a guest
Dec 11th, 2019
Security Fundamentals: Core Security
One of the building blocks of successful IT security practices is a fundamental understanding of security layers. Explore some of the main core concepts in IT security.

The Core Concept of Confidentiality
[Video description begins] Topic title: The Core Concept of Confidentiality. Your host for this session is Travis Welton. [Video description ends]

Confidentiality is a key component in IT security to protect your privacy and data from unauthorized users. In this video, I'll discuss the characteristics of confidentiality.

[Video description begins] Screen title: Intro to Security Principles. [Video description ends]

Intro to security principles: an intro to security. Before you can even begin to start securing your environment, you need to have a good understanding of what it is you're trying to protect, why it needs protecting, and what you're trying to protect it from. The CIA triad is one of the first acronyms you're going to learn when dealing with security principles. CIA triad stands for confidentiality, integrity, and availability.

[Video description begins] A diagram appears on the screen depicting the relationship among Confidentiality, Integrity, and Availability. [Video description ends]

It's extremely important to make sure that your confidential information is kept confidential, that you can verify the integrity of your data, and that it's always available when needed. The core concepts of confidentiality.

[Video description begins] Screen title: The Core Concept of Confidentiality. [Video description ends]

Confidentiality, as it relates to data and information security, means mitigating unauthorized access to sensitive network assets. This can be accomplished through various levels of encryption, authentication, and access controls. The different confidentiality classifications.

[Video description begins] Screen title: Confidentiality Classifications. [Video description ends]

In the private sector, there is public, internal, and confidential. In government agencies there is unclassified, restricted, secret, and top secret. It's important to make sure that you classify all of your assets so that you can ensure that they are effectively protected with the right amount of security.
  24.  
The Core Concept of Integrity
[Video description begins] Topic title: The Core Concept of Integrity. Your host for this session is Travis Welton. Screen title: The Core Concept of Integrity. [Video description ends]

The core concept of integrity. Integrity, as it relates to data and information security, means the protection of data and information against unauthorized or accidental changes.

[Video description begins] A diagram shows that data/information integrity encompasses Consistency, Accuracy, and Validity. [Video description ends]

Integrity, by its very definition, means consistency, accuracy, and validity. Maintaining your data integrity.

[Video description begins] Screen title: Maintaining Data Integrity. [Video description ends]

Data and information integrity can be accomplished through the use of security programs, which manage and detect changes to your information; permissions, to control access to assets; and auditing and accounting processes, to record changes.
  37.  
The Core Concept of Availability
[Video description begins] Topic title: The Core Concept of Availability. Your host for the session is Travis Welton. Screen title: The Core Concept of Availability. [Video description ends]

The core concept of availability. Availability is the third core security principle. In relation to data and information security, availability means the general, unfettered accessibility of resources to users, systems, and/or applications as required. Threats to data and information availability.

[Video description begins] Screen title: Threats to Data/Information Availability. [Video description ends]

Threats come in two common categories: accidental threats, which would involve things such as natural disasters, equipment failures, and unplanned outages; and deliberate threats, such as denial of service attacks and network worms.
  46.  
The Impact of Threats and Risks
[Video description begins] Topic title: The Impact of Threats and Risks. Your host for the session is Travis Welton. Screen title: The Impact of Threats and Risks. [Video description ends]

The impact of threats and risks. Risk management is identifying, assessing, and prioritizing threats and risks, with a focus on negative risks. A risk is defined as the likelihood of an event occurring. A threat is a specific risk that could result in an unwanted breach by exploiting system vulnerabilities. The purpose of a risk management plan. The purpose of a risk management plan is to remove risks where possible. You want to mitigate the consequences of those risks which can't be prevented.

[Video description begins] Screen title: Risk Management Plan Detailed - Risk Assessment. [Video description ends]

In detail, a risk management plan starts with a risk assessment. To perform a risk assessment, you want to identify risks that may harm your environment.

[Video description begins] Screen title: Risk Management Plan Detailed - Risk Evaluation. [Video description ends]

The next step is risk evaluation; you want to evaluate risks against two factors. The first is the likelihood that the risk will occur, and the second is the impact the risk will have on your environment.

[Video description begins] Screen title: Risk Management Plan Detailed - Risk Prioritization. A graph is displayed in which the X axis represents Likelihood and the Y axis represents Impact. High risk is represented in red and low risk is represented in green. [Video description ends]

The next step is risk prioritization; you can prioritize identified risks in two ways: utilizing a risk matrix to assist in risk ranking, and outlining a risk score.

[Video description begins] Screen title: Risk Management Plan Detailed - Risk Response. [Video description ends]

Risk response. When responding to risks, you want to respond in one of four typical methods. The first is avoidance, then mitigation, acceptance, and finally, transfer.

[Video description begins] Screen title: Risk Management Plan Detailed - Avoidance and Mitigation. [Video description ends]

Avoidance and mitigation. Risk avoidance is removing the risk by choosing not to participate in an event or activity. You avoid the risk altogether. Risk mitigation means minimizing the risk through interventions which lower the likelihood or impact that the risk will occur.

[Video description begins] Screen title: Risk Management Plan Detailed - Acceptance and Transfer. [Video description ends]

Acceptance and transfer. Risk acceptance is knowing that the risk is there and accepting the likelihood or the impact of the risk. And risk transfer is shifting risk responsibility to a third party.

[Video description begins] Screen title: Residual Risk. [Video description ends]

Residual risk. It's important to be aware of any residual risk. Residual risk is what remains subsequent to implementing measures to lessen the likelihood or impact of a negative incident.
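
The evaluation, prioritization, response and residual-risk steps above, worked through as a small risk register. This is an added example, not course material; the 1-5 scales, the red/amber/green thresholds, the way each response changes the score and the sample risks are all constructed assumptions.

```python
"""Risk evaluation, prioritization, response and residual risk for a risk
management plan. Added example: the ordinal scales, colour-band thresholds,
the effect of each response on the score and the sample register are
constructed assumptions, not values from the course."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed ordinal scales for the two evaluation factors (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# The four typical response methods.
RESPONSES = ("avoid", "mitigate", "accept", "transfer")


@dataclass
class Risk:
    name: str
    likelihood: str                      # key of LIKELIHOOD
    impact: str                          # key of IMPACT
    response: str = "accept"             # one of RESPONSES
    # Levels that remain once the response's measures are in place; None means
    # the response leaves that factor unchanged.
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def __post_init__(self) -> None:
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"{self.name}: unknown likelihood/impact level")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.name}: unknown response {self.response!r}")

    def score(self) -> int:
        """Risk score = likelihood x impact, i.e. the cell of the risk matrix."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """What remains after the chosen response: avoidance removes the risk
        entirely; mitigation and transfer lower likelihood and/or impact;
        acceptance leaves the score unchanged."""
        if self.response == "avoid":
            return 0
        lvl = self.residual_likelihood or self.likelihood
        imp = self.residual_impact or self.impact
        return LIKELIHOOD[lvl] * IMPACT[imp]


def band(score: int) -> str:
    """Colour band of the likelihood/impact graph (assumed thresholds on a 5x5 matrix)."""
    if score >= 15:
        return "red"        # high risk
    if score >= 6:
        return "amber"
    return "green"          # low risk


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Rank by risk score, highest first; ties broken by impact, then by name."""
    return sorted(risks, key=lambda r: (-r.score(), -IMPACT[r.impact], r.name))


def register_report(risks: List[Risk]) -> List[Tuple[str, int, str, str, int, str]]:
    """One row per risk in priority order:
    (name, score, band, response, residual score, residual band)."""
    return [(r.name, r.score(), band(r.score()), r.response,
             r.residual_score(), band(r.residual_score()))
            for r in prioritize(risks)]


# Constructed sample register for a small office environment.
SAMPLE_RISKS = [
    Risk("ransomware via phishing email", "likely", "major",
         response="mitigate", residual_likelihood="unlikely"),
    Risk("data center power outage", "possible", "severe",
         response="mitigate", residual_likelihood="rare"),
    Risk("unencrypted USB drive lost", "likely", "moderate",
         response="avoid"),
    Risk("laptop theft while travelling", "possible", "major",
         response="transfer", residual_impact="minor"),
    Risk("office flooding", "rare", "major", response="accept"),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS):
        print("%-32s score=%2d (%s) %-8s residual=%2d (%s)" % row)
```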
  79.  
The Principle of Least Privilege
[Video description begins] Topic title: The Principle of Least Privilege. Your host for the session is Travis Welton. Screen title: The Principle of Least Privilege. [Video description ends]

The principle of least privilege. The principle of least privilege is a security measure that can apply to a user, system, program, or process, and that defines the least amount of rights or access required to effectively accomplish its function.

[Video description begins] Screen title: The Principle of Least Privilege Challenges. [Video description ends]

Although the principle of least privilege has been around for a long time, organizations have struggled to effectively implement it. Regulatory requirements have driven organizations to focus on its implementation and ensure the principle is followed. Sarbanes-Oxley, also known as SOX; HIPAA, the Health Insurance Portability and Accountability Act; and HITECH, the Health Information Technology for Economic and Clinical Health Act, are all examples of some of these regulations. Some difficulties lie within the diversity of corporate work environments. Hundreds to thousands of users need to be regulated. Many of these users are dispersed over numerous geographical locations. They require access to multiple applications, file servers, and print servers. Access requirements may vary by location, user type, and department security levels. And application and system permissions also have to be taken into account. Regular requirement auditing is required to ensure successful implementation across the enterprise.

[Video description begins] Screen title: The Principle of Least Privilege Strategies. [Video description ends]

Some principle of least privilege strategies are: use groups. Ensure users and applications are effectively placed into groups to streamline permissions assignments. Use accounts as intended. Ensure that administrators only use admin accounts for admin tasks. And standardize accounts. Define a number of account types based on user roles and assign them as appropriate. There are some third-party applications that are also available to help streamline and assist in permissions management. Processes and procedures: establish a framework for account management which defines the creation, attribute assignment, and maintenance of all accounts.
  92.  
Social Engineering
[Video description begins] Topic title: Social Engineering. Your host for the session is Travis Welton. Screen title: Social Engineering. [Video description ends]

Social engineering. Social engineering is a malicious practice or attack through which deception is used to gain access to networks, systems, or data. Attackers will attempt to gain personal, sensitive information from trusting individuals to further their exploits. The attack can occur by various means: through email, over the phone, or even in person. Avoiding social engineering attacks.

[Video description begins] Screen title: Avoiding Social Engineering. [Video description ends]

Some techniques to help avoid social engineering attacks are to be distrustful. Any communication through which requests are made for sensitive internal information should be met with suspicion. Report these occurrences to the appropriate personnel and exercise caution. Sensitive information should not be provided to anyone that does not have the rights to that information. Be sure to confirm the identity of the requester. Validate the identity of all unknown requesters of sensitive internal information by requesting their name, phone numbers, and photo IDs.

[Video description begins] "Confirm identity" is displayed on the screen. [Video description ends]

And avoid sending information over email. Personal, sensitive, internal information shouldn't be conveyed via email requests, and be wary of any embedded links within email messages.
  105.  
Attack Surface Analysis
[Video description begins] Topic title: Attack Surface Analysis. Your host for this session is Michael Murphy. Screen title: Attack Surface. [Video description ends]

In this video, we want to talk about attack surface analysis. When we think about the attack surface, we're thinking about the open doors on the network: entry points that attackers can use to breach your system, network, or applications for malicious intent. That can be grouped into three major buckets: the application, the network, and the employee attack surfaces. We want to take a look at each of these in turn.

[Video description begins] Screen title: Application Attack Surface. [Video description ends]

The first thing, when it comes to the application attack surface: if you're in the business of building apps, and everybody's building apps these days, these are some of the concerns that you have. Now, those concerns are very different from those of folks that are purchasing cloud services applications, or that are not really running cloud-based services for their employees. When we think about those folks, which make up the vast majority of the world, you're going to follow the recommendations from the vendor as to what security implementations or measures you might take.

But if you're the app dev, if you build your own applications, then some of the considerations that you want to focus on include how much code an application has. The tighter that code can be written, the less likelihood that there'll be an exploit that can be developed against it. How many data inputs are there? The more that there are, the more ways there are to get into the application, the more ways that you can access it. Every time I add a data input, I'm potentially opening a door that somebody could exploit. And commonly, right, we think about buffer overflow attacks that would fall into that category. How many and what types of services are you running, right? And that's why I started the conversation by making the distinction between the two groups. When I'm in the average small to medium-sized business, right, a less-than-500-employee kind of business.

It's uncommon for me to find a lot of proprietary apps there. I'm not saying it doesn't happen, but it's uncommon, right? And the reality is, if you are, let's say, the local dental supply house with 120 employees, and you're entirely a Windows shop running a SQL Server and an Exchange server, that's your whole network, pretty much. Your services are well known; the ports that they use are well known. And the vendor, the Microsoft Corporation, has built layered security into those applications. Now, that's not to say that exploits don't come along; they do. But we have intrusion detection systems, antivirus, and antimalware solutions that should always be running on top of things looking for those. It's the application developers that open the doors that let folks in. And so we want to make sure that we secure those doors, like the listening ports that the application uses.

[Video description begins] Screen title: Network Attack Surface. [Video description ends]

The network attack surface. It used to be that there was my network, there was a firewall device, and then there was the rest of the world, right? But the moment that I put a wireless access point in, suddenly my network extends out into the parking lot 35 feet. And that's a different world to live in. And so we want to think about the implications of our network design and the location of critical systems. Do I have a critical piece of copper that runs from the first floor to the second floor network, and it runs outside the building and is exposed? Anybody could come along and put a vampire tap in there and start capturing packets off my network. That's a concern to me. What's the location and the configuration of the firewalls? And here we're talking about the security of the devices. Are they in a place where people can get to them? Do they sit under the receptionist's desk in the lobby, right? We want to avoid those kinds of exposures. Physical access to those devices changes everything for an attacker. Configuration and aspects of security-related network devices, like your intrusion detection systems and VPN connections: again, there I'm going to follow the vendor recommendations, and continue to run antivirus and antimalware.

[Video description begins] Screen title: Employee Attack Surface - Considerations when assessing the employee attack surface. [Video description ends]

Now, this is a little trickier: the question of social engineering and the human factor, because we all make mistakes. And what I have found is that in the vast majority of occasions where there's human error or somebody lets a virus loose on the network, it's a human error, it's a mistake. And we want to distinguish those mistakes and try to remediate them with user education, which I do not believe is an oxymoron. We want to distinguish human error from malicious behavior. The fellow who's got a grudge against the company and intentionally releases something on the network: that's a real concern. Social engineering tends to be less of a concern if you're not in the boutique brokerage house downtown. That's where we get concerned about social engineering and direct attacks against individuals in the company. Proper evaluation of the three attack surfaces will better position you in identifying areas of exploitable weakness.

[Video description begins] Screen title: Download Attack Surface Analyzer. [Video description ends]

Finally, you want to go out and get yourself the Attack Surface Analyzer from the Trustworthy Computing Group. Microsoft has adopted this tool for its own internal use and testing. It snapshots your system state before and after installation, and then displays changes to key elements of the Windows attack surface that have changed because you've put a new piece of software on that machine. This is a look at attack surface analysis.
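
The before/after snapshot idea just described, shown as a comparison of listening ports, services and firewall allow rules, with new network-reachable listeners called out as the new open doors. This is an added example, not Microsoft's Attack Surface Analyzer; the element categories, the `proto:address:port` notation (IPv4 only), the hypothetical `AcmeAgent` install and both snapshots are constructed.

```python
"""Before/after comparison of attack surface elements. Added example in the
spirit of the snapshot workflow; not the Microsoft tool. Element categories,
the 'proto:address:port' socket notation (IPv4 only) and both snapshots are
constructed."""
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, Set[str]]
Delta = Dict[str, Tuple[Set[str], Set[str]]]   # category -> (added, removed)

# Constructed snapshot of a Windows host taken before the install.
BEFORE: Snapshot = {
    "listening": {"tcp:0.0.0.0:445", "tcp:0.0.0.0:3389", "udp:0.0.0.0:53"},
    "services": {"LanmanServer", "TermService", "Dnscache"},
    "firewall_allow": {"SMB-In", "RDP-In"},
}

# Constructed snapshot after installing a hypothetical 'AcmeAgent' package.
AFTER: Snapshot = {
    "listening": {"tcp:0.0.0.0:445", "tcp:0.0.0.0:3389", "udp:0.0.0.0:53",
                  "tcp:0.0.0.0:46888", "tcp:127.0.0.1:8081"},
    "services": {"LanmanServer", "TermService", "Dnscache", "AcmeAgentSvc"},
    "firewall_allow": {"SMB-In", "RDP-In", "AcmeAgent-In"},
}


def diff_snapshots(before: Snapshot, after: Snapshot) -> Delta:
    """Per category: what the installation added and what it removed."""
    categories = set(before) | set(after)
    return {c: (after.get(c, set()) - before.get(c, set()),
                before.get(c, set()) - after.get(c, set()))
            for c in sorted(categories)}


def network_reachable(socket: str) -> bool:
    """A listener bound to the loopback address is a door only for local processes."""
    _proto, address, _port = socket.split(":")
    return not address.startswith("127.")


def findings(delta: Delta) -> List[Tuple[str, str]]:
    """(severity, message) per change. New listeners reachable from the network
    are the open doors to review first; loopback-only listeners, new services
    and new inbound allow rules are recorded for review; removed elements are
    reported as reduced attack surface."""
    out: List[Tuple[str, str]] = []
    empty: Tuple[Set[str], Set[str]] = (set(), set())
    for sock in sorted(delta.get("listening", empty)[0]):
        proto, address, port = sock.split(":")
        if network_reachable(sock):
            out.append(("high", f"new {proto} listener on port {port} bound to {address}"))
        else:
            out.append(("info", f"new {proto} listener on port {port} (loopback only)"))
    for rule in sorted(delta.get("firewall_allow", empty)[0]):
        out.append(("medium", f"new inbound firewall allow rule {rule}"))
    for svc in sorted(delta.get("services", empty)[0]):
        out.append(("medium", f"new service installed: {svc}"))
    for cat in sorted(delta):
        for item in sorted(delta[cat][1]):
            out.append(("reduced", f"{cat} removed: {item}"))
    return out


if __name__ == "__main__":
    for severity, message in findings(diff_snapshots(BEFORE, AFTER)):
        print(f"[{severity}] {message}")
```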
  130.  
Threat Modeling
[Video description begins] Topic title: Threat Modeling. Your host for this session is Michael Murphy. Screen title: Threat Modeling. [Video description ends]

In this video, we want to talk about the new threat modeling tool from the Microsoft Corporation. And it's important to put this tool in the proper perspective. The function of the tool, or where the tool is utilized, is in the software development and design phase of your application development projects. And so this is a tool that's principally used by developers. And it gets used over and over and over again, right, during the project life cycle. We're going to go ahead and start out by diagramming the communication model of our application. Then, we'll identify potential areas that need to be remediated or mitigated. Now, that can be something like, okay, the application is going to require a dedicated port. We're going to choose for our own purposes port 46888. And that's a port from the ephemeral port range, which means that it's not a well-known port.

There shouldn't be conflicts with other applications using that port. But this is going to be a cloud-based service. So that means that everybody that uses this service is going to have to open 46888. How do we communicate that out to the folks that configure the network devices? And then, how do we secure it? With authentication and encryption protocols. And so the port is open, but if you can't meet the authentication and encryption protocols, you don't get in. And then how else do we defend that port? And that's the mitigation phase. And once those changes are made, we can go ahead and validate that the application works, that it accepts the authentication and encryption protocols and responds in kind, and that port is well locked. It's as secure as we can make it today. And then the whole thing starts all over again as we move through that software development process.

[Video description begins] Screen title: Download the Threat Modeling Tool. [Video description ends]

Now, the threat modeling tool is a download from the Microsoft Download Center. And before you even download the threat modeling tool, you can start by diagramming and creating your models. Then, Microsoft has provided, as part of the tool, templates that will match the common communication processes and protocols that we use, based on the IETF standards, right, the Internet Engineering Task Force standards. Using those templates, I'll build my model. Here's my application, here's the communication processes in use. This is what that flow looks like. I'll analyze the threats. Where's the potential for a malicious user to exploit this system against us? And then this is where the tool is so important: in creating easily shared reports, and the reports are easy to create inside the tool. Why that bit is so important is because that's going to be the communication channel.

From the application developers that are modeling their software in its design phase, out to the network engineer who's going to have to open and secure those ports on the router devices, to the database admin who's going to have to secure the communication channel from the frontend UI that the developers have to the backend database, to the email Exchange administrator who's going to have to enable a mailbox so that our application can automatically send emails to stakeholders. The reporting piece of this is what will fluidly lubricate the communication channel between the application dev team and all the other stakeholders in the project. This is a look at threat modeling and the new threat modeling tool from the Microsoft Corporation.
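
The model-analyze-mitigate-validate-report cycle just described, reduced to code: diagram the flows, flag every flow that crosses a trust boundary without authentication or encryption, apply the mitigations, re-run the analysis, and produce the port list the network engineers need. This is an added example, not the Microsoft Threat Modeling Tool or its templates; the trust zones, the elements, the flows and their ports (apart from 46888, taken from the video) are constructed.

```python
"""Threat analysis over an application's communication model. Added example,
not the Microsoft Threat Modeling Tool; trust zones, elements and flows are
constructed (port 46888 is the dedicated port chosen in the video)."""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Element:
    name: str
    zone: str            # trust zone: "internet", "dmz" or "internal" (assumed)


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    port: int            # TCP port the destination listens on
    authenticated: bool = False
    encrypted: bool = False

    def label(self) -> str:
        return f"{self.src.name} -> {self.dst.name} tcp/{self.port}"

    def crosses_boundary(self) -> bool:
        """A flow between two different trust zones crosses a trust boundary."""
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    flow: str
    issue: str
    mitigation: str


def analyze(flows: List[Flow]) -> List[Threat]:
    """Flag boundary-crossing flows that an unauthenticated caller or an
    eavesdropper could use. Flows inside one zone are trusted in this model."""
    threats: List[Threat] = []
    for f in flows:
        if not f.crosses_boundary():
            continue
        if not f.authenticated:
            threats.append(Threat(f.label(), "port reachable without authentication",
                                  "require authentication before serving requests"))
        if not f.encrypted:
            threats.append(Threat(f.label(), "data readable or alterable in transit",
                                  "protect the channel with an encryption protocol"))
    return threats


def mitigate(flows: List[Flow]) -> List[Flow]:
    """Mitigation phase: every boundary-crossing flow gets both controls."""
    return [replace(f, authenticated=True, encrypted=True) if f.crosses_boundary() else f
            for f in flows]


def firewall_requirements(flows: List[Flow]) -> List[Tuple[str, int]]:
    """Report for the network engineers: (zone, port) pairs that must be opened
    because a flow from another zone terminates there."""
    return sorted({(f.dst.zone, f.port) for f in flows if f.crosses_boundary()})


# Constructed model of a cloud-based service with its backend dependencies.
CLIENT = Element("customer client", "internet")
SERVICE = Element("cloud service", "dmz")
DATABASE = Element("backend database", "internal")
MAIL = Element("mail server", "internal")

MODEL = [
    Flow(CLIENT, SERVICE, 46888),                               # no controls yet
    Flow(SERVICE, DATABASE, 1433, authenticated=True),          # logs in, but in the clear
    Flow(SERVICE, MAIL, 587, authenticated=True, encrypted=True),
]

if __name__ == "__main__":
    for t in analyze(MODEL):
        print(f"{t.flow}: {t.issue}; {t.mitigation}")
    print("threats after mitigation:", len(analyze(mitigate(MODEL))))
    print("ports to open:", firewall_requirements(MODEL))
```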
  147.  
Site Security
Securing all removable devices and mobiles will help in keeping your data safe and protecting you against threats. In this video, I'll discuss the characteristics of site security. Physical site security: control over who accesses your physical environment, assets, and data is very important. Security measures to consider are badge readers, keypads for access to sensitive areas, office and desk keys, guards to control access, and log books to record people's entry. Physical site security cost: be sure to consider the costs when determining your security plan. Evaluate the importance of the data and resources that you are protecting, and design your security appropriately. Ensure your security measures aren't overly cumbersome, and implement proper training for staff. If security measures are too arduous, users may be tempted to circumvent them. Access control.

[Video description begins] Heading: Site Security. The multiple layers of security that protect and defend sensitive site assets are as follows: the Outer Perimeter, which consists of the Fence or Building Doors; the layer within the outer layer, which consists of the Guard Desk; the Internal Perimeter, which consists of the Elevator or Office Environment; Data Center Access, displayed in the layer within the internal perimeter; and the innermost layer, which consists of the Locked Servers or Racks. [Video description ends]

Access control, in the context of physical site security, involves the restriction of access to resources to only those who require access, through the use of fences, guards, door locks, and more. Securing the physical premises. This incorporates defense in depth; it's layered site security. There are multiple layers of security to protect and defend sensitive site assets. If outer layers are breached, then inner layers remain to thwart attackers from accessing sensitive areas. Physical site security, physical premises. The physical premises is often divided into three zones. There's the external perimeter, which is the outermost portion of the physical premises, like driveways and parking lots. The internal perimeter, which consists of buildings on the premises, or only those buildings that you occupy should there be other tenants on the premises. And secure areas: sensitive locations within the building such as network rooms, data centers, wiring closets, and server rooms.

Physical site security, external perimeter. Your external perimeter is the first line of defense which, depending on your environment, can consist of things such as security cameras (which can be costly, so be sure to balance your monitoring costs with your recording schedule), lighting, fencing, gates, and guards. The internal perimeter. Your internal perimeter consists of exterior doors and walls, and any internal security measures with the exception of your internal secure areas, such as external/internal door locks, keypads, card readers, cameras, concierges, and smoke detectors. Implement the principle of least privilege from the physical perspective by segregating your internal space appropriately, giving users access only to what they require access to. Secure areas. Your secure areas consist of the most sensitive rooms or locations within your environment's internal perimeter.

Network rooms, wiring closets, and server rooms, for example: any secure area where strict security control is required in order to minimize unauthorized access from either external attackers or unwanted internal employee access. Access is limited through the use of security doors, keypads, card readers, biometric systems, cameras, and intrusion detection systems. Physical site security, site security processes. You should also implement site security processes for each area. The external perimeter could have processes such as parking lot access management, guard patrol schedules, tracking entries and exits, and dealing with abandoned packages and suspicious people. For your internal perimeter: sign-in procedures, door locking schedules, delivery processes, escorting visitors, and personal equipment entry and removal procedures. And your secure areas will generally have strict procedures in place, such as who's allowed to enter and when.
  158.  
Computer Security
[Video description begins] Topic title: Computer Security. Your host for the session is Travis Welton. Screen title: Computer Security. [Video description ends]

Computer security. Computer security generally refers to securing physical computers, which typically are servers, desktops, and mobile computers. Servers are back-end machines which host centralized applications and services such as domain controllers, email servers, and web servers. Desktops are front-end machines, typically utilized by end users to interact with back-end services that run on servers. And mobile computers: those are laptops, notebooks, netbooks, tablets, and smartphones. They function similarly to desktops, but they have the added flexibility of mobility.

[Video description begins] Screen title: Computer Security - Servers. [Video description ends]

Some things to consider when you're physically securing servers. Servers are expensive. They provide mission-critical services and applications. They should be locked in a data center, or a server room, or a computer room. At the very least, servers should be locked with a security cable, or in a security cabinet or rack with a locking door.

[Video description begins] Screen title: Computer Security - Desktops. [Video description ends]

Some considerations for physically securing desktop computers and mobiles. Desktop computers are generally inexpensive, especially compared to servers. They're typically used in secured offices or at home. And generally, computer security cables are sufficient to secure a desktop or a mobile computer.
  171.  
Removable Devices and Drives
[Video description begins] Topic title: Removable Devices and Drives. Your host for the session is Travis Welton. Screen title: Removable Devices and Drives. [Video description ends]

Removable devices and drives. Removable devices and drives can be in the format of MicroSD or SD cards, thumb drives, and flash drives; external drives, such as external hard drives; and removable media like floppy disks, CDs, and DVDs. They generally connect to a computer via USB ports and card readers, or even through FireWire ports. Removable device security challenges.

[Video description begins] Screen title: Removable Devices and Drives - Security Challenges. [Video description ends]

There are numerous security challenges with these items. Primarily, there's loss, the most common issue, especially with USB drives. If possible, it's recommended that you implement authentication and encryption on your USB thumb drives, such as Microsoft's BitLocker To Go. Raise awareness as to the risks of data storage on something so easily misplaced. Theft is another security challenge. The convenience of portability also makes such items easy to steal. Keep these items with you or lock them in secure locations. The devices are cheap, but the data can be confidential and irreplaceable. And the third big security challenge is espionage. The best measure is to protect data from unauthorized access and employ the principle of least privilege. If a user doesn't need access to mobile USB drives, if they don't need access to the USB ports on their computer, those can be locked down to prevent them from stealing your sensitive information.
  180.  
Mobile Device Security
[Video description begins] Topic title: Mobile Device Security. Your host for the session is Travis Welton. Screen title: Mobile Device Security. [Video description ends]

Mobile device security. Mobile devices such as laptops, PDAs, and smartphones represent one of the most difficult security challenges for your organization. These devices can store large amounts of sensitive data that, if lost or stolen, can have an immeasurable impact on your organization.

[Video description begins] Screen title: Mobile Device Security - Laptops. [Video description ends]

When dealing with laptops specifically, some of the options for securing them include alarms, which can be motion sensitive and alert you when the device is moved; security cables, which allow for anchoring of the laptop to a secured object; safes, which are virtually impenetrable and can be secured to an immovable object; and docking stations. Many docking stations contain some combination of a key or padlock, depending on the model. And theft recovery software should be used. This allows for tracking of the device should it be lost or stolen.

[Video description begins] Screen title: Mobile Device Security - PDAs and Smartphones. [Video description ends]

When dealing with PDAs and smartphones, these devices can be even more difficult to secure than laptops. Some recommendations are to employ passwords and encryption, utilize remote wiping applications and GPS measures for tracking, always keep your mobile device with you or within sight, and don't leave the device unattended in a vehicle. Also, when traveling, it's a good idea to use a hotel safe if one is available to you.
  193.  
Keyloggers
[Video description begins] Topic title: Keyloggers. Your host for the session is Travis Welton. Screen title: Keyloggers. [Video description ends]

Keyloggers. Keyloggers are defined as devices that can capture keystroke input. These can be either logical, for example a covertly installed application, or physical, an actual device that's placed between the keyboard and the computer. There are also wireless sniffers out there that can be used to capture wireless keyboard input, and for this reason many companies disallow the use of wireless keyboards entirely. Whichever option is used, these keyloggers will capture user keyboard input and replay it in order to procure sensitive information, for example passwords, credit card numbers, and user IDs. The defense against keyloggers.

[Video description begins] Screen title: Keyloggers Defense. [Video description ends]

If it's a physical keylogger that you're looking to defend against, the best thing to do is a visual inspection. Any extra device between the computer and the keyboard could be a keylogger. And this is especially important to check when you're using a shared or public computer. To defend against logical keyloggers, it's important to ensure that antimalware software is up to date. And also, User Account Control can be used to help ensure that no unauthorized software is installed. To defend against wireless sniffers, utilize a wireless keyboard which supports encryption.