment or new tasks that get assigned to them.
Maybe I need to raise their privilege according to that.
But by default, they should go as they should get the least privilege.
So what I'm going to do in the next lecture, we're going to talk about each one of those policy in a very brief way.
From sunflower because actually sunflower cover throughs very well.
And I suggest that you do some, once you finish this part.
So you go to the exam practice questions, or actually the quiz websites that I showed you, and to solve some question from operations security related to the policy.
But first, let's discuss those policies step by step.
So in this lecture, we'll be talking about some of the administrative security policies, the major one, and most of them has been covered, as I told you before, so we have the separation of duties that critical tasks need to be the role and responsibility need to be separated, depending on the criticality of the task, need to know no one will should be able to check or to see the information unless you have a need to know permission or have to need to know, least privileged people by default should have least privilege.
I know it makes a lot of sense.
But in real life, this is not what's happening.
Because I saw some places where because people keep asking for more privilege, the administrator will give everyone's full privilege, and you know, just to make himself comfortable, and one will not call him.
So a lot of those policy are a lot of source best practice.
I'm not really implemented there, I'm making a lot of sense, but I'm not a bad job rotation.
This is this is actually mainly into the financials department where you need to move people so around.
So people that are working on a payroll should be moving to for instance, expenses and people on expenses.
Because if any fraud is there, and you are moving people from zero position to other position, fraud will be discovered mandatory vacations, this is also in most of the financial department.
And it's usually targeting the head of the department.
So mandatory vacations that people should take a mandatory vacations, that should not be less than 10 days, because they can take couple of days.
And still no one will be able to figure out any fraud or anything like that.
But if you leave for 10 days, and someone will be replacing him during the vacation, he will be able to discover any fraud, antivirus management, how are we going to manage antivirus, I cannot keep people I cannot let people install whatever antivirus they want, and managing the way they wanted.
Now we can do that in a centralized way where we can update the antivirus.
Who can verifies activity, we can check the malicious behavior and so on.
auditing should be done frequently closed shop, change control and change control is that what process do we have? In case someone requests some change it more it's more into the application part or software but assumes that someone requested a firewall change.
You have a developer team and they requested to open a port on the firewall, do you have a process for that or you just let's just people call the network administrator and he will open the port for him stuff like that it should be written in a form and it should be assessed I mean it should be validated by opening this port Are we going to have any problem What is the reason for having this port open and then it should be approved.
So you should have the process for change control, configuration management management, same option, same issue.
If you need to change any configuration Are you good doing that through a procedures or adjust someone calling someone and ask him to change any configuration and patch management patch is very very important and in your organization checkings update and patching their application, but it should not be done individually everyone should update or not update it shouldn't be done centralized.
And most of the organization has some software that manages So, if we are talking about Microsoft Windows, there is a service called w SOS that do the centralization loses updating centralized they have a server that has this role w SOS and he will test the patches and then it will be distributed on the machine.
So it should be done in a centralized with Microsoft Windows or any other product.
Also, I would like to show you a couple of extra policy inside the sunflower, which I believe is quite important separation of duty already spoke about least privilege to men control which is to person review and approve the work for each other.
This is one way for controlling the security it's an administrative technique.
Dual controls a two person are needed to go completed tasks like movie, when people try to launch a missile, the two people need to open, like, or use their own key together to scold you or control.
rotation of Did you spoke about mandatory vacation need to know employment, employment, screaming or background.
It's mainly into the HR part, where if you are hiring someone especially sensitive position, you need to do a background check just to make sure that you know, he is suitable for such position.
So those policy you have to read, you have to memorize them, you'll be able to know the regular one.
I mean, if I'm telling you let's privilege it makes sense.
But what about two men control? Or do well control sometimes you get confused about that.
So this need to be written the administrative policy or administrative management control and to be memorized.
Then there's also as a policy, security auditing, yeah, this also it's important terminology clipping level, what is a clipping level clipping level is to identify the level of error, where you should expect something malicious, let me give you an example.
Some system will allow users to log in three time a try to log in three time, but if he failed to log in three times successfully, it will be blocked for like one day and you have to call this service desk to allow the service like banks.
But some other service give a chance for five attempts as a service give to attempt.
This is called the clipping level how many attempts I should allows user to try to log in.
And after that, I should block it because it seems suspicious there is no like standards, or it depends about how complex your system is.
So if you are giving user passwords, that is 15 character capital and small and, and letters and numbers and so on, most probably, you know, he may need like four or five attempts.
Well, if you are giving user a pin number of four number three attempt will be enough.
So clipping level, it's to identify the number of unsuccessful attempt that the user try and after that you block him because this is seen malicious.
So please write it down is quite important.
You should audit the event from time to time because a lot of people are just checking their logs and event just in case there is a problem.
But actually, you have to do that periodically just to identify your baseline what is normal and what is not normal.
So you need to do that from time to time, you need to identify the events, the time of the event, who did that event and so on.
Now, also the security monitoring and evaluating any kind of violation is very important.
Some people are doing that intentionally zero value violating the policy and some people are doing that intentionally.
So it's very important to monitor people and to analysis, the violations as they are doing.
Maybe someone is doing something wrong, because they are not aware of the company policy about it.
But maybe someone is doing something wrong because potentially he need to do something harm to the computer.
So I cannot give the same penalty for both of them.
If someone is doing that, unintentionally, he's not aware that he should our company policy regarding emails that mean company mail should not be used for private reason.
He was not aware of that.
So I just need to inform him What if someone is trying to like some company confidential information, using the email, this needs to be taken in consideration and a hard action need to be taken against this guy because this is a malicious activity.
So I cannot give the same kind of punishment for both people.
They are both misused the email but in a different way.
So you have to analysis the violation.
Security Team I'm sorry, security threats, disclosure, destruction, safe espionage, hacker and cracker we went through that before unauthorized access is a security violation.
There is a physical violation type logical I mean, it's quite you know, quite clear what we are talking about.
incident response.
This is actually a big a big subject.
And instant response.
It's the proper action to be taking in case of any incident.
So incident could be small incident big incident, but you should have a procedures, what should be done first and what should be done next.
The first thing you should detect that this is an insert, a virus has been spread inside network I should first detect, then content mean I try to stop the bleeding, then I should start system cleaning removes the virus, then reporting and documenting that.
So in future, I can prevent that.
Then assess training and awareness, I should do some lesson learn and start training my team what happened, what was the best actions that was taking what was taking and can be taking in a better way next time and so on.
And then evaluating our production and then vulnerability testing.
So those are the steps in incident response just to make sure things enhance.
So people will be aware later on what to do.
This is operation security quite small module.
And the only important is the policies the best practice or control, and this terminology, clipping, living and stuff like that.
Even in case of employee termination, there is a proper way for doing it from a security perspective.
So if an employee get terminated, first, you should disable his account immediately.
And then you should inform him and give him around 15 minutes to take all his belongings.
And why we're not giving the world we're just giving him 15 minutes to not allow him allowing him to do any kind of damage.
So if you inform an employee that he gets, he was fired and you leave him till the end of the day, imagine the amount of damage that he can do, he may delete a lot of file because, you know, after all, he's so upset.
So, you need to inform him and you need to give him 15 minutes to to collect all his belongings and then you need to escort him to the door.
I know it seemed very mean but this is how things is going.
So terminated employee is also a big threat to any business.
So, from this discussion, this lecture is a previous lecture to source are some of the controls that you can implement to reduce this kind of threats and to put controls on the employee which is considered the weakest link in any organization.
We have two point remaining in this domain.
I know this is a very big domain.
Actually, and it combined a lot of previous domains.
But we still have two point remaining.
We're going to talk about security awareness.
And then we're going to talk about security testing.
Now, security awareness, it's a topic related to the previous lectures for employees.
And actually, this is a very, very important topic, maybe you're going to explain what is security awareness and why we are doing it.
But actually, it's the main requirement for any compliance.
I mean, if you are ISO 27,001 certified, or if you are following any kind of standard of compliance, you're going to find that one of the main requirement is to do a security awareness for all your your employee frequently, it's not a one time process, you have to do that once per year.
And I saw myself any audit that was related to ISO 27,001, or any other kind of compliance, one of the things that they will always ask about, show us their attendance, or an evidence that people attend the security awareness in your company, and why is he doing that, because as I mentioned earlier, is that most of the incident and most of the compromising system was because of people not because of technology.
So as we keep saying the last few lectures, that employee are the weakest link in any organization, they may do damage intentionally or unintentionally.
So you have to provide them with a security awareness session, once per year, it shouldn't be like a full five day training or even a full day training, it could be like, one session couple of hour and you start explain to them the threats, the their role and responsibility, which is very, very important.
Because the concept here that you should eliminate, I didn't know.
So if someone did something wrong, he should not say I didn't know because if he's attendings outwardness and he knows that he should not click on settings that come from an unknown sender or any such suspicion email or any suspicious SMS.
So he will tell you, I didn't know but if he attends a witness and he will be aware of the new threats, what is ransomware what is a virus, what is what is the best practice when it comes to mails or SMS that will prevent any problem with a company network or data or information, he will be more responsible because by attendings awareness, he cannot say I didn't know.
Beside, he will know that he is responsible if he did something wrong, he will take a responsibility for that.
And we saw that in a lot of companies that if people didn't attend that, they don't care, whenever they receive an email, they will open and say they will download the attachments, they will click on the link because people think you know what could go wrong, but when they attend to witness and they knows that there is a threat, and if something went wrong, because of their behavior or because they are like not giving attention to that they will face problem could be legal problem could be business problem, but they will face problems, they will be more careful.
So it's very, very important to arrange those security organization.
And actually, I can share with you some of the presentations that I did for a security ordinance is that you can do to your company or your organization or your department.
And by the way, security awareness should not be done only for IT staff or the IT department, but it should be done for all the company employees from HR from finance from operation, everyone should attend this awareness session.
It's the main requirement.
And as I was saying, whenever you have any audit, one of the main things that they are asking about an evidence that people attended this employee and they will go and ask some random employee, did you attend to awareness? Do you know your role and responsibility? Another objective or scope for this security evidence is to tell people that we as a company, we have a security policy and you need to be aware of those policy and set locations This is quite important, because if the employee is using any company assets or service, there should be a policy which we already explained at the beginning of this lecture.
So for instance, he has a laptop from the company, you should have a policy related to portable device or laptop saying what he should do to secure this laptop.
If he's using the internet in your company, you should have an internet policy.
So, he should read this policy before start using the internet.
And you should buys by reading the policy he will know what should what can be done and what Couldn't he couldn't do it or should not be done.
If you are giving people an email from the your company domain, you should have an email policy saying what is the best practice and what should be done and what is not allowed to be done.
And we already spoke about policy but if you are doing those policy and employee are not aware that there is any policy in this company, or in your organization's are useless.
So point is you doing the policies and you have to inform the employee about the policy and their location, say they don't need to memorize all the policy at but at least they should know where they can get those policy.
And they should know that if they are not aware of the policy, it will not prevent them from any punishment if they did something wrong.
So you are saying Okay, fine.
If you're using any service, just have a look about the policy related to the surface.
Because by not knowing the policy, it's not an excuse.
So security organization is quite important.
And one more time I'm offering some of the free presentations that I did for employees for security awareness, if you're going to help you improve your security in your organization.
Let's start with the second domain, which about asset security.
This is actually a short domain.
It's not like the previous one, where we covered a lot of topics.
Here we only gonna talk about asset security.
It's maybe a short domain, but actually and realistically is very important.
So if you plan to start an information security implementation in any organization from where should you start and looking simplifies a question at your house, I and I believe I already gave you this example before but at your house, if you plan to secure your house based on what you're going to decide what to secure and how much you're going to spend, usually based on the value of the assets that you have, you may have a computer you may have a laptop, you may have money, you may have assets in your house that you need to secure and based on risk.
So, if you are in secure area, you will not spend that much like if you are in in an unsecured area.
Right.
So two factors usually let you decide about how are we going to implement security and how much you're going to spend to secure same concept apply in any business according to what we're going to secure our organization according to the value of the assets that we have and the risks that we are facing.
And to take an example let's talk about the bank.
What assets does the bank have? They have physical assets and they have information assets, physical assets like computers, laptops, share stables and so on.
And information assets like customer information customer transaction, as a bank rep reputation, those are the information assets.
What do you think or smooth? What is more valuable? Is it the physical assets? Or is it the information assets? I mean, if z bank is a bank, last couple of chairs a couple of table get broken or something like that.
How much would be his last one is the bank loss some customer information with as a fight with financial transaction, how much this will last? Right.
So usually the information assets is the most valuable assets to any business.
And in any business they used to have, like an inventory was all the physical assets but they don't have any information assets.
And this is what we're going to start with how to create an information asset register So before showing you how to do that with a couple of templates, you need to understand the terminology or the definition of an assets.
Assets.
It's not just the physical assets could be a physical assets or information asset.
And take your smartphone as an example.
your smartphone was something, you maybe spend 500 or 1000, to buy it.
But you save on on this phone, a lot of information, you have contacts, you have email, you have personal photo, you have personal video.
So if you lost your smartphone, what will be your real last? Would it be the phone itself, the price of the phone, or definitely, you will be upset about those $500 or $1,000 that you lost.
But most probably you will be more upset about the information on the phone, how much time you're going to need to recover.
Also, those contacts, how much time you will need what if someone reset your password, still steal your information on this phone.
So usually the information is the real assets that we need to configure.
So in this domain, I'm going to show you how to create an information asset register, which is very important and usually any information security frameworks like ISO 27,001, or PCI DSS, or even any other ISO, like as a business continuity is one of the first requirement whenever they come for an order, they will check Do you have an information asset list? Because if you don't have How can you secure them? If I don't know the value of the information that I have? And they are not written in one list? How can I secure them? How can I decide what needs to be secure or not? So what we're going to learn in this domain will be first how to create an information asset register, and what is the information asset register in the first place, then the asset classification.
And here we're going to talk about the classifications asset owner, the custodian said we're going to talk about privacy protection.
We're going to talk about asset retention, how long should I keep an asset? And what is the policy when it comes to the retention, then that the security controls and finally, secure data handling? So let's start with the first leg.
from our previous discussion, we agreed that as a business, you need to have a list of all your assets.
Now, what are those assets? And what are the assets that is usually available, and what is the assets that you need to do it yourself.
So if you go to any organization, you will find that they usually have a list of all the physical assets, things like computers, or laptops share stable, cables, switches, all those are listed in assets.
And sometimes it's under the, it's managed by the finance department.
Because they need to know how much they spend on that some times they have an asset, the apartment and so on.
But the weakness is usually in organizations, they don't have an information asset list.
And this is what I'm going to show you in the next lecture.
And if you go to any or if you get hired anywhere, this is one of the main lists that you need to make sure is there because if you get any audit or any compliance audit or legal audit, they will ask you for that.
Because the information as I explained in the previous lecture, is your main assets as a business, right? Think about banks, for instance, how much that information was, can they afford to lose any of those information? If you have a bank account and you lost it? is it acceptable? Can you take legal action against the bank because of that, is anyone going to trust the bank to open an account if you lose one customer information is quite important, right? military or government what is their information and how much it was and so on.
So in general before showing you how to create the asset list, which is a very important document is organization.
And you are not one who's filling it by the way, say information asset list or the information asset register is usually filled by department you are just making sure that they are filling it right.
So if anything gets lost, you will be knowing who's responsible and who is not.
So, in any organization, what kind of assets they have, they have hardware, they have software, they have data assets, physical systems.
In documentation, ITM or it asset management is to manage the lifecycle of those assets, to have the list where you are writing down all this information.
But as we're here, we are talking about anything that hold assets.
So if you have an external hard drive that includes a lot of files and documents, this is an asset.
If you have an application, or a database that holds customer information, it's an assets, and so on, and so forth.
So you need to have a list that have all those asset information, which I'm going to show you in the next lecture.
And you need to write down the cost.
And also, you need to identify the ownership of the assets.
Now, this point is very important.
And let me have your attention on that.
Any asset list, as we're going to see will have the name of the asset, but also you should include the owner of the asset, and the custodian of the asset, what's it what is the difference between owner and custodian.
So for instance, if you are working in an insurance company, and you have a list of all this customer information, or all the customer information of this company, okay? Which is very important, because if someone was able to steal this list and send it to a competitor, he will know your customer, and what did you are giving them, and maybe you can give better deal and steal all your customer.
So as an asset, it's quite important, just the Excel sheet that includes all the contacts and financial details, finance details, the contact information, and so on.
Okay, who's the owner of this file? It's an Excel sheet, is it you maybe you are the one who created but are using owner looking at ask you this question.
If you leave the company, do you have the right to take this finals? You definitely not.
That means the owner is not you even if you are not, if you are the one who are creating, who created this file, you still are not the owner, the owner, in most of the cases is a company, right? While What do you call yourself, you are the custodian, you are the one who are managing this fight.
So most of the times the owner will be the department will be the company.
But the custodian is one who is managing this fight, who modifying who decides the importance of the fight, who decides the classification.
But he's not the owner in zoo in a sense that he do not have the right to take the fight if he leaves this company and go to another company.
So very important to understand between the difference between owner and custodian.
And it would be very useful if in the sheets that we're going to create in the next lecture, besides identifying or writing down all the assets that you have.
Also, you need to identify the owner of the assets.
And the custodian.
custodian means a person who is managing zest Inc, in case something went wrong, or a fire get lost, Who you gonna call or who you're gonna, like, talk to who's responsible was the owner, most of the time, it will be the department, or it would be the company, or it could be the CEO as a senior management and so on.
Also, according to the list, you're going to implement the security controls to protect those data.
So for instance, if you have a list of all important file that represents report or a budget or a payroll, okay, according to set, because it's written in the files as those are confidential that you're going to decide how I'm going to secure them, do I need to encrypt the drive to any to assign a password on them.
So having an information asset register will help you either identify what needs to have security and what not maybe in the list, you have a document like a brochure, you have like a brochure template on your computer or maybe some some advertising document, the unknowns are quite important if you lost them, it will not affect your business, it will not affect your reputation and so on.
Okay, so having this list will help you to do that.
So I want you not just to take the knowledge from this domain, but I want you to create an information asset list yourself.
Okay.
It's important to apply classification as you're going to see according to sensitivity of data.
So it's not just just writing down the list of information and list of software and list of data that you have in the list, but also you need to classify them.
You need to identify the owner and custodian.
Very clear, be very clear about the regulation policy requirement and about the legal as well.
What do you mean by that? Let me give you a small example.
Which is very, very important, right? logs, any application or any software or any computer, they have logs, right? And in one of the lecture, I'm going to show you how to check the computer logs.
If you have a surveillance cam, for instance, in your companies, you are keeping video recording video, right? How long those logs or those video you should keep them? Should I keep them for one month? Should I keep them for one day? I mean, I'm recording so surveillance video, and I keep them in some storage in my company, or I'm capturing logs from my system, and I keep How long should I keep them? What do you think? Should I keep them for two days for one week for one year? Because I cannot say I will keep them forever, because it will take storage.
And by keeping all those recordings are all the slugs you know, it's an endless process.
So you have to keep them for a time or for like a period of time and then get rid of them.
Okay? Let's assume that you decided to keep them from for one week.
Because you checked and you don't have enough storage.
So you decided to keep all those recording.
And also slugs for one week.
And then a robbery happened to your bank, or someone steal something, or someone like hacked to the company network and steal critical information.
You're gonna inform law enforcement, and then law enforcement will come and ask you what is the video recording? Okay, it happened after two or three weeks? What are you going to tell them? I only kept them for one week? Or the logs I used to override the logs every one week? This is not right, you're going to face legal problem because of that.
Okay, so we need to know about the legal because it's different from one country to another.
And it's different that if you are working in a government different than if you are working in the private sector.
So one thing you need to do before starting creating those asset lists, and starting managing them is to contact the legal department guys, could you let me know? How long should I keep the logs? How long should I keep the information? How long should I keep even the information of this organization? The documents the list? How long should they keep it according to the law? And you should follow that.
But saying that I didn't news, this is not an excuse.
Usually, this kind of jobs information security officer or consulting or specialist.
They are getting paid very well, but they have a legal responsibility.
So we need to check with legal department first, what is the regulation? How long should I keep the assets and so on.
Now, after having this discussion about information asset list, our asset management Let me show you how to create one.
And I'm going to ask you for small practice to create your own information assets.
And then we're going to evaluate it together.
Now, let me show you how to create an information asset list.
Also known information asset register, you may find different name related to the information assets.
Some of them will be AI, AR, or ita m whatever the name is, but the concept is having lists that include all your information assets, and their classification, and their owner, and custodian.
Don't forget those terminology owner and custodian.
So I have some of the templates, which I'm going to share with you.
But actually, if you search online, you can find besides you can modify in the template.
It's not like you have to use this specific template, but you can modify so let me open one of them and let's discuss what should be inside the asset list.
Now, now, before showing us the different item is asset list.
Let me just tell us that who should like write down all the information that you have.
Because this is not an easy task you have here in this list to write all the software's that you have all the computer that has information that also document, digital document and hardcopy document.
So you have some Excel sheets, you have some reports some PowerPoints, you have to write down all this information is there a classification where they are located, how important they are and so on and so forth.
Who's in charge of that is it you? Definitely not because you need to have a list of all the information assets for all your organization, much as it HR they have important information finance they have important information.
So you have to give each of those departments a list and need to ask them to fill it.
Your responsibility is to show them how it needs to be filled.
And this is very important for the exam, because you're gonna find many questions as the exam related to the information asset management, about classification, about labeling, and so on.
But also for a business, because any audit that will comes will first ask about it.
And if you go to any interview, this is one of the points that you need to raise shows them that you know that you should start by having an information asset list.
Because if I don't have a list of all the valuable assets in my company, how can I know what to protect? Right? So what should be in this asset? So again, your responsibility is to make sure each department our feelings, and our updating them as well, because as you know, that information keeps changing some new information is there some other information will be written under retention, so it needs to be updated frequently.
So we're going to talk about update later on.
But let me show you first the list and as I told you, you can change it, I will leave the process right now, we don't need to talk about the process, this will be covered in a different topic.
And we're going to start from here, name of this, what is the name of this, it could be a document to be a folder, a digital document, it could be a hardcopy document, it could be a software, a database, whatever the name, then.
So I'm gonna assume that we're going to start from the name of this, you can even give a number, the description of this.
So for instance, if the name of the asset it's like a document name.
Now, what is inside this document, just a brief description? This is a list of all the company customer, what type of information? Is it hardcopy? Is it an electronic copy, you can choose from, or you can create a drop list where you can specify what kind of assets is that? Is it the personal data? Yes or No, this isn't very common, some of the document will not have this field.
Is it? Personal sensitive data? Also, this is in case, you know, we're talking about privacy.
So the information asset details sensitive customer data, so the data is it related to the business related to the customer, but still, I saw a lot of document towards they didn't categorize them if it's a personal customer, but it's up to you.
Here, we're going to talk about classification, this is very important, you need to classify the data according to what according to the classification level that you have in your organization.
So, in your organization, you should have a classification level, how much level of classification you have, is it four or 532? Do you have secret and public Do you have confidential secret.
So, you should not invent the classification level here, but you should have your own classification level in your business and you should apply this is a confidential, this is a prior internal documents, this is a public document.
So you need to write down here is the type of the classification.
Because according to that you will know which document or which assets because actually, as I told you, we do not just talk about document, we talk about we talk the talk about document electronic data, software databases, removable media, like a CD or like a flash drive, and so on.
So according to the type of classification, you're going to decide what kind of protection you're going to use.
Again, who should assign that is it you know, is one who's filling this information, which is that a custodian is one who specifies a classification here.
It could be that the owner, its owner is a person but if the owner is like a business or department, it could be as a custodian or as one who's managing it.
Now, for the security, CIA.
It's recommended to write down the classification of this asset when it comes to integrity, availability and confidentiality.
So you can say for instance, for confidentiality is very sacred, but availability.
Also, I am sorry, is very high, or integrity medium so you can choose based on it needs to be classified.
And the importance of that, what about integrity? Are you going to allow people to define this document Or you're going to put some control to prevent any modification to protect the integrity? Is the document need to be available all the time not any assets need to be available, is it the website is letter these maybe need to be available 24 seven, because that's critical.
So you need to put like the classification or the level of each one of those integrity, confidentiality and availability.
Two important fields that, you know, I saw some comment in some old because of that, that you should have that the asset owner as asset custodian, I keep saying that, because I don't want you to lose this question size exam, some people get confused between what is difference between the owner and custodian.
And as I mentioned, owner is one who are like, own this assets, like the company, and the custodian is one who's managing it, like the employee, okay, owner could be the manager, or senior management as I told you, but after all, think about this way, who gets the right to take this asset, if he leaves the company, this is the owner and says, since those are assets to the company, that's mean, you don't have the right even if you are working there to take it while leaving the company.
Here we have data retention.
Now data retention, because each assets has like lifecycle.
Afterward, you will not keep all the assets located somewhere for a long time, think about the documents that you have even the hardcopy document, if you are working like in an hospital, or do you have a lot of document and patient information and blood test and a lot of document Are you going to keep them in the same place like lifetime.
Definitely from time to time, you need to take those assets and keep them in an archive or maybe in a warehouse or something like that, how long you need to do the data retention.
Now this could have some league and reference according to the data that you need to it needs to be retained every how long.
Once again, you can customize it according to your business.
But I'm just showing you an example for a information asset register.
And guys, your work is an information security specialist or custodian I'm sorry information security officer or working in this field will have a lot of documentation I mean, you will be involved in documentation like policy procedures planning, just recovery planning asset list.
So whenever we are talking about a specific document or a specific, take that very seriously, because you may face a question about set inside your interview, not just in the exam, but when you go inside the interview, they will ask you what document you should have what is information asset document, because those are the assets.
Those are the things that when you have an audit, they will ask about it.
And if you fail to prove an evidence or chosen this documents as me, you are not doing your job.
So it's quite important that when we are looking at talking about the documents, like a policy, like an Asr, I'm sorry, information asset register, AR, or any other document, it's important to download them, check them, modify them, create a template, or recreate the demo.
Get familiar with such document.
Okay, analyze each field, because once you get hired, you're gonna have to take those document to different departments.
And to explain to them what is this document is all about.
So it's important to take, especially the things that has practical or documentation quite serious, because besides the exam, it's important for the exam, it's also important for your shop.
One last point before moving to the next lecture, which is this document need to be updated frequently.
And when we when we are going to talk about document control, where we are writing all the information about this document you need to show when was the last update, it's not a one time process.
So it needs to be updated frequently usually, most of the company are doing that once per year.
So every year you need to update it and you need to right on the document controls that it has been updated on this specific date and time by this person.
So this is quite important.
Another point which is management support, okay, as you can see, many of the document will need some input from other departments, and some of them will need a full input from the department in a sense documents like this, it will be fully done by the department, business department or functional department.
So unless you have management support, no one will will, like, leave what they are doing and start filling such document.
And this is a critical document for any business.
So you need to have a management support in the sense that if you are not getting any kind of cooperation from department, you can report back to management.
Because after all, you are taking responsibility of the information security of this organization.
So that's why in the first domain, we explained the importance of the management support to be able to implement the right information security system implementation.
In this lecture, we're going to talk about classification and labeling.
classification.
It's one of the main requirement when you identify your assets, but it shouldn't be done randomly, you should have a classification policy that identify first, how many levels of classification Do you have, some organization will have three, some organizations will have four.
So you need to follow the policy for from the level of classification you have.
Second, the policy will include the criteria that you should use to classify the information.
So based on what you will identify this asset as confidential, or confidential and restricted, or internal.
So it shouldn't be done randomly, it should be done according to a policy.
Now, the first question will be who should classifies information? Should it be you as an information security specialist or information security officer, or it should be the information owner.
Most actually, it should be the information owner, because he's the one who can identify the value of the information or the value of the assets.
And according to that, he can say that this information is confidential, or internal, or public and so on.
Plus vacation should be written inside the information asset register, as we saw in the previous lecture.
But also it should be written on the assets itself, which we call labeling.
So labeling it's to identify as acid from the level of say, classification.
And I'm going to show you a couple of examples in the next lecture on how to do labeling on z acids, but why you have labelings acid.
First, to be obvious that this is a classic classified document or internal document, but actually most important that some of the software and some of the application that is used for preventing the leakage or the loss of data can only be working in case you have live labeling on the assets itself.
And we're gonna see that in the next lecture, and I'm going to show you a couple of products who's doing that which is a DLP.
So, some of the software like DLP software will not be working unless you have your information classified.
So labeling which you should expect the question about it inside the exams, the classification in general and labeling, you should expect many question about inside the exam, need to understand the difference between classification and labeling.
So in this lecture, I'm going to go through the common classification levels.
And in this second lecture or the upcoming lecture, I'm going to explain the labeling process with showing you a few of the samples.
And then we're going to talk why you are doing labeling and how it can be effective or how it can be useful when we are using some software for leakage prevention.
So in general, there is two different kinds of classification there is a military or government classification.
And there is a commercial classification military which is applicable to low military or US government or any government in general.
And it's more restricted.
While commercial has different level of classification, like as you're gonna see right now, things related to copyright things related, so in to know how for for a product or something like that.
So Usually you have two different kinds of classification, let's go through them as an general idea about the classification.
So the military, in general could be more or less, we have different four level of classification, we have the top secret, and to define its information that if it gets this close, a great or grave damage to national security, we have the secret, which is like serious damage, and we have confidential which is damage to the national security and we have unclassified, which no damage will happen in case of disclosure, this is the most common military classification as I mentioned, could be more or less, while commercial classification is kind of different.
So, we have the corporate confidential, which is the information that need to be protected provided to an individual outside the enterprise.
We have the personnel confidential like the employee information, or the customer information, we have the private, we have the trade secret, you know, things like you know, how have specific product, how it's done, and you have the client confidential.
So, those are the common type of classification in the commercial section, but again, how many levels you can use depends on your business or it depends on your organization.
Besides you should also check if there is any, especially if you are working in government, you need to check if there is any kind of law or regulation regarding classification.
So, in some country, they are enforcing old government to follow a specific classification schemes.
So, before you start identifying the level of classification, and start explaining it to the functional manager, so they can explain it to their employee, you need first to check if there is any requirement.
Law requirement when it comes to the classification.
And here I'm talking about government specially Let me remind you that you are not the one who's doing the classification, you are not enforcing the policy to be implemented a classification policy to be to be implemented.
And you are explaining to different departments what is the criteria is that based on the gonna do the classification and act according to the output.
Regarding asset classification, you will be implementing so proper control to protect those assets according to their level of sensitivity and sec classification as well.
Now, as we explain the importance of classification, and classification is not an option.
It's a must.
In any information.
If you are implementing an SMS, you should classify your information they will not accept to approve your SMS unless you classify all your assets.
Next step will be labeling and labeling is to write down the level of classification on your document.
So it could be a stamp on your document.
Or it could be if you're using digital documents like Microsoft Word or Excel or PowerPoint or any other document, you should have right on the document on the header or footer is a type of classification and on the document control.
Why are we doing that we're going to see on the next lecture some samples and then I'm going to tell you why we are labeling the assets was our classification.
In previous lecture, we spoke about classification and different classification schema.
In this lecture, we're going to talk about labeling, which is adding the classification to any assets.
And to give you a small example, we're going to take the information asset list, which is one of the security document.
If you go to the first sheet here you will find all the document control information.
This document has been introduced or has been written by whom and when it has been updated.
And don't forget that most of the information security document need to be updated at least once per year.
And as you can see here, there is a classification you need to add.
Here's the classification type.
What do you consider this document? Is it the top secret secret confidential.
Again, it should follow the classification policies that you are following in your organization? Now, here's the point, why are we adding labeling, some people will add settings, like header or footer, writing down, if it's hard documents, he will put that in like a stamp.
But let's talk about soft copy document why it's important to do that, for many reasons.
First, it's one of the requirements, one of the compliance requirements.
But second, which is quite important is that some of the software that you may use to prevent leakage will depend on that.
And let me clarify, we have a very common software that we are using right now is called DLP, or data loss prevention.
Some people are calling it data leakage prevent prevention.
The DLP is a software that monitor any information like sending email or copying the document from from your computer to an external hard drive or resend an attachment.
And according to the classification level, that the document has an accordance of policies that you should implement, it can prevent that last few years, we heard a lot, especially from military, you heard a lot, a lot of leakage happened in different organization.
That's why a lot of company right now are considering using DLP.
And there is a lot of products, and I'm going to show you a couple of product in the upcoming lecture.
But those products when you install them on your network, what happened is you can assign a policy that please do not allow, for instance, a confidential document or this top secret document to be exchanged.
So according to that, if you try to send an email, if you have a DLP installed on your company, and you try to send an email, and this email has a top secret label on it, the policy will apply and then you will not be able to send it.
So you try to send it by email, it will tell you that you are not allowed to send that you try to send it by copying using a USB drive or a hard drive.
Because there is like top secret word on it, it will not be copied and so on.
But to be able to use a DLP you need to have a labeling system.
Because what if the user didn't write down anything here, or he removed what was here.
So you need to have another software that loses labeling part is that whenever he creates a document, he will not save it unless it has a label on it.
So it's like two different softwares that you need to be able to prevent any leakage of data or to be able to prevent any loss of that.
First we need to have a classification then we need some software or even some policies that each document needs to be classified or need to have a label and then you can use a DLP that will prevent zelicah jobs that so it's a very important approach that you should consider especially if you are working in a government or a finance entity or any place where they have very critical information that you need to prevent against leakage of data or loss of data.
So let me show you a couple of products and how exactly they are working.
And then you can relate what we are seeing to the DLP and the importance of labeling, for preventing leakage.
So let's see couple of product as a proof of concept.
In this lecture, we're going to talk about privacy.
If your business are maintaining or are collecting customer information, for instance, you are a hospital, you need to keep your patient information such as their name, their social security numbers, health history and so on or you are keeping customer credit card information or you are keeping any kind of personal information for customer.
You need to follow a lot of flow and regulations.
But first you need to be aware of them.
So there is a lot of compliance or actually law that will enforce you as a business to maintain the privacy of this information.
And a very good example to explain what could go wrong because of that to the facebook, facebook.
The last few weeks there was a big incident in Facebook, the privacy scandal, Facebook are collecting information and They are not just collecting personal information such as name and email and an information like that.
But also they are collecting behavior information, they are checking what kind of ads we are clicking on, what kind of groups we are joining.
So, he tried to get or to analyze your interest.
And according to that, they start or this is what, you know, the legal issues that raised the last few months related to Facebook since they are taking such information and sells them to vendor.
So people who are interested in traveling, they may send sells that to a traveling agency, because they know that from your behavior, you are you have interest in such activity.
So, this is considered private information, they are collecting your private information.
And without taking permission, they are sending that to other also a third party or other kind of vendors.
This is a very good example about privacy breach.
And as you can see, you know, the problem has been raised.
And it went to the Congress.
And there is a lot of legal consequences to that, because Facebook didn't take permission from you to sell your information, even if the service was free, it's not giving the right to sell the information to any other entity.
So, this is an excellent example about the privacy that if you are maintaining private information, you should follow the P i or the personally identifiable information PII.
So what should you do when it comes to maintaining the privacy of the information as we agreed privacy, which is collecting personal information, such as social security, contact information, names, email and so on, this is a legal channel challenge.
Because if you misuse that in any way, there will be a lot of legal consequences.
And I already gave you an example of Facebook.
So you need to first identify what will be collected, I should not collect information that doesn't have need for my business, how it will be collected, how how it will be collected and protected.
Because again, if any breach happened, you will take responsibility.
And those legal requirements are very hard, how long private information will be kept resource information private for for lifetime or it has like a retention time how collected information will be shared? Are you going to share them with other entity? Did you take permission for that? What about the other entity may do you have any guarantees that they will not be shared with other entity who keep hearing about credit card information gets stolen, you keep hearing about personal information or social security number.
And I believe a few years back it happened to Sony, where a lot of personal information has been stolen and sold in the dark web.
How proud private information will be disposed.
As we spoke at the beginning of this section, that the information has a lifecycle.
So after a while, you're going to need to dispose that you will not keep them forever.
Right? So what is the proper way for disposing this information, all those factors need to be considered when it comes to maintaining the private information.
Don't forget that as a result of privacy law, it's different from one country to another another.
But in US and Europe, they are very strict.
And in us, you know like a pillow.
For instance, if you lost intentionally or unintentionally like patient information, according to HIPAA law, this is a big issue you're going to pay a fine with millions and maybe some jail time for for senior management.
It's It's It's very serious topic.
So what you need to do as I keep saying that is that if you join a business that depend on or keep customer information, you need to sit with the legal department and you need to ask them what legal or workflows they are following.
And according to that, because you're gonna need to put more control on those private information.
And don't forget the terminology we said p AI, which stands for personally identifiable information, what is the personally identifiable information could be named Social Security number, credit card number, address, phone number all those are considered private information.
So it's quite important to start by knowing the privacy laws that you are following.
Because they are different, if you are us is different than UK, or Europe, and which low also according to the business.
So it's important to start by knowing what is required according to law.
This is an important point because before we spoke about the difference between the owner of the data and the custodian of that and and if you remember, we mentioned that the owner usually is a business, it's not a person, unless is the business owner, or it could be the senior management is the owner of the data.
This is in general and custodian is one who's managing it in private information, or NPI is the owner is the person who gave uses that.
So if I'm logging to a website, and I'm writing down, or I'm filling an application to your company website, and I'm writing down all my personal information, and you are keeping them who's the owner, right now, it's not you, as a business or as a, as a company, it's me still me.
So the owner here is different.
It's not like previous lecture where the owner used to be his senior management, or he used to be the department and so on.
So it's important to know the compliance organization, how they are handling this data.
It's important as well, to try to balance between the protection and effective of the business, you have some customer information, definitely you're going to need to use them in your business.
But how can you knows that it will not be leaked in any way.
So if you are dealing with a third party, for instance, and you need to share with them some personal information to your business, not to be shared for any advertising purpose, or something like that, how can you knows that he will not keep it, and then send it to a third party or another kind of advertising business.
So there is a lot of challenges when it comes to managing the private information.
So I don't want to keep it not to be used, which will affect my business.
And if I'm using that in my business, I need to make sure it will only be used for the purpose of the business, not for any advertising or anything else.
You need to consider the ethics and legal restriction.
When protecting private that it's quite important not to get someone number and try to misuse that or get someone information and try.
This is Escobar but the legal part actually is very strict.
So the first approach to the privacy, if you are collecting private information is to know it's to know which flow you are following.
Also, you need only to collect the information that it's needed for your business.
So for instance, if you are allowing people to make purchase online, what you are getting the name and address, shipping address and getting the credit card information, you should not ask for information that is not used for transaction, like you know, where are they located, what kind of car you're driving is your house rented or this information has nothing to do with information do you need to make the transaction.
So you need to make sure to limit the collection.
Now, maybe you don't plan to misuse it.
But getting a lot of information will raise the risk of losing it.
So if I have a huge amount of information, and I'm only using 30% of them, I need to double my effort to secure all of those amount What if I only collect the information that I need, I will reduce the amount of controls that will be implemented to secure so it's not an advantage to get information and saying maybe I'm going to use it later.
It's not like that, because it will take you time to secure them and if you break if it gets breached for somehow you will take responsibility so you are raising the risk of that.
So if not, do not collect any information if it's not needed.
databases, most of the information will be saved private information we're still talking about private information will be saved in database.
And just by doing a small research online, checking, like the last few years breaches actually, just few days back, Twitter has been compromised.
And I publish that on my Facebook page and actually it has been everywhere online that a lot of account has been stolen and to To request user to change their information.
Now, this is a privacy breach, right because Twitter, collect our information, and they should secure them.
So by getting breaches information gets stolen, this would be an issue.
Also, especially as a credit card information, which is all also kept in databases, it gets compromised.
Usually attackers are looking for this kind of database, it gets compromised.
And they took this credit card information once they are doing with binary, you know what attackers are doing when they see the credit card, they're not using it online to like, buy something because it's traceable.
They will sell it on the dark web on the internet, some of the website, you can go and not yourself, of course, any malicious hacker can steal his credit card and all offers them online, they are selling each credit card to his $1.
So that's it, he is breaching database, it has 1000 or 10,000 or 100,000 credit cards and said this credit card online and getting 100,000.
And it's untraceable.
So those databases that holds the API, your responsibility is to provide the best or the most secure controls that you can have.
So if you have regular database, but you have as a database that has PII, most of them need to get your secure attention, but the PII database, gonna need to do twice the effort to secure them, monitoring them putting access control, encryption, we're going to talk about the controls that can be implemented.
In this lecture, we're going to talk about asset retention.
Any kind of assets could be data could be media could be hardware, or software, or even people need be kept for a specific period of time.
I cannot keep all the business and ongoing business information for lifetime.
Right.
So you need to have a policy that are mentioning how long we are keeping our assets, different kinds of assets, because this will be considered your internet role.
But this should not be interfering with government law and regulation.
So for instance, in some government, they ask you to keep all the logs or the surveillance cam, for 90 days surveillance cam recording for 90 days, I cannot have my policy saying I'm going to keep it only for 60 days.
So whatever policy you are doing to for data retention, it should match or it should be it should not be interfering with government.
law and regulation.
So the acids that we're going to cover here would be different kinds of data.
How long are we going to keep data? media saying media, which is the device is the device that holds data, like CD or DVD or external hard drive or USB, hardware software people, we're going to talk about each one of them, but as you can see here, you should first check the compliance, then you should have a policy.
I cannot do that based on what I think, Okay, let me this year decide to retain the data for six months, while next year I'm going to do it in a different way It shouldn't be done this way, usually have a policy, in case of any audit, you're going to say that I'm retaining the assets according to our company policy.
And again, you should consider the legal requirement in this policy, that how long you are keeping according to the legal requirement.
And sometimes also, you need to consider the disposal.
So maybe I'm keeping the information for 10 years and after 10 years, I have a secure policy for the disposal of the assets.
So what are the considerations when it comes to the retention? What should you consider? First, as I told you, you need to consider the law and regulation.
First, you need to make sure if you are in government, you need to see what kind of flow and regulation regarding the keepings information.
If you are a private military, each entity has their own law and regulation.
Then you should write policies that met that map this law and regulation and you add to it, how long they are going to keep different kinds of assets.
Because you're going to find that it's not specific period of time.
Like usually financial information it's usually kept for seven years, while surveillance cam recording is usually for 90 days.
So it's not like it will be one specific Time or duration for all your assets it depend.
So second one, it's extremely important avoid compliance issue, and lawsuits regarding retrieving and retaining the information.
So you are an information security officer in any business, you decided to keep the information only for three days, sorry, three years, the financial information.
Now, for some reason, government or any entity requested information that was before four or five years.
And you told them I don't keep them anymore, I just retain them for five years.
And in Zulu, zR saying it should be seven year, you got to take the whole party.
So you're going to take all the legal consequences for that.
So it's quite important to understand that it may lead to lawsuits and legal problem demonstrates that you have a secure store environment.
Also when it comes to securing, besides in the policy, writing downs, the duration, also you need to make sure that you are secure them if you're saving them or storing them in a secure environment.
Okay, information storage machine should allow for a timely data search or retrieval.
So you're going to keep them somewhere how you're going to retrieve them if it's needed.
Is it an easy way for doing it all you are keeping somewhere where it's hard to retrieve or it will take time.
Everything like emails, instant messaging, policy procedures, audit report, all of them should be retained for a specific period of time.
Liquor is a big issue as we explain.
IT department should not be sole manager of business record retention.
So it's not just the IT department responsibility, but it's all department or department in specifying the duration, maybe IT department need to provide the infrastructure needed.
But after all, its own department responsibility.
Do not expect user to help the company, why retention requirements.
We as an information security people, we are always facing this kind of resistance, you know, people are not cooperating that much.
So you need first to have a management support, and then need to follow up with your requirement until it's fulfilled.
This is about what you need to consider when you decide about the retention policy.
I think sens has a very good retention policy, you can read it.
And if you need one, just let me know that the retention, as I told you it depends.
And by the way, I think this is one of the questions that you may face.
Inside interviews.
How long do you need to retain? data? So what if you get a question like that in an interview, they ask you, you're going to be hired here, how long you're going to keep the data? What will be your answer? A very good like methodology when it comes to interview.
Okay.
It always depends.
Always start your answer with it depend because this is really the right answer.
We don't have solutions that fit for any kind of business or organization.
It always depends on something.
It depends on the storage that you have it depend on the law and regulation it depend on many factors but it always depend.
media attention media, which is the media that keep order stores information like the tape, backup tape, CD and DVD, hard disk, removable flash drive cloud storage paper kit.
And the best practice just to keep them in a secure place.
If you are retaining them.
Do not put them in a place where no good or it has a thing or some lighting, because as you may know that sunlight are affecting the CD and DVD, any things that may affect those detention.
It should be locked in a safe place and you should have an inventory about them.
I cannot keep like storing backup tape and they don't have a list about how many backup tapes Do I have.
So you should have an inventory for that.
Make sure that any magnetic A major should be away for magnetic field.
And the roses story about the company, this is actually a real story that they were following the best practice when it comes to backup, but used to keep the backup tape in a place near like a power station or something like that.
And because they didn't do any kind of restoration testing, which we're going to talk about later on, is that it's not just taking a backup, but you have to do a restoration testing, I don't have to wait until something went wrong, and then I restored the information.
But I need to do that from time.
So this company used to keep the backup tape, they were taking backup daily and keep it in place, but the place was near a magnetic field.
So when a problem happened, and the information get destroyed, and they try to restore all the backup tape was useless.
So it's quite important to keep them in a secure place far from magnetic field.
But it's more most important to test them from time to time.
automated system for inventory as a explain.
Don't forget the restoration testing is quite important.
Hardware retention for the hardware also, I need to keep them as long as possible to utilize the cost.
I need to consider hardware role in protecting data, maintain hardware, so you can retrieve all data include no major hardware support, and that if you are getting rid of hardware, is that to make sure that no information can be retrieved from the hardware.
So even the disposal of the hardware they need to be according to a policy and using the proper tool that prevent data for getting retrieve software retention.
Also same rules apply.
What do you need to consider when it comes to how long I'm going to give? Because the software has a life cycle as well.
So after a while to get retired, so the retention, finally, the personnel retention? Now this is a hard one, what are you going to do about it? You are keeping someone for working in your company for a long time he start to get the secret of four keys start to know about the know how.
How can you protect your business when it comes to this because there's not really an asset that you can keep? So for instance, I'll give you a good example.
What about people who are working in Pepsi or coca cola? And they know the secret of how Pepsi it's done? Or Coca Cola.
Right? This is the big assets because actually this is our main assets.
If those people like left the company or sell the secret to another competitor, Pepsi will lose their business or Coca Cola, right? What do you think they are doing to protect against many things, first, they will not give the full secret to only one guy secret will be divided between different people.
So regarding the recipe of doing Pepsi, or Coca Cola, usually four or five people, I'm just assuming I don't know exactly how it works.
But the ways that I think it should be managed that this secret should be between different people.
And no one should know about the other one in ways that if someone left is a part that he know, will not allow him to sell it to any competitor, I should let him sign an NDA.
Even after he is leaving the company, he don't have the right to sell the circuit or to sell whatever information here.
And according to that, if it happened, I can take legal action against him.
So personal retention, this is actually the challenge How can I make sure that the information that people is keeping in their mind get not leaked, or get not misused? We're gonna close this domain by talking about that a security control implementation.
As you may know that I may have different state that could be addressed in the sense that data could be stored somewhere or on imaging, or data could be in transmit moving from one place to another how to secure data in different state.
Before going through some of the best practices regarding data security control implementation, I would like to refer you to a very important document.
It's not really a document it's more as a checklist that you can use in your business to check if your data is secure or not.
This document can be downloaded from free from sans website.
You'll notice in this course, that IC square is referenced to send In many locations, so it's one of the good sites that you can use for downloading policy and procedures, or downloading a lot of templates like checklists.
So, before going through some of the best practice, let me show you the documents that I'm referencing.
And kindly Be aware that I'm going to attach this document to the lecture.
So in case you fail to find it, it's a free document, I will attach it to this lecture.
So let me show you how the document look like.
So to get the document, just Google it, search for sens.org checklist for implementing data security controls, and you're going to find this checklist.
It's a PDF file.
But it's actually quite impressive.
Because instead of like implementing those controls randomly, it will give you this checklist, it's very long, actually, it's 19 page, but you don't have to implement all this control on is ones that apply, or it's applicable to your business.
So for instance, this is the data protection and here we can write if it's met or not.
And the comment is here, like it will be implemented as a future or we are working on a solution or something like that.
So do you have a solution for monitoring, discovering, identifying, analyzing, and look every instance? Yes or no? Do you have, for instance, data processes an application on host Yes or no? application being accessed, like a clipboard or print screen, or you are allowing that or not? Because someone can misuse that? Yes or No, and so on, and so forth.
Again, you can choose whatever you see, it's more applicable to your business.
But this would be a checklist.
And those are the controls that need to be implemented based on the type of business that you are running.
And here you can choose if it's done or not.
And as you can see, it's divided by section monitoring a lot of things.
If you have a DLP solution, it will give you question if the P solution is fulfilled some of the requirement or not.
So it's an excellent documents that you can use.
Now, let's get back to our slide.
So after going through this document from sense, as you can see, there is some options that you can use in general, for that security control, like use an approved drive encryption, encryption is very important topic and it will be covered in depth in the next domain.
Identifying the sensitivity of the data, which is a part of Zed will be classifying information.
If you are using a cloud storage, you have to check if you know it's it's a secure cloud.
And we're going to discuss in the cloud, how to verify if this cloud is a secure solution or not.
A lot of government has a concern when it comes to using the cloud.
So I will share with you an excellent cloud checklist security checklist that you can go step by step and accordingly decide if this is a secure cloud solution or not.
This is very important actually, which is implementing an automated tool on a network border to ensure sensitive information does not keep the network.
And as you can see, it was quite clear here isn't that they recommend to use DLP we already explained the DLP solution.
And I showed you saw some of the DLP and like product as a proof of concept.
But the point is the DLP or data loss prevented prevention.
And some people call it data leakage prevention should be implemented if you need to secure your data.
And it will put a very tough control on data in a way to not be copied or moved or emailed and so on.
So this is in general, let's divide them to that address.
And that in transmit that address it mean it's stored somewhere.
So the place where you are storing this data should be encrypted.
And by the way, this should not be done for all data.
Because encryption is not easy.
As you're going to see a next domain.
When you decide to use encryption.
It means you need to generate key you need to maintain key This is a big overheads in a bit of organization.
So it's not really best practice to encrypt everything, you just need to encrypt the sensitive data.
But if you have some data that is considered public, or is not like sensitive, you don't have to encrypt the drive where those data are stored.
But again, that encryption will be explained as a concept in depth in the next domain.
Access Control, allow it to be data to be accessed through a password using permission Access Control will be also as a topic explained in a different domain.
password management control to removable media removable media need to be secure in in a safe place where it cannot have like a physical damage, because as we keep saying that we do not prevent only against malicious hacker, but we also prevent against any circumstances that may lead to losing the information.
So, if you are storing those removable media in a place where they can be like damage or something like that is the same reason that will be lost.
Labeling, which is quite important.
documentation, very, very important to have a documentation about all your data that in transmit, which means that how to secure data while it's moving.
If I'm providing like web services for my customer, now the customer will be writing down their credit card information, and it will be transmitted from server side to the web server or vice versa.
I'm using email whose confidential information concept apply, which is using encryption, but we have different kinds of encryption for that and transmit.
So we can use a secure connection like SSL, we can use encryption for emails this specific protocol for encrypting email like PGP or s mime.
So it's all about encryption, but choosing the encryption according to the state of the data.
So to summarize, we need to implement encryption for all kinds of data at rest, or in transmit, and do need to have some control.
And one one more time using the same checklist will help you a lot to identify if you are implementing the best data security control or not.
Thanks security, architecture and engineering is a third domain our course.
This is a big domain because it cover many topics that used to be separate domain is a subdivision.
So for instance, physical security, which is one of the topic is Islam, it used to be a separate domain by itself in circulation.
Cryptography was a separate domain.
And we usually get good amount of question about cryptography, security architecture with separate domain.
So you're going to notice that they combine many domains together in one subject, which is security, architecture, and engineering.
In this topic, we're going to talk about some are an introduction boards that includes the security and Engineering Lifecycle, the system component, then we're going to move to a very important topic, which is the security models.
This is actually a very important topic.
It's a little bit academic.
But I will try to be as simplified as I can to let you know about the concept.
We're going to talk about control and countermeasure in an enterprise security.
We're going to talk about information security capability, design and architecture, vulnerability mitigation, we're going to talk about mobile security web based system.
We're going to talk about cryptography.
And cryptography is a very important topic.
And as I told you, for the exam purpose, you will get some good amount of question about cryptography.
You don't need to dive very deep into cryptography, you're going to talk about the basic terminology or definitions related to that.
What is symmetric? What is asymmetric? What is a block cipher? What is so we're going to cover everything that you need to know for the exam purpose.
Then we're going to talk about physical security.
And I will point because actually, physical security is a very big topic, but I'm going to point to what do you need to know for the exam purpose? And realistically also what you do need to know.
But I don't want you to lose the question related to physical security because they are quite straightforward.
Some points they always ask about cryptography also, also you get very good amount of question about cryptography that you should not lose.
So while I'm explaining this domain, I'm going to focus about what do you need to know for the exam purpose.
Now kindly Be aware that you're going to need to take some notes from this domain, and it will need some memorizing, I know that some people are not comfortable with that.
But still, you're going to need some memorizing when it comes to this specific domain.
Also, one of the good points that we're gonna learn about this domain which is measuring how can I measure security in a computer environment, if I have to do different machines that I need to use in my, my work? Which one should I choose? Should I choose the HP? Or should I choose the Dell for us? Is it measured this way by the brand name? Or do we have a way for measuring the security if the following concept can be implemented, so it will be that great or if not, it will be said great.
This is very important to understand a way for measuring the security, any computer environment, we're gonna learn about that in a very simplified way.
So let's start and let's take it step by step.
And let's see how can we get to understand the security architecture and engineering very well.
This domain is covering two main points, the security architecture.
And this will focus about the different security models, it will focus about the way for measuring the computing system security and the different standards used for that.
And the security Engineering Lifecycle.
As you're going to notice, our as you're going to learn in this platform is that we have a security Engineering Lifecycle.
So, point is that you should all you need to consider security in all phases, as you will see in a few seconds.
So security is not just during the designing or it's only during the implementation or operation and so on.
But you need to consider in all phases, the security and in the next lecture, we're going to introduce an excellent list publication that will give you the measure principle when it comes to security design.
But before we start, you know, there is some like security design principle, which is quite general.
So, always assumes that you are under attack do not like design your system in basically and then according to the threats and according to the vulnerability you start taking action.
So, for instance, let's talk about patch management, which is an extremely important topic should you manage all the updates and patches to your system frequently or should I do that whenever a new threats has been introduced, and they recommend a specific pattern you should be proactive in ways that they should be like regular tasks to be done.
So, you should always consider yourself under attack.
You need to create a framework for consistency in ways that you need to secure communication need to protect the storage resource, you need to harden the system hardening system in patching system managing updates, magic all application update, ensure that integrity confidentiality and of course availability You should also in a ensures that the entire information system must be incomplete with security intentionally.
So, whatever information systems that you are using, it should have security implemented in secure it should be considered while implementing or upgrading reviewing during all phases.
This is like a general design principle but let's move to the security Engineering Lifecycle.
So, as you can see, we have five different phases in security engineering is stopped by initiation.
When you start the zap, decide exert kubal implement security in your organization, then development and acquisition collecting information about what system do you have what that is you can use all kinds of applications that will be used in your business and then implementation and then operation and maintenance and finally disposal.
We will go through them during this domain but with different examples, so it will be quite clear.
But the point is that this is considered the security Engineering Lifecycle.
Now let's see that in a like a checklist, Or some best practice how security engineering should be implemented.
I would like to refer you to two very important document that you should download from nest website, nest, or National Institute for Standards.
And technology is a very important website in our course.
And we're going to download a lot of document from nest.
Sometimes they don't ask about the content of the document, but they may ask about the document name, which NIST Special Publication are covering common security framework, which NIST Special Publication are related to risk assessment, log management, and business end of this course, which there is resources, I'm going to give you a list of all the NIST Special Publication numbers that you need to be aware of, and what they are about.
So here, we're going to talk about two common security framework, we have NIST Special Publication 814, and NIST Special Publication 827.
And we're going to cover more the 827, because actually, it's a big document.
But you should expect the question about that inside the exam.
It's all common sense.
I mean, it's not really physics, but it's common sense.
But still, you need to go through them briefly and to understand what is the security framework, according to NIST.
So NIST, Special Publication publication 814 are talking about organizational level respect perspective on creating a new system or policy or practice, what should be considered when you implement a new system or a policy or procedures.
And there is a principle in 14 practice for IT security.
But the major one is the NIST Special Publication 827.
And this one is giving like a set of engineering principle for system security.
And it's giving a structured approach for designing, developing and implementing IoT security, which map to the security Engineering Lifecycle.
It has 33 principal in six categories.
Let's have an idea about the NIST 827 principle.
Now, I will go in general about them.
But I will let you read them and take notes about whatever, like you need to memorize in the NIST 827.
So first category is about security Foundation, now in this category is focusing about security is not just the technical security.
And this is quite important.
And I have been saying that since the start of this course, that when we are talking about security, we are not just talking about the technical security, if you have a good technical security, but you don't have a physical security, it may lead to the same result.
If you have a technical security and physical security, but you don't have an administrative security same issue, by the way, logic and security are reference to the IT security.
So sometimes when they ask you about logical security, they meant it security.
So here is talking about that the foundation of security should be not just on the logical or technical part, but on the physical and on the administrative as well as the beginning.
And we already covered that in the previous section, which is you need to establish security policy as design Foundation.
The document, you know are explaining each point, but I'm going through the critical ones ones that you may find inside the Excel.
second category is about risk risk based.
And we already talked about the importance of risk and that the security implementation are initiated by the assets value and risk.
So the risk actually is one of the big challenge in any business.
For instance, you first you need to understand that we cannot eliminate risk we will always have a risk, which we call residual risk.
So whatever you're doing, you're reducing the risk but you cannot reach zero risk.
But sometimes and this is quite important point and this is area where you you can find quite Besides exam, we have something called the risk acceptance list in a way that assumes that you have a system is a legacy, it's a legacy system, a very old system that your company depends on.
But this old system can only work on an old operating system.
So it can only work on Windows Server 2003.
And we saw that in many company, and as you may know, Windows Server 2003 at a very, very vulnerable operating system.
So, your recommendation as security professional is to upgrade the Windows Server 2003 to the latest version 2012 or 2016.
But they cannot do that, because if they do that, they will not able to run the system, which is very critical to the business.
Now, what should you do in this case? In this case, because we cannot enforce to stop the business because of security, but also we need to take some like countermeasure.
Now, there is a technical solution for that, but this will be discussed in the network and domain, but sometimes what if you don't have a solution, you just need to accept the risk the same way it is, in this case, if the business or the management did not accept you to the business requirement to change some settings or to upgrade the operating system, you need to get from them is the risk acceptable acceptance list.
So usually you have a phone call the risk acceptance, risk acceptance list in ways that if you are doing a risk assessment, and you find some risk, and you suggested some mitigation, but due to the business requirement or view due to some technology limitation, the management decided we will not do anything about it.
What are you going to do about it? You cannot enforce, right.
But you can let the management take responsibility for that.
So he said, okay, you're going to need to keep those old operating system you knows that there is a risk for that, I have to clear my site.
So please sign this risk acceptance lists that you are aware of the risk and you're accepting it, because after all, he is one responsible for all security Enza.
But you cannot keep it like verbal like management request, because if something wrong happened, you know, most probably he will deny that he suggested anything, or he gonna say is that I don't know about technical stuff.
But we hired someone to deal with it.
So you don't want to be in this situation.
So this is very, very important point, which is the risk acceptance list.
That is a document usually signed by management saying that we accept the risk because of the business need.
But according to NIST 827 you need to reduce this risk acceptance in ways that you should not everything that mentioned and management, discipline, disapprove, approve, okay, you should write it down in the risk acceptance letter, it's not done this way, you need to try to convince the management and when you reach To that end, Sen, you need to let him sign the risk acceptances.
So it's very, very important point.
The second point also, it's important in ways that you should always assume that the external system are unsecure, sometimes we are integrating our system with some third party system, like some payment gateway or any other system.
So we have our own system, and then we are integrating this system with another system.
So I should not say that, yes, those people are very, very secure.
I will not consider any security problem from their side.
Let me work on my side.
No, you have to make sure whatever system you are integrated with, you have to assume that is not secure.
And you have to check all the control.
And you have to communicate to them and to see what security are in place.
So always assumes that the external system are unsecured do not take anything for granted.
Yes, this is a big name.
So what could go wrong? I'm gonna integrate my system resources.
No, no, you have to check what controls they are using and so on.
cost effective 100%.
You get the questions that about that instance exam.
It's not about getting the latest and greatest technology and security.
It's about the effectiveness of course.
And we already saw some example in the risk assessment part.
So before deciding how much you're going to spend on security, you need to decide how much it was.
So this is quite important.
So usually you get to get question about that insides example, but it will be in the risk part.
Other point, which is the easy to use set, you know, whatever standard you are following whatever technology are for, do not get the complicated one.
So, you know, try to make things easy to use increased risk resilient, reduce vulnerability, we're going to talk about this topic reasonability is very, very important topic, which is, you know, the vulnerability assessment as that need to be done frequently once every six months, for instance.
And most of the problem related or vulnerability raised will be need to be solved by patch management by updating the system by retiring some old operating systems.
So it's it's a must does doing Governability assessment frequently.
And we're going to see that later on how we are doing for nobility assessment.
And what is the purpose for that? And what is the difference between vulnerability assessment and penetration testing? Okay, design was the network in mind in the sense that, as we keep saying security is not just technical security, or logical secure, security is technical, logical, and administrative.
So those are some main of the main points in this special publication.
But I strongly recommend that you go through it and highlight some of the points printed and highlight some of the point because it's rich area for questions.
And as I told you, this is maybe seem straightforward point, but when you're going to see them inside the exam, as you're gonna see, in the exam practice question you can see how again, manipulates was point.
So in this lecture, we'll be defining a very important definition which is TCP or Trusted Computing base.
If you remember from the previous lecture, I told you that what we are looking for trusted computer base, what we are looking for in this domain, it's how can we measure the security in our system and we'll focus on the computer or not focus on the network right now, my focus is a computer now give you an example if you are buying some machine, how do you know that IBM machine with this kind of processor and this kind of harddrive how secure they are? Right You cannot take a decision based on other people's opinion you need to have some standard to follow.
Now, from now on, when we will be talking about system on computer we're going to give them another name which is a trusted computer based Trusted Computing base it's three different devices inside the systems the hardware, the framework and the operating system.
So when we are evaluating now, we will not evaluate just the hardware we will not evaluate the framework only framework is the software is that installed on hardware like for instance the room the room has a bias This is software to manage the bias This is called the framework and operating system.
So evaluating will not be based on on hardware will not be based on your own framework and will not be based on the operating system we wouldn't be evaluating our system based on those three of them.
Instead of saying hardware and Freeman operating system we're gonna name them Trusted Computing base.
So this is the evaluation areas that we will be talking about the trusted computer base, or the abbreviation which will be the TCB.
How can we evaluate the TCP? Now, we'll be talking about a little bit about the architecture of a computer.
So let's talk about hardware architecture.
In hardware, I'm going to talk about the processor and we will be talking about the storage and some other definition.
Some of them will seem very basic, but it's okay.
Now, let's talk about the CPU first, and CPU.
It's the main unit inside the computer where it's doing all of the processor CPU, it's divided logically to three different three different part CPU, it's a value or arithmetic logic unit, MMU, which is memory unit and seal.
Those are the components of the CPU.
The arithmetic logic unit is the one is doing all the processing is the brain is the the ones that analyze and calculate and do everything.
The MMU it's a memory unit.
And this is a part of the processor where it's used as a memory you know, when you go to buy a computer, and you're going to tell you that this company pewter has l one hash, sorry, and one cash this amount, this is the amount of memory inside the processor.
And this part is very, very fast.
I mean, this is the most fast part of memory inside your system.
Then we have the CPU control unit.
When you run any program, let me show you some small example, when you run any small program, any program this program, let's assume that you are running Excel or Word or anything, this program will launch some process.
So if we open the task manager and go to details, you'll see that each program I run it's running some process.
So either be for instance has to process a word maybe have more process, and each one of those process will launch with him something called threads, which is the comment itself.
So each process has many threads.
So each application has many process and each process has many threads, and those threads will be sent to the CPU to be to get executed.
The processor can only execute one thread per time, maybe it seems slow, but this is how it go.
And who's responsible to do that who is responsible to send one thread per other and he will not send two threads together they have to set one by one until it gets executed and he sent another one this is the control unit This is what the control unit is doing.
Okay, so control unit are managing the thread that is a part of the process that is a part of the program going to the ACLU to be executed.
Now we'll be talking about primary storage, it's your harddrive and secondary storage is I'm sorry, yeah, z memory I need to talk about virtual memory I need to talk about memory in general Okay.
How many types of memory do we have? Okay, we have n one cache, this is the first type of memory and n one cache is a very very high speed memory.
So and usually located on the processor itself CMU so this is a very high speed memory and it's located on memory we have the L two cache which is also very high speed except it's slower than N word cache and this is would be located on the motherboard itself cache and we have the ram which is a slower one okay.
So ours amount of family now we have another concept is called the virtual memory VM and the virtual memory do not get confused that with virtual machine I'm talking about virtual memory is a virtual memory are a part of hard drives that you are taking and it will be acting as a memory so you can take a part of hard drive let me show it to you if we right click on PC you right click and you go to property because you can change from here as well.
And in property let's go to Advanced setting should be in performance he goes setting and reform here you ego the virtual memory is the amount right now is that much and you can change it.
Now the question is if I take a part of her harddrive as a virtual memory, I mean it's acting as a memory just mean I can increase the memory of my computer without adding memory.
So I can get a computer with two GB and take from the hard drive because our drive is usually much bigger than the memory.
So I can take whatever amount and my computer will be extremely fast.
Actually, this is not right.
Because the virtual memory it's not really a virtual memory it's not really added to the hard disk to the ram because the point is there is a big difference in speed between the RAM and the hard drive.
So ram usually the speed is with nanosecond just mean one and mind zero while the hard drive speed is with millisecond mean one and three zero millisecond okay.
So there is a very very big difference in speed.
Don't forget that please RAM is was nanosecond while virtual memory is or harddrive is memory second, but what will happen is when you take a virtual memory from your harddrive, it will act like a temporary storage.
So for instance, you are open a lot of program, and now we need to open another program inside the memory, you don't have any space, he will check inside that I am what is the programs that is less used.
And he will take that inside the virtual memory.
So it's like a storage between the hard drive and the RAM.
So don't get confused about that.
And, you know, don't let this question trick you.
You have the input output device things like keyboard mouse, you know, any input output, we have a driver, which is software that identifies the hardware to the computer.
And we'll have the computer bus, which is just some passes inside your computer, you know, you have to buy a bit and we have the 64 bits, how many buses, or how many paths of information are inside this computer.
So those are hardware architectures that you need to be aware of.
As we agree on the beginning of this course, a very important area in each domain that you should be aware.
And some good amount of question will be coming from there is the vulnerabilities and attack.
So whenever we are talking about the domain, access control, physical net network anything, you're going to find that there is a slide that talks about the vulnerability and xetex.
And you should be aware of the definition of zetec.
And some attacks are quite clear.
But some attacks, you may need to write down some like definition, or some key word about this attack.
So now we'll be talking about the TCP vulnerability.
Now let me remind you what is the TCP is a trusted computer base, which includes the hardware, the framework and the operating system.
The good thing about attacks that some of the attacks will be repeated in most of the domain, which will make things more easy, but some of the attack could be new.
So for instance, backdoor and trapdoor we are aware of that backdoor, which is things like software's that open a backdoor on a system like a Trojan or this kind of malicious softwares that allow someone to connect hiddenly This is called practo.
Do you remember what is a maintenance hook, because it's very, very important maintenance hook act as a backdoor.
But actually it has been implemented for good use, and has been misused.
So some developers and some programmers when they create a program for any organization, they knows that after delivering this program, a lot of support will be required, especially at the beginning.
As the people are not aware of the program problems, start showing up and so on.
So developers to make things more easy for him, he will open a backdoor that allow him to connect remotely to the system and do whatever support is needed.
But sometimes they are doing that without taking permission from the business.
So I'm doing a program or an application for any organization, I will open a maintenance hub.
And whenever they call me for support, instead of moving there and leaving my job and everything, I can remotely log in from my location and try to solve this problem.
It looks fine, but actually it can be misused.
So if anyone else will be or any malicious hacker will be aware of this maintenance hook or this backdoor, he will try to compromise it and try to get access to the system.
That's why we always say that when you do an application, when you are getting a developer developer to do an application for your organization, you have to let him sign that he didn't left any maintenance hook inside the application.
This is very important from a security perspective, because as we agree, maybe it has been used for good reason, but it has been misused as well.
We have CTO CTO, and I got a call assistant for what but this is an attack that try to get advantage from the traffic going between the client and the back end server.
Let me show you a small example.
So if we open Firefox, for instance, Firefox has a very nice feature called sometimes actually it's nice for malicious hacker and nice for people who's testing as well.
It's called temporal data.
So if I open the menu, and you go to Tools actually adds on that you have to install it for free.
And you get to find temporary data what sample data is doing it just intercepting the traffic going out from your computer and Change it.
So as a proof of concept, if I go here and I go start temperament, I mean, whatever is going now I want you to intercept it, and I try to go to Google.
So the request is going from my machine to Google to get the page request to be intercepted by this program.
And you will be allowed to change, I can ask him to go to the URL.
Now how's that can be useful for any hackers.
Don't think about the scenarios that I just gave, assumes that you are buying something from the internet.
And the developers has create a very good ecommerce website for this company.
Now for a user, he went and he bought something.
And this thing was costing 1000.
Now while he's writing his information and saying, he's buying an item was 1000.
And before clicking on submit, he can temperature data and change the 1000 to $1.
Now he'll be buying something was 1000 was that was $1,001.
So this is manipulating the traffic between the back end server and between the client.
Or maybe I can try to reset the password and sends the recipient to my email instead of going to the right minutes, and so on.
So intercepting the traffic between the mutual support request between the client and the server, this is called to TCU.
Just like the key word, or maybe if you try that yourself, you'll memorize it.
Okay, another attack, which is a buffer overflow, buffer overflow, it's a very advanced attack, but very, very effective as well.
buffer overflow is just manipulating the memory.
So for instance, let's take any program like a calculator, for instance.
So the calculator is a way to work that when you are writing down some number, those number would be saved inside the memory.
So I'm writing a number, and the number will be saved inside memory inside one specific location inside memory, where the programmer who does a calculator has assigned the location inside memory to save this number, and then you put another numbers and you do some formula.
So everything will be done inside memory, nothing could be saved on your hard drive.
The question is, whoever created this program, while he was developing or creating this program, he was assigning some location inside memory where all this information will be saved.
And then some processing will be done on them.
While he's doing that, and assigning some locations had memory, you have to put the size, what would be the maximum size let's say why you notice in calculators that it has a maximum we cannot keep writing number because it has some limitation, which is very good after a while it will stop taking number.
So now he stopped taking number, but what will happen if you have a program that do not validate input, so you have a maximum 100 for instance, and instead of 100, you put 1000.
So, if the program was not well made like this calculator, he will he will take all 1000 but the place where those 1000 need to be stored actually has a limitation on size, which is 100.
Now, where are you going to put the remaining 1000.
So those remaining will be saved inside randomly inside the memory.
So now the hacker was able to reach inside the memory by the buffer overflow.
Now, there is some places inside memory that if you reach them, you will be able to allow the computer to execute anything.
And this is what exactly we are trying to do.
We are getting an application when we are doing penetration testing.
And we check if it's affected with buffer overflow or not.
And then we try to send as much information as we can, if it's affected, I'm going to send some payload, but I need to make sure that it will go in a place in size in memory where whatever you send it will be executed.
This is called buffer overflow.
So remaining attack, it's a covered channel attack and this is where the traffic has been manipulated.
So you're assuming that your traffic is going from A to B but actually is going from A to B through C okay.
So attacks are very important and the sunflower will help us that what is it I think the closing so sunflower will help you know he can identify identifying zetec but sometimes you will not find all attack in the same place.
I mean it's usually especially is a common One would be located in one area.
So here, you can see his attack cover channel.
Even there is two types storage cover channel cover chernick cover cover timing channel, we have here, he didn't mention anything about other attack, like the buffer overflow, because this was mentioned in network.
So you will find the attack in different location.
But after all this need to be actually memorized.
And if any attack, it's new to you, you have to write down how it work.
And you know, a good way for memorizing zetec will be to go through any YouTube video to get the concept how it works.
Okay, so attacks is very, very important, for example, and understanding all the attacks.
In this lecture, we will be talking about some things that confuse a lot of students, because it's a little bit academic, which is security modeling.
And we're going to try to simplify that as much as we can.
So we have some security models that we can implement in our organization.
Except it's not implemented.
By surname, I mean, you will find that some appliance or some application or some software, are working according to those models.
So we will not say that we're going to implement Weber or BLP, or Clark Wilson.
It's mainly into the concept of this implementation.
Now, before explaining those implementation as a measure one of them I just need to point to that the first thing that you need to do is you need to know is this model are providing What are this model providing confidentiality or integrity or availability? And this is one of the questions that you should expect, he will ask you better is providing What if you implement the better model? Is it about confidentiality, or integrity or availability, and so on.
And don't forget to write down the key words that I'm going to mention during this lecture.
Because this is extremely important.
So I'll take the first one BLP, or Bella Petula, and Bella Petula, it's almost the first model, and the only models that provide confidentiality.
Now, let me clear to you, and let me clarify to you, what is the LP model.
So we're gonna go to our sheet and assume that I have a classification of information this way.
So I'm using emek, classification, mandatory access control on my own, the information that I have, has been classified to top secret, secret, confidential, and unclassified.
And you remember, how's that model is working, you're going to have your information will be classified, they will have different security level, and then each user will have a clearance level.
So assumes that we have this type of classification and you as user has a secret level.
Okay, so you are inside this level, you have a secret level.
Now, what is BLP saying? Okay, and one more time VIP, it's about confidentiality, it's not about integrity or availability.
And actually, this is as I told you, this is the only model is that is about confidentiality.
So what is BLP is saying, or Bella padula is saying, No, read up.
Write it down for you.
Yeah, sorry.
So what is BLP? saying? Let's put an error here.
No, read up and no, write? down.
So if you are implementing DLP, That's mean.
No read up and no write down Let me explain it to you if you have a secret clearance.
So you can only check the secret information the information that is classified secret, in this case you will not Be able to read up pride as a secret clearance user, you cannot read the top secret.
So it makes sense.
And you can also not allow to write down.
So you will not be allowed to write down.
So you l from the secret level you cannot write inside the confidential level.
And why is that, because if I know secret information, which is more important than confidential information.
So if I'm allowed to write on the confidential, I may, I may write something that should not be written, I may write some secret information into the confidential which will affect the confidentiality.
So, you are not allowed to read up and this is quite clear.
But you are also not allowed to write down because as I told you, whatever you're going to wrote, or you can wrote something that should not be allowed or should not be available for confidential user.
So, VlP number one, it's a confidentiality model.
And it's saying no read up and no write down.
Second model.
It's called the better and better model.
It's the opposite of VlP number.
First thing is that bebber, it's providing integrity and not confidentiality.
And whatever remaining it's about content integrity, only BLP it's about confidentiality.
So Weber model is providing integrity.
So if your organization need to provide integrity, you're going to need to work on Biba model.
Weber is the obit opposite of BNP.
Okay, so BNP are saying no read up and no write down, baby, I will say no, right up and no read down.
So baby is the opposite of BLP.
So what am I saying? The opposite, which is no right up and No.
Read down.
And it's not a confidentiality model.
It's an integrity model.
Now let me explain the concept.
So beta is the opposite of DLP.
If we are on the same scenario, what do you have a secret cleanness? Right? Now, if you are allowed to write up or read them, what will happen? Now let's assume that we have some information.
And the information was confidential, people are not 100% precise.
They have some general information.
Okay.
For instance, let's assume that we are talking about financial information.
So people in confidential level knows that their organization are doing well.
And the organization are getting profit, but they don't know any numbers.
They don't know any figures.
Right? They know that says the company are doing well.
People in secret level knows the figures.
So know that the company are profiting 2 million, 3 million, they have numbers.
So the information is a secret level are more precise than the confidential.
People in top secret know a lot of details.
So they know the bonus for this top management, where people in secret don't know about that, you know, since there is a profit and they know the figure, but they don't know the bonus.
And they don't know the details and what deal has been said with a good price and so on.
Now, if you allow people from secret to write up, they may write something that affects the integrity.
Okay, so I know that companies are doing one shot, but I don't know the details.
So if I writing on the upper level, I may write that that may lead to confusing people in top secret.
So top secret people has more precise information.
And maybe they get confused if you are allowing people from a lower level to write information.
So maybe lower level do not have this precise information.
So they will write anything that will confuse what they know.
So I'm affecting the integrity if I'm allowed to read down so for instance, I'm in secret and I'm allowed to read down some breathing so confidential.
My information inside the secret clearance is more precise and more Exactly our number of precise sensor confidential levels.
So I'll get confused myself, I don't know who's whom to believe.
I went to the confidentiality confidential level, and I wrote the information.
It's, it's different than mine.
So now I'm affecting the integrity.
So VlP, it's about integrity.
And I'm sorry, BLP is about confidentiality data is about integrity.
And don't forget that no read up and no write down.
Let's get to the other model, we have Clark Wilson model.
And in Clark Wilson, some terminology out there.
So Clark Wilson model, our sink to sink, and some key word very important key words.
Number one, that user should use information to program.
So the first key word here is a program.
So what Clerk will also by the way, I'm sorry, Clark Wilson, is also about integrity.
It's not about confidentiality.
So, what Clark Wilson is saying that user should be able to access information through application or through a program right.
So, for instance, if I have all my information written in books, and everyone who can access those book would be able to see whatever he wants, this is against Clark Wilson, when Clark Wilson Singh, which is make a lot of sense that you should put your information inside any program assume for Excel sheet, you are putting all the company data information in an Excel sheet and you are putting permission to user So, one user when he login, he will be able to see some column as the user will be able to see another sheet.
So a key word here, it's a program user should access program, parole Okay, user should access information or data through a program.
So, the second concept, so security is a program.
second concept in Clark Wilson, it says that user intersec interaction should not be interfering.
So, if we are taking an Excel sheet and we are both writing on the same time, on the same sheet and an on the same cell, which one will be the updated one, actually, Excel is not allowing that but as a concept, so user transaction should not be interfering.
This is what Clark Wilson is saying in his model.
And as I told you, this is a integrity model.
The third one, which is very, very important is called Brewer Nash.
Brewer.
Nash has a very important terminology or key words that definitely he is asking about Breuer Nash, he would mention this one, it's called the conflict of interest.
Very important terminology.
conflict.
of interest.
So if you got any questions asking about conflict of interest, it's broadness now let's explain rule.
And it's it's how to be implemented.
By the way, there is another name for Brewer, Nash, it's called the Chinese war.
And you'll understand the terminology from the explanation.
What Brewer Nash is saying is that sometimes the control will be taking based on the decision.
Let me give you a small example.
And I hope, I'll be able to explain it well assumes that I am a lawyer, and I have two client against each other.
And I have to select one of those clients to become my client against the other one, so I need to take a decision.
So if I select client a, and I'll be able to see all the information of client a, so my decision was client a, I should be prevented from seeing the information related to client B, because this will be a conflict of interest, because now he will be against my client and I'm trying to take charge or I'm trying to sue him for anything.
If I took client B to become my client, now I should not be allowed to check the information of clients.
So the control has been implemented according to my decision.
This is called the conflict abroad.
This was the causative Chinese role.
So according to your decision, a shiners role will be built between The information is that you have access to answers or information.
So it's a dynamic access control list, according to your decision, so conflict of interest, it's a very, very important terminology that you should be aware of.
Those are very important for modern ceremony, cosmologists, you can read the definition, latest means there are layers.
But those are extremely important and 100%, you get the question about certain size exam.
Now, before moving from this part, I want just to show you that he details the onset on the sunflower document.
Because as I don't do, it's easier to read this part from sunflower.
So from sunflower document, let me just increase the size a little bit.
And let me show you how it has been explained.
And then we're going to talk about the implementation of that.
So let's see, where is the models BLP Rico? So we have DLP.
Don't forget, it's a confidentiality model.
It has been developed by the Department of Defense and so on.
And what exactly it's saying, no read up, no write down, but they have names, I mean, cannot read up as different as another name, simply erase it.
And by the way, as I told you earlier in this course, that you should be aware of different name because you don't want to lose a question because you didn't know that this is a different name from the same terminology that you are aware of.
So no, no read up, has a different thing, which is simple E and no write down.
It's called the star property.
Okay.
So you should read about VlP.
And it's a confidentiality modern, and so on, we have Baba, it's an integrity model.
And it's saying cannot read up also simply and cannot write down.
It says star sorry, cannot read up cannot read down and write up.
It's the opposite of VlP we have the Clark Wilson and T is the things that is underlined This is extremely important this actually PDF file, anything that is in capital letter or underline Be careful, this is you know, a tricky part inside the exam.
So access to the object should be only through a program.
So those are the models.
Now the question is, how they are implemented in real life, they are not implemented the same way I explained, it's more into the concept of those models.
So the concept that you'll be getting an application or a software on a system that implement BLP or implement bibber or Breuer Nash, and so on, and it could be a part of PMP or so it will be through something it will not be implemented by their definitions this way.
It's a very, very important part security models.
And please feel free to post any question if it was not clear.
And I believe if you want to study this part, it's easier to read it from here quite simplified, because this is you know, as far as you need to know for the exam purpose to remaining part in this domain, which would be the TC sec and IPsec and Common Criteria.
And those are the main objective of this module.
Actually, you remember the discussion we had at the beginning of this domain, where we spoke about how can we evaluate a system and we define a system as a trusted computer base, which is the hardware software and operating hardware framework and operating system.
So, when we started this domain, we agrees and when it comes to getting computer buying computer, how can we evaluate Do we have a reference to refer to that identify which machine now I will not talk I will not say machine or system I will say to a trusted computer based TCB.
So, do we have some things that we can measure or we can refer to that will allow us to know what is more secure than other? The first approach for that was something called the TC sec.
And it has another name.
And please take note for different name, which is orange book.
So TC sec, or orange book has been found from has been introduced by NIST National Institute of Standards and Technology.
And we had the discussion about NIST.
At the beginning of this course, they introduced a book where they have been categorizing the system or the TCB.
And they are saying if you're TCB are providing 12345 this is considered A or B or C.
So nest has introduced an orange book and so the nest actually didn't just introduce the orange books, they introduced a set of book called The rainbow book and they have the font color.
So the orange book has a way for evaluating computers or the trusted computer based.
While we have the red book, this was a book to evaluate the network, we have the Green Book for password.
And you're going to need to know the measures one of them like four of them.
But the details, you're going to need to know the orange book or as a name for that the TC sec, as they put the table or schedule that start from a to d, where d is considered the lower security if your system is z, if your GCB is these, this is considered as a minimum security, while a is a higher one, and they put some definition for that, if your system can provide your trusted computer base can provide this assistance Is this considered A or B or C and D.
Now, this is the part where you're going to need to do some memorization.
I know it's not easy, but if you keep reading them, you're gonna memorize them after time.
So as you can see is a TC sec, which stands for trusted computer system evaluation criteria from nest.
And another name for that is the orange book has different category at start from d, where d is considered the minimum security and a which is considered as a higher one.
So let's start with D mean it doesn't have any security at all.
C mean implement Dec discretionary access control.
So this is considered c one, if it implement that discretionary access controls that we are using in Windows which is permission READ WRITE, and ownership.
And it also has identification authentication and resource protection.
This is considered I'm sorry, implemented that and also as control access protection, or a prevent object reuse, and has an odor train, this is considered C to like Windows Windows, it's implemented EC and it has an event viewer so we are considering computers it has Intel processor, who is Windows operating systems, this is C two and as you can see, it's not very high.
If it can implement Mac windows cannot implement Mac, mandatory access control.
And has which is security label and has an can implement the BLP Bella padula security model and has isolation and has Davis global device level this is considered new one.
If it has all of those and can structure protection, I mean trusted pass it prevent cover channel and has separation of operation or separation of duty and provides that this is considered v2.
If it has also featured beside security domain or trusted recovery, this is B three, and so on.
So this part needs to be memorized because this is very important for the exam.
And you'll get to ask, okay, according to TC sec, if you have a system that can provide Mac and has labeling and so on, which one do you consider this is d or C one or C two and so, so I'm afraid this part where neither memorization.
And this is the only one where we're going to need to memorize this.
I mean, later on or the next lecture, we'll be talking about IPsec and an IPsec.
You'll notice that we have also some category, but you don't need to memorize that much of detail.
This actually was quite old.
I mean, it was like maybe 2025 years ago.
Now we are using different way for evaluating, but you're still going to need to memorize it for the purpose of the exam.
Don't forget the way of evaluations this was an American way because the second one is the next one will be British.
So this one was an American introduced by nest another name for it was the orange book.
So he may ask you about city psychology books is same way and you're gonna need to memorize those categorization of the system.
Last lecture on the security architecture, where we will be talking about as a kind of evaluation system.
I mean on the previous lecture we spoke about the TC sec, which came from nest and God and it has another name department orange book.
And I thought you guys were you have to give him You have to have some idea about the different books that nest have they called the rainbow book, at least the major one and this actually has been written inside a sunflower document so you don't need to search for it.
So the green sorry the orange is about the trusted computer base which is hardware software and operating system.
The red is about the network and I believe the green was about the password system and what you need to know about the rainbow book but the details you need to know the details about orange book, which is a category I showed you in the last in the previous lecture, how they are categorizing and how they are able to measuring the efficient the security of the system, according to the features that it can provide.
Now, the IPsec, it's an American Standard, there is another standard schools the it second, this is actually it's a European standard.
And it's similar.
You don't need to memorize all the things that I asked you to do on the previous lecture.
Except you need to know what is the difference between the it sec and the TC sec.
So let's see Nv and check the it sec.
Now is it sec was different in ways that it was not just measuring one thing? Let me show it to you.
So in it sec.
Okay.
Let me just remove those are the rainbow table books that you need to know the right read and trust and orange and brown, just have a look about them.
And let's talk about the IPsec IPsec was different in ways that it was not just this thing.
The security tests to sync the functionality and assurance It seems that I so here we need to this part.
So it sec, this functionality and assurance, what is the difference between them.
Now functionality, it's the assurance has a scale from A to zero from a zero to a six, where a zero is lower, and a six is a higher while functionalities from one to 10, you don't need to know f1, meanwhat and f2, you just need to know that we have two parameters that we are using for testing.
Now what is difference between functionality and assurance, when we are talking about functionality mean, they are testing if the system can do something or not.
So for instance, if the system are capturing Glock, this is a functionality inside the system.
assurance is to test if the system is doing that all the time, or just sometimes it's do that or sometimes it's not it's it's a continuously of the functionality.
So if the system is doing that all the times it's become assurance.
So assurance, it's to make sure that the functionality it's it's done every time.
So the main things that you need to know about it SEC is that it evaluate the functionality and assurance while on the TC sec it only evaluate the functionality and the functionality as from f1 to F 10.
where f1 is lower and F 10 is higher.
And assurances from easy to e6 where zero is slower and high.
So those are two way for evaluating the system search one because actually the prior problem was TC sec.
And it says that it was main academic.
And besides it was very expensive to provide a high level of security.
So they came up with a another way for evaluating system is called the Common Criteria or ISO.
And it's quite different.
It has a URL from zero to seven.
And it started by identifying what exactly you need to measure because it's the target of evaluation.
And then you you're going to be sending out you'll be receiving a protection profile.
So, ISO will send you what exactly needs to be implemented on the to.
So you said okay, I have an organization I need to have implement ISOs they will send you the protection file, you need to implement source controls, you implement whatever you want to implement, and then you send them the security target, you tell them this is what I did implement with a very big heavy check.
They'll come and they will audit you and He will check that your target of evaluation has the proper pp.
So what you are sending is st security target and they are comparing between the protection profile and that they sent and the security targets that you send and make sure that you implement the security control and accordingly let you get certified.
So you just need to know what is common criteria and how they are measuring.
Also here, you don't need to know those definition just the ways that they are evaluating and what is a zero a one a or how they are evaluating system.
On the next lecture, we're going to start by preparing for the exam.
I mean it's kind of tricky module because a lot of terminology and academic.
So we need to focus about some points and then we need To go and take some questions, and see how are we getting question about this part inside the exam? Now let's take some question about security architecture just to get an idea about the type of questions that you may expect.
So for instance, which is the following statement is untrue regarding Pella lapadula? More than Don't forget, untrue.
See, they usually do that untrue, which is not applicable, at least this kind of thing.
But you could think as I told you, they put that in bold.
So it will be quite clear.
It's the latest security level.
Yes, it is.
It's open, it operate in a highly privileged supervisory state.
It addresses confidentiality.
Yes, it is.
It invokes the simple Security Rule.
Yes, it invokes shows only one remaining that it's not true is the second one.
Let's see.
Sometimes this technique work, I mean, sometimes one of the answer you are not aware of so you can eliminate the ones that do not apply.
And if you end up with this answer, this will be fine.
Next question.
Hi security shop in Pentagon, she has the privilege to read any classified information related to her area for research.
But she is prohibited for reference referencing any unclassified she has a classification clearance, but she cannot read the unclassified, which one is doing that cannot read down, not read down or write up its integrity model not confidentiality, and which one has an integrity model? It's Weber.
So this should be this one.
Let's see this question maintained to other database.
What security modern icing, this one is very, very important to Reed's explanation.
Because as I told you, one of the objective during this training is to get the mentality of IC squared.
And this will come by answering as much question as you can.
So it's very important to read the answer even if your answer was right.
You need to know that you thought the same way ice ice square are thinking or it's just a coincidence.
Okay, let's see one more question.
How can I gain access to a secure system but discovers that he cannot? Or he can only access sensitive data in the database through a customer proprietary application? How do you remember, we agreed that when you see a key word application or software, which models it should be Clark Wilson.
So Clark Wilson is a model relate to you user access information through an application.
So this is Clark Wilson as well.
So you are getting the idea.
But the point is that you have to solve as much question as you can just to get those three key points inside the question.
And also the get to get the mentality of IC squared.
This is a very challenging domain, we still have a lot of topic to cover.
I mean, we already covered the TCP IP security models, we're going to talk about cloud security, we're going to talk about physical security, cryptography, different topics, all under the name of security, architecture and engineering.
And you may face some problem try to relate topic together.
That's why from time to time, I'm going to raise some guidelines, you know, how we can implement so far, what we explain in like some major guidelines.
And this is one of the lecture where we're going to do that.
We're going to just show what is enterprise security architecture buildings, if you consider your company or your organization, security architecture, what should be the major item in the implementation in general.
And then you can apply whatever we spoke about, or we're going to speak about to those five guidelines.
First, you need to have a boundary control services, in a sense that as you know, it's all about information.
This is an information security courses, so you need to understand them.
formation, it's sitting where and it's moving from where, to where, and how.
So if you have like a web application house information are moving from one web application to another web application.
If you have, or you're exchanging information through emails, through medya, how and when the information is moved from one system to another.
And according to that, you're going to decide which control you're going to implement.
This is one point.
Second point, which is quite important is access control services.
Access Control will be explained in depth after to domain and it's one of the domain where you will get a lot of questions about.
So still, you need to implement access control.
And as you're going to see is access control domain.
It's not about assigning a password access control, also referred as the Tripoli, syndication, authorization, and accounting.
So this will be explained in depth since access control, but it's one of the guidelines insides enterprise security architecture, the limitation of access to the data system, I should not allow everyone to access the data, I should only also allow authorized people, then integrity service.
Very, very important.
Maybe you have your information.
But you do not have some integrity control.
Some information can be manipulated, intentionally or unintentionally.
So you are working on it, like in a bank, and people are writing down customer transaction and customer.
What if unintentionally, they change a number? This is against the integrity, right? I'm not talking about intentionally someone or our man in the middle attack and change the information I'm talking someone by mistake, wrote something wrong? Do you have a control against that? Yes, we do have a control.
And we're going to see in the operation security that we can make people we're going to see that we have a control where we can verify each other work in ways that even by mistake, I did something, you know, someone would review it and we'll fix this mistake.
So integrity, it's for an intentional or unintentional modification of the information, cryptography service.
Also, this will be covered in depth in this domain, we're going to talk about everything related to cryptography.
And most importantly, auditing and monitoring service.
Any information security implementation system will have a frequent audit, you need to make sure that everything is going according to the plan.
And you need to audit that frequently, every one year, every three year to renew a certificate and so on.
So we do not just implement the control.
And that's it, we need to have an audit plan.
And we have we need to have monitored metrology, I should monitor how things is gonna get actually this is quite important.
So those are some of the guidelines that will help you in general while you are building your enterprise security architecture.
And you can apply whatever we spoke about so far.
And we're going to speak about in the same domain on those five different guidelines.
The upcoming few lectures will be about very small topics.
Just in each lecture, we're going to give you a brief about one of the service that maybe exists in your infrastructure or in your organization, you just need to be aware about it.
In a sense, you need to know what is the benefit of having such services or technology? And what is the disadvantage or of having said and some terminology related to it.
Now, this part of the domain where we're going to talk about virtualization, we're going to talk about mobile security, cloud security, big data and so on.
It is meant to the same concept that just having a brief about it in a sense that you don't need to dive deep into the subject.
So when we are talking about virtualization, if you didn't use it before, we need to understand what is virtualization and why we should use it in our architecture and what is the risk related to virtualization? When we will be talking about mobile security? We just need to know what is the benefit of using mobile in our architecture and what is the this advantage of using it And so on and so forth.
So it's not like we are talking about virtualization.
So you need to start studying virtualization set very deep.
He knows that this course is not about that.
So course is only about giving you like the definitions.
And always remember the saying about the CISSP, which is it's one mile wide and one inch deep in the sense that we're going to cover a lot of topics in this course.
But you need to understand only the basic definition about that.
So let's start with virtualization.
Each lecture will be just one topic, but I sing by getting those few lectures just having an idea about that you don't need to go deeper than what I'm going to say regarding this specific topic.
You will will guarantee like four or five questions sighs exam because usually ask about virtualization, they usually ask about mobile secure just one question.
You don't lose the questions that has couple of lines that you need just to have an idea about it.
Beside the only topics that you need to be familiar with, because recently, the rose some good amount of question about an insider exam is a cloud security.
Because cloud, you know, it's start increasing in our business right now.
So only cloud, you need to dive a little bit deeper.
But actually, I will not let you search here answer.
I'm going to put for you few cloud lectures from my ccsp course, that will be more than enough to understand the different cloud services to understand the cloud architecture and the cloud security.
So I am glad more lecture about cloud in this domain, because it's all about not losing questions.
So it's quite important to know the amount of questions that we get usually related to topics.
Let's start with virtualization virtualization, as you may know, it just having a virtual system on your physical system, so all my physical computer on my PC, or I can have virtual machine, one or two or three, and they will be acting like a physical machine.
What is the benefit of having that? Definitely, it's cost effective, because I can get one computer or one server and run on it four or five virtual machines instead of fighting or of buying four or five computers.
So definitely cost is quite a benefit here.
We also have a security advant advantage, which is the system, the VM or the virtual machine is usually isolated from the host, in a sense that if it gets infected with something or any breach happened, it will be only the virtual machines that will be affected with that it will not affect the host machine or the physical machine.
So from a security perspective, also it has a benefit.
We have some consideration like to consolidate, consolidate the system onto a single computer, if you plan to have a virtual machine into your single computer.
What do you need to consider, you need to consider that this virtual machine, it will take resources from your physical machine.
So it's not like having 5678 virtual machines are my physical machine, do you? Do I have enough memory and enough storage to support this virtual machine because they don't have a processor by themselves.
They don't have a storage they are taking from your local storage from your local hard drive they are taking from your memory.
So you should consider the security benefit.
As we agree it's completely isolated.
It's easily replacements, you could think about the virtual machine, it's like a file, I'm gonna show it to you in a few seconds, you know, so it's it's usually as a file, if you need to copy a virtual machine, from my computer to your computer, I just can take this file, copy it on a flash disk or something and give it to you and then you can open it from your computer.
So it's quite easier to move than a physical machine.
And I'm going to show you that in a few seconds is easily backed up and restored in the whole system.
This is a benefit.
What is the disadvantage? Usually it's related to availability, what if the system breaks down crashed.
So usually it's the risk that you have set the guests process might break out the sandbox.
So if you have your physical computer crashed all the virtual machine built on it would be rush to visit.
Let me show you a small example about virtual machine.
And just to, like, clarify what we are saying.
This is VMware Player workstation, it's a free VM application, you can download it from free for the for free from the internet.
And there is different products there is virtual box there is Virtual PC, Hyper V different product.
But this is a very common one.
And as you can see, I have many, many virtual machine in a store, I have a Windows Server, I have Windows client, I have some Linux machine, and so on and so forth.
And if you go to any of those machine like Windows eight, this is already installed.
I mean, if I right click and power on, it will start the virtual machine into my physical machine, same concept with the server and so on.
But let's go to the setting.
As you can see, this virtual machine, what is the harddrive space is 16 gb from where it's getting this 60 gb from my physical computer, what is the memories that it's taking one GB, so it's taking one GB and I can modify that I can make it two I can make it 512 MGB but it's taken from my physical machine.
And accordingly, I cannot open many machines in same like time, I have to make sure they are taking enough storage.
And finally, or Also, you can check here, the location of my virtual machine.
So as you can see this virtual machine are located in this storage.
So for instance, if we take this space, okay, let's go to the space, copy it.
And open from an explorer you go.
And if you open from here, File Explorer, just to see the location of this virtual machine.
This is the virtual machine file.
And if I need to move this virtual machine from this computer, rather computer, I'm just going to take this file and put it on another computer and install the same program, VMware Player, then I can go and to my I can sit here.
And I can go to open virtual machine and I can point to this folder.
And this will open the same virtual machine but on a different guest machine.
So it's quite easy to move the same way I was telling you, and it's regular working as regular machine.
So for instance, let me open a server for you here.
Just to show you right click power on.
And as you can see, I can have a server running on my same computer that has understand.
And I can have more than one machine running in the same time.
So this is the concept of virtualization.
It's implemented in different enterprise right now, because it's cost effective is secure, it has a lot of benefit, but you need to consider the concepts that we explained earlier.
And if I need even to open one more machine, for instance, let me show you I can also open for instance a Windows eight machine.
And by doing that, as you can see, I have two virtual machine up and running.
I can have more if I have enough memory and storage I can have more.
But the concept here this is the virtualization concept.
We spoke about virtualization, it was a very small topic just to be aware about what is virtualization what is advantage and disadvantage.
Next topic will be about fault tolerance, fault tolerance, he has to have a redundant system.
So for instance, if you have anything critical in your infrastructure or enterprise and you are worried maybe it crash, I need to have an additional audit application for this resources.
And I will give you a small example.
In your house, you may have an access point where all your devices are connected to right you have an access point or a wireless router.
And all your devices like laptop mobile tablet are connected to it.
What if this hotspot or wireless router crashed for any reason your network could be down so for this device, I need to have a redundant access point or another access point in ways that if this one thing this one will take over and accordingly you should not have long time long downtime for your network.
While your smartphone or your laptop.
It's not considered a critical device because if it crashed, you know, yes, it will be a small problem but your network will be still up and running.
So we need to identify what is your single point of failure? What are the devices that if they fail, they will affect the full business or they will affect your full infrastructure and have a redundant device for it.
So this is quite important, what are the devices that you need to have a redundant or a replacement for most of the time will be something like power, because it's a power crash, you will not be able to work on your device.
So you need to have an additional power supply.
For your critical system.
As I was saying, it's not like every device in your network, you're gonna have redundant, this is not cost effective, but you need to understand which one is more important.
And which one will affect your infrastructure, which one will give you long downtime and have another device for it.
So for instance, if you have in your company, a lot of servers, you need to select which server are more critical to other server, and then put a redundant server for it.
Client same option.
Also for network, networking cables or switches, what if the switch crash it also network could be down, so you need to have a switch for that storage hard drive, you need to have a two or red five, this is considered a redundant red one, audit five, I'm sorry, it's considered a redundant storage in case something went wrong.
So the concept of having redundant because keep in your minds at security.
I keep saying that, because you don't need to forget that, for example, especially security is not just about securing against malicious hacker is as against anything that may happen harddrive crash, it happens.
This is a physical device, it may crash.
Now, it's not about the value of the harddrive, but it's about the information that was stored on it.
Did you have a backup? Did you have redundancy in ways that if it crash, you will have another hard drive that will take over.
So it's quite important to identify your critical assets or your critical devices and have a redundant for it.
So those are some of the guidelines, as I told you, you need to have them as a multiply layer or a multiply levels in always that if one crash, you're gonna have to redundant another crash, you're gonna have redundant in this way, you need to have an automated failover process.
So you have, for instance, and another hard drive with all the information that are you going if the first one crash Are we going to remove it yourself and install the second one, or are you going to utilize for instance, raid one, which is a failover process to hard drive, you can do some windows setting in ways that if one fails, automatically, the second will take over.
And accordingly you will not feel any difference, you will not have any downtime.
So you need to do the failover in ways that it should be done automated.
You need to have applicate devices for the critical one.
This is also related as I told you to the single point of failure.
But it shouldn't be done randomly in ways that I get like a piece of paper and saying this one I'm going to replace this 100 replace, it shouldn't be done this way.
There is some relation to topics that we already covered legs, MTG in the business continuity planning and RTO and RPO.
This point that was covered on the first domain, you need to be familiar, which In brief, how long the company can afford to have the network down.
And according to that you're going to select which one is critical and which one will win, we'll help you get your system up and running in a shorter period of time.
So the concept is clear, I believe.
But the point is it should be based on the acceptable downtime.
And from where you are getting acceptable downtime from the management, you need to say to the management and ask them okay, how long can you afford to have your network downtime? As they said, We can have a downtime for couple of day, no problem.
I don't have to do any redundancy.
I'm going to take backup for everything and if anything went wrong, I have enough time to restore and buy new equipment.
If they're gonna say a couple of hour.
Now I need to say what can lead to more than two hour downtime and then I need to find the replacement for them.
So the point is the full totals need to be built on values.
Not a like random process to be done.
Some of the technique that can be used for the silver full coloring, we are talking about the silver level would be something like clustering, which is very common right now.
And clustering is just combining few machines together could be two or more, and they will be acting as one computer.
So I can have two computer, they will have the same IP.
And they will be configured as a cluster in ways that whenever you install something on one computer, it will be automatically installed on the second one.
And according to that, if any computer went down, the second one will be up and running is the same concept as the raid, if you know about raid one.
But on computer level, we have the network load balancer, or balancing or nlb.
This is not really a full tolerant, but it's just dividing Zulu, instead of having a load on one computer or one node, I can have it on more than one node.
So each request coming to the server, or each few requests will be divided between those two computers, I can use virtualization, and we already saw about virtualization that it can be backed up, it can be a redundant machine, instead of having two physical machine, I can have one of them as a virtual machine.
So if any like server went down, I can replace it with a virtual machine.
Or I can have both of them as a virtual machine and work on redundancy illusion.
I also want to add rate for a storage but actually in this slide, he's just focused on the server full tolerance techniques.
So especially as a clustering is very common right now, when you install things like SQL in SQL Server, it's mostly recommended because this is the database that most of you like to be very important to your business, most of the process will be done on a cluster.
So those are some of the server fault tolerant technique.
In general, new technology is very useful to the business, but also it raises new challenges.
So right now we have things like IoT, artificial intelligence, embedded system, mobile devices, all those new technology have been helping in our business, and it's makes things more effective.
But on another hand, it raises new challenge a new security issue.
So the point here, whenever you plan to implement the new technology in your business, you need also to understand what challenging is coming with.
Let's take couple of them.
Let's start with remote computing and mobile worker.
So in some cases, and in some business, for the effectiveness of the business, you need to allow people to work remotely, maybe you have some of the project managers that keep moving around all the time, and they are working from different sides.
And you need to give them access to the company network to be able to access the resources and so on.
So from a business perspective, this is actually quite good because you are facilitating them.
They don't have to be on site on Zendesk to be able to access the resources, but they can do that from outside in case the business needs it.
But on the other hand, maybe it can be manipulated in ways that what if the Lawson laptop, and someone was able to get the laptop and access this remote connection? What if someone was able to get his credential and log in remotely.
So you need to have some justification for that.
It's not that you need to allow everyone to be able to remote first in it, it needs to be a part of his job description.
So if one request some new employee requests a remote access, it needs to be done through a specific process.
He need to take an approval from his management and you need to give him the control or reserves the setting that will help to secure our network for example.
You should implement VPN, so if someone needs to access the company from outside, I should not give him like any of those free tools that allow to connect to the network from remotely I should do that using a secure connection.
Okay, so are we trying to like hardens a process do not keep it open for anyone.
You should also have some tools on the laptop in ways that if he lost that you can remotely delete whatever is on this laptop and You should inform the employees that in case he lost his laptop, he need to inform the security team right away.
So you can take the action you can blogs account, and so on and so forth.
You should work or having a DMZ is just like an area in your network, where it's you are keeping all the machine that need to be accessed from the internet, instead of allowing people to connect to your local network right away.
So you should have like a safe area or a safe domain.
So this is called the DMZ.
What else do we need to do? We don't have on sufficient I mean, whatever you are doing, you will not reach like a stage where you are 100% comfortable about that.
But we are just following the best practice.
And don't forget that you as a security professional, it's all about following this standard and best practice.
Because if anything went wrong, because it may went wrong, or it may go wrong, by the way, because you know, every day there is a new vulnerabilities, there is a new threat.
So whatever you are doing, you know, there is other challenges that we raise.
But if a problem happened, you can clear from you can clear your site by saying I was following their best practice I was following the standard.
This is quite important due diligence and due care, which we spoke about in the first domain.
In general, and I'm going to add this document with this lecture, you need to have a remote access policy.
And always that if anyone needs to have remote access, he needs to read about this policy, what is his obligation, what he should follow what he should be preventing, and so on and so forth.
The mobile device vulnerability or mobile security, it's common sense what could go wrong with your mobile if you start using your mobile in the business, receiving email, or using any messaging service for communicating with your client or communicating with your team.
Okay, what could go wrong? First, you could lose your mobile device quite easily because it's a small device.
And you'll be maybe lose it somewhere.
You may be a victim of social engineering and in the next lecture, I'm going to show you a small demonstration.
You are downloading a program someone send you an SMS you click on selling.
That's it.
SMS emails, so I'm going to show you different kinds of or I'm gonna show you actually one demonstration that demonstrate how easy is it to compromise a mobile and get all the information just by sending you an email, fake email or SMS was the link inside.
So those are some of the vulnerability insights on mobile and common sense malicious code.
social engineering.
Last of the physical assets get routed, or jailbreaking sexually quite risky.
When you get your mobile and do a route for your mobile if it was an Android, or jailbreaking if it's an apple, quite serious, because you are breaking security into the mobile and you are making it very vulnerable.
So let me show you one or two demo about the mobile vulnerability how it can be done just as a proof of concept.
And let's move to the next topic.
This lecture, it's under the subject of social engineering.
It's not really an attack, but it will show you that you should not trust any phone call or any SMS.
Because as we saw earlier, that email can be spoofed or can be faked on also phone call can be spoofed.
and text messages can be spoofed.
And this will be a small demonstration.
If you search online, you will find a lot of websites, some of them are free, some of them are paid that allow you to spoof your phone call your phone number, and to call someone and it seems coming from one of his friends coming from his bank coming from so you should not trust the mobile number.
If you getting a phone from your bank, it could be a spoofed call.
And let's see a small example about that.
So this is my phone.
And what I'm going to do right now, I'm going to try to make a call spoof cone and I'm going to choose any random number.
So let's see.
I'm going to use this website spoof card This is paid but as I was saying, it's not about which site you're using.
If you search, you'll find the site there is some free site and some pay site.
Let me go to This one and Let me place a call.
Now the good thing about this website is that it's spoofing the number and it spoofing the text messages as well.
So you can send someone an SMS Is that true is coming from, like his work his manager.
And by doing that, whatever link is inside here, you will be comfortable clicking on it.
So let's see, I just need to spoof a call, already sign up.
Let me go to account.
Now, as you can see, I can spoof a call, or I can spoof a text messages, I can record the school I can change my voice, so it became male or female or so you have different options here, you can choose different.
Like voice, you can record the call, and so on.
So let's try, I'm going to put a destination number.
So let me put a number for testing.
To destination number I'm going to choose.
So mobile is that I'm testing? Okay.
And we will type the number and then the caller ID to be display, what number would you like to display.
So I'm going to put it's coming from United States, for instance.
And I'm going to put, for instance, all 612-345-6789 10, you can put any amount of numbers, no problem.
And you can make your voice male or female doesn't matter record the voice backlit, let's test set first.
So this is my mobile.
Okay.
And let's place a call.
Here you go.
And you got to ask you to call a number in United States.
And once you call this number with me, it will activate the service.
So let's see.
Let's see, let's very This is a mobile and let me call the numbers that he's saying.
And let's see what would happen.
So just one second.
Here we go.
So I'm going to call the number for 08 from a different phone.
And for 085165121.
Let's go.
I'm opening the speaker because sometimes is asking about a code.
Sometimes it will run automatically or sometimes some opening speaker Oh, I'm sorry, I forgot to put the US code because I'm not calling from us.
So let's see.
See, so I was able to spoof a phone call.
So I can mix it any phone call I want I can call someone singing this coming from his office or calling someone's looking at it's coming from his manager or his bank.
So this is very, very important and very, very critical.
So do not stress test this kind of attack blindly.
So you are getting a call from your bank.
So definitely is the bank no knocking suddenly.
So let's try this new feature if it's gonna work or not.
But let's try that on a different lecture.
It's not really an attack section, but it will show you that you should not trust anything.
Email can be spoofed SMS can be spoofed.
Mobile, or a cellular number can be spoofed.
So my point is, people trust email blindly they receive an email coming from their manager, they will execute whatever is inside.
They will never think that mail can be spoofed or fake.
same concept applies.
For SMS you receive an SMS SMS from your bank, you think SMS cannot be faked, it can be faked.
mobile number, it can be fake.
So it's not really an attack session section, it's more into the tools that is used into the attack.
So if a malicious hacker utilize such tools, it would be very easy for him to convince anyone to do anything that he wants him to do.
So if I sent an email coming from your friend or from your manager, if you don't have enough background, or you are not aware enough, you may be spoofed by this email, and you will trust that the mail is coming from this sender.
So the first demo I want to show you it's the spoofed website, or the fake, I'm sorry, the spoofed email or the fake email.
If you search on Google for fake email, you will see this specific website.
This is a quite interesting website, it's free, it's very effective.
Most probably it will go to your inbox, if you don't have a proper mail setting, it may go to the junk, but it may go to the inbox, you can test it, you can fake an email showing it's coming from anyone to anyone.
And you can attach whatever you want, you can send it in a text or as an HTML.
So it will shows like you know this message coming from LinkedIn or from Twitter's or this come kind of thing.
So using such tool.
It's very, very convenient.
And I don't know why they are keeping such website up and running.
Because actually, this is very dangerous.
So let's try a demo here.
I'm going to send the mail, that show is coming from Ron Smith.
And I'm going to put an email or let's make it let's make it john smith.
And the mail will be coming from john smith abc.com.
You can put anything you want.
I can type g Smith, she Smith, for instant m s n.com.
And we're going to send this email to myself, I'm going to send it to different email.
So let's try with the emails that I'm using on my testing mobile.
And the thought if Sorry, I'm the G x.com.
And let's type any subject test email.
Let me put any test email.
Okay, so the point is that, can I fake an email or not? Let's see.
And I'm not a robot.
And let's send it now, he's saying that the email has been successfully sent.
Let's see if this is the case.
So I'm going to get to my mobile.
Now this can be used on mobile or computer or whatever.
And let's see, are we going to get anything or not let me refresh.
Here we go.
It's coming from john smith, which it's not an existing person.
And as you can see it showing that it came from john smith, and this is his email to my email.
So I mentioned what can be done using this tool that you can, like, convince someone set an email, he received chemic from his manager, or his wife or his girlfriend or whatever was the case.
And you try to convince him what was whatever it may show it's coming from Microsoft or is coming from their bank.
But I have to tell you, this is completely illegal.
And in some country, it's a federal crime.
So it's not something to play with.
If you are doing a proper penetration testing in any organization, and you see, you need to check if people you know they have enough awareness that if he's they receive a suspicious email they will verify you can use the stores.
Now, only one weakness we have in such tools.
It's a one way process.
I mean, you can send an email showing that it's, it's coming from someone.
But what if the victim replied back, the reply will be going to the right person.
That's why when people use such tools, they will never ask you, they will never ask you to reply back, they will usually ask you to do something inside the email, please click on the link, please download the attachment.
But they will never ask you to reply back sending them your credential or any kind of information.
So if you receive an email and you are USCIS, you are suspecting that this is a fake email, you can try to reply back asking did you send me this email, this would be gone to the website.
And same concept apply for any spoof technique, if you received a fake mobile or a fake phone call from a fake number, you can try to disconnect and call them back and so on.
So, this is one of the tool that if you use such tool with a technique that we explained in a previous lecture, it will give you an extremely good results.
But one more time this should be done in a proper frame.
If you are doing a penetration testing with pride approver cryptography in this domain, we will be talking about cryptography.
A lot of people have problem with cryptography.
And actually, they should not have any problem because it's not that deep, you just need to know the basics about cryptography to be able to understand the concept, and also solve the question related to cryptography inside the exam.
So I saw some people say you went and they bought some books that explain different metallurgy of cryptography.
It's not that deep, it's really, really simple.
And we try to simplify that as much as we can.
And because it's kind of academic, or it's kind of theoretical module, I'll be doing some demonstration while we are going inside the course.
Now what I want you to do, to be able to practice cryptography, I want you to install one specific program called crypt tool.
I already installed it, clip tool.
It's a free tool.
But it's very, very handy when it comes to practicing cryptography.
So it looks like an ode bet.
I mean, when you open it, it will start the program with a file inside.
So we close it, and you can open a new one, so you can practice that.
Now, I also want to show you from where you can download this application.
So if you go to Google, and you search for it down load grip tool.
And you know, it's better to get for me, I prefer 1.4.
Because it's quite easy to use to it's also easy, but a lot of features.
And I'm not very familiar with it.
So but you can download any of those you know, is are the same.
So you can go and you can download.
Now, you have to download the versions that match I mean English or German, you have to be careful.
And I will also I want you to notice below the download link, you can find something called the hash will be explaining that in cryptography.
But anyway, my objective is that you have to download this program, it will help you while you're studying for cryptography.
Now getting back to our subject, what is cryptography? cryptography it's to encrypt a text so it becomes unreadable.
Okay, sounds good.
So I have a text, I'm going to encrypt it and it will become unreadable.
And people who need to read this text or he gonna need to decrypt it to a readable format.
Now, this is the system under which area and security is it a confidentiality feature? Or is it an integrity or is it an availability? I mean, when we are implementing cryptography in our organization? What exactly are we providing? are we providing confidentiality or integrity or availability? cryptography will provide confidentiality and integrity but has nothing to do with availability.
confidentiality, it makes sense because I have some important information.
I'm going to include I'm going to send some someone to someone, and I will send him the key as well.
So he will be able to decrypt it back and be able to read it.
So by doing that and provide the confidentiality to my information, I am sure who actually can access those information.
Because I'm sharing the key was authorized people.
But what about integrity? How cryptography can implement integrity, you're going to see that during this domain, how cryptography can be used to confirms integrity.
But cryptography has nothing to do with confidentiality.
Now let's talk about the process.
And let's talk about two different definition.
So we have a text, we will be run some algorithm on it and it become unreadable text.
We have two concept here is that we need to be aware of what is a key and what is an algorithm.
Let's go to clip tool and let me give you a small example.
Let me close this file.
And I'm going to go work on this one.
So if I write down for instance, the sentence here, good.
morning, class, this is readable, right? Then I can select this text and I can go to encrypt or decrypt.
And I will find all kinds of encryption protocol, I'm going to go to one very classic one, I'm going to go to symmetric classic and we're going to go to Caesar encryption.
This is a very similar very classic encryption Caesar.
And what the Caesar encryption is doing it just movings alphabet I mean alphabet are starting from abcdef.
So I'm gonna ask him to start from E.
So first letter, which is a will be the will be transferred to E and B will be F, and C will be G, and so on.
So I'm just moving the alphabetic, I can do that by them by letters, I can tell him change from A to E or I can tell him movies a letter for letter, it will give the same result and then I'm going to tell him encrypt, then I'll be having another text that is also English letters except it's unreadable.
What do we call that? We call that the cipher.
So cipher cipher, it's unreadable.
unreadable, doesn't mean that it's a sign or a like symbol.
No, it could be English letter, but it doesn't have any mean.
Any meaning.
So what happened is I did transfer readable to unreadable text, okay.
Now it is a question what is algorism here and what is the key algorithm means a message, the message here will shift things letters.
And other algorithm could be changing the letter to number, this is also an algorithm or changing the letter to symbol.
So the algorithm is a message that has been used.
So what is the key, we are hearing that this encryption is 56 bit key, this one is 92 bit, what is the key z key, it's the number of letters that has been moved.
So this one, all alphabet has been shift for four letter.
So the key here is for.
And this is quite easy to decrypt, because the key is very simple.
So if I just select an encrypted text, and I go to analysis, and we go to symmetric and cipher Caesar, he can start analyzing, and he can tell you, because he gives a dictionary file, he will keep moving letters and he until you get a readable text.
And he can tell you that the last letter was D.
So if I'm asked him to decrypt, he can decrypt it.
So the key is that we use right now was quite easy, because it was just moving.
All of them the same amount of letter which is four letter, each one of those characters has been moved for letter.
That's why it was quite easy.
So algorism is how to house encryption is done, while the key is the number of letter, but what if the key was has some randomization so the first letter has been moved for character or for letter, second letter has been moved six certain has been moved to force has been moved 11 and so on, this definitely will be harder to to decrypt.
So when we are putting some randomization on the key, this is make the cipher more powerful and harder to decrypt.
That's why very important things that you should be aware of at the beginning of this domain.
There was a guy his name was Kirsch off and cash offset.
Own encryption protocol should be public.
Everyone should be out Public protocols.
That's why we are all aware of how different encryption protocols are working, I can tell you how Md fifl are working or LMS, or working, or SHA are working.
So it's, it's public.
While What is the secret part? It should be the key.
So what should be kept secret, it should be the key.
It's a very important things that we need to be aware of that the encryption protocol should be in public.
So all people that work in this field, say no, how's the MT five for an lm hash and different kinds of protocol? But what is the secret parts that prevent people from decrypting? They know how the protocol is working is the key.
Okay, so the key should be kept secret, and the protocol should be public.
And why should the protocol should be public, because when you put something public to everyone, a lot of eyes will be reviewing it, and a lot of flow will be found.
And it will be solved.
So it will be more secure.
That's why according to IC squared, you should never suggest to create your own encryption protocol.
Because you know, those protocols that we are taking during this domain has been tested.
But if you do your own, who will be testing and you keep it secure.
So route, encryption protocol should be public well, private key should be kept secret is a secret part of encryption.
And also very important to know that it's not the guy who mentioned that or Oh, he's the name was Kashif.
So this is also very important.
So this is algorism different between algorism, which is the way and Zuki, which is the secret part moving the letter four, or six or two, and so on.
Okay, so we have a key and aggregate.
Now this key has a meaning, I mean, when you see is that we have a key.
That is this key is for instance, 128 byte what exactly is that mean? It means that this key has a number of randomization, which is to have the power of can find the power of Okay, let me write it down power of, sorry.
128.
So when we're talking about a case, that is the length of the key is 120 a bit it means that it has the number of randomizations that it can generate, it's to have the power of 125, to add to have the power of 512, and so on.
That's why whenever the lens of the case bigger is the number of randomization that he can have is bigger, it will be harder to decrypt.
So why not making all the algorism is a very big key, because it's taking a lot of processing.
So it's not wise to use all your encryption with the power with with the keys.
That is, for instance, 1024 because this will kill your network, it will it will generate a lot of processing.
Okay.
So don't forget that all the key are all the encryption are well known how they are working.
And as we spoke, that key are providing encryption or cryptography are providing confidentiality and integrity.
But encryption has nothing to do with availability.
We are talking about a confidentiality right now.
But later, I'm going to show you how it provide integrity.
So this is a process we have a plaintext using a key it will be encrypted, then it becomes ciphertext and using the same key, it will be decrypted in plain text.
There is a small part in this course talk about the history history of cryptography who invented it was, you know, you have talked about Julius Caesar and different ways that he using the cryptography he was shaving the messenger head, and right on it and wait until he is here grew up.
And again, this is one way for doing that.
They were doing on the rope writing on rope and there was a method for doing that.
And the first mechanic device was a device called Enigma device.
And it was invented in World War Two and there was a movie about it by the way.
This was the first mechanic one.
But right now, you know, there was an early era.
The era of encryption, there is a mechanic error.
Now there is a software error, we are doing encryption by software.
And there is a future no one know how it will be done.
So problem is cryptography, as we mentioned.
And as we're going to see inside this module, that we need some things that is simple, do not have a processing or do not need a lot of processing and also need to have something secure.
It's not easy to find something.
Now, this is two terminologies that you should be aware of trampas substitution and sorry, substitution and transposition, you should know that all the encryption protocols that we'll be talking about, they are all using the same, or they will only depend on two different way.
The first one, it's called the substitution.
So all of them are are are done in using only two techniques such as substitution and transposition.
Substitution is the techniques that I just show you encrypt tool, few second back, which is moving the letters.
So one technique is used by most of the maybe all of the encryption protocol is a substitution is shiftings a letter.
Okay, the same way Caesar encryption is doing transposition is to change their location horizontally and vertically.
Let me show you how assumes that I'm writing down something like that.
Are you know, if I need to do a transposition, here's how it will look like? I'm going to take them How are you and we write down H O.
The first I'm taking the first one h o y and then all our oh and then w e u this is called transposition a change from vertical to horizontal.
So the How are you became like this.
So, all the encryption protocols that we will be talking about are using transposition and substitution substitution, just shifting the letter and transposition are moving horizontal and vertical.
Now, on the next lecture, we will be talking about some alternative cipher.
I mean, do we have different format of the cipher a different way for encrypting let's see a different encryption method.
There is different types of cipher.
Not all of them are unreadable text like the one we saw in the previous lecture.
But there is different format for hiding text one of the format, I would like to talk about school steganography, which is hiding a text or hiding any information into a picture.
This is called steganography, because it will lead to the same result, information information will not be available, or will not be accessible unless for authorized user.
So I would like to do a small demonstration to show you about steganography just to try to hide any information could be a text PDF, file, an Excel sheet anything into a picture, I'm going to show you how we can do that manually Actually, there is a lot of application who's doing that, like invisible secrets is a very common application, but I want to show you how to do that manually.
But before showing you I want to show you the setting I prepared for that.
So I have a folder here that has two picture number one and picture number three.
And I would like to hide picture number three into picture number one.
Picture number three could be a picture could be a text document could be anything.
Now let's check the size for this file is 18 kilobytes while this file is 10 kilobyte.
Now let's go to the command line.
This is in a folder called test on the C drive.
So let me go to the command line.
And let's go to test Sorry, go to the route first.
Again, there is some application is doing that.
But the reason I'm doing this demonstration because I would like to introduce a new skills for you, let me show it to you.
But let's do the example first CD test.
And then we can check the file, we have a file called one GP sheet, and a file called three dot jpg.
So here's how to do that manually, let me clear the screen.
And we're going to type copy, then slash be mean copy is a binary of one dot JPG plus three dot JPG into another file called hidden dot g p G.
And by doing that both find has been combined into a file called hidden.
Let's see.
So we have a file called hidden right now that should has those two file combined together.
So this file it said, and now another copy from this file inside zaidan file.
And if you want to check, you can check the size you notice that the size is 28.
While this was 10, and this was 18.
So this is the steganography concept.
Now what I want what I want you to be aware of or as the skills that I would like you to learn, it's how can we identify that? How can we know that this file hide another file, as I told you, it could be image could be excel sheet, whatever.
Okay, so I would like to introduce for you something called the hex editor that allow you to receive the file the same way as your computer is reading it, I mean, this is one of the applications called h XG.
And you can download this one or any other application EXA editors just google it free x editor now when you open this file, this program I'm sorry it will allow you to open any file but you will open it the same ways your computer is reading it I mean, if I open this file, it will open in hex format.
Now what is used a very important use most of the file has some standard characteristic for instance, all jpg image start with FF D eight and end with FF D nine.
While BMP has different start and different end while ti f has C.
So it starts with FFT eight and FFT nine.
According to that if I opens a file that has been combined, this one, this one should include the two filters, right? How many FFT Ah, you should find two because it has to picture inside, and how many FFD nine also to let's see, so if I go to search, and ask him to find a hex value, which is FF D eight, so he can show me the first one, I can then go to search and tell him find again show me the second one.
So he can show me the second one and if you see the corrector before that was a 59 so this is look like the end of the first picture and this is the start of the second picture.
And you can even extract it you can right click on selected to be one but you know he goes the end of the file and you can copy that edit copy and go to a new file and paste Okay, and then you can name it save as I'm going to name it for instance extract x track x x track dot GPG and as you can see, I was able to extract the file in the folder let's get back to the folder so you can see the file has been extracted.
Where is it? Here we go.
So I know we are talking about forensic now it's not the subject but I just want to show you that fire has different characteristic and it will be good It will be good if you are aware of what is a JPG file start with and end with and you open this hex editor in different file and check you know something similar between them.
Besides hex editor has another benefit q sees a spark.
On the right side.
This is called a metadata, which is information about the file.
So if it's a picture, you can know from this metadata when this picture has been taken, like if I opened this one, what kind of time camera.
So here it shows the date where the picture has been taking is a type of camera, and it has a GPS location.
So you can get a lot of information from the metadata.
So I wanted to show you a small demonstration about steganography.
Because just to let you you know, getting a little bit deeper into fire, not for the exam purpose, but for your own use, you know, so hex editor, it's a nice tools that let you know a little bit about some characteristic of the file.
in cryptography, we have to miss out for encryption, we have the symmetric encryption, and we have the asymmetric encryption.
So we're going to talk first about symmetric encryption, because this is a commonly used one.
Now in symmetric encryption, we are using one key for encryption and the same key for decryption the same way we did on the previous lecture in this domain, so you have a text, you encrypt that with a key, and then you send this key to the other side and with the text and ask him to decrypt using the same key.
So you are using one key for encryption and decryption.
Now, before going and resuming or before resuming his explanation, what could be the problem was that the problem was that that now you need to think about different way for sending the key.
I mean, you cannot be sending an email encrypted with a symmetric encryption and attach the key was because because whoever compromised the mail, he will get the key.
So now I need to send the email in one way and consider saying send things accused different way it's called out of band, I need to send it with a different way.
So this become an overheads for me, I'm sending the mail by a message and then sending the key by another message.
This is one of the problem but it's not the main problem.
Now, in symmetric encryption, we have two different way or two different technique.
The first technique that I need to discuss with you is one below here, which is the block cipher.
So symmetric has two type we have the block cipher as a stream cipher.
What is the block cipher block cipher is that for instance, assumes that you have a text or an email that you will need to encrypt using a symmetric encryption.
So we're going to take this email and he will divided to different blocks and with different different block was a specific size.
So you can have for instance, you are encrypting, forget about the image you are encrypting an Excel sheet.
So he will take this Excel sheet divides that two blocks, each block size could be 64, could be 32, could be there is different sizes depending about which protocol.
And then he will encrypt each block by itself.
Then, after encrypting each block by itself, he will start moving them around.
So now to be able to recover or to be able to decrypt the text you need first to read organisms the same way they are, and then combine them together.
And then they could read them.
So block cipher is dividing the text to different blocks.
He's not taking the full text and encrypted he divides them to blocks or pieces, the text to pieces.
And he will encrypt each pieces by itself.
And then he will start moving them around.
Number of round.
Okay.
That's why one of the things that you're going to need to memorize, actually very few protocols, you're going to need to memorize every characteristic characteristic here.
I don't mean just the key because most people think I need to know the encryption and what is its key size.
No, actually you have to memorize the key size, the block size if you are talking about encryption, If we are talking about encryption protocol, block cipher encryption, we need to know is there let me just get user cryptography? Or is it six continuty rule and regulation, I think I missed it.
So you're going to need to know the key, some of the protocol, the block size, the number of round that will be moved.
So you don't just need to know the key for those.
But you need to know the specification as this is one.
So let's see, let me just increase the size.
And don't get panic because just like four or five protocol, you're going to need to know this kind of characteristic.
So let's see, where are they? Same here.
I'm just trying to show you, what are you going to memorize for the exam? block size? Yes, here we go.
So as you can see those specific protocol, you're gonna need to know for instance, this, okay, this is encryption protocol, using z key size is 46.
The size of the key is 56 bit key, okay, and it will divide the text two blocks, each block size is 64 bit as set 64 block size, and how many rounds you will do 16 round.
So only if you put to call actually this section only that you're going to need to know for those protocols, their block size, number of rounds and the size of the key or lens of the key.
So this is a block cipher, while the stream cipher, it's it's encrypting byte by byte.
And so it's not dividing them to block or pieces, just taking the text and encrypting them byte by byte.
And they are using mathematically something called XOR.
And XOR is just one on one equals 00.
And zero equals one.
I mean, you know, there is because after all, it will be converted to binary.
So they have different binary depending about zero and zero, you don't need to disturb about that it's just a mathematic way, just need to know what is difference between block cipher and stream cipher.
And what is the characteristics that you need to know about encryption protocol when we are talking about block cipher.
Now, a very important concept here is called the initialization vector.
What is an initial initialization vector? Here is the question assumes that now is the definition first initialization vector, it's one extra byte added to the key so it can put some randomization to the key.
So let me give you an example assumes that two people wrote the same word.
And it has been encrypted with the same encryption protocol, the result should be the same, right? Because the encryption protocol work on is one specific way.
So the result should be the same.
That's why in the for instance, in Windows, if you check the files that hold all the password is called the same file.
If you check this file, and this file is encrypted with lm hash, you will find that all users it has the same password has the same hash.
But when we add initialization vector, so we add in each time we are using a protocol, one extra byte to the key, so it will get a different output.
So by adding one extra key to the key every one extra key to the protocol, I'm sorry, one extra byte a bit to the key.
Every time it's used, same protocol are used, except every time you will have different output even if the text was the same.
So IV, it's one extra bit added to the key to put some randomization To the text.
So to plain text, when you encrypt them with the same key, I'm sorry, with the same protocol, they will not get the same results.
And this is implemented actually in Linux.
in Linux, we have something called soul.
lt, where it puts some randomization every time.
So if to user create an account with the same password, because Linux are using souls, they will have a different hash.
Those are some of the protocol encryption protocols.
There's double this three, this ID is rc 245, and six blowfish.
And what is the problem with symmetric I told you about the transportation of the key.
But actually, this is not the main problem.
The main problem is a number of key and there is a formula that you're going to need to memorize.
The symmetric encryption has a huge amount of key.
So and it has a formula.
Let me show it to you.
So the formula is it's an multiply n minus one divided by two, where n is the number of user.
So assumes that you are an organization and you have for instant 10 user, how many key Do you need.
So it will be you replace ns 10.
So it will be 10 multiply nine divided by two, it will be 45 key assumes that you have 100 user gonna find that you're going to need a huge amount of key and definitely keys need to be managed key need to be transport need to be issued need to be disposed.
There is a process in key management.
So the main problem is a symmetric, we have two problem.
We have the transportation and we have the number of key but I believe the major problem is the number of key.
Now one more thing, before we leave the symmetric encryption, yes, it's easy to use, but as I told you, it has its own problem, which is this, this is a standard protocol used in US government, but some flaw has been found.
So they created do this and three years.
So, you will find sometimes they give you some abbreviation for those that explain how it has been working.
So for instance, you may find in this they are giving you this format, e three mean that the text has been encrypted three times three different keys.
So they are taking the text encrypted one time was a key send encrypted another time was a key is an encrypted another time was served key, this is very, so it becomes very, very strong and very hard to or it could be for instant E, D, E two, just mean encrypt, decrypt, encrypt using two key.
So they encrypt using one key and then they decrypt the text using another key so you're gonna have a big mess, then you encrypted one more time using one another key.
So it will be very, very hard to so whenever you see this terminology related to the does, you know it means how many encryption phase data and using how many key
On the previous lecture, we explained the symmetric cryptography.
And what is the benefit of using it, which is the simplified method of encryption.
I mean, I'm using just one key is not complicated.
But what is the disadvantage, which is the number of key, large number of key and the transportation.
also explain what is the difference between a block cipher and a stream cipher.
And I'm afraid you're gonna need to memorize some of the abbreviation what is a S stands for, or these stands for what.
But fortunately, everything is written inside the sunflower and couple of pages.
So the characteristic of protocol, which is our size, and which protocol you need to memorize, and those kinds of information, you will find them in the center symmetric in the sunflower document.
Now let's talk about asymmetric encryption, asymmetric encryption, it's quite different than symmetric.
And asymmetric, each user has two different key, public key and private key.
Each user has two key public key and private key, and they are mathematically related.
So whatever will be written in public key, I'm sorry, whatever will be encrypted with public key can only be decrypted with private key.
And whatever will be encrypted with a private key can only be decrypted with public key.
So the key is just doing fun one function, encrypting or decrypting.
Now, here's how it go, assumes that we are working inside and organizations that have 100 people.
So each of those people, or each of those user will have to keep one private key that is saved on his computer, no one has access to it.
And what public key that is hanging on zone, I'm trying to simplify it.
I mean, you know, this is everything is done behind the scene, I mean, user will not notice anything, but this is how it go.
So I'm gonna assume that each user has one key in his pockets, this is called the private key.
And there is one hanging wall and the key for each user on the wall that is reachable to anyone.
So what happened is assumes that I need to send an email to Alice.
So what I'm going to do, I'm going to check for Alice's public key is that as I told you, all public key are available for any user.
So I'm going to check for Alice's public key.
And I'm going to write the email, I'm going to encrypt that with Alice's public key, and I'm going to send her to, I'm going to send her the key.
So I'm going to send that as a message encrypted with her public key.
Now Now I'm now I'm comfortable that no one will be able to open this message except Alice, using her private key, right.
If Alice need to send me a encrypted message, she gonna check for my public key that is available for anyone writes a message encrypted with my public key.
And now she's she knows that no one can encrypt this, decrypt this message, except myself using my private keys have have inside my pocket.
A good example of that would be the website sedation certificate.
Because when a website, buy a digital certificate, so you know, some of the website has HTTPS.
So if you go for for Google, for instance, let's go to Google.
As you can see, Google is HTTPS means this site has a digital certificate, what is a digital certificate, a digital certificate that any website can buy has to function.
First function it guarantee this site, if you have a website, and you need to do some business on this website, you can try to buy a digital certificate from one of the major certificate authority like VeriSign, or Google or GoDaddy.
And they will not just give you a certificate and then your site will be HTTPS, right? Where is he going to verify your existence, they are going to ask you for an ID and they're going to ask you for a credit card.
So they make sure that you are a real business.
So the first benefit of certificate is that you get in to this website, someone is guaranteed this website for you.
The second website is the second benefit of that.
Let's open certificate.
The second benefit of the certificate is so we can go and we can go to more information.
Whenever you buy certificate you got two different key any website that has a certificate, he will buy two different key a private key and a public key.
The private key See, I think, issued by this will be kept on Google website.
Let me see security view certificate, I think should be this key, I believe are one of those key.
But anyway.
So what happened is when you buy certificate, you will get our Google when they bought the certificate, they will get two different key a private key and a public key.
So when you open your website, say we'll send you to your computer, a public key, their public key.
So whatever you are writing, it will be encrypted with Google public key.
And whatever is encrypted with Google public key can only be decrypted with Google private key.
So let's say have awnser web servers.
So this is one of implementation of the Oh, I'm sorry, it's a public key should be here.
Again, so that inside details, and let's go down public key.
It should be down here.
Yeah, here we go.
Here you go.
Here we go.
This is a public key for Google.
And whatever has been encrypted is public cannot be decrypted whose public has to be decrypted with the Google private key.
So this is a very important implementation for their asymmetric encryption.
So the first thing is a digital signature.
The solid digital, one of the implementation is a digital certificate.
Now, this can also be implemented inside organization, where each user, so you can have inside your company something called the certificate authority.
This is one of the roles inside the domain controller, Microsoft Windows domain controller, so you can implement that inside the network where each user will have a public key and a private key.
Now, this is private and public key as we explained and the mythology of using that there is another way for using the asymmetric.
So we saw how to symmetric four.
So we saw two symmetric for confidentiality, okay.
And integrity.
But we can use asymmetric in a different way, which is assume that me and you, we are on a symmetric encryption environment, we have an asymmetric so each one of us has a private key and a public key private key are kept private in my pocket, while public key are available to anyone.
In the previous example, we explained that I want to send you an email and confidential email, I'm going to look for your public keys that is available for you and I'm going to grab the text and send it to you.
I can use that in an opposite way.
So I can do the following.
I'm going to write an email, and encrypted with my private key.
Now if I encrypt that, who is my private key, it means it can be decrypted with my public key, right.
But the public key is available to anyone.
So what I what did I provide by doing set? When we do that, we are providing something called non repudiation.
I mean, if I do say this specific scenario, is that I encrypt my message using my private key, so anyone can open it using my public keys that is available for anyone, I cannot deny that I send this email.
Okay.
This is called a non repudiation.
So it's not for confidentiality, it just for confirming his identity.
And this is the idea of digital signature.
So I can send an email encrypted with my private key if you are able to decrypt it using your public key or using my public key that is available for everyone.
So definitely this mail come from myself.
So I cannot deny that I sent it.
This is called non repudiation, and this is idea of digital signature.
In digital signature, what you are doing is that you are sending an email and you do not encrypt the email.
So full email, but you put an attachment that is encrypted using your private key.
And if the other side, opens his email, and he was able to decrypt the attachment using your public key, this means this mail came from this poor person, it's not a fake email, we usually see that in emails that you receive.
And Bill's email, you find this disclaimer, that if you cannot read if you can read this text, this is came from this specific person.
So this is a digital certificate as a digital signature idea.
So some of the questions as exam for instance, they will tell you and this was actually really question, he asks a candidate a question says exam.
So this is Bob and Alice, if both need to send Allison email with a digital signature, what exactly he need, Bob, private key public key Alice's private key Alice's public key, and zeros like for question continuously related to the same scenario, Alice to be able to open them in what exactly she need, Bob brought private key public key at his private key, and so on.
So it's very important to understand digital certificate and digital signature.
And also to understand what is non repudiation that can be implemented using asymmetric encryption.
So a new terminology has been introducing so asymmetric do not just provide confidentiality and integrity, but also it provides a non repudiation.
Those are some of the protocol that is used in asymmetric RSA ljm.
And there is ECC.
Now we need to know this specific protocol that has specific characteristic, for instance, ACC, it's a protocol, because the problem is asymmetric is taking a lot of processing.
So ECC, it's an asymmetric protocol, designed for small devices, like smartphone and tablet, because they don't have the same processing power, like computer and mainframe and so on.
So this is an asymmetric protocol for a specific device, like smartphone or tablet and so on.
So this kind of notes you need to be aware of you get the question size exam, which asymmetry protocol can be used for small devices or smartphone or subsidize it and they will give you some protocol.
Okay, we'll go through that one more time on when we will be reviewing some of Julian's important point, but I just want to point to that, what protocol is used for credit card machines, you know, those credit cards that you are using that you are swiping your card in, they are using their own protocols called set, this is written in sunflower, so those notes are important.
So not just to know the major one, but the things that is you know, different.
So we spoke about the digital certificate idea, and how it looked like and how it work and we saw an example.
And you should know that digital certificate has different level.
So it is level 10123.
Some of the 11 rule requests the personal meeting.
So this is also will be mentioned in the sunflower document, public key infrastructure or you can have a certificate authority to certificate and each user.
Also we spoke about this implementation bti same implementation.
On the next lecture, we'll be talking about an important topic which is hashing, which is using the encryption into the integrity not to confidentiality.
In this lecture, we'll be talking about using cryptography into integrity.
How can we use cryptography for verifying the integrity of the file, some of the protocol are used for what we call the hashing and hashing will run a protocol or an algorithm on the file and it will get you a value.
And if any modification happened to this file, the value will be changed.
So let's see an example of hashing protocol and how it's used to confirm integrity.
So what are we going to do right now? We'll be opening a file.
Let me close everything.
Okay, so you need to have a hash calculator to be able to test or to do this demonstration and You can find a lot of hash calculator for free, just search online, this is a good one hash calc.
And let me show you how it works.
So you open this program, and let's create a file.
So I'm going to create a file, txt file.
And I will name it for instant secret.
And let me put something inside.
Good morning.
Okay.
And let me save it.
See.
And I'm gonna open another file just to see the value and compare between them.
So here is the situation.
If I take, if I take this file and put it in the hash calculator, it will generate the value.
So those are some protocol, like mt five Sha, those can be used for regular encryption and for hashing as well.
So let's see this value.
So this is a value that has been generated from the file.
Okay, so I'm going to put it here, based.
And you notice that the content of the file has not been encrypted, but he runs this protocol over as a file.
And he got as a result, a value.
Now, if any modification happened to this file, so for instance, I add one space.
And I save that, and I'll take it one more time, let's see what will happen.
Okay, you can see that the full hash has been changed.
So if we check this one, see this one, so any modification happened to the file, even if you had one space, or you add one letter, the full hash will be changed.
But this is has or it has nothing to do with the file contents, file content has not been changed.
But it just showing if the file has been modified or not.
So this is a way for confirming the integrity of the file.
That's why I can send someone a file, and I can send with him the hash of this file.
So if he got a file, he would run this hash calculator.
And if he got the same values, that means that the file has not been changed.
Now, an important point here, is that number one, this has nothing to do with the file name.
I mean, if I change the name, to any other name, do you think that the hash will be changed? No, because the content is still the same.
So if I take this file here, you notice that it has the same hash, it has not been changed.
So it's not related to the file name, it's related to the content of the file.
Number two, is that this is a one way process.
I mean, you get the file, and you run the hash protocol, you get the value, any modification happens, the value will change.
But you cannot do that in a different way.
In opposite way.
I mean, I cannot have the hash, and from the hash gets a fight.
So hashing protocol, it's a one way process while encryption protocol, it's a two way process.
encryption, I can have the cipher and get back the text, or I can have the text and get the cipher knows the hash is one way process beside those protocol, or hash and protocol, but they are also encryption protocol.
So I can ask him here, for instance, I need to change, I need to encrypt the text.
And I can write any text and he will encrypt it with MD five.
Okay, so I can ask him to encrypt, MD five or so can be used for regular encryption, or for hashing protocol for checking the integrity of the file.
That's why, at the beginning of this domain, when we went and downloads the crypt tune, you notice that under each download link, there is the hash of the sling.
And the reasons they do that, especially professional websites that when you download this program to make sure that it has not been modified, or any malicious code has been added to this program, you can run the hash calculator and verify the hash with the one mentioned on the website.
If they are the same, it means that the site is a file has not been modified.
So this is how to use the hash for integrity.
So now, encryption, our record photography can be used for confidentiality, which we explain and integrity by using hash protocol.
in this domain, we will be talking about physical security.
And for many people, this topic, actually, it's a new topic, because most of us came from a technical background.
So when we start talking about the type of fire and type of fences and type of lock, it's not really a very common subject for technical people.
Now, the problem or the challenge in this module is that you will be reading about saying things that maybe you didn't see before.
That's why I strongly suggest two things.
Number one, to open Google Image while you are reading inside this module, and whatever terminology are not aware of just check.
So when he's talking about a specific firefighting tool, maybe you didn't see that before.
So search for the image, you'll be able to memorize that second point, which is in this specific module.
If you go through the book, it will be kind of exhausting.
So it's much more better to go through sunflower, as we're going to do during this course.
Now, there is three different topics that I want you to focus on when it comes to the exam in physical security.
Number one, is power, the different power problem because actually, we always in real life focus about one power problem, which is the blackout or the power, getting cut.
But there is five other problems that you're going to need to know their name, and what exactly do they mean? So number one is a power definitely, definitely don't get a question about that inside the exam, asking you what is a search? What is a spark? Those are all power problem.
Second point is fire.
Fire is extremely important topic.
And there is some memorization five, like you need to know the fire table, what is Class A or B or C or k? Because each class has some firefighting tools.
So you may get a question that if you get a Class B fire, what should you use? co2 water, soda.
So the second point is a fire and type of fire and what should be used against fire in firefighting tools, fire distinguish fire sprinklers.
And actually, the sunflower document has helped a lot to categorize all of those just in one column.
So it would be much more easier to read it from them, but you still going to need to memorize the image.
The third point it's data center, please write down so snowed because if when it comes to physical security, this is the major part that you may expect the question about inside the exam.
So that the center where it should be located.
What is the specification of data center like some students get a question where they have been given a building and a data center and you need to drag the data center to a suitable place a place so you cannot put the data center as the last floor because maybe there will be any leaking or something like that or any under any bathroom or inside the basement.
So in case there will be a float also data center should not have windows, this was quite clear inside the sunflower and it is very common tricky questions they will ask you what type of window should the data center have data center should not have one.
So those are the three point that is considered very important in the physical security.
But we'll be going through all the topic and we're going to give special attention for those points.
So physical security, it's to secure the place physically secure the equipment, secure the communication and secure the building and even secure the people.
So I'm not now talking about technical security.
By the way, another name for technical security is logical security.
So we are securing as we spoke as a communications and that as the physical people and we are securing them from different kinds of threats, internal external natural sled mens Mithra this is all just actually talking.
Now when we are talking about The security, the physical security implementation, we have category.
And this is a tricky part and size exam.
So we have the term mean it's like an indication.
So for instance, a sign on the door that saying authorized people only.
This is not a preventive This is the term.
We have a detective like surveillance scam, we have a delay, like some facility will have more than one door when you go to entrance you have to go through to door This is for to delay intruder.
And we have response like an alarm or something.
It's kind of confusing.
I mean, it seemed quite clear while you are explaining but let me tell you a question and exam questions that came.
It was asking about offenses, what do you consider fences, and actually going to give a small attention to fences on the next lecture? fences? Do you consider that a preventive or editor so a lot of people think fences around the building.
It's a preventive, but actually not according to IC squared, it said the terror because no fences can stop an intruder.
So it's the terror.
So what I'm saying is maybe definition seem quite clear, but real implementation, it's much more deeper than that.
So, you have to be careful.
While you are reading the question, you have to read the question more than one time.
So we are protecting the premises, we are protecting the facility and we're protecting the security from where should we start the physical security implementation, we should start from the physical security should start from getting the blueprint of the building and starting and start checking where is the vulnerable area for instance, we do not consider the place where there is all the power switch vulnerable, but actually it is very vulnerable because if someone was able to reach to this place and disconnect is the main switch, this will lead to a complete downtime.
So they should be giving an attention why well the areas it has the washroom and is the bathroom should not give that much of attention, I should not put some like control Zed or some layer of security and so on.
So you shouldn't identify what is the critical area inside your facility data center power communication, things like that.
So it should start by identifying the critical area inside your facility.
Now the first part in physical security implementation is to implement the barrier and barrier could be fences or wall or door or lighting and so on.
And it's good to go through them but I believe is the most important part of these offenses and to know the different types of fences and many of my students get a question related to fences inside the exam.
Now I'll talk about some of the other techniques and then I'm going to go about fences in more depth.
So for instance, indoors we have different kinds of doors we have the empty doors that is very very weak and can be broken easy we have bullet proof door we have a hinge hidden hinge door usually to make things more easy for yourself whenever you have more than one type just need to memorize the weakest type and the strongest type.
So he may ask you what is the best kind of door but actually you will not find that much of questions as exam when it comes to everything except fences you may find the question about fences.
So as you can see, you have different kinds of doors and all it we have one that usually we are choosing according to the ones that support the high temperature and we use that for data center room so if a fire happened or something you know, world can support the high temperature doors you should choose the door depend on the location I mean, the most expensive and most secure door is waterproof door is that means that I have to put a bulletproof door everywhere.
No I cannot put a waterproof door on a well ocean for instance.
We have the lighting we have the ball but actually what I need to give a specific attention to is the fences because it's very very tricky inside the exam.
So when we are talking about fences, you can see that here inside the sunflowers they put three different category for fences.
Be careful So for fences that has allowance from three to four this is for the third it's not an as I told you it's not a preventive for the third thing, casual intruder or catch so someone who didn't have intention to break into the company when he find the very low fences maybe this will encourage him six to seven This is for it can be climbed easily while the recommended one it's plus eight feet so if he told you what is the recommended fence size is eight feet and don't forget this is the third and please be given attention inside all sunflower document for anything that is underlined or is bold.
So no fences can stop a determined intruder if someone needs to break in the fence will not prevent them whatever resilience is.
So this part is very very important specialist is one this is where it's a tricky part to becoming incisa exam.
So this is the fences part now as a technique will be pointing to but say I'm not that important for the exam but it's good to know about them.
Like type of rock we have the regular look we have a pic resistant rock, we have the combination logs intelligent Look, I mean, you can search for anyone on Google image if you don't know how it looked like.
Okay.
The access control we have automatic access control biometric who ensures that before but I want to give an attention for guards, gate guards, it's considered as the most expensive physical security implementation Why? Maybe it's taking less salary but actually the guard you have because when you are buying an equipment like an IDS, physical IDs or you're buying or you're building offenses, you're going to make just one payment and just set whatever is the payment tools, it will be done one time while God is taking monthly salary and medical insurance and so on, but what is the benefit of having guards it has a judgment part.
So, he can judge the situation it will not be an automated situation.
So, you know this is a different mantra, which is a traps that like hold someone if you try to steal or break through or something like that, just some of the control.
We can have entry restriction we can have exit restriction, intrusion detection, I mean, you know, nothing here need to be explained.
Yes, regarding the IDs, not the technical IDs, but the physical IDs, the ones that can detect motion or can detect voice or electromagnetic IDs in sunflower you will find the list of them.
Let me show it to you just have a brief about them.
So those are the intrusion detection, we observe electromagnetic waves, photoelectric, I just do you know what is a photoelectric, you know, when you try to like in big stores or moles when you reach near the door, it will open automatically.
This is a photo electric it has a photon beam, when you break this photo me, you'll be able to break automatically.
And so you'll be able to a will the door will open automatically.
So there is different kinds of IPS, I'm just pointing to the important parts those are the types that I just show you seven and scam nothing is there type of surveillance, nothing is there.
This is an important part logs, logs should be kept when it comes to physical.
So whoever access the facility you should have his names at times the reason a copy of it, they should be kept and reviewed periodically.
So in physical security like access control, you should have authorization authentication and accounting.
So you should have a logging system and the log system should include such information and it should be reviewed periodically.
So type of alarm will have the line alarm and silent alarm but actually those are the four type.
Some of them is V it's very common and some of them is very like local activation local response.
This is in case you have an alarm that if something happened on this places alarm won't be triggered on the same place.
While local and division remote response This is like fire.
A fire happened in a facility is a trigger the alarm will be triggered on the fire department.
The second is a certain for sexual it's quite not common like remote activation, remote response or remote activation local response.
Actually just like very theoretically, I don't have any example in my mind regarding restricted working areas or critical work area should be Monitor, they should be restricted major risk to secure the digital media like external hard drive CD drive.
Those we will be covering during Operation security, some of the policy to men rule and some other policies that can be used.
So he's just explaining, you know, what should be implemented.
But I'm need to point to the important part for the exam perspective because after all, in physical security, it's usually done by HR people or operational people.
But you as an information security officer or someone managing information security, you need to monitor that.
And you need to know the different options that you have.
Okay, now, let's go to but before going that, don't forget, according to IC square, personal safety, comfort, any scenarios that you have that problem happened, disaster happened, what should be done first, you should focus about people.
So I call them twice a square, personal safety is the first thing to be considered.
Okay.
Now, this is also facility design issue here.
One of the things that is related to information security, it's that choosing the design and the location is related to the physical security.
I mean, if you are taking a site for your company that is outside the city, and in very dangerous area, or is there is no transportation, you are increasing the risk.
Also, you'll find in some premises that they have like a long runway inside or was very high light, or maybe it's outside and maybe the reception area has a lot of glasses, this is a security design to make the intruder visible for a long time.
So the design has a role inside the implementation of the security.
Now let's go to the power issue, which I think it's very, very important and most likely, you will find the question about set inside the exam.
In this lecture, I'll be talking about power issues.
And as I told you, because a lot of people focus on just one power problem, which is cutting the power or the blackout.
So, they are putting all kinds of countermeasures against it, but actually is a six kind six type of power problem.
And it will lead to the same reason I mean, if you get exceeding a voltage, it will damage the equipment, if the voltage is going low, it will damage the equipment and those need different kinds of equipment.
So not always a power problem will be solved by generator or ups.
So we have six type of power problems that you're going to need to memorize the name and their definition and so, you may get the question about certain size exam asking you about what is a search or what is a spark or what is other kinds of power.
So, the electrical problem let's take first they exceed one if the voltage exceed.
So, if it exceed for a short voltage for a short time short voltage exceed this is called the spike one if it exceeds for a long time, this is called a surge.
So spike and surge and what is the counter to the US surge protector? So he will ask you, what do you call is the long, high voltage? Is it surge? Is it sir? spike is it fault is a blackout and so on, then is a complete loss of power.
If it's a short loss of power, this is called full.
And if it's a long term, this is called blackout.
And what is the counter for set ups.
The third one, which is the aggregation in decreasing of the voltage, if it's short term is called sag or PID, if it's long term is called the brown out.
So those are very, very, very important terminology.
As I told you some point here I can guarantee you find the question about the exam fire power problem, and most probably in the data center and the location of data center.
Other problems that we may face things like the aesthetic You know, some people have this problem with a static charge that So, you may need to know about static, just a brief about the charge what could damage What if the static reaches that much it will damage what this amount, but I will, I won't recommend you to memorize all of them only as a major one like what can really do damage you know, like if you got more than 1700 as a static this can really damage ships.
So, this column I believe is very, very important regarding electrical and power problem.
And here is an aymeric observed but it's not explained, but it's very important for us to know exactly what is the type of power problem and cell definition.
The This lecture will be talking about the fire and as I told you, this is the second important part.
So, you need to know the different types of fire the different type of firefighting tools, the different types of sprinklers, the different type of tools used for shutting downs of fire.
So, this is a very critical part and as I told you, it will be very, very good if you open Google Image while you are studying that.
So, the first table is that you need to study is this one the classes fire has been categorized.
So we have class A this is a common one and what can be used to deal with this fire water soda and assets.
Now below there, it explains the role of each one of our like, water is to reduce the temperature while so that this is to reduce the fuel supply.
Okay, the B it's usually from liquid you cannot use water in the B type of fire.
So, it could be liquid, it could be oil, it could be something What should we use gas co2, so the acid and here you can see that co2 has a has a function of reducing the oxygen inside the fire.
See, and this is usually related to us because most of the fire God forbid in eats related to electrical equipment.
So what should we use in NC we should use gas or co2.
And finally is the worst one is it is one for on metals, this will be very, very high temperature file and what should use dry powder.
So you need to know staples there is actually one more it's called key, which is for kitchens material, but it's not mentioned in here.
So you don't need to memorize it.
So classes need to be knowing the type of fire and what should you use in any kind of class.
And the explanation of that.
Now, this is also an important point that fire testing which should be 50 feet from the equipment.
It's rule, okay.
Now, for hanon there is one notes that it's possible to take it down.
But it's they're not using that anymore because it was against environments, they are using something called Fm 200.
So please write it down.
This is very important it was it was inside the sheet somewhere, but I don't know where exactly so we are not using heroin anymore.
Now sprinkle also is very important.
We have the wet pipe sprinkler.
And as I told you, it's good that if you need to see how it look like especially the red one, I mean, I know the wet one or the dry one, you can copy that.
And you can check on Google.
So what is the problem there is a wet and dry.
So problem is wet pipe is that the the water will be inside the pipe.
So what happened is if you are using that in one of the European country or the countries that has a very low temperature, the water will get freezing and it will prevent water from dealing with fire.
So for country from this nature's a dry pipe is better.
There is this one and this one actually, I guess the question myself about this one.
It's called do like water pipe.
Let me just now too.
And this is actually it's though it's doing or it's spreading a huge amount of a huge amount of water.
So I don't know if you saw that before.
I don't know why it's not selecting but if you check on you this one Google let me write it down.
You'll see that it has a it spread the huge amount folder, it's not recommended maybe it will deal with fire but the problem is it will damage whatever electrical equipment you have.
So it's not the best one and as I told you when it comes to memorizing all the different type ulick fire sprinkler system, okay, when it comes to five different type Don't forget the best one sometimes as to what is the best one to be used.
So see it looked like that and it spread the huge amount of water if a fire happens so it's good to take care of fire, except it's not do a lot of damage, it says amount of water.
So the best ones this was our putting see a underline, it's called the pre action, because it's it has an automatic part and it also allowed people to interact, this is considered the best one, get no This one's that one the pre action one.
As I told you, here we go Helen is not recommended anymore, we are using instead of F m 200.
So this is what you need to know about fire restaurant column, it's very important to know those terminology and the different types of fire and fire distinguish and where the fire distinguish should be and the fire sprinkler and so on.
Sir domain is network and telecommunication security.
And this is one domains that has not been changed since the third edition.
So it's almost the same domain.
In the third and force CISSP edition.
Most people who are studying CISSP came from a natural background or technical background.
So they will be feeling very comfortable going through this domain.
And you will not find any problem with this domain except of the amount of memorization that you need to do.
And this will be no this will not be a problem if you are using the sunflower document or the CISSP summary that gather everything together.
So in this domain, we'll be talking about almost everything related to the network network components, network protocol, network topology, network models, network attacks, so we it's considered like a crash course into the network.
Now usually, in any network course, what is the first thing that you should study? So OSI model or open system inter network? So the first thing in any network course that people study if you're taking network plus or CCNA, or Microsoft net, any network, they use to start with OSI model as a standard use incisa network.
So I'll be briefly going through that in case you are aware of that.
But if you already are aware of OSI model with all its definition, you can skip this module except you need to know what exactly do you need to know for the exam regarding xo OSI model I mean he will not ask you for the what is the application layer is doing or what is the presentation layer.
So, he will be asking you about which protocol are working in which layer.
So he may ask you DNS protocol is it's working on which layer or TCP UDP are working on which layer they are recording the transport layer or rip or AIG RP which are routing protocols they are working on which layer.
So, the only part that you have to make sure you are comfortable with is not to understand the functionality of each module, but mainly to understand each module or each protocol are working on which layer this is very very important.
So let me just briefly go through the modern zoie OSI model for people who are not aware of that and then we will be talking about the protocol used in each of the layer.
Now our OSI model has been found I believe in the late 70s to standardize the standardized the communication between the machine so the point is that when two computer communicate together before the OSI model has been in, was introduced.
Different company used to make different systems that can only communicate to each other so IBM was doing computer and they were doing protocols that allows them to communicate together.
HP was doing the same Compaq was doing the same.
So we never find the network Coronavirus.
IBM and HP and Compaq on simulator because they are communicated with different language.
So OSI model is like standardization of the communication.
So everyone agreed to work with this model.
And according to that, now IBM machine can communicate with hp was compact with them, because they are all communicating in the same way.
The objective of OSI model or is the aim of the OSI model, it's to make one standard way inside communication.
And to brief you about that, what happened is if we have to computer here, and computer on the left hand, decided to send an email houses mail will be sent.
So if he sending an email to the other computer on the right side, he writes a mail and then click on Send, now the mail will be sent the same way it's has been sent, I mean, it will be divided to something called packet.
And it will go through seven layer and each layer will do something to this packet.
So the means that I'm sending from the left Left side will be converted to a packet.
And I'm going to show you how the packet look like just you know to be aware of what I'm talking about.
And it will go through seven layer before sent to the computer.
And each layer will do something we have the application layer and the presentation layer both of them mainly are responsible to write on the packet because actually this packet of information is consists of two parts, let me show you how it look like it's consist of a payload and a header.
So let's go to our main friend, Google.
And let's see the information once we finish this module, I'm going to open for you the Wireshark and I'm going to show you how the packet look like that are moving in size in at all so information packet.
So, the packet consists of two parts the part that we call the payload and the header it goes through wrong one Okay.
Okay.
Good.
So, this is how the packet look like okay, we have a payload and we have said that as the payload is information itself and so, whether it's inside or above the packet and has all the information for the sending and receiving okay.
So, the point is as I was saying, I was explaining whenever someone is trying to send something it will be transferred to a packet set consists of two parts header and payload, and he has to go through seven layer and each layer will write something inside the packet.
So for instance, application layer and presentation rail layer, they were right inside the packet the type of information inside the payload so when it sent to the other side, he will be able to recognize what was inside this packet was it all document was it a picture something like that, we don't get that much attention about this layer but we need to start or is important Let's start from the session layer.
session layer has full responsibility to establish a session with the other side he has to choose from on which port this information will be sent.
And port for people who's not aware of that is the logical communication channel between the two computer and how many ports do we have inside our system 65,500 and something and you can check your port by going to the command line and type netstat minus a and it will show you the open ports on your machine and each port is using which service or each service is using which port.
So if you type net state minus a n, it will show you all the ports that you have opened on your machines or sport are opening and if they are listening or if ours are connecting to someone and it will give you some foreign address and so on.
And port usually are divided two different ways.
This is the logical communication channel.
It's not physical.
I mean, I cannot open the machine and show you what is Port 80 or Port 21 or Port 23.
Those are logical communication who's responsible for establishing choosing support and establishing a connection and after Finishing closing.
So connection is a session layer, then information will be sent to information will be sent to them.
Transport Layer.
Now the transport layer has four function to the site, this information will be sent how we have two different way for sending the information we have connection oriented and connectionless.
connection oriented meaning information needs to be sent and a confirmation need to be made that information has reached the destination.
So, you never received an email that is missing some words right? Did you ever open an email and it was missing some more, because those words used to be back and maybe they get lost during the during soy, but you never received an email that they are missing some old or open webpage that is missing some more because the way the OSI model is sending is information that it guarantee is that the packet will reach to the destination.
And how can he do that we do that using two different protocol protocols called TCP.
And another one called UTP.
We TCP and UDP and you TP This is how it work assumes that you are sending an email to someone.
So once he email, we'll be going through the applications and presentations and sessions.
And to reach the transport layer.
Transport Layer, we'll check the payload so content of this packet, it's email, email, it's statistic, I mean need to be sent with a guarantee to reach the destination.
So what's he going to do he gonna write on the header of the packet a sequence number so assumes that your email when it has been converted to packet, it has been converted to four different packets according to the size.
So he would write on the header, this is one from four on the first packet, then this is two from four on the third packet, then this is three from four on first packet and so on.
And then you will start sending one packet and wait for confirmation from other sides that he received one packet then he sends a second pack and waits for confirmation that he received the second and then you will said Sir, what if we didn't confirm the other side didn't confirm that he received the cert packet, he will send it one more time.
That's why you never receive an email that is missing anything because the email is sent by a TCP.
So once email, reach the transport port, he will check the content and he gonna know that this is an email and he will flag This one was a protocol TCP saying Could you please send this information using a TCP protocol where all packet need to have a sequence number and you need to guarantee that it reach on the other hand, some traffic cannot be done this way because of the amount of traffic especially the streaming traffic.
So voice and videos are a huge amount of traffic he cannot keep sending packet by packet and wait for confirmation it will take like forever.
So what will happen is, if the information that was sent was a voice, I mean, you're talking over the internet or video or some analyzer and it will reach the transport layer he can see that this is streaming and he gonna decide let's send it by UDP because it's too much packet and I cannot send it one by one.
And what will happen is once the transport layer decides that it will be sent by UDP the information will be sent all the packets will be sent and whatever each destination region whatever will not reach, it doesn't matter.
So you are sending and you don't follow up.
That's why when you are doing a Skype conversation or any Voice over IP sometimes you are some word will be missing those are packets that has been dropped and not recovered.
So the transport layer is one deciding what to be sent by TCP which is O oriented and what to be sent was UDP which is connection less than the information will be sent to the route network layer.
And this is actually I mean the fourth layer seven and six and five and four those are inside the operating systems operating system RS one who's doing that network layer as for functionality to addressing, I mean it will put in the packet header packets, the IP of the sender and the IP of the destination.
So we're gonna say this packet is sent from this guy to this guy.
So it will be sender and receiver IP and who's doing that this is actually done inside the router tacos router is one who's putting the IP address for source and destination and router usually use protocol right rip eigrp sorry those are the protocol for addressing the vape and e, i, g, RP and OSPF all of those are routing protocols.
And as I told you Sorry Sorry, as I told you that you need to memorize the those protocols on each layer what protocol are working sorry, he she RP, then it will be sent to the data link layer and data link layer is only one also another thing but actually, it's putting the address for the source and destination using the MAC address and not the IP.
So, both network and Data Link are using the MAC layer MAC address, both of them are using the both of them are working as a addressing layer, but one of them is putting addresses using an IP and the second one is using the MAC address or physical address.
And then everything will be sent to the physical where it will be transferred to binary signals and it will be sent over the wire.
So this is the OSI model.
Now, it's very very important.
I know that most people will be aware of this discussion, but I just need to point what exactly you need to be memorizing for this lecture.
So if we just increase the size of this fine.
Okay, so let's take the layer.
I know the sunflower is not going to seem older.
But I just need to point to the things that you need to consider for the exam.
Network radius, we'll talk about radius we already spoke about but we'll talk about some one more time.
Tech's yes this is layer okay.
But this is IP layer about here.
Okay, even if I'm not able to find it normals probably to be here.
Yes, OSI model.
So as you can see is explaining every part but the point is not the explanation.
It's you need to know each one which protocol are working this one, okay.
And he will not ask for this way protocol.
Like CDP Cisco Discovery Protocol, you will ask about HTTP telnet.
To sort application.
So it's working application layer, one for instant, the radius, the RPC, this is what counts the session layer.
While the TCP and UDP is one we just explained inside the transport layer and including SSL and SSH to.
So for each one, you're going to need to memorize the protocol which are working on this layer.
So on the previous lecture, we explains our OSI model and different function for each layer and the protocol who's working on each layer.
And you have to memorize this or order, you know, and you have to put some, like key words that will help you like all people seem to seem to like the lottery, what you can use here, but data processing.
So you need to do something to memorize the steps except I don't believe he will ask you about which layer is after which there.
Now the reason not an older model is that was used on the internet.
And this layer actually was called the TCP IP stack.
And it's very similar to TCP IP modern, except it's only four layer and it matches OSI model.
That's why you can use all OSI model in our machine inside the TCP IP model.
So So OSI model, it's only four layer application hosts, the host network and network access.
And they are matching each other.
I mean, you know, they are similar to each other.
And they can communicate so you can communicate between OSI model and TCP IP.
And this is I believe the slides that you need to memorize, which is the protocol is that working on which layer similar to the previous one, except here, it's in just one slide.
So, what is working on the first layer or second or third or first? So this is how the layers I'm sorry, the different models are explained and what do you need to know about them? So, let me try something I hope I have the program just to show you why are afraid I don't have but you can download Wireshark to free application and Wireshark if you run it, you will be able to see the packet and the payload and the header as well.
So, this is introduction part into the network.
The next lecture, we will be talking about this the network architecture and different network devices, it will be a long lecture that we may have to divide it to two different part.
So let's talk about network architecture and different kinds of devices.
This lecture will be a little bit long, and maybe it will be divided to two or more lecture, because we will be talking about the network architecture and network and network components.
And we'll be explaining how those different devices are working and the different terminology related to them.
So please bear with me, because actually, this is an extremely important part.
Now to be able to build the network What do we need, we need clients computer or smartphone or tablet or whatever client to connect, and we need to have a man media which is a type of cable and we need to have a switch.
So let's start by switch the switch what is the functionality of the switch I mean we are connecting older machine with one central point this is called switch and before the switch we used to have a device similar to the switch but different in their functional functionalities the device that exists before the switch used to call the hub and what was the problem was up I mean assumes that you are connecting five six machine with the hub, how's the hub used to work so, when computer a are sending information to any other computer inside are connected to the same hub, this information will be sent to the switch and the switch will be sending them to all the machine connected to its port because he cannot distinguish the machine from each other.
So, the problem was the hub was that it worked based on broadcasting he cannot distinguish which machine show if one machine is connected need to send the function to another machine He will send to all the machine connected to the hub because he cannot know which machine are the destination switch our mode smarters ends up so switch actually has something called the MAC address table or sometimes called the Kim and the ways the switch is working.
Let's see how it works.
So now it's important to understand how we talk because if you know how it work you will know what is the weakness of the device.
So let's talk about the switch switch.
And as we agree switch are a little bit different son's opposite he holds something called the MAC address table.
So when you connect some machine to the switch, he will be he will identify them based on their physical address or MAC address table so let's open the LAN topology to be able to explain that in a better way.
So we have some machine connected to a switch now As I told you earlier if this was a hub, what happened is when this computer need to send information to this computer, he will send this information to hub and hub will broadcast to everyone while inside this switch things are a little bit different.
So, when you connect some machine to the switch he will open or he will create something called the MAC address table or cam and he will write down the each computer MAC address and to which port is connected.
So, if this computer need to connect to this or send information to this computer, it will be sent to the switch and switch will check the MAC address and he will check on which port is connected and he will send the information so, it doesn't have the problem of the hub Let me show you how to make this look like switch MAC address okay.
So, it was actually more smarter than the hub.
So, this is our MAC address look like you know you have all the MAC addresses and on which ports they are connected.
So this one is connected on port eight zero 12 02.
So by doing that switch are able to not to prevent broadcasting which is you know has its own problem in security and so on.
Now, what is the problem was a switch and why the switch which is a layer two device, it's very easy to compromise.
Now if you know how the switches working, you'll be knowing where is vulnerabilities when you get a brand new switch, the MAC address or the cam has any information it will be blank, how's the switch our buildings the MAC address from the traffic.
So, if this computer send information to this computer, he will send to the switch and switch will send to everyone asking which one holds this MAC address and one of them will be replying back.
And to be more precise, let's assume that this is a new network I got five or six machine and I bought a switch and I connect them so switch right now our mt doesn't have a MAC address.
Now the thing is the switch or a layer two device can only recognize machine baiser MAC address while computers themselves they are communicating using IP I mean if you try to ping from one machine to my machine, you are typing ping space IP.
So definitely there will be a problem here because if you send the packet here and tell to the switch, could you please send it to this specific IP he cannot understand that even if you have some entry inside the MAC address table, he will not be able to understand because we are working according to MAC address and not IP.
Now to be able to solve that once the information on what once the packet is a computer or send the request to another computer using IP the switch will son will send because this is new switch so the MAC address table doesn't have anything, he will send something called ARP request ARP request to all the computer except the one that he receives the request from so this computer wrote the pink space one and 2162125.
So the pink packet has been sent to the switch and the switch will he don't know actually which machine holds this IP and he don't know even what is an IP.
So he will send a request to all the remaining machine scalds ARP request asking those machine guys Which one of you have this IP and one of those machine will reply back telling him I am the one who has this IP and this is my MAC address and based on the ethical to put this MAC address inside his MAC address table and next time when the computer send the request, he will know right away that this request needs to be sent to this computer and the value or the MAC address of this IP will be kept on your computer.
Let me show to show you.
So if we type cmd for instance, arc minus a, you will send all the ARP requests that has been sent from the switch and what reply he received so next time he can communicate using the MAC address.
The point is this ARP reply or ARP request doesn't have any validation.
So my point is if this computer was a hacker computer and this one sent to information to the switch go into an IP and the switch would send the request to everyone ARP request telling them guys which one holds this IP exists is hacker computer.
Sorry.
The it will reply back with something called the spoof ARP reply.
The exam? Yes, I am someone who has his IP.
He's faking his MAC address.
But no, why is that? Well, you can check if this was a right ARP request or not.
So the ARP can be manipulated and you know those sniffing application are spoofing are perfect things are, so they can fool the switch, and they can redirect the traffic closer.
That's why sniffling and man in the middle attack and those kinds of attacks are very easy to do, because you are manipulating the switch, not the machine, it means your machine is very, very secure that has all the layers needed, but you are working with a switch or you already are manipulating the switch.
So this is a problem with a switch that the ARP or some MAC address tables that is mainly based on ARP requests, an ARP reply can be manipulated in different way.
And you know, even if you put some static entry here, this would be hard to implement, it will affect some other appliance like IPS or traffic analyzer.
So it's not easy to prevent this kind of attack.
So this is how the switch is working.
And this is a weakness of the switch.
Now getting back to a bigger layer, or hire.
Now if I need to connect this computer, or this network in my building to another network located in a different city, what do I need to do that we will be needing for a router, because router routing traffic between different networks so he can connect to different land together to become a web.
So we're going to need the router.
So what is the functionality of router router as a functionality need to? Or has a function to the site? What is the best routing to a specific location? For instance, if you open a browser and type www.yahoo.com.
So a request need to be sent to Yahoo to ask for the help page, do you think there is only one pass from your house or your office to servers is many passes.
And the router has to choose which pause he should use to get to your server.
The first way he can.
This is the routers and how's the router working? You know, we spoke about switch switches you working according to the MAC address table, or sometimes called the cam was the router is working according to something called the routing table, he will have all the passes inside the table.
And whenever you send the request, he will open this routing table and check what is the best destination to this specific location.
Now, here you need to know how can we do that? How can we make the router choose the best bus, we have two different way for doing that we have the static routing, and we have the dynamic routing.
So static routing, which is not an effective way for doing that, it's that you specify the location yourself static routing.
So you can go to the router and tell him whenever someone needs to go to static routing.
Whenever someone need to go to the router inside or the Yahoo server, he has to go through this pass.
So he have to go to the networking site, China's undzer network inside Europe.
So he specifies the person actually this is not an effective way because you're gonna have to specify every static routing.
Now is a better way to let the router decide do not change the past.
But let him decide whenever he got the traffic to choose which path and we are doing that by dynamic routing and dynamic routing.
It's to let the router the site.
Now how can we make the router decide it's by assigning routing protocol.
So by putting a routing protocol on the router, you make him decide himself which one you which pass is the best pass.
And we usually we have two different kinds of routing protocol.
I'm sorry about some spelling mistakes, but I'm writing too fast.
And so first one is called the distance vector protocol.
This is not the name of the protocol, distance vector distance vector protocol.
And a good example about this protocol.
It's a protocol called rep or rip version two.
So the distance vector protocol it's a protocols that depend on the distance on some so called route to call.
And as I told you, don't forget the example an example of this This is Victor will be a protocol like read or rip version two, this is distance.
So the distance vector protocol depends on the hop count.
So for instance, if you have two different way or two different paths going to the same destination, one of them has to router until you reach the final destination and one of them has three router he will choose the two router.
So is his checking according to the less amount or we are calling that the less hop count less amount of router ins away.
But this is not necessarily the right approach because maybe you have two different ways that will take you to the same destination.
One of them has two signals, and one of them has five signal.
If you choose the two signal Do you guarantee to reach earlier definitely not maybe it's two signal but it has a very high traffic.
So distance vector rip and rip.
version two are actually depend on the distance vector.
And as I told you, it's not that effective.
The second type of protocol it's called the link state protocol.
This is a type of protocol link state sorry, link state protocol.
And a good example of that would be a protocol called Oh, s p f.
Open shortens his password.
And this is actually very, very effective, because he will consider many things I mean, when you give him our Ask him to reach one destination and he got more than past, he will consider the bandwidth delay the speed of the line and so on.
So he's calculating many factors to took, take the right decision.
So it seems to SPF it's more effective than link state, I'm sorry, links it is more effective than distance vector.
So why people are still using distance vector in some cases, the problem was Oh, SPF, it was kind of complicated to configure sunset easy to configure is hard.
wire wrap is very, very easy.
So if you have a small network, you can use rep by minute to not be that complicated.
We have a third one, we call that the hybrid protocol, which is you know, the best protocol was taking.
Sorry about that.
So we were talking about protocol.
And we said in routing protocol f the distance vector, which is things like rip and reversion to link state, like OSPF.
And we have a third type that we call the hybrid protocol that has both feature.
It's the best protocol, it has a good feature from the distance vector that is easy to configure.
And also, it has the feature of the IP of OSPF that it's checking the route based on many factors.
And it has its own feature as well.
And one of the very well known protocol is AI GRP protocol, this was one of the best routing protocol.
It used to be Cisco proprietary, I mean, you can only use it on Cisco, but right now it's open standard, you can use it on any device.
So this is a routing protocol.
On the next video, we will be talking about the type of firewall.
And then we will be talking about the application which is very, very important where we'll be talking about the type of backup type of raid this will be a very, very important lecture.
In this lecture, we will be going through fire roll and explaining what is the functionality of fire roll, different types of fire roll.
And finally, the different architecture of fire roll how fire roll can be implemented inside your network.
And I believe this is an important area as well.
On the previous lecture, we explained different component like switch how it work and what is its weakness.
We spoke about router.
What is its functionality? What is routing protocol? What is static routing, dynamic routing.
And now we'll be talking about firewall and firewall.
It's a preventive technique.
layer.
So what exactly fire wall is doing? It tracks it's actually inspecting any traffic going in or out of the network.
And you can add some rules so if the traffic matches the rule he can allow or deny.
So it's an inspection device could be an appliance or it could be something Let's see how it look like.
If you went and open control panel on your machine, let's see a simple sub firewall, which control its host based firewall.
Because in firewall we have host based and we have the network based.
So let's use the ones that we have on our computer just to get the idea of firewall.
All control panel, and let's see here, Windows Firewall.
And let's see is turned on for advanced setting, you're gonna see that this is how we are configuring the firewall, firewall usually have two different kinds of phones, the inbound and outbound.
So the inbound are inspecting any traffic coming from outside into our network.
And you can put a rule here.
And according to this rule, he can apply or deny.
And you can even create your own rules.
So you go in on rule, create, and you choose which port and then you click on Next, and you choose if it will be allowed or denied, and the type of traffic.
So this is how we are configuring in general the firewall.
outbound rule, it's inspection of the traffic going from my network to outside.
Now, as I told you, it's an inspection tool.
So it's a preventive I mean, it's like you are putting a security guard outside of your house.
And he's checking everyone ID before coming in his ID match whatever you told them, he will let him in.
Otherwise he will not let him in.
This is ideal firewall.
And I don't believe it's a very effective way for securing because since it does depend on inspecting the packet header, and packet header can be manipulated so it can be bypassed.
It's not actually that I consider the firewall more as a controlling tool, then as a file as a protection tool.
Now, what I need you to be aware of when it comes to firewall is two different types of firewalling.
stateless firewall and stateful firewall.
There is like four different type of firewall application firewall.
But actually, I want you to give a specific attention to those two, but you need to read the full definition which you're going to find inside the CISSP summary.
Now what is the difference between stateless firewall which is the old type of firewall, also known as packet filtering firewall, and the stateful firewall, here is the situation.
Let's talk about about first about the old ones, a stateless firewall.
Assuming that you need to allow people to browse the internet neat allows them to browse website from the internet.
So you create rule.
And you did allow Hello, port.
Ah.
So you put on your rule on your host based firewall and maybe on the network based firewalls that please allow Port 80 because you know that any requests that go into the internet browsing will be going through Port 80.
So any requests going to Yahoo, Gmail, hotmail on the header view, it will have a power 80 it will allow only traffic to power 80.
And the remaining of the port will be I'm sorry, it will allow traffic on port 80 and the remaining of the port will be close.
Now here's the scenario, the requests will be going from your machine to Port 80.
So the firewall will let him go out.
Once this request reaches a web server, Google or Yahoo or whatever, and this web server is sending you back the reply.
In this case, his reply is usually coming on a random port it will not come on the same port.
So he may come to Port 12345 or Port 5555.
So it will be coming on the port on a random port.
And since the fire rule are closing, I'm not I'm talking about the status file, since it's a fire road are closing all the port unless you allow it.
So the reply of this request will be dropped.
So now you will never try to browse any web page it will not open because the reply is the request when successfully but reply because it's coming to a random port has been dropped.
This was a problem is a stateless and you cannot you cannot adjust it because you will not able to understand order to know each website will send that applies through each port.
So how can you configure that stateless is it's a little bit different.
It's actually it's, it's solving this problem stateful stateless, has this problems that, you know, whatever you configure here, we're stuck with it, but he will not do anything else, the stateful firewall, it's kind of different in a way that if you have the same scenario, you are sending a request through Port 80.
And you are allowing Port 80 on your firewall, he will let him in.
But the thing is he are tracing the requests.
So whatever applies coming back, he will check zero reply for this specific request came back on which port and according to that he will dynamically open this port.
So he's tracing or his following the request to be able to open the port for the reply.
So it's kind of dynamic.
This is a stateful firewall, we have as I told you, the application firewall which work on application layer, and as I told you, you're going to find all the definition and you just need to know that deep about the different kinds of firewall.
The second important point about firewalls that you need to be aware of is a structure how are we going to implement firewall Are we just going to make a fire or implement a firewall between the internal and external network are we going to create a DMZ with a fire route before and after.
So we need to know those architecture.
And we have like mainly three or four architecture.
So for instance, webs is the packet filtering, routing, which is just putting a simple firewall between the two different networks, this is called the packet This is the simple way of firewall.
So if we go here, and we create it or we check this kind of firewall based, you will see just a simple way you have two different network internal networks and a network and you are putting just a firewall between them.
This is one way for implemented is called packet filtering.
This is a simple implementation.
We have another model on another architecture, which is screen hosted firewall Do not be confused between those two, because actually those are quite important.
Screen toasts firewall system, it also the same way except network as a packet filter, and application layer ryzen, right, just note down.
It has two different functions.
It's a packet filtering, and also a application firewall.
So it's similar, but it has two different function.
Interesting one is a third one.
And this is the actually the DMZ firewall, if any one of you are not aware of the DMZ DMZ, just a network that you put between your internal network and the internet as a, it will separate your network from the internet, for instance, assumes that inside your network, you have some servers that need to be exposed to the internet, like you have a web server where we're going to put the company website, and people from the internet will be allowed to access or you have a mail server if you cannot put those server that will be accessible from the internet within your internal network.
Because by doing that anyone can compromise one of those several he would be compromising their land.
That's why we create a network that has no server.
And we separate this network from our network from our internal network.
This is actually I believe it's a good example.
So this is the internet.
And then you build the network here we put all the server that need to be exposed to the internet.
And then you put your internal network here.
And you put two firewalls, one between the internet and the DMZ, and one between the DMZ and you're so you're trying to harden your system a little bit.
So the screen subnet firewall, just gets a subnet as a keyword.
I guess a subnet as a keyword subnet mean, it's there is a third network which is internal and external.
Do you and whom hosted firewall it's a specific wire rule we are putting two network adapters so because the juhan at me mean it has two different network adapter.
So those are the architecture about for how to implement the firewall.
This will be a very basic lecture where we will be talking about type of network topology.
I know that most of you are aware of that.
But anyway, since it's inside the curriculum, we'll briefly go through all of them.
So we know that we have different kinds of network we have LAN local area network, we have xwin wide area network, we have the ken Just campus area networks is like a college campus we have a man Metropolitan Area Network which is a network that cover a city for instance or enabled we have a pen personal Area Network This is like wireless mouse or a Bluetooth or something like that and we have a switch network and routing network then the network topology and topology mean how network could be connected together.
So we used to have the star topology, ring topology where we are connecting all the machine I'm sorry, let's start with the first one.
First one is one we are using a star topology we are putting one centralized device and all the machine is connected to this device could be a hub it could be a switch, but this topology or this kind of architecture is this is called a star topology.
What is the problem with star topology single point of failure, this is very important terminology.
Please write it down for any network to evaluate the network effectiveness, you have to check something called the single point of failure.
In such topology, do we have a single point of failure Do you have one device, if it failed, it will drop down the network Yes, we have set up it's up fail, all the network will not be able to communicate because this is single point of failure where the client or the computer are not single point of failure because if this computer failed, it will affect all these user who's working with this computer, but the remaining of people will be able to still use the network that's why we're adding to hub or to switch for redundancy.
Second topology is a bus topology.
And we used to do that you know back in the early 90s that we have some specific network card with a T terminal and you connect all the machine on one segment you don't have a route you don't have a hub or a switch and you have to close the segment with something called determinant and this advice is called the bus topology.
The disadvantage of that is that any carton sizes wire will lead to the downfall of the whole network we have the ring topology which also has some issue for instance information if you are sending information from the first computer here to this computer there he has to go through all the computer or from this one to this one he has to go to all the computers This was one of the problem beside any cut in the wire will lead to the same results but you should know that ring topology it's not just the legacy topology we still using it.
So fiber networks that we are using today network in you know for high speed internet, this is ranked topologies they are using ring topology they are not using stars they're not using bus they are using the link to punch but they are doing some redundancy as you can see later on and so on.
Then, according to that each network has our each topology has its own weakness.
So what Which one do you consider the best topology the mesh topology I'm sorry and mesh topology mean you are connecting all the machine to all the machine.
So as you can see over here, some computers they are all connected to each other.
So if any wire you know get cut or any problem happened to any wire you still can network still is running because there is alternative paths.
But mesh topology it's easy if you have a small network like this one but what if you have a complicated network I mean you have like 100 machine or 200 this will be very very complicated.
So we are using something called perpetual mesh, looking for the machines that is more critical and then connect them together.
So this is part related to topology.
Now we'll give a brief about the media network could be connected through wired or wireless in wire we have different kinds of wires that you should have a brief about them.
So why are we are using Be sure to So what kind of why I'm sorry, what kind of fire we are using.
Inside the network if it's a LAN we are using UTP cable or an twisted shield pair cable and UTP cable is it just the cable that has eight wire UTP sorry you to be kept.
By the way Google image will be very useful for you while you are studying in this course especially things like physical security because a lot of people do not have that information about physical security type of cam type of firefighting tool type of and this kind of thing.
Unless you saw it yourself, you'll not be able to memorize it.
So this is the UTP cable.
And as you can see it has a wire with different color and this is how we are connecting the UTP cable There is a rose a similar cable.
And actually UTP cable has different categories of cat three cat for cat five, cat six, and each one has a speed sukkah three can support up to 10 megabyte per second cat four can support to 100 megabyte per second, get five, one gigabyte per second unified settings, the sunflower just have small brief about them.
We'll also have an SCP SCP is a twisted shield pair, and it has a shield on the outside as you can see, which makes it a little bit easier.
Or sometimes if you are putting wire inside the place where is the electromagnetic field, it's better to have an STP so this is one use the lab there is some limitation for STP and UTP which is that you can use the cable for only 100 m meter.
So, you cannot have a cable long as you know one kilo or 200 meters a limitation of that is distance you should have this cable between machine within 100 meters.
Okay, another type of cable is a fiber cable.
And fiber, we have two different kinds of fiber.
fiber.
Fiber is kind of complicated, you know, it's it has, you know, some specific devices and so on.
But you should know that we have two different kinds of fiber, we have a single mode and we have multimode.
So we have the single mode fiber cable.
And this is what ISP is using I mean, this is a complicated one, single mode fiber.
Okay, so this has to be done with an I mean, electrician need to implement this kind of cable is very, very complicated.
While we have another type, it's called multimode, multi mode fiber cable.
And this is actually can be used by us, I mean, you can go and buy, it's very easy to implement.
And it just has some good advantage over UTP is that the limitation of this cable is 375.
So this is how far you need to know about images the cable wireless will be explaining that by the end of this module because right wireless are using radio frequency and we have some discussion about it.
So this is a major part that you need to be aware or images that you need to be aware in senate work on this next lecture, we'll be talking about different types of transmission.
And I believe this one's gonna need some attention because we'll be talking about some protocols and you need to be little bit focusing while we are talking about the way we are transmission transmitting information into between different devices.
This will be a very important lecture in the network domain.
And I want you to give me some attention beside please have a pen and paper and start taking notes about what I'm going to tell you in this part.
Now because this part actually is confusing a lot of people when it comes to the exam, here we will be talking about the remote access technology in the meaning of assumes that you have two different sites, site a and site B.
And you need to connect those two sites together because they are not physically located on the same place.
You are one site in one city and another site in a different city.
And you have been requested from your manager to connect those two sites.
How many options do you have? Number one, we have leased line.
Okay.
So we have a lease line or a dedicated line.
Now the leased line a just a dedicated connection between those two sites.
So you have one site in one state and another site in another state or city.
You need to have one connection between them you'd be going to your local ISP or your telecommunication company tells them I need the connectivity between site a and site B.
And they will give you a connection between those two sites.
And actually they already have cables between them.
Cities.
So they will give you a connection between those two sides.
And they will give you a plug inside zone inside your organization.
We call that the demarcation point where everything behind this hole is the telecommunication, responsibility and everything after this hole, which inside your organization, it's your responsibility.
Now, the good thing about Lee's line, it's dedicated connection, I mean, security is very, very high, because it's just the dedicated connection between those two sides.
No one is there.
It's not like the internet was everyone where everyone is connected worldwide.
Now, this is a dedicated connection between those two sides.
But the problem is a leased line is cost leased line costs, actually is very high.
So if we have, we're talking about couple of 1000s of dollar per month around.
So if you, if you have like five sites, I have five sites, and you need to connect them together, this will cost you too much money.
So the good thing is about the good thing about the leased line is about the dedication and security and the bad things about cost.
And we have different kinds of leased line, we will be explaining the difference between them, I'm just going to give you an introduction, and we'll be going and getting a brief about each one of them.
So we have the T one line.
And we have the T three, and we have the U one, u one, and T three, and E one.
You should know that T one speed, it's 1.44, I believe megabyte per second.
So it's not about the speed, this line will not give you that high speed, it's about the security.
So this would be the first option.
Second option will be the internet.
Now if we are concerned about the cost, and this is actually kind of expensive to have those, I need like 353 or five connectivity, and I have to pay that amount every month, I can use the internet.
And the internet is a very good solution because everyone has an internet connectivity.
So we can connect those sites together through the internet.
What is the advantage and disadvantage of the internet advantage is definitely the cost it will not cost me anything everyone now have internet at their organization.
So I just need to have a connection between the site.
But the problem will be security because this is a public network.
Yes, we can have over like past that.
Or we can solve that by using a VPN connection and VPN will be explained here as a brief, but it will be explained in more depth into the cryptography.
So the problem is when I'm sending and receiving information through the internet, it's a public network, I mean, it can be captured by any one of the network.
So I can solve that by implementing a VPN and VPN, which is a virtual private network, I can create a tunnel between the two sides through the internet, where will traffic would be encrypted between those two sides.
So even if someone was able to capture this traffic, you will not be able to read it.
So I can create an encrypted tunnel between the sides.
But still security will be an issue there.
Okay.
Now, there is actually one solution between those two solution which, you know, has been found in different name.
I mean, it used to be frame relay, frame relay or another version was called ATM.
I'm not talking about the ATM, banking ATM, there was a technology called ATM.
And now we are using today technology we are using MPLS they are all NP n.
S, they are all on the same category.
It's a category between zilis line and internet connectivity and using a VPN.
Let me explain to you the concept of frame relay and MPLS and so on.
Just open here.
Let's go to Google.
And let me give you a brief about frame relay.
Now, the thing was leased line based thing was a leased line that no one is using I mean if you as an organization has a leased line you'll notice that no one is using the full bandwidth all the time.
Okay, let's take this scenario for instance.
He just went to so they take an advantage from that so if you have a leased line on your organization, you notice that you are not using the full bandwidth 24 seven and also as a customer I'm not using the full bandwidth for 24 seven so the idea of ATM or frame relay or MPLS in most of the concept that Okay, let's do this because no one is using the full bandwidth full time let's have three leased line and give them to six people.
So, I'm going to combine together three leased line as a telecommunication company and gives them to six user depend on that no one is using the full bandwidth 24 seven and when you go to subscribe for a frame relay you will be writing your our eight will be giving to you the committed rate the eyes are the telecommunication company will tell you you will not have less than that amount okay.
So they are giving some leased line to more amount of customer and by doing that they are utilizing the bandwidth and the effectiveness of the leased line.
So frame relay or ATM or MPLS they have some difference but the concept is It's same idea of leased line it's a little bit public I mean between different customer but they are well known customer but it's not public as Internet.
So, you have the effectiveness of the cost and you have the security of the leased line this is idea of frame relay MPLS ATM and so on.
Now, what other methods remaining for the remote connection? Do you remember on the old day how we used to connect together or to the internet there was a dial up connection right dial up sorry.
So the first or one of the remote connection method was dial up until now some people are using dial up I mean some places do not have internet high speed internet they will use the internet to connect to different sites so still is used.
Now what do I need to know about those different kinds of remote connection for example, you need to know their definition and you need to know some details how deep let me show you.
So if you go here and we go through the different protocols, so for instance, let's take the VPN or actually let's start with these line.
Now this part I want you to give some attention to that and I want you to highlight some of the important point because it's quite important.
So let's start with different remote technology specification and what exactly do you need to know when it comes to remote technology? transmission we need this line this is really should be here.
Yes, okay.
So fire roll VPN VPN twisted pair we went through that the tunnel network type Yes, here we go.
So we're going to start the same way we had the discussion first was a leased line what is a leased line Okay, this is one dedicated communication How many times have you need to know the three different types we have the T one the speed is 1.5 t 344 point seven and E one European This is up to 2048 megabytes per second okay.
So, the first part that you note you need to know about dedicated line or leased line.
They are considered the same actually.
There is some difference between them but they are considered as the same.
So the first point which is speed, you need to know this Part, let me just highlight it just to point to the sink.
Okay.
This is the first part second, which is very, very important protocol.
What protocol are used in this line, we have the measure protocols.
The generic means, once it is used everywhere it's called the PPP Point to Point protocol.
And this actually, it's what we are using right now.
But before that there was one called slip serial line IP.
And you need not just to know the name of the protocol use, but what was the difference between them what is the difference between slip and PPP both of them are leased line protocol.
So this one for instant show interface to communicate with external host can be used over Remote Access Server.
Plus, why while the PPP, and this feature didn't exist in slip, can use some authentications.
This one didn't have an authentication and you can use authentication sharpened Pap, this is a message for authentication.
Shep is a new one Pep can send text in clear, concise information, clear text, we have also icnd.
And case this is also used.
No but actually this is a different protocol.
So for leased lines, those are the two protocols that you need to know.
Then we have the DSL when connectivity and webs the ADSL and sdsl.
So some measure what we have at home is usually a DSL, asynchronous DSL.
Why the I'm sorry, a symmetric DSL.
Well, the ones that businesses use is symmetric DSL, what is the difference between the ADSL is amount of download it's higher since amount of upload while the sgsn they are equal amount.
What else do we have? Yes, now we're going to talk about the packet switching network and this is a network that was between the internet and between the leased line which is the frame relay and ATM and so on.
So, you need to know before it is lines or x 25 we have a frame relay m frame relay.
So as you can see how far do I need to know just a small introduction about it like for instance you should know that we have the ATM yes ATM what is the specific about ATM that is used a specific size certified byte fix at sitesell.
So each cell is 3553 byte.
So you can see like small orders and he will tell you for instance, which packet switch or network has affected sides you've seen 53 byte size.
So this is how far you need to go.
Now let's talk about VPN VPN as I told you is just going to give you a brief right now but our main discussion will be about VPN will be during the during the cryptography.
Now VPN, we have two different protocols, we have protocols that we are using over the internet and we have a VPN protocols that we are using over dial up.
So over the top we used to have Point to Point transfer tunneling protocol called pptp.
And as I told you check what is remarkable when it comes to definitions.
So for instance, this is a point to point protocol mean, I cannot connect one machine to many machines should be one machine to one machine.
It's a tunneling protocol and it shows in dial up network only.
It's not used over the internet, while lttp this is also a point to point singer Point to Point same.
And it worked on port 15.
And also on the dial up now on the internet to use.
On the internet, we use a protocol IPsec IPsec.
It's an alternate talk.
So see, this is remarkable difference.
And it support IP version six.
And it's operate on network layer.
So you just need to read those kind of definition to be to be now starting from here you'll find that a lot of definitions is there and a lot of terminology is here.
So I will suggest to you some way for studying that I believe you will find it very effective to memorize when it comes to big amount of information.
And I tried that myself and I found it very, very effective way.
Okay, this, this is a way for studying a method of studying is called mind mapping and I believe maybe Some of you are aware of the technique where you are drawing the thing.
So you start drawings information.
So for instance, you can put here network and then from the network, we have remote connection we have the network types you have.
And then you put from the network type, we have a remote connection, right, the VPN, we have a leased line, we have the internet, or frame relay or switching network.
And from this one, we have Zeus protocol and you put picture and smiley face and frame really, as a technique for studying.
It's a very, very effective way.
And I try that myself, especially in those kinds of topics, where we have a lot of memorization, and it has a scientific explanation, because they are saying that it's easier to study or memorizing pictures and Walt.
So, according or actually you will find with this specific lecture, you will find my mind mapping, implementation for sonetel.
But you should not study mine, you have to do your because this is how you can memorize it.
And if you are not very good in drawing, you can do that using a computer application free.
It's called x mine.
x mine, this is what I'm using, but it's on my other computer is not here, an X mind, it's a way for mind mapping like this one, very easy to use.
And you can search on YouTube for any video, it's very easy to implement.
But I believe this is very effective when you study a topic that has a lot of terminology.
So this is things that I want to share with you.
And I'm going to share with you some mind mapping document.
And but you have to do your own mind mapping.
This lecture, we will be talking about wireless security protocol.
And I just need to give a brief about wireless how it's working, and what should you consider.
Now wireless, it's a different kind of network and wireless, as you all know, are working on radio wave.
And radio wave frequency.
This is actually where all the law enforcement and government and mobile and everything are using to connect.
So when you are using radio wave, you need to have a license except for a specific frequency, which we call the unlicensed frequency.
And this is where all our device are working on the unlicensed frequency is the frequencies that we are using, and do not request any license or permit.
So in wireless, when you configure a wireless, what do you do when you configure a wireless network? Let me just open a router and let see how the wireless router is configured? And what should you consider.
So a very good way for testing that will be a packet tracer software.
They have a feature related to wireless, what is it? What is it? Here we go.
So let's assume that you are building a wireless network.
What do you need to consider? And what setting are you putting? So assuming that I will build a wireless network? Okay, this is my router.
And we're going to go to goi so it will be easier to configure.
And I'm sorry, the size is a little bit small, but you get the point.
So let's go to wireless configuration.
So what is the first thing, the first thing that we need to do is to configure an SSID maybe it's not showing here because the size is too big.
So we need to configure here the SSID, which is the name of the network, the SSID is a one Zed showing who someone is scannings in a terminal, you click here and you find some network there, those are called SSID.
Now SSID is mandatory except I mean if you didn't write anything, it will keep the default one.
So you should write something in an essay.
Now the first question is when you have an access point or wireless router and you put an SSID is your and start you are and then start scanning using your laptop or smartphone to get access to this wireless.
Is your smartphone or laptop.
What is the one who's scanning or is it the access point or wireless router is one announcing about itself actually is the second one when we are assigning an SSID to any access point, he will start announcing about itself calling I am here and my name is set.
And what happened is that your device will just capture this packet.
So he will be knowing the smartphone or laptop that user is an access point by this name.
That's why it's very recommended that once you configure your access point, and then you may choose that all the device has been connected to go and disable this feature, instead of enable make it disabled SSID broadcast this may find under a different name, it could be disabled as you broadcast, it could be disabled beaking it could be hide access points, I have same function, which is you are preventing or you are stopping your access point to start announcing about itself.
It's a good security mechanism.
Because otherwise, anyone can scan, he will know that there is an access point on this area, and you will try to crack it.
But if it's hidden or it's not announcing about itself, maybe you're going to make this thing look a bit more secure.
The second after assigning the SSID is to assign a key.
So when you go here, we will find in the wireless security.
Yeah, the no I'm sorry, here wireless.
And we can choose from here is a security and how to decrease the size of Okay, anyway.
So we you should found different key that you can assign to your wireless.
So we have WEP and WPA and WPA two, we try one more time.
So let's go here, wireless.
And we should see the wireless security team is not working here.
So under why security security you should find three different key that you can assign to your access point or you can keep it open, which is definitely not recommended.
Now in wireless, as we saw in the slides, we have three different key.
Now the question is, what is the key? Is it a password? Definitely not.
Because we are all using the same key.
And this is not a password characteristic password should be unique.
But when we put the key on site, the access point to allow people to connect using this key, everyone will have the same key.
So what happens usually if you keep Zach's point open it will send and receive in plain text.
But when you put the key it will encrypt the traffic coming and going.
And it will this keys that you are giving to us or we'll be able to decrypt the traffic Susie will be able to read the information.
So it's an encryption decryption key.
And because of that, you need to use one of the good encryption key.
So there is different characteristics a WEP key is considered as the weakest one it can be break in like 10 minutes or maybe less, because choosing an encryption protocol called RC four.
And RC four is considered very very easy to to break.
WPA are using RC four also but was a bigger key of C four code with a bigger key but it's also weak while WPA two which we are considering strongest, it's using an encryption protocol is called a s which is considered a very good encryption protocol.
So when you are assigning a key to your access point, you should use WPA two to make sure it will be secured and will be hard to crack it can be cracked by zero but it will be hard to crack.
Now we will be talking about attacks.
And we keep as we keep saying in each lecture attack is very very important.
But the good thing is that you're going to find a lot of repeated attack in this module.
So for instance, we have the virus attack and warm and Trojan car in the same category malicious software and you know that malicious or malware are divided into two different parts.
We have the spying things like Trojan or keylogger or we have ones that do damage like virus and war.
So those are malicious software and malicious code are the same you know because you can add to it the new type of money malicious code like ransomware.
And this kind of malicious code, man in the middle attack, we spoke about that where you can manipulate the switch.
So he will send the traffic to you as a hacker instead of sending to the original location, and how people are using that based on this ARP request and ARP reply.
If you don't remember the technique, just get back to the network architecture, where we explained how switches working and how's how's the switch is working, and how we can our how hackers are doing man in the middle attack or sniffling.
Now, the important attack here is that at some detail is a denial of service.
The line of service or Distributed Denial of Service is that you are trying to send a huge amount of packet to a server or a service to crash it.
We know that actually as a concept, but there is some details here in this module.
And it's important to know about that.
So for instance, let me give you a small example about how to how a denial of service used to be implemented.
If I'm do a ping on a web server like yo www.yahoo.com what is exactly this, sir? Yeah.
Oh, sorry.
Not if you are doing ping on a website like Yeah, what is exactly what happened, my computer will send four packet which is very small size, 32 bytes to the Yahoo server.
And if Yahoo has a ping running, and I'm sorry, the ICMP protocol running he will reply back with the same amount and the same size.
So you can see here that four packet has been sent and four packet has been received.
Now I can misuse that I can type ping the same website but minus T and minus t may may mean make it continuously.
So he will keep sending pink and yellow have to reply back.
And also I can type minus L which change the size of the packet.
So I can put the maximum size I believe it was 65,000.
So I mean six five MB.
So now what I'm trying to do is I'm trying to send the huge continuously packet very large packet and yo has to reply back to me and I can do the same from three or four different machine and now he has to reply to those three and four machine same amount and same so definitely this attack will not get to Yeah, but if you lose that on a single client machine, it may affect its performance.
So now he has to reply to those four or five machine with the same amount of packet and the same size.
This attack is called the ICMP flow at Florida tech.
So you are sending a lot of traffic that will that will lead to crash into system you will reach not your any computer if you are doing this attack against he will reach a stage where he cannot reply because you know he keep replying to everyone with the same amount continuously use the same size.
So it will lead to crashing.
So this is called the ICMP floating another attack that I need to discuss with you.
It's called the SYN flood attack.
So if we like search here, let's go to Google.
So the nine of service it's important to know the different kinds of attack, not just the definition of attack.
So let's talk about something called a three way handshake.
Because this is basic objects attacks three way and check now in network usually, when two computers are communicating together, I mean, if you are communicating with yell to open Yahoo page, okay, how it go, I mean, three, we can check out things are starting.
So assumes that we have let me Yeah, this one is okay.
So assume I have a computer and I have a server.
And this is my computer, and this is Yahoo or Google website.
Now to be able to communicate, I will not send the request for that right away, I'm going to send something called sin.
And the server needs to reply back with something called SYN ack and I have to send an ACK uncensor communication stuff.
This is called the three way handshake.
So this is how the communication starts.
It's like when you are calling someone over the phone.
It's not like once he i o opens the line, you're going to start talking right? You're going to say hello.
This is a sense that you are saying I'm on the line and you're gonna say Hello, this is that you know, acknowledgement I can hear you Yes, go ahead and say You can tell me I speak to Mr.
And then you can start the composition.
So there is some initiation process before starting the conversation, so one of the very effective way for doing actually was quite effective till like soon or actually, at some early time, we used to do this for testing and it was very, very effective.
So what happened is I can misuse it, or any hacker can misuse it.
I'm not a hacker, I'm just talking as an example.
So what I'm saying is, let's assume this is a hacker guy, he will send a SYN to the server, the server will send a SYN ack, mean, I get your sin.
And I'm acknowledging it.
I'm waiting for the acknowledgement.
So we can start the conversation.
Zachary will not send Zach and he will send another sin.
So by not sending the ack, he kept one session pending.
The server is waiting to four sec.
And so he will establish the communication and start communicating.
But he didn't send the ack so the session is pending.
Now.
The Hacker will send another sin, then the server will send another SYN ack and waiting for Zach He will send not sent there.
So now I have two session pending, he will send one more session and gets an ACK and we are waiting for Zack Zachary will not center.
And if we keep doing that for a while, like 500 or 1000 session, now the server will not have any free session to give it for any other user.
So you as a regular user is trying to connect you know get a connection to this computer.
This is called a SYN flood attack.
Okay? Also it will lead to denial of service.
Those are two major attack but actually there is some more like two or three more that you're going to need to memorize.
So denial of service is very, very, very important to know the different kinds of attacks.
So we have the dose, this is a definition.
It's you are leading to crashing system, D those that you are using something called botnet or zombie.
It's a small malicious codes that you are spreading over the network.
And they are connected to something called command and control someone sitting somewhere else or they can send the request to the oldest machine.
And it can lead to crashing systems.
The ones that we just explained is called Smurf attacks.
It is depend on ICMP, we have the SYN flood.
I just also explained this attack as well.
We have the land attack where you are spoofing the TCP IP SYN packet.
So it depends about faking your packet connection.
We have the Friesian, another attack that is I believe using UDP just get the key word you know the major key word but you should memorize till drop where you are putting the source and destination I believe is the same.
So those attacks are very, very important in denial of service, you should expect one of those.
So denial of service here in the network.
Need more studying or need to know more detail is not just to know that there is an attack called denial of service.
This lecture we'll be talking about some security mechanisms in the network.
So we have the ACL or access control list.
This is can be used to put some rules or allow some traffic or deny some traffic, same concept of fire rule.
We already spoke about fire rule and we'll create a video about it.
We have something called IDs and IPS that we explained on chapter one intrusion detection system or intrusion prevention prevention system.
And we have the same solution, which is event management solution.
But besides this technique, also we have attack like caller ID attack which is an attack that shows a caller when case of dial up, we have not attack I'm sorry caller ID mechanism we have calling back some services when you try to call them because number can be spoofed.
So when you try to call them it will disconnect you and we'll let you We'll call they will call us themselves.
I'm just tricking us attack.
So we have different kinds of security mechanisms that we can implement inside a network should be here.
So definitely somewhere here.
Security security Yes, this one, we have reserved restricted access.
This is also considered, it's not as a slide, but it's very, very important so that you can restrict some access, you have the code that when user can call, or user calling a place, you can disconnect him and call him back.
And this is because if he's using a spoofed number or a fake number, you will be knowing that you have the caller ID.
This is also can be added to their security mechanisms that can we that we can use to secure our network.
We spoke about different components of the network.
And one point remaining in this module, which is the application and how to provide availability.
I mean, whatever we spoke about was related to confidentiality and integrity and also availability and only spoke about denial of service.
On this focus inside the network, we'll be focusing about the concept of availability, and to prevent the single point of failure.
Now, let me give you a small scenario.
And then let's see how to utilize it assumes that we have a network.
And this network has some very important server that has a very confidential type of information.
And those information should be available all the time 24 seven, assumes This is a bank, a huge bank, where customer can log in anytime from any place, draw money, or check their account and so on.
So you cannot have any downtime.
Now, where those where all those information are saved, they are saved inside the hard drive, or some hard drive or any kind of storage inside your network.
Now, this hard drive, as this hard drive may be a subject for any kind of damage.
I mean, maybe it's our driver crash, maybe it will be affected with the virus problem happens all the time.
So the question is, do we have any sync to make sure that if any problem happened to the harddrive physical or any kind of problem, we will not have any downtime? Yes, we have something called a raid implementation.
raid stands for redundant array of independent disk.
And the idea is that if I have a very important server, like the one we have right here, we can add in instead of just having one hard drive, I will add two or three or four drive and I will combine them together.
So it will be showing to people who's using the server as just one storage or one hard drive.
And the thing is that if I do such implementation, whenever I'm saving a file, in any of those disks, it will automatically be saved on the remaining this because for you it will show only one hard drive.
This is called the rate.
It's to combine physical harddrive actually they have to be physically you cannot combine logical partition, they should be physical hard drive with the same size.
So by doing that, whenever you save a file, it will be saved, saved on the three or two or four drive.
And in case of any failure, the system will still be running and functional and you'll be able to retrieve the information.
For it we have different level.
So I'll talk about the major one, which is raid zero, and raid one and raid five and raid 10.
Those are the measures right now raid zero, and it has another name it's called stripping was working in a different way.
So, raid zero or also called stripping was quite different than other raid now raid zero depend on our resume it was working that you get two different harddrive should be physical to physical hard drive and same storage and you configure them to work as level zero rate.
Now, what happened is whenever you create a file, it will be stripped or it will be cut or divided to two different parts.
One will be saved on this one and the second will be saved on disk.
Now, this will not be considered a redundancy solution.
I mean if one hard drive failed, you cannot even use a second hard drive because the half of half of those files are saved on the other drive that has been failed.
So it was not used for redundancy or high availability it was used for high performance.
So when you do that, the performance of retrieving the file from the storage is was high So strip, I'm sorry, raid zero was about the performance, not the redundancy.
raid one, which is also called mirroring was differences that you also have to add to hard drive physical hard drives same size.
And whenever you save a file, it will be saved on the two copy will be saved each copy on one of the drive.
So any file that you save will be copied on the two drive.
So if you if you have one failure, I mean if one of those two hard drive fail, you still have, you will be able to work all the file will be there, you just gonna have blinking on your screens that one of the file has failed.
And the only problem was raid One was that it's waste 50% percent of the storage in the meaning of assumes that I have two hard drive each one is one terror, I combined them together and I create raid one.
So total should be two terror.
But what we'll be showing to the user wanted only 50% will not be showing because it will be used for redundancy.
So the only disadvantage of raid one was a waste of storage.
Now let's talk about raid five.
raid five is similar to raid one, but you should use in raid five, at least three hard drive.
And the amount of storage that will be lost will be lower.
I mean depends about the number of drives.
If you have three hard drives as raid five, you're going to lose 30% cannot be used this will be used for redundancy.
Well, if you have four hard drive raid 520 5% cannot be or will be wasted.
If you are using five hard drives, it will be 20% actually, it's one over n where n is the number of drives.
So whenever you add more harddrive whenever this is will allow you to lose less amount of storage.
Finally return which is combining raid zero and raid one Actually Actually it's called read one zero, not 10 because it has the stripping and mirroring.
Now, how you'll be seeing those questions as the exam he will ask you your management request to implement the rate for high performance which one should you choose zero or one or 5%, for instance, or for redundancy or something like that.
So you should know the characteristic of each of those rate.
Finally, in this domain, we'll be talking about backup, which is also providing availability.
Now backup.
It's a very important topic in general, even in real life.
But we should consider the backup best practice before going and explaining different kinds of backups.
So for instance, on which media are going to take backup, are we going to take that on an external hard drive? This is not recommended? Because actually anything that has mechanic can be damaged easily if it's failed, or something.
Are you going to take that on optical media like a DVD or something? Also, it's not recommended because it has a lifetime.
It's usually recommended to take backup on a tape drive.
Where are you be? Where are you saves a backup backup should be saved somewhere remotely not on the same premises and so on.
But on this lecture, we need to explain the different kinds of backup.
Now in backup, we usually have three different kinds of backup.
And a lot of people get confused about two specific type.
So we have the full backup which taking full information is quite clear.
And we have the differential backup and we have say incremental backup.
What is the difference between differential backup and incremental backup? Let's take the differential backup first, which is the one on the incremental backup force which is one on the right side.
Of course, most people will not be taking full backup every day because you know some organization has a huge amount of information.
So they are taking one full backup per week or per month.
And the remaining of the week they may take incremental or differential backup.
Let me explain the difference for you for people who are not aware of that assumes that I am on the first day, which is Sunday I'm taking a full backup.
The second day, I will just take some modifications that happened on the second day.
So I will take the modification from the previous day.
On the third day Tuesday.
I'm going to take some modification that will happen that happened from the previous day from Monday.
On Wednesday.
I'm just going to take some modification since that happened since Tuesday, and so on, while in differential, I'm taking the modifications that happened from the last backup, meaning on Monday, on Sunday, I took a full backup.
On Monday the same I took the modifications that happened since Sunday.
On Tuesday, I took the modifications that happened since Sunday, not since Monday.
So I'm taking the modifications that happened since the last full backup.
On Tuesday, I'm taking some modifications that happens in the last two cup.
So it will include Sunday, Monday, and I'm sorry, Monday, Tuesday and Wednesday.
And on Thursday, I'm taking some modifications that happened since the last full backup.
How's that is different than each other? They will be different when it comes to restoring.
So in this case, like in the incremental case, if a problem happened on Wednesday, how many tape are on Thursday? How many tapes Do you need, we're going to need 40.
So full backup, and three hours of tape.
While so he needs a full backup.
And you need the remaining tape for Monday, Tuesday Wednesday.
While it was the same problem happened on Thursday, how many back how many tapes Do you need, you're gonna need only to the full backup as the previous day backup.
So the difference will be in restoring the amount of tapes that you're going to need while you are restoring your system.
And if you are doing that per month, you're taking one full backup per month.
If a problem happened by the end of the month, you're going to need like 29 or 30 tape.
While if you are doing differential, you can just need to tape the full backup tape and the day before tape.
So the difference would be inside the restoring.
We have also some kind of backup like remote churning backup or you're talking backup remotely and electronic vaulting backup, but one of them is taking transaction by transaction remotely, chances are one is taking bulk bulk data but all of them are remotely as well.
And finally, the concept of single point of failure is very, very important inside our network, where we need to identify what is the point device or equipment that if it failed, it will lead to any kind of downtime to the network.
And I try to make some redundancy for that.
So this was network domain, it's a big domain.
And I went brief as as much as I was able to simplify that.
It's very important to try to write down all the terminology I believe sunflower will help you a lot when it comes to gathering everything in like three pages.
And starting from the next lecture, we're going to start going through the question and see how the question look like and you have to answer all the domain question to be able to be ready for the exam.
So let's see how's the question for the network look like? Now let's take some network questions.
The World Wide Web its network in an overlay top of the internet Virtual Private trusted and along secrets a virtual network.
So an easy question switch marriage technology of what and what switch marries hub and rich because happy Buddha broadcasting while bridge was not which of the following major type is most easily to be tapped.
Most of the problem exists in everything except the fiber.
So always fiber is not insides option.
So twisted pair for instance.
Actually, those are quite easy questions.
But okay, which of the following are most resistant to environment? Anything that has a lot of feature rubies, a fiber optic? I mean, you know, it seems that whatever we got was kind of easy questions.
But it shows that it's not that complicated about network to be more into the definition or the characteristic of something First domain that we are going to discuss will be the access control.
Now before going through the domain and explaining the details, and finally, before going through the exam questions, and what should you expect in the exam, when it comes to access control, we have some definitions that we need to explain.
So the first definition, which is extremely important, it may seem simple, but actually, when it comes to exam preparation, this is kind of important, which is how do you define security? I think I mean, Before explaining any topic, or any domain in this course, how can you define security? How can you say that your organization is secure, we have what we call the security triangle, which is three factor if you can implement them, you will consider yourself secure, which is confidentiality and integrity and availability, also known as CIA.
So, security is defined as confidentiality, integrity and availability.
So whatever we're going to explain during this course, should be under one of those category.
So, for instance, if we are implementing password, and access control, this is considered to provide confidentiality because when I'm implementing a password, or an access control, I make sure that only authorized people will have access to the information.
So now I can make sure that unauthorized people do not have access so I can provide confidentiality.
While if I'm talking about taking backup and doing redundancy, to make sure that the information is available all the time.
This is to provide availability.
While I'm, if I'm doing something that will confirms that the information will not be manipulated.
This is considered integrity, let me give you an example.
assumes that you are sitting somewhere and you are connecting to a website and you are writing, you are buying something from a website.
So whatever you are writing, it will go from your client computer to the back end server that is located in another country.
So assuming someone is sitting on the same network, maybe you are in public place, you're connected to the public Wi Fi, he's sitting on the same network.
And he's sniffing the network, we'll be talking about sniffing insides attack.
So he's sniffing the network.
And whatever you are writing his he can see it, he can see your credit card information, your personal information.
Now, this is against integrity, whoever designed this network didn't provide integrity, meaning that the information will not be sent from place a to place B without being manipulated.
So someone can sniffers a network, he can see what you do, he can change.
So this is against the integrity.
So any topics that we are covering during this course should be under one of those three categories confidentiality, integrity and availability.
And actually, you may find set inside the exam.
So for instance, he may ask you cryptography, encryption and decryption it's providing what confidentiality or integrity or availability, cryptography provide confidentiality, and integrity but has nothing to do with availability, access, control, provide what and so on and so forth.
So anything that we'll be explaining during this course, before we start explaining, you have to first sync what exactly will be provided.
So, I can only say that I am secure in my organization, I can provide confidentiality, integrity, and availability.
This is the first definition.
And as we agree, you should always think about what is the benefit of implementing some control is it for confidentiality, is it for integrity is it for availability, this is extremely important as a basic definition.
second definition that we need to point to before we start our courses are names.
So usually, when we have someone accessing computer we call this user and this is a server or computer now we're going to use different names during this course.
We'll be using subject for user an object for the resources or computer or server.
So now we have a subject to access an object.
Subject most necessarily is user sometimes you are connecting to a website and then you need to buy something As a website, I mean, when you are connected to the website, you are the subject and the server that holds the website is object.
But the object is connected to another back end server from where he is retrieving information.
So now the server becomes a subject and the back end server becomes option.
So whoever access is called subject people or machines, and who whoever get access to I mean, like a server, this is called an object.
So the names that we'll be using during this training will be subject and object, not user and server or client.
So the subject are co accessing object and getting information from object.
And the rule is saying that, by default is the nine.
So the rule is access control, or is the role that the subject cannot automatically access object, they should be some control.
And this is what we'll be explaining incisor.
Course, it says I'm sorry, is the access control.
So there should be some control.
And this control if no setting is done in this control by default subject is not to allow to access object, you as user by default, you cannot access as a beep as our people account, bank account unless you have the permission for doing that.
So the default rule is subject, it's denied to access object.
Okay.
Now on the next lecture, we're going to start talking about the access control.
And what exactly do we mean by access control? Before we start talking about access control, I just want to remind you with the introduction lecture, where we agreed that when we are talking about information security, it covers three different area, it cover physical security, cover, technical security, and it cover administrative security.
So from now on, whenever we are talking about any topic, do not just consider the technical security, because as we discussed earlier, most of us came from the same background, which is, which is a technical security.
But now we'll be talking about technical security, also known as logic and security and physical security and administrative security.
And we're going to start by the finding what is an access control now assumes that you are doing a security implementation for any organization, a new company, it's, you know, it's launching their business and they ask some experts to implement some security, what is the first step that should be done? In, in in the security? What is the first implementation of security, it's usually say, access control.
Access Control has another name, which is triple A authentication, authorization and accounting.
So when we are talking about access control, we meant three different items should be implemented.
I mean, when I'm saying we need to implement access control, it's not just to implement a password on the system or on the door or something like that.
It's that we are implementing three different items, authorization, authentication, and accounting.
So that access control usually referred to authentication, authorization, and accounting.
And we add to that I, which is identification.
So we're going to explain each one of those the identification, authentication, authorization, and accounting.
Now, here's the proper way for implementing the access control.
First, we need to identify the individual or entity attempting to access so we have a company and we have some employee we need to know who will have to access the information, the premises, and we need to identify them.
Are we going to allow only employee to access our information? Are we going to allow the contractor Are we going to allow our customer who need to identify who will will access our information? So it started by identifying the people who can access that information.
Then we're going to verifies the identity of the individual or entity.
Okay, so assumes that we are In an organization, and I'm going to give access to all my employee, okay, this is the authentication part that people will have access.
But definitely this access will be with different kinds of permission.
I mean, definitely the CEO of this organization will have different type of axes than regular employee, then labor, right zanza driver.
So different people that may have axes should that have different permission.
And this is what we are calling authorization.
So authentication is to identify the people that are going to have access to the system where authorization is to give some people different kinds of access, because it doesn't make sense.
If I give all the employees same kind of access, it will not make any sense.
The third part of the access control which is logging.
So I have to whenever someone access to the system and the system one more time, I'm not just talking about technical says it could be a technical system, it could be the physical premises.
But to ever one of the employee access some resources, I should log Zed in a logging system.
So I can later on review them.
If someone's telling me someone logged in last week, at this time, I should have a record from where I can identify this is called the logging or the accounting.
And definitely just to be a need to be reviewed periodically.
So the point is, implementing access control means implementing authentication, implementing authorization and implementing accounting.
And each one of those items will be explained during this domain.
And we're going to talk about different models, if we are talking about authentication, how many models do we have, we have something you know something you have something you are doing and explains it in depth in a few minutes.
If we are talking about authorization, how many model Do we have, and which model is more suitable to our business, we have the Mac, we have the deck we have the non deck.
So each of those category of access control has different models.
And you have to select what is suitable to your business.
As we agree access control, its administrative access control, physical access control, technical access control.
So for instance, let's talk about technical because most of us came from technical background, if we are assigning a username and password on our system, this is authentication, right? While when we assign permission have on file and printers and resources, different permission to different user, this is authorization.
And when we are keeping the logs for all user activity, this is the accounting part.
physical security, when people have access to the facility or to the organization door or they have to the data center, they have access to it.
This is authentication.
Maybe I have access cards that allow me to go to an organization, but this access card will not allow me to go to any place inside the organization, maybe some places I'm not allowed to like the technical room like the data center, this is called authorization.
And finally, definitely I'll be having logins that will allow me to trace if I need to get a specific record for a specific date.
This is accounting.
So access control is implemented not just on the technical but technical, physical and administrative.
Now is the category of access control.
And actually let's let's explain that in a more wide way or more generic way.
In security.
We have different kinds of layer or when we implement security we have different kinds of layer.
And please give attention to the slide because it's a little bit confused and I remember an exam question that was confusing about this part.
So usually we have a preventive layer.
So in security will have a preventive layer like what like the firewall for instance, in technical like firewall, firewall prevent intruder to log into my network, right.
In physical the door door is a preventive layer that will not allow intruder to go to my facility.
While detective layer could be something like surveillance scam, if you have a surveillance camera inside your organization, it will not prevent an intruder but it will detect an if an intruder in technical What do we consider a detective layer in detect and in in physical security, I'm sorry in technical security IDs, intrusion detection systems.
This is software for people who didn't work was IDs before IDs is software that map or is that sniffers and network and any suspicion behavior he will notify you He will not stop it, he will just notify you.
So this detective layer corrective likes antivirus.
So if you have an antivirus and if you have an antivirus and he detect the virus, he would remove that this is a corrective layer and directive or sometimes called the third so directive anther, I believe they are the same, which is just an indication if you have a sign on the door saying for authorized people only.
This is a deter, or also called directive.
I mean, it's it's let's, let's focus on the tour right now.
It tell people that you should not be allowed to go in why we're using that sometimes you find the sign and the door is not even closed.
Why is it? Is it important to have a sign telling us? It's the it's important from a legal perspective, I mean, if I find the sign on the door is that saying that this is for authorized people only.
And I ignore that and I entered the door you know those people hold will have some legal as they can take some legal issue against me because I knew that I should not be inside and I went inside.
So the third is important here is here is a tricky question exam question.
fences around the facility, what do you consider them as a preventive detective? corrective deter? Actually most people would think righto is fences is preventive.
But actually, and we're gonna see that in physical security fences, according to IC square is its deter.
No fences will stop an intruder.
So it's a deter.
It's not a preventive.
And this is showing you the kind of tricky questions that you may find insights exam.
So we're going to start with access control implementation.
Okay.
And I'll start with authorization, the different authorization mark, I mean, I know that we have three different it means access control, we have so syndication we have authorization and website counting.
But I would like to start with sorry.
I would like to start with the authorization second one, the type of permission.
Now let me go to my board.
And let me explain this part.
So in authorization to make sure that we have enough time, yes.
So I'll talk a little bit about authorization.
Right now, we have three different model that we can implement when it comes to permission.
The first model, this is the model we are using in Windows.
So in Windows, how do we provide permissions, we will get all the resources file or printer or folder.
So we have this file and this file and so on, and we will get all the user This is called a matrix.
And then we're going to start assigning for each user some permission on those resources or on those files.
So Bob has read permission on payroll one, but he has no permission on pay one.
What he has readwrite ownership on part one, what is the difference between right and ownership, ownership can delete.
And Alice has different permission on different funds.
This model is called the deck and this is what we are using in Windows.
So the first model that we are referring to this is the most common one.
And this is called me just change the color.
So this is called the data model or the discretionary access control.
So let me write it down.
Sorry.
It's hard to use this kind of Yeah, here we go.
So the first model is deck.
Access Control.
The second model, it's actually so and this is what we are using in the noise.
Okay, discretionary access control.
Second one.
It's called the Mac, mandatory access control and This is usually used in military and government.
And this is quite different.
Okay? And you have to give attention to that because actually, this is important for the exam.
Now before going in explaining zetec when it comes to assigning permission, who is the one who should say that, you know, Bob should have this permission, and Alice should has this permission, is it the technical guy, actually not.
The one who should say, or should assign the permission is the owner of the data owner, it's not necessarily the one who created the file.
But maybe is the functional manager, I mean, I am the HR manager, I know who should access what.
So it's not the technical guys that should assign the permission, or decide about permission, it's that the owner, the technical guy should just implement those permission, but he's not the one who's deciding.
Now we'll be talking a little bit about the Mac access control.
And I believe this is very, very important because it will be related to many subjects that we'll be talking about later on.
So how's the mandatory access control is working mandatory, as I mentioned, it's different sensor deck access control.
And this is usually implemented in military and in government, it's thought by data classification.
So the first thing you need to do is one, you need to classify the information.
I'm sorry about that, I think it's better to use the keyboard.
So, first thing we'll do we get all the information inside this organization and we start giving them classifications This is top secret, this is secrets, this is confidential and so on number two, for each user, we are given giving a clearance level clearance level.
So, this user maybe have a top secret clearance, this user maybe have a confidential clearance.
So, again, how is mandatory access control working for each user as I explained, he will have first you start by classifying your information then for each user you are giving clearance level top secret or secret or confidential or now is that by that do we mean that let me show you an example for that.
So, by doing that, does it mean that the one that has a top secret clearance can see any top secret actually not the another factor will be implemented is called need to know.
So for me as a user, I have a clearance level and I had a need to know that should match the clearance level or the classification level of the information and the information should have any tools that match mine.
So for instance, myself, I have a need to know on For instance, if I'm working in military, I have a top secret cleaners, but I have need to know for only weapon information.
So I can only check weapons information and so on.
So, the implementation of mandatory access control is that we are classifying information first we have different classification and then we are giving for user clearance 11 and we are giving them another factor called need to know and their clearance level and need to know should match the data classification level answer need to know as well.
So, this is the mandatory access control.
So we have the Mac and we have the deck we also have the non discretionary access control.
Now as our access control could be things like role based access control, sometimes you are giving the access according to the role.
So for instance, assumes that you have a department inside your organization's it has a very high turnover.
So people keep coming and going and resigning and hiring people so whenever you have the company hire someone you give him And then he will leave after a while.
In this case, it's better to do that role based, I'm going to create an access control, I'm going to create the group by the name of HR, for instance, I'm going to give the permission for HR, I will not give permission for users, I'm going to give them by role.
So whoever is a member of HR will have those roles applied to him, we have rule based access control legs, a firewall firewall is a rule based, you put some rules and any traffic coming in or out, he will inspect those rule if it match, it will let him in, we have a content based on all of those is called non discretionary access control.
So access control based on the content and wherever time based, I can have access controls at work from nine to five throws working out.
So the point here is that we have three different model when we are talking about authorization, the deck, this is one used in Windows XP Mac, this is the military or government models and non discretionary access control.
On the previous lecture, we started by authorization, but actually authorization is the second step of the access control.
First step is identification and authentication.
identification is just to have a user name.
So for instance, what do you think may make more sense when you are looking to assist in just using a password? Or you have to use a username and password? And user name is not secret? I mean, it's written in in a clear way, it's not hidden.
Why is important to have an identification part, not just the parcel? Why do you use identification? Why do we use username and password and not just the password? Because it's helping for the accountability? I mean, if all of us having only password now if I'm checking some logs or tracing, how can I know which parcel belongs to which user.
So it's important for identity for logging.
But the important part in this lecture will be user.
authentication.
And authentication is the first step inside the access control.
And we have three different way of a syndication we have something you know, something you have and something you are so so syndication could be using three different models.
As we explained in authorization, we had three models, the Mac and deck, a non deck also in authentication, web three models that you can choose from based on the type of your business and the sensitivity of your information.
So we're going to start start with something you know, something who you know, is password power.
So if you're going to make authentication inside your network based on something, you know, that's mean, you're going to depend on people password.
password is usually considered cheapest and weakest authentication methods.
I mean, it's very, very easy to crack a password whatever the password those hard or complex, because password can be captured in different way.
So that's why we always say is as possible the cheapest, because it will not cost us anything, I don't have to buy a reader for a fingerprint, or a device for smart card, it's built in inside the system.
And the system has an option to allow a password on it.
So it's cheapest, but also is the weakest way, we have different way for assigning password, we have the password, which is a regular password, we have something called the passphrase which is instead of password.
And they're recommending that right now, you can write a full phrase I like to do shopping on July full phrase.
So this will be a little bit harder to break where to break.
And you have the pen like and also ones that we are using on our ATM machine and so on.
So there is different format of the password but they are all comments at it.
Own are something you know, I mean, people need to memorize that.
And it's not easy.
I mean now is the best practice, practice when we are talking about password.
That user should have different passwords, all of them complex to different account.
It's not easy to implement that you know, because people will not memorize six, seven password all of them are complex for different accounts.
So it's not that easy to implement.
Besides those different password, password passphrase then we have something called cognitive password, which is like what is your mother's maiden name, this is called cognitive password.
And while we are doing summarization by the end of this chapter, we'll be going through those different terminology related to the access control.
So this is something you know, of course, if you decide to implement a password as a way for authentication, or this would be the model for authentication, you should have some control on it.
So you should implement some policies like what two likes one we are using in Windows password should be complex, more than n character, it should be having captain and small should have a lifetime, it should expire up to one and you have to enforce user to change their password.
So you should have some control, at least you are hardening your password, but after all, I have to tell you password can be break in a very easy way.
So I cannot guarantee 100% whatever policy I'm implementing, that this will make us comfortable.
What kind of password we are talking about now technical person.
But what about the physical password if you have a pin number on like, the doors, people access the door using a pin number is the same same concept as a password, but it's a physical password.
So second one would be something you have.
So another model for authentication, something here, it could be something like a smart car, it could be a magnetic strip cards that you can sweep and let you in or sweep on your mobile or your smart, your laptop and login could be an RFID radio frequency ID set you know, you just need to wave in front of the reader and so on it could be talking device, I will just focus about the smart card and talking device.
Smart Card.
You know it's a card that has this shape, this shape has some information, you can use that for authentication.
Now, what is the problem with with this kind? Or is this more than in general, what is the problem with something you have? So the problem is, it's it will cost two will definitely be more expensive than using the password.
Beside people may lose those devices.
So whenever they lose a card, you need to issue a new card or a token device and so on.
So this one attack related to this kind of card is called micro affair, you're going to get that during the revision of the access control.
After finishing this domain where we'll be explaining the attack related to the smartcar I think it's very important for the exam, you'll get a lot of questions asking you about attacks.
So you have to write down whatever attack we are talking about to have to write it down.
Now, another type of something you have would be the talking device and talking device and a lot of people aren't aware of that they just the devices that generate one time password is considered very effective actually.
So whenever you are, you are trying to syndicate you push one button, it will generate one time one time password valid for like one hour.
And you have to use this password.
This is a very good technique for authentication.
In talking device, we have two different types.
We have synchronous and asynchronous talking device.
The same one we are looking here, it's called synchronous.
And this synchronous device depends on timing.
I mean, definitely.
On the other side, I mean if this is a banking talking device that you are using to log into your bank account, definitely, definitely on the bank because they have a server that generate a password on the same method or algorithm is that match? I mean how's it will be knowing that this is the right password.
Now the password that this device says synchronous device is generating depend on time.
So the factor here It depends about when are you generating that and on the other hand are under the other place.
The bank or us organizations have a server set has a formula also depending on time, and when you click on it and you generate the password, it will be compared on the other side.
Based also on time.
Let me show you the asynchronous that has like a paired on it.
So a synchronous, let me show it to you.
Hey Sin Pro is talking the asynchronous it's similar to synchronous.
Now, the synchronous device it just synchronous talking devices like this one it has a push button where you are clicking click on it it will generate the password say synchronous it's like this one okay, it has a pad on it you have to type a pin number and it will generate a password according to that.
So, the thing is synchronous one if you lost it and someone was able to find it and he know his account he can generate the password, but if you have a synchronous you know even if you lost it and someone gave it to be able to generate a password, you have to know a pin number.
So, we have a synchronous talking device and asynchronous talking device.
And you should know that the synchronous depends on timing.
The third model is that we'll be explaining is something you are and I want you to give some attention here because I can guarantee is that you may find the question about certain subjects, especially the something you have something you are we are considering something you are the most expensive, but the most secure way for a syndication something you are could be any biometric device a fingerprint reader a hand geometry, an iris scan, face recognition, a voice recognition also we have some kind of devices that we consider behavior base I mean, in something you have something you are which is a biometric device, it's considered two different types.
We have a physiology based and behavior based physiology based it's like a fingerprint something depends on your physiology on your you know, biometric, your eye scan or voice recognition behavior base, it's something like for instance, the signature bed you know, some devices you can write your signature on it and it will compare that to your real signature, this is called behavior based or some keyboard that will check how the pressure when you are using the keyboard This is called behavior based.
This is considered as I mentioned, very expensive but also very secure.
And to be able to understand their characteristic in general, I strongly strongly recommend this website there is a website that show you how can you compare between different biometric device and what is the characteristic of each one if you are going to buy any biometric device How can you choose? So, if we go to Google and the site name is 360 biometric 360 by your sorry by you metric so 360 biometrics excellent website from where you can go and you check the different kinds of biometric device behavior base physiology base, how can you we compare between them the different functionality in each one of them and so on.
So it's a very good resources to understand more about source biometric device and how they are working and how can you evaluate between them it's a very, very nice website getting back to our presentation.
Now, this actually is the most important slide in the something you are and as I told you, most probably you will find the question about certain size exam.
Now we explain so far as a different problem in different kinds of different problem in different kinds of devices.
I mean, in something you you, you know, the password the password can be break easily.
We'll be talking about that attack after few minutes.
There is a lot of problem when it comes to password.
It can be break.
It can be sniffer this can be social engineering.
I mean, you can get the passwords very easily.
Something you have could be losted.
It's not that it's very it's better than the password but also has its own problem.
What is the problem is biometric problem is a biometric.
It's to adjust the sensitivity.
And this actually is extremely important graph.
Let me explain to you when we are talking about the fingerprint scanning.
Let me get back here to this website.
Let's talk about the fingerprint scanning, getting back here.
Okay to fingerprint scanning, how the fingerprint is scanner are working.
Okay, so let's take a fingerprint, as you can see, when you have a fingerprint scanning, how it work is that it's not here, getting back, when he's reading your fingerprint, he's not taking a picture of your fingerprint, and later on, you will compare this picture is another picture, he's taking some point up from your fingerprint from your finger, and measures the distance between them and transferred them to value, then whenever you try to syndicate and you put and you put your fingerprint, he will do the same and compare this value to that value.
But maybe your finger is a little bit sweaty, maybe it's a little bit in an angle, it's not on the same way they are putting.
So you will not have the exact same value.
Now, what is the amount of error accepted? I mean, you know, what is the error value set, you can accept maybe the value that has been taken while you are calibrating It was 100.
This mean, if I put my fingerprint one more time, and the output was 80, should he accepts it, should we accept 20 as an error, less or more.
So that's why getting back to my graph here, the one down here, this x this is considered as the sensitivity.
And the one here, this is considered the failure attempt.
Okay, so let's explain that, if you start increasing the sensitivity, like we are doing here, okay, meaning that he has to get the exact same value of my fingerprint.
So if my fingerprint was a little bit sweaty, if my fingerprint was not put in this exact same way, I use this the first time, he will not accept it.
So but so by increasing the sensitivity, I'm increasing the number of failure.
So now, every time I try to syndicate he do not accept I have to try one and two and three time until he's accepting because he has a very high sensitivity.
So, the high sensitivity will cause something called the f are our false rejection error, which is I have been rejected, but I should not be rejected.
This is called the false rejection error are another name for it, it's type one error.
If I do the opposite one, I decrease the sensitivity what will happen is I have a big error rate.
So, whoever tried to authenticate, he will authenticate.
So, by decreasing the failure, the number of failure would be less and this will cause another kind of error which is more dangerous issue is called the FA R or false acceptance rate meaning I should not be accepted, but I have been accepted.
So it's more dangerous and this is as a different name is type two.
So, intersection of those two curve will introduce another terminology called car crossover error rate.
And this is how we are evaluating the biometric device, I mean, if you have two different car, I will look for the lower CRS This means more effective.
So, please give a big attention to this graph and understand what is type one error the false rejection rate and what is type two error the false acceptance rate and which one is more dangerous than one you may find the question asking you what is type one error is it fA r f is is it s er is it f RR and whatever name it is.
So very, very important to understand this biometric do not lose this question please.
What to consider when it comes to authentication? I mean, should we consider using something you have something you are we should consider a multi authentication factor and more than one authentication factor.
So if I'm using a fingerprint and a face recognition, do you consider that multi authentication factor, no sources single authentication factor, because you are using two from the same methods.
So when I'm saying multi authentication factor, I mean, a password and fingerprint scan one from each modern.
This is the recommended authenticate authentication models to be used the multi authentication factor In this lecture, I will be talking about the single sign on.
Now, single sign on, it's a very important topic in access control.
And later on during this domain, I want to distinguish between the single sign on and the central administration.
Let's talk about single sign on.
First, what is single sign on here is a scenario assumes that inside your network, you have more than one server, you have a SQL Server, you have an Oracle server, you have a SharePoint Server, you have a file server, we have a printer.
Now for each user, you're going to need to assign different permission on different server.
So user a gonna need to have some permission on the SQL Server, maybe he has lower permission on Oracle server, maybe have higher permission on SharePoint and so on.
So for each user, he gonna need to memorize different account on different services.
And this is not very effective way for access control.
But you know, opposite in a better way for doing that, what if each user has one account only.
And once he logged in, he can have access to all the server behind this network.
So he will have to log into the domain first and log into the SharePoint and then login to the know he have one account, where I can assign the proper permission on the same account to different services seem very effective.
But what is the side effect of that if someone was able to compromise his account, he will be able to access all his resources.
While if we have separate account on separate resources, if someone compromised one account, he will not be able to get the other resources.
So single sound has its own advantage, but also this advantage.
And we already are using that I don't know if you noticed that or not.
But when you log into Microsoft Windows domain, you notice that you can have access to all your resources resources one time.
So using the same account, you can access your file server, you can access your shared folder, you can actually use the same account, you don't need to have similar account.
And we're going to talk about one specific protocols that is implemented.
And actually this is implemented in Windows and in Linux is called Kerberos.
It's a single sign on protocol that can be used to allow people to log in just one time and access all the resources.
So one more time Single Sign On allow a user to log in one time and all the resources permission will be assigned to an account.
And we call that the key to the kingdom.
Because if it if the user lost it, or someone else compromised it, he will be able to access all second.
Now what exactly do we need to learn for the exam, when it comes to single sign on, you need to learn how it works.
So this is a very important slide.
And you need to understand how the Kerberos protocol, single sign on protocol works.
Now to be able to have a single sign on protocol, you need to have something called as you can see on your right, key distribution server.
So to implement Kerberos, you need to have kgs, or key distribution service.
Inside the server, you have two different server, you have an authentication server and you have a ticket granting server and we're going to explain that.
But it could be one server has to function which could be two separate function.
But after all, what do we call that? The key distribution server.
So here's the scenario.
We have one user.
And we have a network.
And this network has a file server and a print server and SharePoint servers have many server sets we are and we need to implement the single sign on so the user login and automatically he will be able to access his account on the file server and SharePoint and so on.
You don't need to memorize more than one account how it works.
So here is how Kerberos works.
This is my user Alice, she's sitting and she's writing her username and password.
Where are the username and password saved are saved on sort of certification server.
So the first Throne of the kds is working as an authentication server.
So she's writing your username and password and as you click on Enter Sue's username and password will be sent to the authentication shell server to validate them.
Now here's the tricky part here.
When Alice are sending her username and password, only his user name will be sent password will not be sent to the authentication server.
And this is to prevent sending the password over the wire so if someone is sniffling or doing a man in the middle attack, you will get up So what happened is the way Kerberos work that Alice will send his her user name, he will type the username and password.
The user name will be sent to the syndication server, but the password will be kept on her computer inside the cache.
So once syndication server receive the user name, he will only receive his user name, he will not receive the password, saying I am Alice and I want to look and he said, okay, unless you have your password, and I also have your Password Safe, I'm gonna send you a text that is encrypted with your password.
And if you are able to decrypt it using your password, just mean you are Alice.
One more time, Alice will send username authentication server will use the password as an encryption key it will not be used for validation, he will said you are saying your Alice fine, I'm going to send you a text and I'm going to encrypt this text using your password.
And since you have your password cached inside your computer, if the password has been decrypted, it was your key mean was your password method means this is the right password.
So both of them will be using the password as an encryption and decryption key.
And by doing that we are preventing for sending the password over the wire.
So this is a very tricky part, or the first things that you need to be about, you need to know about characters, they are not sending the password over the wire, actually.
So Alice will do nothing everything will be done behind the scene.
But this is how it worked.
All his username will be sent and the server will send a challenge for Alice, or a text that has been encrypted with Alice's password and is waiting if she is really Alice, her password will be able to decrypt the text.
This is the first step.
Now once authentication server confirms that this is Alice, automatically the TGS or the ticket granted server will send to the asset to Alice, a TGT ticket granting ticket it will send to asset it will send to Alice a Ticket Ticket granted it just a piece of codes that we consider like an ID.
So the TGT will issue an ID for Alice.
So next time Alice need to authenticate, you don't need to send the user name and receives this challenge and encrypted you just need to show her ID to the server.
So to make things more simple, the TGT will issue to Alice a ticket which is considered like an ID.
And it will be issued based on the authentication server approval.
Okay, so now Alice holds a TGT now the TGT it's a piece of code, but it's kept inside memory.
It's not saved on hard drive.
I mean, if Alice shut down her computer, she need to repeat this process one more time, send things user name and receiving this encrypted text and decrypt that was her password and but whenever she's on this ticket, it's inside the memory.
It's not kept on sides, the TGT is kept it's kept inside her memory, then Alice is gonna say, Okay, I have been authenticated and I received the ticket now Could you please allow me to access to the file server.
And she gonna show her ticket to the server and ask him to let him access to the file server.
According to that she will be having another ticket says the server will issue for asset for Alice, another ticket calls the session ticket St.
and Alice can only be acts as a file server using those two tickets, the TGT that has been received at the beginning.
And the STS that has been answered as a TGT that has been issued as the beginning and the STS that has been issued once and is requested to access the file server.
And unless Alice have those two tickets, she will not be able to access file server.
What about if there is another server Oracle server she need to do the same she's going to talk to the TGS telling him I need to access the Oracle server.
He said fine, show me your TGT.
Alice will show the TGT and the KD S will issue another St.
That is valid for the Oracle server now LS to be able to access the Oracle server.
She needs the TGT and the st for this Oracle server.
So for Alice to access any resources, how many tickets you need to take one of them has been issued at the beginning and it will be common in any connection to any devices.
Second one st it's related to whatever services trying to connect.
So she will be Having an STL file servers it will be different at SC for Oracle server and will be different than st for SharePoint server or file server.
So for each server should have one common ticket TGT.
And one very varying or variable ticket which is St.
This is how the es es or I'm sorry, how Kerberos as a single sign on protocol is working is important to understand the steps is important to understand what is the kds, it acts as a authentication server and ticket granting server, it's important to understand that in kerbals, we are not sending a password over the wire.
And it's important to understand that Alice to be able to access any device, I'm sorry, any resources binds the network, say she needs two different key TGT.
And this is it's not changing.
And st depends from one service to another service.
We have other SSL protocol besides Kerberos, who have csme, we have Federation.
They are vary from you know, like sesame's using asymmetric encryption, which is using symmetric and asymmetric which is more powerful.
But actually I want you to focus on Federation if you're going to ask you and say executive exam, it usually asked for the Federation Single Sign On besides Kerberos.
What is the Federation Single Sign On? This is the single sign on between website I mean, if you saw inside the question website, is asking about Single Sign On related to website is a federation what is Federation or single single sign on it? So when you What can I say when you authenticate assumes that you are booking an airline ticket online.
So you went to the page, and you reserve your ticket and you made the payment? Then he will ask you would you like to reserve a hotel room? Or would you like to rent a car and if you check, if you click on OK, he will redirect you to the renting car website, which could be a different website, but you will be logged in with the same account.
And you will be using the same credit card information.
So you did the single sign on between different websites.
This is called Federation.
So Federation is a single sign on related to websites.
So if you got the question, single sign on, and you find a key, which is web sites, it's a federation not Kerberos.
Be aware of those keywords because usually this is what they are doing besides exam, they will put a keyword that will change the option to choose.
So the key word for Federation Single Sign On is his website.
Okay, now, before going through zetec, I just need to explain in the next lecture, what is the central administration? And what is the difference between central administration and between the single sign on in this lecture, we will be talking about central administration about a product called radius.
And I want you to be able to distinguish between radius and between single sign on.
So single sign on it's different story has been already explained.
But what is radius exactly? Now, let me give you a small scenario, it will show you how it can be implemented assumes that you have a user that need different kinds of login to the network.
I mean, if he's inside the company as a company, he need to log in through the switch.
If he's using his laptop or smartphone, he needs to log into the network using the Wi Fi.
If he's outside, you need to connect to the company network using VPN.
And some places doesn't have internet so he can need to log in using dial up.
So for such user, how many account Do you need, you need like four account right.
And in a big organization for each user, you may need to give him four different account to be able to log into the network from those four different places.
So you need to have a network on the VPN.
And another I'm sorry, you need to have a password on the VPN server, you need to have a password on the Remote Access Server a password on the switch on why and so on.
So to simplify this process, we can have the radius connected to the network as you can see in the image in the screen.
And this regex software will hold just one account.
So he registers a database that has all username and password.
Now when one user try to log in through a VPN, for instance, the VPN server will become a URL will try to validate the account from the RADIUS server.
So VPN will not be keeping any accounts, he will try to validate if this is a valid account from the RADIUS server.
And according to that he will allow or deny, if the user tries to log in from remote access servers, Remote Access Server will try to validate the password from the register or same password.
So now the user can have only one password, you don't need to have different kinds of passwords on different device.
So this is a central administration scenario.
And this is the idea of using radius.
Now, you need to know about a brief about radius and about different product, that it's under the same category, I mean, we have radius, we have diameter, we have the taxi, we have the taxi plus.
And some of them support the voice.
Some of them are encrypted traffic.
So you just need to know a brief about each one of those, you will find that in small description about each one of them inside this sunflower document.
So very important to understand the central administration and to distinguish between the central administration and the single sign on single sign on its authentication and authorization.
radius, it's mainly authentication, I mean, now they have some products that do the same, but don't get confused, just to have one centralized place for all the devices to authenticate from.
So it become an back end server to be to syndicate for a VPN and dial up and any other server so user can have only one account.
So this is the idea of radius.
And as I told you, you you will find that in different location inside the site, some flour, but as I told you, you just need to know about the different product.
So they have like five product radius, diameter taxi, taxi plus x taxi, just the brief about each one of those will be great.
But you should know the idea what exactly is the benefit of using said in this lecture, we will be talking about access control, attack, and access control attack, actually attack in general is very important for the exam.
Many questions will come inside the exam asking you about the definition of a specific attack.
So we'll give some attention to that.
And the good point is that many attack will be repeated in different domain.
So you're going to find some attack here that will be repeated on the upcoming domain, which will give us the chance to keep repeating the definition.
So you will not forget about them.
So please give attention to attack.
And I would strongly recommend to have a sheet or a document where you are writing down zetec answer definition.
So here in access control attack, we have two different kinds of attack, we have the software attack, and we have we have the human element attack.
Let's start with the software attack.
I'm going to start with a similar attack.
So for instance, we have here an attack called the dictionary attack and brute force attack, which is kind of similar attack and I would like to add to them and please write it down some attack called the rainbow table attack.
So those three attacks actually focusing about cracking the password.
Let's talk about dictionary attack first because it's kind of simple attack dictionary attack it just you are using some program that keep trying the password you know a lot of program arzerra Let me show you a proof of concept.
So, if we go to Google and go to for instance there is an application called the Brutus Brutus cracking protest password okay.
So, this application for instance, this is how it looks like you are putting here is a computer IP or name and you are putting here what service you need to crack the password is is HTTP or is is a telnet or whatever.
And from here you are choosing a dictionary file.
This is a text file that have all old a lot of words, you know, like the same type of file that is found in Microsoft toward you know, when you are writing in Microsoft or how he is able to identify as the driver of spelling mistakes, he got the dictionary file that have all English word.
So when you are writing a words that does not exist in this dictionary, he will put an LED red underline and tell you this is the wrong spelling.
And when you right click on it, it will give you from the dictionary, all the similar road.
This is the kind of file he's using to crack your password.
So we're going to try to crack the password using a dictionary file.
And he gonna try word by word, this is called the dictionary attack where you are using a dictionary file and an automated application, he gonna start cracking one by one.
So point here, this will be effective.
In case of that your password is an English word.
I mean, if you are writing your password password, or football or anything like that, that can be found in the dictionary, this will be easy to crack using a dictionary attack.
While brute force attack it's a similar attack, except he's not trying from the dictionary file is only trying from randomly.
So if the dictionary file didn't work, you're gonna try letter by letter and number by number and sign by sign until he gets a password.
So you're gonna try is an ABS and ABCs and ABC, 123, and so on.
Now, the brute force attack, take time, especially if you are using a complex password, that's smart.
That's why most of the organization has now a complex password policy set it should be more than eight character capital and small and special character.
And this is to make the brute forcing very hard.
If you have such sitting, it takes few years to be able to crack or to get old combination of the password.
So brute force attack, it's effective if the password was not a complex password, but if it was a complex password, definitely you cannot use it.
I would like to add to this dictionary and brute force attack another attack from the same family please write it down because this was one of the exam question called the rainbow table attack.
So rainbow table attack.
It's a password cracking attack, except it's a little bit advanced it rainbow table.
Attack.
So the rainbow table attack.
It's a little bit advanced, what is the concept of rainbow table? Let me explain to you now the thing with a dictionary attack or or whatever attack you are talking about.
dictionary attack, why is taking too long time I mean, when we are talking about dictionary attack, why I'm sorry about brute force attack.
Why is not that effective? Because usually the passwords are saved on your computer.
encrypted as hash.
So what happened is, when you try a brute force attack, what happened, you're gonna try the letter.
And then he will encrypt it the same type of encryption, it's inside on your computer.
I mean, if you are using Microsoft Windows and you are cracking the windows password, windows, our savings are fine in an encryption called lm hash, this would be discussing the cryptography.
So the brute force application will start taking a letter and encrypt it to lm hash and then try to authenticate using this password will not work, then you're going to try abs and ABCs and ABS and so on and so forth.
This will take time because most of the effort will be lost in the encryption and decryption in rainbow table attack, it's quite different.
You go to some website, and you download some encrypted file.
So for instance, we can go to let me see let's open a Google website.
For instance, you can go to rainbow free rainbow table.com and free rainbow table.com.
And you can go and you can download the table so you can tell him I need a table that has lm hash password that has from six to 10 letters and has small and capital and special character.
So you will be having you'll be you have to download the tables that may be around maybe 20 gb or 30 gb.
But when you launch this table, when you launch this table what happened is he will just compare encryption with encryption.
I mean it's different that brute force brute force, take each letter and encrypted and tested.
Why a rainbow table it's a file that includes all password encrypted So he's going to try to compare encryption encryption.
So it's take less time than brute force, and it's very, very effective.
But all of those are considered a crack and password attack, brute force, dictionary attack and rainbow table, then we are going to talk about denial of service and distributed denial of service.
This is an attack that affects affect the availability of the system.
So I can try to launch a lot of traffic on web server and cause the server to be down so the user cannot be able to use it, I mean, I can launch some huge amount of traffic on a mail server of any organization.
Now those people who's working inside the organization cannot use mid server.
Now we're gonna have a discussion about denial of service in the network domain, because there is different types.
But I want to distinguish between do those denial of service and distributed denial of service or DDoS denial of services and attacks that you are doing from one computer to one server trying to crash the server and prevent user from using a server distributed denial of service that you are attacking one server from many computer and this is much more effective.
Let's see how it looked like.
So if we go here, and we type D, di, D, or s, Gtech.
So you can see that one person it's called the comment and control, usually one attacker are launching Some are spreading some malicious code on other machines called the zombie or the dust.
And what happened is he has the capability to send the request for all those malicious code, botnet or zombie or dusts has a different name to attack one server.
So it's a very, very effective attack, because it's it led to a huge amount of traffic from a huge amount of machines.
So it's a kind of effective attack.
This is called the distributed denial of service.
And as I told you, this is called the one who's managing that is called command and control center.
And they are doing that as a business right now you are going you can go to the underground society, and ask them to crash any service and it will cost you around $20.
So it become more as a business right now.
Now, let's talk about different kinds of attacks.
We're going to talk about similar attacks, we're going to talk about the trapdoor backdoor maintenance, hope, Trojan, they are all on the same category.
What is that? Exactly? Those are some applications that lead to lack of information.
So for instance, a backdoor it's some software malicious software is that you may get infected with it will open a port on your machine, we're going to explain the port on the network and allow someone to connect to your network.
What is the maintenance of extra maintenance hook is the same concept except it has been done for good use.
But it has been misused.
So usually who's doing the maintenance hook programmers or developers so if I'm doing a program for a company, I can put the back door that allow me to connect to this program.
So if they have any problem, I can solve the problem remotely.
It has been done for good use, but if someone was able to get some information about this backdoor
He will be able to log into the network and manipulate sets.
That's why when you are doing a development for your organization, you have to ask the developer do not put any maintenance or actually have to make him sign that set, your system doesn't have any maintenance.
So trapdoor backdoor maintenance are in the same area, we have the buffer overflow.
And this will be explained also in the network part where I can start manipulating the computer memory.
So assumes that I'm using a program and this program is taking some information from me and put them inside memory and do some processing like calculator when you're writing that number on calculator, it will be taken and saved into memory and then some processing will be done on it.
What if I put out I sent to the memory, more information that he can manage, what will happen is it will crash and not just crash.
But if I was able to reach the memories, there is some critical area and sad memory that whatever I can send that it will be executed.
So buffer overflow, it's manipulating memory.
And we'll take some proof of concept later on malicious code, like virus and warm and ransomware anything that may affect the file or the hardware or is information.
This is also considered a access control.
Access Control attacks.
sniffing sniffing is a layer two attack usually done inside land where people can have some applications that monitor everyone traffic so I can have on my computer program that anyone inside my network wired or wireless, I can see what exactly he's sending an old username and password and what informations on.
moderation.
It's an attack related to cabling.
And then never saw this attack live.
But you should know the definition of that is just that you can sniffer or you can see the traffic through the wire.
I mean, that's why they are asking you for the network wire it should be hidden.
Because it seems at some devices when you put them on the network wire.
You can see what exactly information is going through this wire.
spoofing mean faking spoofing your IP mean faking your IP or spoofing your mac address or full spoofing email.
So this is also considered an access control attack.
Okay, so let's see if we have time for the Yeah.
So now let's talk about the human based attack.
Now when we are talking about human based, let me tell you that most of the attacks the last 10 years is a major one like Sony, RSA, Aramco, Saudi Arabia, no sauce, old DoS attack actually, was because of the human based.
So a lot of big organizations are like Sony, they have the latest and greatest technology.
And they have all kinds of security compliance and all experts and they have been compromised more than one time.
They Bell muster visa, all of them has been compromised.
And the major cases, as I told you, is based on the people intentionally or not intentionally, I can spend one week trying to compromise the network, and bypass the firewall and so on, or I can send an email for the employee inside, hoping that if someone opens his email and click on the link, he will let me in.
So it's quite effective.
So realistically, the human base is quite effective.
So we have attacks like guessing password.
A lot of people are assigning passwords that is easy to guess, like password, plus 123, or a name of their family member, or, you know, so you can try by guessing the password, shoulder surfing.
And this is if you are looking beside someone where his writings a password, dumpster diving, which is looking inside the trash, maybe you can find the sticky notes that has a password on it seft and social engineering and this is the most effective effective attack where you are trying to convince people depending on the week our illness so for instance, you are calling someone over the phone you are assuming that you are from technical support.
And you search online you're able to get some information about technical support people working then as their name.
So you mentioned that I'm this guy from technical support.
You have a virus on your machine, please share your password.
So we can go and read almost as possible.
It may be seem very basic, but actually realistically it work.
And there is a book that if you get a chance I want you to read this called the art of deception for a guy called Kevin Mitnick.
He was one of the very famous social engineering and he spent most of his life in jail but now he's one of the biggest security experts and consulting But he was writing his experience how he was able to compromise banks and FBI and Ericsson and many, many of the major companies just by social engineering, quite interesting.
So if you get a chance, please read it actually, you know, it will give you a lot of like knowledge about social engineering and how to prevent social engineering.
And spoofing, which is the same concept, which is faking.
So I can spoof my caller ID.
So I can be calling someone and it will show it's coming from your his bank.
And I can ask for any information or I can spoof a spoof SMS, or I can spoof email.
So also, this is attack related to access control to part remaining in this domain, which would be the intrusion detection system, and penetration testing.
We'll be covering two upcoming lecture.
In this lecture, we'll be talking about intrusion detection system or IDs.
And we're going to talk about different kinds of intrusion detection system.
But during the network, and during the physical, we'll be going more in depth regarding that answer type.
What is intrusion detection system or is IDs, intrusion detection system or mainly network intrusion detection system, it's a detective technique.
So this is how it works.
It if you have an IDS, it could be an appliance or a software and you run that inside your network, it will start sniffing the network it will start capturing all type of traffic inside your network.
And if he detect any malicious traffic, he will notify you He will not stop it.
That's why it's called intrusion detection.
While we have another product called intrusion prevention system IPS works the same way except when he found some malicious code, some malicious traffic he will stop them.
So their intrusion detection systems sniffer your network analyzer traffic.
And if he found any suspecting traffic, he will detect and notify but he will not stop it.
Now, if you need to be more familiar with that, you can install a program called snort, snort one of the major application for IDs to be to go through this applications and see how it works.
But for the purpose of this course, you don't need to know specific product or you not you don't need to know how to configure it or anything like that.
You just need to know the functionality of ideas.
Under which category it won't work as a detective layer.
It's not a preventive while firewall is preventive, but IDs is detective and we have two different type and some tricky part here.
So an idea is we have the signature based signature based SIG net based and we have sorry, based signature based and behavior based the new fee are based now what is the difference between them signature based will work as an antivirus.
So you put some signatures, and he start monitoring the traffic inside the network.
And he found if he found any malicious traffic, he will detect and notify while behavior base.
It's smarter than that behavior base.
You let that running for your network for a while, two weeks three week until he built a baseline and he will know what is normal.
And according to that, if anything else abnormal show up he will identify that as a suspicious behavior.
It's like you are getting a security guard in your site or your organization.
And you don't tell him anything.
And you need to let him work for a couple of weeks.
He will be checking people coming in and out for two three week eventually he will know who are the people whose work inside this organization.
And whenever an intruder show up, he will know that he's this guy do not belong to this organization.
It's kind of the same topic.
So behavior based it's more smarter accepted, take more time to configure because You'll get a lot of false positive and he will suspect everything.
Besides if your network is compromised from the beginning, he will consider compromise ation is normal.
So this is a two type also we have two category of we have two category of IDs we have the network is IPS network these, where you have an IPS that sorry, you have an IPS that run inside your network and detect all kinds of traffic.
And this is working life.
I mean, he's sniffing the network, any traffic going from any machine to any machine is going through the IPS software or appliance.
And we have a host, these IPS will, you can install it on your computer, host based IPS, you can install it on your computer and you will detect anything suspicious.
Now there is a tricky point here that you may expect the question about that for an exam.
network based IDs is taking his information from where from capturing live traffic.
While so host based IPS, he's taking his information from event viewer and logs.
So he's not really working life event viewer.
He's analyzing the traffic from the event viewer, for instance, and any log that you have on your system.
So this is actually very, very important to consider that host based IPS, I'm sorry, IDs are using logs and events to analyze the traffic while natural bees are using the real traffic.
Now before closing this lecture, I just want to distinguish between the technical ideas that we are talking about right now and the physical ideas that we'll be talking about on the physical second.
Because we have an intrusion detection system when it comes to physical security, you know, this device that car implement in stores, that if someone tried to break in, it will launch any kind of alarm, this is also considered an idea sensor is type of magnetic and voice detection and this kind of thing, but this will be explained into the physical security domain.
But right now we are talking about the technical security ideas, by the way, another way for technical insight CISSP it's logic.
And so whenever you get asked about logic and security layer, or logical domains, this is considered as a technical domain.
After finishing the access control domain, so we just need to go through the sunflower and focus about some of the important point before going and solving some question and seeing the type of question we may face inside the exam.
No, in the sunflower document, some domain or two page while some domain or three or some domain or five depends about how long or how big the domain is, and some domain are one page.
So the access control it's actually two page.
So let's see what exactly do we need to check before going.
So the identification and as a triple A, this is actually we went through that type of access controls the deck and Mac and their specification.
This is also important, um, just you know reviewing the document as a preventive and corrective defining or categorizing security.
Also this is important I'm just pointing to some important topic.
Now the type of password you'll find more than one type, I mean you'll find this concave password which is things like your mother's maiden name or something like that passphrase one time password hashing.
Yeah, identifying the two different kinds of talking device time based and not time based synchronous and asynchronous.
As you can see nothing major it Kerberos single sign ons istep are very, very important.
And please give you specific attention for things that is underlined or capital letter.
This is very, very important.
This is how Single Sign On work explains that in depth there is other type of single sign on like sesame like pro night, but as you can see just as given line, but definitely single sign on is the most important party directory service some access control mythology like radius, we already explained radius TAXI TAXI plus the same concept or same definition repeated in Central Park.
Okay.
What else? Yeah, standard or sometime important like Active Directory or Domain Services, what is the standard for that? Or smartcard? What is the standard for that? So the standard number, just write it down inside your CISSP notes.
Web Access Management, password management profile update, like also the NIST publication are important for penetration testing, or any last publication, you'll find that only you need to be aware of around nine NIST publication number k.
In penetration testing, you'll notice that there is some different name like blue team, Red team, white box black box, so you know, we explained that that during the domain, but sometimes you will find them under a different name.
So you know, just go through it.
So for instance, there is a part here regarding the sole that is used in Linux that we explained put some randomization.
Now this was in cryptography, I'm sorry.
But it's quite easy.
Okay.
Now, let's go and check some question and see how exactly they look like.
According to our discussion, at the beginning of this course, we agreed that whenever we finish a domain, you need to go to this specific website, and answer all the questions related to this domain.
On each domains, they have around 100 questions besides one of the good benefit about this course it has the full course mp3 for free, so you can download it and listen to it while you are driving or while you have time.
So the objective for taking few question 345.
Question a just to see how tricky The question is.
So or how to practice a question.
And I want to tell you that it's very important to answer as much question as you can, because, as you notice, on the access control, and same concept apply on the remaining of the domain, that the exam is the content is actually just a very, very high level, but it's too much.
And the problem that people facing, and that's why a lot of people do not create the exam easily is that the exam is tricky.
So you need to learn how to get the tricky words inside the question.
And how to think the same way ice square are thinking.
So let's see some question and let's discuss that during the question.
So I'm going to each domain has two questionnaires.
Each one has around 50 questions.
So I'm going to take like few couple of them or something just to get an idea of the question.
Now, here is the first question.
So the question is saying Which of the following is not a result of a penetration testing? modify access, control permission, identify network vulnerability, evaluate IDs effectiveness or enhance incident response procedures.
Now, if you think about it, what could be the result of because one of the things that you should consider for the exam, this it's not a ordered list, or I mean usually they are not asking straightforward they will ask it for its opposite so well, which of which zoning is not a result of penetration testing.
So let's take them for instance, evaluating the incident response.
This could be a result from my penetration testing because people are doing penetration testing, they may check your incident response.
Is user detecting the problem? And how's your reporting? evaluating the IDS? effectiveness? Yes, I'm doing penetration testing, I'm going to see if I'll be detected or not.
Identifying network vulnerabilities, this could be an result for penetration testing.
But what about the first one? modifying access control permission? Definitely, this is not because actually permission, it's assigned based on need to know for instance, so I cannot say, as an output of my penetration testing, please give to this gentleman higher permission, it doesn't make any sense.
Who should say that this should get higher or lower permission, their function and manager or dependents need to know so it's not a result from the output.
It's not an output from penetration testing.
So if I select this one, I click on submit, it will give you the explanation.
Now, it's very, very important to read the explanation in both way if you are right, or if you are wrong, because if you are wrong, you need to know why you are wrong.
But if you are right, you need to know did you sink the right way? Or it was just a coincidence.
So explanation is extremely important.
So it doesn't matter if you answer all the question wrong at the beginning, but you have to read the explanation because this is actually very, very important for us.
This is a question about rain is an internal internal auditor who considers audit logs.
She is talking to her vice president explained to her explaining the importance of having logs.
So as you can see here, what is the weakest reason she is not asking what is the best reason to have a log or managing solo course on weakest? But the good thing is that inside the exams, they will put that in bold, what is not what? So is it because unprotected log can be easily alternative by intruders after committing a crime.
Now, this is important.
Or this is true.
If you check anyway, because I don't spend the time reading the question, but you find that the weakest one is that the an approved change order clock may hurt the consistency of the reporting.
So the report will not be looking nice or something like that.
This is not a very good reason to keep log management or something like that.
Okay.
In logs, what is the most operating system and application allow an administrator to configure the default the data will be captured in an audit log or security purpose, which of the following is least important see the least important item to be captured? what not, it's not very important to be captured system performance output data.
Laser, I'm sorry, last user who acts as a device, number of unsuccessful attempts, number of successful attempts.
So this is kind of confusing.
I mean, it's better for us to remove the things that do not apply mean, unsuccessful attempt is very important.
Last user who attended or this very important in case you do troubleshoot, so we are confused between system performance and number of successful access attempts.
So let's see this one number of successful is incorrect.
Its system performance output that my opinion is that system performance output data should be captured.
But I told you that it's all about IC square mentality.
So you need to read the explanation.
And why is this not? Because after a while, you'll get some intelligence.
And you'll be thinking the same way as they are thinking.
Okay, host based intrusion detection system IDs, we have the host based maintain utilize which of the following performs their analysis.
I mean, he's getting the information from where sonetel base is getting the information from the traffic, but the host base on your computer, actually is the host based IDs are getting the information from the audit log and system file.
So he's not capturing the life packet he checking the log event viewer is getting the information from and this is actually was written in sunflower to quite clear, and so on.
So I believe that you can see how quick is a question is it's not technical, it's not hard.
It just needs some attention while we're answering and most importantly, it needs that you get the mentality of ice square house they are thinking you know what I mean? So this is very important, and you will not be able to get it unless you solve as much question as you can.
It's not about knowledge, it's about zero mentality.
Cloud Security is a very important topic is the new CISSP course.
And the recent exam include some good amount of question about cloud security.
The challenge that I had, while I'm preparing this course, that's the topic of cloud security was divided into different domains.
We don't have a separate domain from for cloud security.
But the topic itself was divided into the eight domains of the CISSP training.
And according to that one of the domain was explaining the type of cloud services and as of domain was explaining the different cloud layer security, a certain domain was explaining the cloud security attacks, and so on, and so forth.
And I decided set to combine all those lectures together in one separate chapter.
It's not a separate domain.
But I think this is very important.
And by going through those lecture in this chapter about cloud security, you will feel comfortable about any question that you're going to face inside the exam related to cloud security.
The topics that I selected in this chapter was taking from my certified cloud security professional from IC square, there is a lot of common topic between this course and between the CISSP.
So one of the additional benefits will be by going through this chapter and understands what is a cloud says the different type of cloud services and how to implement cloud security in different layers, it will be helpful for you to pass the CISSP exam.
And in case you decided to take the ccsp after finishing the CISSP, it will not take that much effort.
So those lecture in this chapter was taking from the IC squared ccsp.
And it's important to the CISSP.
And in the future, if you plan to take this certificate as well, those lecture room will help you to be able to pass the exam from the first session.
So let's go through the different cloud security terminology, and the best practice when it comes to implementing security in cloud.
Before starting to define different terminology related to cloud computing, I would like to refer you to a very important documents that will be used during this training, which is NIST Special Publication 801 45.
This NIST special Special Publication include all the cloud computing definition that will be needed during this training.
So you can download it from here.
And I also going to attach the document to this lecture.
This document you will find the terminologies that you need to know before start the training.
What is the definition of cloud computing? What is the computing resources, a configurable computing resources, like a network or server or storage or application, you're going to see is the terminology of service models, like software as a service or platform as a service or infrastructure as a service.
And you get to learn the basics from here, but we're going to explain them in depth.
After a few minutes.
You get to know the definition of of deployment models or what different types of deployment models so private clouds, public clouds, hybrid clouds.
So our main reference in the finding measure terminology related to cloud computing will be the next publication 801 45.
So I will suggest before starting to download this document is is a very small document and have a look about those definition before starting explaining them in depth.
In this lecture, we're going to talk about the different types of cloud computing services.
We have the infrastructure as a services, or is, we have the platform as a service or pass.
And we have the software as a service or SaaS.
Now what is the difference between them? Let's check this diagram.
When you manage your own IT services on premises, you are managing the full stacks up to the cooling and the network and the storage server, everything is managed by you.
So the first cloud computing service, which is the infrastructure, cloud computing, you are giving a part of those stack to be managed by an MSP or a managed service provider.
So the cloud computing or the MSP will manage for us the network, the storage, the server and the virtualization.
But you can still manage yourself 's operating system to be used the middleware, the runtime, the data is application.
So only a part in green will be managed by the MSB.
The platform as a service, you are giving everything to be managed by the service provider except the data ends application.
But everything else will be managed by the MSP.
While the software as a service, you are giving everything to the service provider.
And you just are subscribing into the service.
And a good example for that is office 365.
You are just subscribed to use the software, you are not managing anything, you're not managing the network, you are not managing the storage virtualization everything is managed by z MSP.
So those are the three different modern of cloud computing.
So let's take some realistic example about the IRS or pass or cess.
In this domain, we will be covering security assessment and testing.
This is quite important to evaluate if the security that you are implementing in your organization, is it effective or not? In the sense that how can you know that the technical security implemented in your organization? It's effective? How can you knows that the firewall that you implemented recently in your infrastructure, it's working effectively, and it can prevent any kind of attacks? How can you know that the policy and procedures that you are using as a part of the administrative security, it's an effective policy.
So security, which is quite important.
It's not just to implement technical equipment and administrative security, but also you need to evaluate their effectiveness.
That's why and this is quite important.
Most of the security framework like ISO 27,001, or or PCI, DSS, or HIPAA, most of the information security framework that we are using, is requesting to do a vulnerability assessment and penetration testing once per year.
I'm not sure about it's once per year or twice per year, but it has to be done frequently.
What is the purpose of doing it? Why are we doing a vulnerability assessment or a security or penetration testing frequently, just to evaluate that money and effort we spent on security, it's enough and it's effective as well.
So in this domain, we will be talking about the different way for evaluating the security or security assessment and testing.
We're going to talk about vulnerability assessment and what is difference between vulnerability assessment and penetration testing.
We're going to talk about auditing.
We're going to talk about admist administrative and technical security evaluation.
But instead of keeping this domain dry, just by explaining the concept, I will try to show you some of the tools as well.
So you will be knowing for instance, if you need to do a vulnerability assessment using one of the tools How can you do that and what will be output offset? We will discuss topics related to our portfolio And 12 is a very important topic covered here.
And in the next domain will be is a vulnerability is a patch management, which usually it's an output for a vulnerability assessment, and I'm going to explain to you what is a patch management process? And what do we mean by patch management in the first place.
So here we're going to talk about the system security control testing, software security control testing, where we'll be talking about code reviewing and everything related to software, software security, because software also right now is considered one of the weaknesses in any system.
We're gonna talk about secure process data collection, and we're going to talk about audit.
So let's start with the security assessment.
As we agree, before we start in system in that we need to own it, we need to test both administrative and technical control.
So it's not enough to test the technical control.
If I'm doing a penetration testing or vulnerability assessment.
Most probably I'm focusing about the technical control, checking, can I bypass the firewall? Can I bypass the antivirus? Can I bypass technical security control? This will not be enough.
Because what if you have a strong technical control but you don't have an administrative control, which is related to the policy and procedures.
So I'm going to show you how to test both technical and administrative, then you need to examine the entire security posture in ways that we need to examine the policies organization security's a management altitude to security are they committed to security or not.
So it's a full testing process, not just a part of it.
But before doing that, you need to have some consideration some risks need to be considered before doing a security assessment.
First, we need to make sure that if we plan to take or to make a security assessment, it should cover everything that technical control, administrative control policy and procedure management commitment.
So it needs to cover everything related to risk management, then, you need to make sure that the testings that you are you are doing will not disturb any production environment.
So if you are doing a vulnerability assessment, there is a process for doing it, you should inform the proper team first, you should send them what will be tested.
And some of the tests need to be done after working hour.
This is quite important.
It's not that you should do the test anytime.
Because in some environment, that production environment if it gets affected in any way, it will affect their business and reputation.
So it's quite important to consider what the Stourbridge what the still this disturb may happen due to this testing, then we need to the result of the testing need to be managed and actually if you are following any framework, Wednesday, audit will come to you they will check the result of the testing this will not be enough.
So if you are ISO 27,001 certified, and because ISO is requesting that you should do a vulnerability assessment and penetration testing frequently.
One of the questions that you may get from the auditor is to see the report from the this testings a vulnerability assessment or penetration testing report.
So it's not enough to show him that you did the report by time or it needs it as a security assessment by time, but also need to show the auditor what task or what action has been taking to close this finding.
And this will be explained more in this domain.
So testing is a full cycle process.
We will be talking about the different way for testing as a full process for test.
And I will guide you with some of the tools that we are using realistically in our environment.
And also I'm going to share with you some of the template for the result of PSA testing.
Because as I was saying, it's not just it's not about just conducting the test, but it's quite important to remediate or to close the finding.
This is the important part and sometimes the finding is technical and sometimes it's not.
So this is quite important is the risk conducting to the security assessment, and especially is a point related to not affecting the operational work.
I'm going to show you how it's usually done in the real world.
In this lecture, the testing itself should be running according to a strategy.
It's not like let's, you know, you guys are with your team.
And you said, Okay, let's do testing tomorrow, it shouldn't be done this way.
So properly is to have a plan is that we are doing a vulnerability assessment testing, for instance, twice, twice per year, the first quarter, and the second is the first six months, and then the second month or maybe each quarter of the year.
So it should be done according to a policy, and then you should write report, and then you should send it to the concerned team to work on those solving.
Now, you will see that this could be in a different way.
I mean, if you are doing that, for instance, for your developer team, if you have a developer team in house, it will be done in a different way.
Well, if you're doing that, for as a technical team, also, there is some consideration for doing it.
But in general, it should be done according to a security assessment policy.
You should create a security assessment methodology.
And this will be showing in this lecture assigning testing role and responsibility who is responsible for what determine which system will be test.
And this is important, if you have an infrastructure, what exactly we'll be testing, I'll be testing the critical one.
If you have a server, and the server is a critical server to my business, this needs to be tested because it if it gets compromised or crashed for any reason, it will affect my business.
So when it comes to the priority, I will not be able to test everything in my organization, but I need to identify the systems that will be testing according to their criticality, then, you need to determine how you will approach the testing, addressing the logistic issue, the legal regulation is a policy consideration.
And also this would be clarified to some example later on.
Carry out testing, I don't think any incidents that arise during or because of the testing, what if something went wrong, you are trying to testing a web application and it crashed? Or you are trying to test it in like a production environment.
And a problem happened? Do you have the rollback plan, how long it will take you to retrieve the system you should have a plan for that maintains the CIA principle confidentiality, integrity and availability, analyze data and create report that will turn technical findings into a risk.
Don't forget that the report that you will submit as a result of your from your testing, it will be sent to different entity including management, you should not keep it very technical report, because it will not be easy to understand.
But you need to translate the technical part to risk.
We have this problems that may cause that and we already covered the risk in the first domain.
So it's quite important to consider the risk Actually, it's not just important, it's a requirement.
It's a government requirement.
It's a regulation requirement, you have to test your security.
So let's start and see the different way for testing it.
And as I told you, I'm going to share a lot of templates.
And I'm going to share a lot of methodology, and some demonstration just to prove the concept.
Of course, the demonstration will not be a part of the exam, but at least you'll be knowing what we are doing and what the results will be getting and so on.
So what should be the output of a security assessment testing? As we mentioned in the previous lecture, we have two different type of security assessment administrative and technical security system.
In the administrative assessment, the output should be something like the responses by management and user to security related questions.
It could be the list of existing among existing procedures or documentation.
What documentation is not there? Do you have procedures for access control? Do you have procedures for encryption? Do you have a procedure? So you need to check what procedures and other documentation are available or not available? Could be the two records observation of user and management activity could be to record the observation of existing procedures and policy.
So this could be some of the administrative assessment test output.
And as I told you, I'm going to show you some of those documents as templates.
Of course, not real information.
But I'm going to show you a sample of the assessment for administrative assessment.
While for technical assessment, it could be the gyre current firewall configuration of each system, a lot of system will have a firewall.
But we do not review the firewall from time to time.
And maybe we did assign the rules, but we are not using any anymore.
So the firewall need to be reviewed frequently is quite important.
antivirus patch management or patch level of each system.
Are you updating your antivirus because you know, all the antivirus needs to be updated.
And it needs to be done through a management system, not randomly on each machine.
List of known potential vulnerability found on HSM and this is mainly a vulnerability assessments that we're going to see later on in this course, I'm going to show you the tools that will identify the vulnerability and will rank them according to their criticality is this vulnerability very critical or less critical or minimum.
And if you can relate this point to the due diligence and due care that we spoke about in the first domain, that you as an security officer need to be aware of the vulnerability on your system.
And you can only be aware of that if you are doing frequently vulnerability assessment.
List of the full configuration of each system also, we're going to see is that a lot of system will have a default configuration, a default username and password default setting.
So you need to make sure that you change the default configuration.
A very small example will be the administrative account on each system, do you disabled this account by default, the default if you are using some equipment, routers or switches, most of them has default account and you just can go to the full password, the comm www the default password will come.
And it will give you a list of all the default account in different system.
So you need to identify the default configuration and default account, list of unused user account funds found on each system.
Now you as an organization, you have people coming and then people leaving the company, and people join it for a small period of time for a project and then they leave the company.
How do you manage it? Do you have user on your system for account or account for users that they are not there anymore? Do you verify the account frequently? What is your sequence? Or what is your process for deleting an account? Do you delete it right away someone leaves the company.
So you will delete his account right away.
Or do you keep it for a while you disable his account and make keep it for instance for two or three months.
According to the policy.
Don't forget, everything needs to be done according to a policy and then deleted after set.
So you should have a policy list of user privilege level on each resources or system.
privilege is a big issue.
So you need to have a list of all user who got privilege and why it needs to be justified.
So this is some of the technical assessment output.
Later on, you're gonna see some samples of both of source reports.
But this what you need to have in your mind when as an output for the test assessment.
Let's start with the vulnerability assessment as a way for testing your security, for inability assessment just to identify your weakness.
Now it consider that not all vulnerability represent the risk.
Sometimes you may have learnability, but it doesn't have any threats.
We already covered that in the first domain.
So vulnerability, it's important, but you need also to classify them or to rank them according to their criticality.
And we're going to take a couple of demo in this domain.
Instead of keeping this topic dry, I'm going to show you a real vulnerability assessment process how it's done, what tools is usually used free and paid.
What kind of report you'll be getting what is the most important part for inability assessment.
So before show us a demonstration using different tools, let's talk about when it should be performed.
When should I do it for novelty assessment, we should do that when you first deploy a new update or new or updated system.
So you got us system or you are updating system let's do it from the welfare assessment just to see if this system is vulnerable.
The vulnerability as has been identified when you were in the military have been identified.
So there is some new vulnerability or announced on some of the website.
So for instance, a new weakness in Windows system so I should scan my Windows system is is vulnerable or not.
If a secure breach or cure.
So I need to check, do we have any other weaknesses that may allow any new breaches or not, or need to document a security state of system.
So I need to know where I'm standing right now when it comes to security.
vulnerability scanning could include port scanner, protocol analyzer, packet analyzer, network enumeration, and intelligence gathering.
So let's see how we are doing that practically.
Now, we're gonna start with the vulnerability assessment, and a vulnerability assessment as a process, it's quite important for two different reasons.
First, this will be a core fees that will be needed for all upcoming phases.
So for the penetration testing for reporting, vulnerability assessment is very important to identifies availability, and then eliminate the false positive, and then try to test the remaining vulnerability, is it exploitable or not? But the second and most important reason is that vulnerability assessment by itself, sometimes it's a separate task.
And it's one of the compliance requirement.
So besides a penetration testing, you may need to do only vulnerability assessment for any organization.
So you can do that you can run any vulnerability management tools, as you're gonna see in this section, and get report and you need to fine tune the report.
So it will be readable for management and non it people and then shows them the type of vulnerabilities they have, and what is the recommended solution for solving them.
So what I'm trying to say here is that a vulnerability assessment could be a project by itself, not just a part of the full penetration testing project.
And we're going to try to do different types of vulnerability assessment.
Because actually, it depends on your project scope, if you are doing a network penetration testing, so the type of vulnerability assessment that you're going to do, it's related to the network.
And you're going to use the tools that help you identify the network vulnerability.
While if you are doing the same for a web application, you may need the different tools with a different type of vulnerability assessment methodology.
So it depends on what exactly your scope.
So we're gonna use few tools in this section showing you how it works, is the reporting part.
But again, you have to practice that to yourself, and choose the tools that is suitable for your project and for your scope.
So the first tool that we're going to use is nessus, which was one of the oldest we're very, very common, very, very useful, and effective as well.
So nurses, we already saw in the previous section, how to download answers, and how to set up nurses.
So if you remember after it's a web based application, so it should be inside, I did add the URL in my favorites, here we go.
And this is the login screen, we're going to click on Sign in.
And this is nature's interface.
next lecture, we're going to start some virtual machine and then we're gonna run the vulnerability assessment against those machine.
And we're going to discuss the output that came and how it can be used for the next phase, or how it can be submitted in report to management as a separate task.
In the previous lecture, we saw some of the common vulnerability assessment tools.
And in the next lecture in the same section, we're going to see some of the penetration testing tool.
Now, it's not about those specific tools, as I keep saying that you can use whatever is comfortable for you, and whatever is suitable for the project that you are working on.
So the project and according to the scope of the project, you may select to.
We went through some of the tools but let me show you some more free of them in Kali Linux, that include most of the vulnerability and penetration testing tool that you may use.
So which tool should I use, I cannot tell you that I'm just showing you different tools.
And I want you to get used to it and get practice to it, using it and use whatever is comfortable for you and whatever is suitable for the projects that you are running.
So for instance, if your project is a project, a web application website So you need to scan a web application, there is a lot of tools, there is hundreds of tools.
But if you go to Kali Linux ones that we set up in the virtual machine in the previous lecture, and go for instant to web application analysis, you will find a lot of tools that you can use.
So for instance, we have this tools, it's very, very powerful.
I used it before.
So this is a web application analyst.
And you will find different tools for vulnerability for especially for web application.
So for instance, I like this tool, very much OS Zed, and we'll talk about that later on is that it's an open source web application project where you can or actually they usually publish is the most common vulnerability every year.
So they will check in the web application, how many vulnerabilities are found that match the top 10 vulnerabilities.
So this is the interface, it's a free tools, and very effective.
And I'm just showing you the tools, we're going to use different tools.
But we will not be able to cover all the Governability assessment tools are all the penetration testing tools, we are just getting the concept and I'm I leave to you to try to use them and even to search for more and use whatever is comfortable for you.
So wasp, zap is web application vulnerability assessment is that is straightforward graphical interface is key, carrying the next slide, but its graphical interface.
So as you can see, this is was observed very effective tools.
And you can add a project, and it has a very good library depend on this the top 10 vulnerability assessment here, you can put the URLs that you want to check the vulnerability for.
And we're gonna see some example using this specific tool.
So the point here, it's not that you need to have three or four tools that will be used.
The point here is that you need to know that there is a lot of a variety of tools, and on different platforms on Windows and Linux.
And some of them are free, some of them are paid.
So before you start working on penetration testing project, you need to specify the tools that you're going to use, and you never think about the underground tools.
So you should not go to those dark or Deep Web website and try to get one of those underground tools that may cause a lot of problem in your project.
When you work in a professional level, you have to use a professional tools.
So this also is another tools that I wanted to point to.
And if you just open your Kali Linux machine and check you'll find a lot of vulnerability assessment tool for web application and for system and so on.
And you know, you can just open and go through them in a brief way, because most of them are working in the same way.
So they are giving, you know, the same output but in a different way.
Another point that I want to mention is that when you do a project do not depend on only one tools.
This is very important, because different tools will give you different trip different results.
And as I mentioned that earlier, using your analytical techniques that we're going to learn during this training, you will have your own report.
So do not use those automated report, you have to read it and read a report from another tools and read on the same target and see what could be support false positive, false positive and what could be a real vulnerability and real weakness.
Starting from the next section, we're still working on a get familiar with the tools but we're going to point to some penetration testing tools.
So let's see some of the common penetration testing.
Let's move to the penetration testing part for evaluating our security.
Now penetration testing is different than vulnerability assessment in ways that vulnerability assessment will just will will just identifies weakness, while penetration penetration testing will test if this weakness can lead to compromising the system or not.
So for instance, I may have a vulnerability which is an open port, this could be considered a vulnerability.
Now the penetration testing will try to hack the system from this open port.
This is an example very simple example because actually penetration testing it's much more deeper sense.
And usually when we do a penetration testing we need to identify our scope.
What exactly is our scope for from a penetration testing is it Network penetration testing, is it a white box, a black box? Is it a social engineering penetration testing, we have many types, which we're going to explain in a few minutes.
So penetration testing cannot replace a vulnerability assessment and vice versa.
Both of them are important.
And both of them are a compliance requirement.
So in this section, we're going to talk about the penetration testing process, what are the phases in penetration testing what you should be expecting from each phases and so on.
But you need to understand that, when you do a penetration testing to a customer, you need to get some results in ways that you need to show them I was able to compromise the system, I was able to get access to this database, I was able to create a folder I was able.
So it's not like a vulnerability assessment where you just identify or showing the management weakness here, you need to show them that you were able to get into their system from those weakness.
So it's quite important to like use a tool that will allow you to do a proper penetration test.
Now penetration testing is very restrict, I mean, it sounds like the way you are seeing it in a second hacking course, you will not get an underground tool and use it, you have to use a proper tool, you have to have a proper plan.
You need to have a plan for any incidents that may happen during during the test and rollback in case of any problem.
So we're going to talk about more and I may give you one like example about penetration testing tool.
Now, there is some preparation when it comes to penetration testing, who will be commissioning the test? Who will conduct this test? Who will be the test to be conducted? What are the test limitations, this is very, very important.
This limitation, it's not a general test, you need to only get or to do the scope of the test.
What tool would be used into the test this is also very important.
Sometimes you may find the tool online, you don't know what is separate tools and you don't know what damage it will do.
And when you are working in a professional environment is different when you are then when you are testing at home.
So all those are quite important to figure out.
Now, what are the process or the step for doing a penetration testing.
Now there is many phases and each phases got to have its own results.
And I may give you some demo about some of those phases just to prove the concept.
So first, usually we start the penetration testing with the reconnaissance.
reconnaissance is just to gather information about your target.
Now, don't forget that when someone is hiring you to work as a penetration testing.
He's asking you to act as a malicious hacker.
He's asking you to do what a hacker is doing.
So we need to follow that methodology.
So usually start by doing reconnaissance.
You have a target.
And then you start collecting information about this target.
How much information are available public online.
next lecture I'm going to show you a reconnaissance lecture to give you an idea what I'm what I'm talking about.
But we are using only public record for reconnaissance, I can get a lot of information about public record, I can get people email who is working on a specific company I can get the IP is operating system that those web servers using also Safari on websites will show you a couple of email a couple of demonstrations of the finishing.
And from the reconnaissance you may have in tune into your report apart related to that, you can say is that I found too many information are published public.
Maybe you need to do an NDA for your employee telling them You do not need to, to publish such such information public.
You know, I saw in many websites where people would write down problems that they are facing in their company technical problem and looking for assistance.
So those are very critical.
Some people are uploading like information about the router setting and asking for other people for to help in different blogs or Facebook group and so on.
So reconnaissance is just to collect information from public faces.
Then we have the scanning, scanning it to collect technical information for more specific information like open port on the system service running operating system.
network topology, scanning, it's to start getting more information from disk Adding information, I can start looking for weakness.
So if this customer I from the scanning, I know that he's using Windows XP in one of the machines, then I can look for what are his weakness in Windows XP.
And this is quite easy and it's you know in all webs in many websites you can find like vulnerability website where you can check for any vulnerability related to an operating system or an application and so on.
And then exploitation based on the reconnaissance and scanning and the vulnerabilities have been found, and how it can be exploited, I can try to exploit the system.
And after exploiting system or hacking system maintaining access, so after compromising the system, I need to put something to allow me to log in every time I want, I don't want to go through the same steps one more time.
So I need to put like a key like a backdoor or I need to to mitigate my migrate my process to a system process.
So even the user cannot get rid of me.
And finally, I need to write downs report.
This is a very high level explanation of the penetration testing, I will put some like videos showing different steps.
But actually, this is not the real out the full process, but it will give you an idea about what I'm talking about.
But before going or showing some demonstration, I just want to let you know that there is different kinds of penetration testing, there is a black box.
And black box penetration testing is where the customer will not give you any information, they will hire you.
And they will tell you I just want to know if you don't know anything about our system, can you get into our system and compromising and then you have to start everything from the beginning, we have the white box was that you will have some information about your target.
And you will be requested to do a penetration testing.
And where is the gray box, which is a portrait kind of information.
But also we have the social engineering penetration testing, it's very, very common.
So there is different kinds and different different reserve different fees.
I mean, if you are doing a full or a black box penetration testing, you will get paid much more than white box, and so on.
So let me show you some demonstration about some penetration testing tools, how they are working.
And then we're going to move to the next part of this course.
Now we're going to talk about security operation.
Now this will not be a very big domain, because actually a lot of those point has been covered in previous domain.
So we're going to talk about security operation concept.
We're going to talk about physical security, which is which has already been covered in a previous domain, personal security, logging and monitors and monitoring, which we'll also covered in a previous domain, preventive measurement, resource provisioning and protection.
Now, don't forget set rules a domain where we spoke about some of the main administrative policy sayings like the least privilege, dual control.
Mandatory vacation, this is mainly operational security.
We're going to talk about protection for an ability management, change management, incident response, all those points has been covered investigation, disaster recovery planning, disaster recovery strategy, disaster recovery implementation.
So I will not repeat the same lectures.
But I'm going to just focus about the points at who's here and who's not in different domains.
I don't really feel that this domain, it's different than just combining different points together even you're gonna find things related to access control, and so on.
So let's go through it.
And let's just talk about the points that was not covered in previous lectures.
Let's talk more about operations security.
First, I don't want to get you I don't want you to get confused when you start reading about operation security, because you're going to see that most of the topic covered here has been covered in different domains.
So you're not spend time or effort while going through operation security.
But I want you to understand the concept of operations security operation.
The point here is that open our discussion, security is usually divided to technical security and administrative security and physical security as well.
Secure is a generic concept.
But here we need to focus on the security related to the business in the sense that security should be implemented to protect the business not to protect the assets, but to protect the functionality of the business.
And I will give you a small example assumes that you are a government entity and you are issue a license construction license.
So any contractor who wants to build something a house or something, he needs to have a license from your entity from your business.
And because the law issuing a construction license is quite critical, it should be controlled, but what if you left only one employee responsible for that.
So anyone who need a construction license, he will go to this employee in your government entity, and he will request for a license and submit the document and submit the fees and then get the license What if this employee decided to do something wrong, he decided to like take a or do some fruit or take money to ignore some of the requirement.
Okay, what will be the results of that, this will definitely affect your reputation.
And it may get you may lose life because of that, because people can get licensed easily, they will not follow any regulations, they will build whatever house then it may end up with crashing or whatever.
This is a small example.
So according to that, because issue, a license is critical, let me push it.
Or let me make this process done by three different people, not only one, not two, three of them, each one needs to approve as a reward.
By doing that you are putting administrative or operational security on the operation of your business.
So this is like a small example to identify the critical business function and start putting controls on them to prevent fraud and prevent any kind of illegal activity.
This is the concept engineer.
And I believe we already spoke about some of the policy earlier in one of the domains talking about the dual control talking about this privilege, need to know and so on.
So in general, the focus of operation security is to maintain operational resilience, you need to make sure that your core business function is operating well.
And you are putting all control not to affect the operation of security.
Because if you consider security only to prevent against hackers, and virus, this is not enough.
But what about people which we which is most of the illegal and most of the problems that happen to big organization, it's because of corruption inside the company, people start or employees start looking for the critical business function and how it's done.
And they can get advantage of that.
So we are protecting our business.
So you are protecting the valuable assets.
This can be physical protection, or it could be information protection for asset information asset protection control system account.
Also, this is to control the user account, according to their criticality effectiveness of the Security Service Management.
So in general, I hope you understand what is operation security is security operations all about.
Now, I know that we went through that before talking about some of the policies, privilege and so on.
But here it's giving you some examples.
So you can relate the topics that we spoke about related to the policy, information operation security, with example here.
So what do we mean by least privilege So usually, user by default, should get the privilege related to his job and access to only the fire related to his job.
cannot set or forget permission levels.
Review actually is quite important to frequently reviews access.
It's not like you're giving people access and that's it according to their job description everything.
But you need to reduce it from time to time.
And why we are doing that because people keep moving.
Maybe he didn't leave the company because they follow the employee leaves the company according to the policy his account will be disabled.
But what if he moved from one department to another department? You will not and he still have permission to the work or to the critical file to have the previous department.
So you cannot figure that out unless you are reviewing the privilege, frequently common end user account, you need to disable the administrative account.
Another very important policy in security operation is separation of duties.
So for instance, one who's taking backup should not be the same one who's restoring, right? Because if you give only one guy, the backup permission and restore permission, you have full access to your that and whatever your business is, you could be a bank, and this guy could be higher there, he's taking low salary, and he decided to get all the information.
But when you give backup to someone, and restore to someone else, you know, to be able to do something illegal, those two people need to be combined.
And this is not easier.
Get the one who are like deleting should be different than the one who are entering the data.
And so on and so forth.
Now, this may be quite obvious, but actually, the ways they ask about that inside the exam, it's that in a different way, sometimes it could be it's not a technical scenario.
Like for instance, someone is working in a coffee shop.
And two people is working on coffee shop, I remember the rules, a question like that, but I don't remember the exact same syntax.
But the point was, two people are working in a coffee shop.
And one of them is working is a full day.
So he got a key to open and close a coffee shop, while the second guy is working only a part time.
So he requested the key, he's not the one who opens a coffee shop morning time or evening time, he requested a key.
And the management, or the owner of this coffee shop refused to give him this key.
Because it's not why he needs the key is not opening the coffee shop or closing? under which policy Do you consider that? Okay, and I remember his answer was least privilege.
I mean, why do you need access to the key he will not using? So what I'm trying to say is that sometimes the question will be not straightforward, not that obvious, he will give you a scenario and then you need to consider which of those rules, least privilege or separation of duties or do or control or need to know which policy apply on the situation.
So you need to understand the concept behind it, why you are doing it, the user account special privilege who need to have a special privilege on his account.
Job rotation, this is actually very critical in ways that you need to do it in the right ways that will not be affecting the business I should not keep especially is a critical and sensitive position, I should not be keeping one guy to the same position for a long time.
Because if we do that, you know he may use it, misuse it.
So from time to time, people who are working in backup need to be moving to the restoration and people from restoration in Fira.
But actually realistically, in real life, I saw that implemented in financial positions, especially in big organization, like as a finance manager will be moving to like payroll, still be doing something related to finance.
But we do not keep one guy for a very long time in his possession.
I know that we already spoke about that in the first domain, but still, you need to review them and relate them to realistic scenario.
And also be aware of other policy like mandatory vacation or need to know or governmental control.
And don't forget all those has been explained in depth into the sunflower document.
The last domain in this course will be the software development security.
And this is actually one of the challenging domain because of the amount of terminology in this domain.
And unless you are from a development background, you're going to need to do a little bit of effort there.
But I'll be pointing to the important part in such domain.
Now on the first part, there is an introduction part regarding the different programming language and the programming language.
What exactly it consists and we have the source code that will be combined to machine code.
So just explaining how the process of programming is going language also has been categorized to combine language like C language that you are writing in English and it needs to be combined to the machine code.
So it become an executable, we have interrupted language, we have the procedural language object oriented distributed programming technique, it will be good to read at least one line about each one of them, it's not the subject of the question, but just to be aware of and we have different generation of language.
So, we have the first generation machine code second generation will be was a little bit higher assemblies and we have the third generation Fortran and COBOL and C and Pascal, fourth generation FoxPro and Oracle and so on.
And now, we have artificial intelligence and fifth generation, they are saying that we are on the 4.5 generation right now.
Anyways, this is an introduction for the different language and four different programming language sinks start from this part, which is system lifecycle.
Now, if you are doing a software development for an organization, what should be the process for them, by the way.
Right now, according to security statistic, the measure compromise ation for any system can be done or usually it's done through application layer or people layer.
I mean, no one is compromising through network right now.
So a lot of compromise ation, it's more effective if it's done through the application layer because of the weakness in SAS application.
So my point is, you may have 100% secure network, but because you are running an application that is not secure, it will lead to compromise in the system.
And the measures compromise ation.
That happened a few years back done through the software.
I mean, I don't know if you heard about PayPal has been compromised, no information has been stolen, but it was denial of service, MasterCard, Visa card and everything like that.
And some of those actually had some problem with SQL injection, which we're going to explain this but So, my point is usually there is a weakness inside the application because it's has been made by people and people do mistakes.
So, what is the system lifecycle, what is a proper system lifecycle, it should start with progress project initiation, then system concept development, then, so, after all, it should be started with a project because it has a start date and end date and then planning the project then you start collecting requirements requirement analysis, then you do the system design, and then software development and integration and testing and then implementation operation and maintenance and finally disposal.
So, this is the lifecycle of any system.
And this is how we do I mean, even realistically, it's usually a project and it starts by collecting requirement it needs to be planning because resources need to be assigned.
Budget needs to be assigned and you start collecting requirements from the customer what exactly he requires request in such application.
And then you do the design and software development and then testing and then implementation and operational and finally disposal.
In software category, we have two different kinds of software we have the proprietary software, I mean the software is that you are not allowed to see the source code like Microsoft Windows, for instance, when we bought Microsoft Windows or Microsoft Office or any Microsoft product, they will not give us the source code.
They will give us only his executable and a license to use it while Linux is considered an open source.
So you can see the source code.
A lot of people think about open source that is like free.
No, it's it could be paid, but actually after all you can have the open source and right now there is actually a lot of discussion about that.
But I believe that people eventually will goes open source because open source has been reviewed by many people because when you like Linux for instance, it has an open source so many people can reviewed a lot of flow will be discovered and it will be more secure.
While if you are getting Microsoft Windows.
You don't know how it has been written.
So from time to time, Microsoft released a patch or as self is back to solve that problem but you never know what was the problem or you know if they have a problem or not.
Also when you are buying software, we have a full discussion And we have a partial discussion, are we going to release all information or a partial information? Now, this is all just introduction.
I mean, it's not really an important subject common sense.
And just an introduction.
Starting from next lecture, we're going to start talking about the important part inside the software development.
Like what is an escrow agreement is very important.
from a security perspective, what is the security models, system development models that is used? What is the most common attacks for security, I mean, starting from the next module, things would be a little bit in depth.
So this was just an introduction, and let's see the important part in the software development domain.
In this lecture, we're going to explain the different software development methods.
When you do a software development, there is different methods.
And each of those Smith methods has its advantage and disadvantage.
So the fourth first model is the waterfall software development model.
This is the process, how software will be developed.
So as you can see, it's a sequential process.
So it starts with defining the process phase, then estimating phase or steps, durations and creating an acceptance setup, then it's not about knowing the name of the step, it's the model itself.
So model itself that whenever you finish one phase, it will be closed, and then you can start the second phase.
That's why they call it zone waterfall models, because it cannot be going from down to up it should be going from up to down.
So whenever you finish one phase, for instance, you finish collecting requirements, that's it, you start the design, you cannot get back to the collecting requirement one more time.
And from a security perspective on this is actually a good model, because you whenever you finish a phase, you close all the risk associated to this phase, so you start a new phase.
So this one depends that when you finish a phase, you don't get back to the previous one.
This is called the waterfall model, or software development model.
an opposite model is called sasami model, which is you're doing everything parallel, you are collecting requirements, you are doing the design, you're doing some implementations and you may get back to the collecting requirement or the designing.
So the all phases of development is done.
Parallel together is a Cisco's sasami model.
And maybe security here it's a little bit a concern, but effectiveness is very very important because sometimes when you work on a project especially in develop a software development project, customer had some new requirement if you are following a waterfall model, you will not be able to get his new requirement again or get back to the design phase while when you are doing sashimi model, you can do that.
Certain model is called a sprint software development model.
Ora has another name, plan to act, plan, do check act or PDCA.
This is actually more as a quality more than that it's a continuous process.
It's not closing.
So you plan you develop, you check for any weakness if there is any problem, you act and then you plan again.
So it's a continuous process.
And the Finder of this model is called the meaning, but it's more as a quality model and as a model exactly room models and the concept of the clean room model is that if you do a process or you spend time at the beginning in your software development, it will prevent from keep doing change after that.
So if you did the software in a very rushed way, then the customer will keep asking for changing requirement and for modifications.
But if you spend more time at the beginning, maybe the project will take longer time.
But eventually you will reduce the amount of change needed or amount of modification sites application prototyping model it just to give a sample because especially in software development sometimes the developers team spend long long time preparing for software and then when they show the customer after going through the process of planning and requirement Collecting requirements and designing and implementing, then when you start showing stock estimate, he said this was not what I was expecting.
So it's very actually risky process.
So, prototyping is to once you agree with the customer about software and collect the requirements, you do him a prototype a sample of the product by application.
So, this is how it look like.
So you are limit, you are doing some limitation for his expectation.
So you will know, eventually what we'll be getting this is called a prototype model.
As well, software development, it's more into the another project management model.
So it's not really a software development model.
It's a project management model.
The idea of Agile is that when you do software development, it usually take long time until you get deliverable for the customer, because there is a lot of process that you are doing before getting something life you are collecting requirement, you are doing system analysis you're doing.
Designing, so it will take time until the customer can see something.
Well, if you follow us right in software development.
The good thing about agile is that customer will be involved during the whole project will be getting deliverable during the whole project.
So it's designed in a ways that you can divide the work on different phases and customer will always get the deliverable.
So you don't have to wait for a long time until he gets a project deliverable.
Case, or case, it's something existent for software engineering, I'm sorry, yeah, Computer Aided software engineering.
This is actually software, it's software that allow you to design a program and allow to design the flow of the program, what is the input, what is output, and it's very, very complicated software, I mean, you need like four or five months to be able to analyze the software, and definitely need to become from a development background.
So case is a software Computer Aided software engineering, that allow you to design your software and designs, the input and the flow of the information and so on.
Now, once we get a software developed in our company, and it's up and running, and it's saving our data and information.
Now, change will be requested from time to time.
So for instance, one of the user or one of the manager may request to report one of us or may request some modification adding some screen, so a change will be requested.
Now, it's very important to consider the process of change request in your organization, how change will be processed a process, I mean, if someone needs to change, they need to change something inside the program, add the field or either report, you just need to call the developer and ask him to do change, it should not be done this way, because maybe this change would affect any other things from security or from efficiency.
So you need to have a proper change request process.
So, most of the organization has a change request that start with requesting the change.
So, the employee who needs a change will write requests, maybe on a paper on or soft copy and send this request this request will be checking and it will be assist I mean, they will be the effect of changing of doing such change.
So according to that it may be approved or it may be rejected.
And then so it will be approved the change, then communicate the change documents that change.
So it will be can be traced who did this change, and why because when you are doing a change request, you have to specify why and then test and reporting and implementing the change and report the change.
So the point is, it's not about the steps in such a slide it's that you should have a change request process.
And this change should be documented and it should be for a reason because unless you are not to unless you do that people will keep change for any reason.
They said okay, I don't like the screen color.
You cannot change inside your systems that will affect your security.
Because of the same concept apply for configuration, so also should have a configuration management process.
If I need to open a firewall port if I need to change something inside the configuration give a permission or something like that.
So also it should be assigned and it should be tested and it should be approved or rejected.
And then it should be, it should be applied.
So change management, and configuration management.
This is a very important process inside the software development lifecycle.
This lecture will explain some of security consideration, or let's say some of the software attacks.
We agree during this course that attack is very important for the exam.
And the good thing is that you're going to find that most of those attacks recovered in different modules.
So we spoke about buffer overflow about cover chain and malware.
malformed input, this is a very, very important attack when it comes to software.
And we are talking about manipulating the input like SQL injection and cross site scripting, especially SQL injection was one of the attacks that is very, very Tina with it's considered one of the highest attacks.
That's why after this lecture, I added two small demonstration about SQL injection from my ethical hacking course, just not to keep talking theoretically, but also to show you how the poor validation of the input can lead can lead to a full compromise ation of the system.
So just to get out of those theoretical and definition so on, I added two different lecture, very interesting lecture about SQL injection.
I want to watch those lecture and torture those attacks.
And to let me know, what is your opinion how's that can be prevented.
In your software development lifecycle, we spoke about object reuse, we spoke about social engineering to city zoo, we spoke about that when we saw the tempering data, and trapdoor and backdoor so most of the attack has been covered on a previous section.
But I wanted to add a couple of videos just to show you one of the attack in a realistic way.
Finally, in this module, or in this domain, we're going to talk about the software controls type what control I can add to my software so it become more secure.
So we can harden the security kernel, we can work with the privilege state, we can try to prevent buffer overflow.
By validating the input we can try to manage or protect the memory covered channel cryptography.
This is all allowed to secure our software, we can also try to protect password by having a policy for a strong password.
Environment separation by considering the place where the information are saved, they are secure, they are far from theft, or any environmental damage, taking backup, doing training and scanning the system eventually.
So those are some of the controls that we can implement to harden our software.
And also, one of the things that you need to consider is the level of integrity is a very important concept inside software.
Because the thing is if you have a software that will save your data Now besides the protection parts that you are protecting against hackers or against any malicious activity, what if someone was your employee was not actually I mean, he's putting the input in an an integrity way.
So he for instance, he adds some financial information but unintentionally, he wrote some wrong number.
So after all the information will lost the integrity it's not an attack it just a bad behavior or someone is not giving attention while he's putting information.
So you should provide some kind of integrity like two people validate the information.
Or for instance, you notice sometimes when you are putting your information and you're putting your ID or social security, they will only accept number oh you are putting your cell number or mobile number.
They will only accept number you cannot add letters This is to provide the level of integrity.
So as a security professional Now you should beside her the neuro software, you should also provide some level of integrity for your information to make sure that whatever information has been inputted are valid, and they are not actually losing any kind of integrity.
So it's a very important concept as one.