WEBVTT 1 00:00:00.080 --> 00:00:03.000 Welcome to the Deep Dive, the show where we really 2 00:00:03.000 --> 00:00:05.400 try to pull out the essential knowledge from some pretty 3 00:00:05.440 --> 00:00:06.320 complex stuff. 4 00:00:06.440 --> 00:00:08.480 Yeah, making sense of it all for you exactly. 5 00:00:08.919 --> 00:00:14.359 And today we are diving deep into well cybersecurity. It's 6 00:00:14.480 --> 00:00:18.760 fascinating and honestly just absolutely critical these days. Our guide 7 00:00:18.760 --> 00:00:24.600 it's this incredibly thorough document Effective Cybersecurity, A guide to 8 00:00:24.800 --> 00:00:27.039 using best practices and standards. 9 00:00:27.559 --> 00:00:30.839 Quite a title it is, but it's packed with good information. Yeah, 10 00:00:30.879 --> 00:00:33.799 and our mission here for you listening is really to 11 00:00:33.840 --> 00:00:35.039 give you that inside track. 12 00:00:35.159 --> 00:00:36.920 Yeah, cut through the noise precisely. 13 00:00:37.119 --> 00:00:39.159 We're going to sift through all that material, pull out 14 00:00:39.159 --> 00:00:42.200 the really important bits, maybe some surprising facts, and definitely 15 00:00:42.200 --> 00:00:43.200 the practical insights. 16 00:00:43.280 --> 00:00:44.960 You get up to speak quickly, right, I want you to. 17 00:00:44.960 --> 00:00:48.880 Feel well informed, sharp, without getting bogged down by just 18 00:00:48.920 --> 00:00:51.240 the sheer volume of it all. Yeah. Think of this 19 00:00:51.280 --> 00:00:56.240 as your shortcut to really understanding effective cybersecurity. 20 00:00:56.280 --> 00:01:00.320 Okay, let's unpack this then, because cybersecurity it often feels 21 00:01:00.320 --> 00:01:04.760 like this huge tangled mess, right, technical jargon, constant threats. 22 00:01:04.879 --> 00:01:08.319 It can definitely seem that way, impenetrable sometimes, So what. 23 00:01:08.280 --> 00:01:11.719 Are we actually protecting? And maybe more importantly, why is 24 00:01:11.760 --> 00:01:13.680 it just so darn hard to get right. 25 00:01:14.079 --> 00:01:16.560 That is absolutely the place to start. So the main 26 00:01:16.680 --> 00:01:20.319 guide we're looking at points to a well a widely 27 00:01:20.480 --> 00:01:23.319 used standard recommendation X point one two zero five from 28 00:01:23.319 --> 00:01:26.760 the ITU for a clear definition, and at its core, 29 00:01:27.000 --> 00:01:31.519 cybersecurity is about well pretty much everything we do. The tools, 30 00:01:31.519 --> 00:01:36.359 the policies, security concepts, safeguards, guidelines, the whole shebang, the 31 00:01:36.400 --> 00:01:41.480 whole shabank. Yeah, risk management, approaches, actions, training, best practices, 32 00:01:41.519 --> 00:01:44.519 assurance technologies, all the stuff we use to protect the 33 00:01:44.519 --> 00:01:49.000 cyberspace environment and crucially organization and user's assets. 34 00:01:49.079 --> 00:01:52.760 Okay, assets, that sounds broad. What does that actually mean here? 35 00:01:52.840 --> 00:01:54.840 It is broad. It's much more than just computers. We're 36 00:01:54.840 --> 00:02:01.120 talking all connected computing devices, sure, but also personnel, the people, infrastructure, applications, services, 37 00:02:01.400 --> 00:02:05.359 telecommunications systems. It's a lot. Yeah, And just to be clear, 38 00:02:05.439 --> 00:02:07.760 cybersecurity itself, it's kind of an umbrella term. It covers 39 00:02:07.760 --> 00:02:09.199 information security. 40 00:02:08.759 --> 00:02:10.599 Which isn't just electronic stuff. 41 00:02:10.439 --> 00:02:14.560 No, exactly electronic information, but also non electronic forms. And 42 00:02:14.639 --> 00:02:15.919 it covers network security too. 43 00:02:16.039 --> 00:02:18.520 Okay, so it's broad. Now here's where I think it 44 00:02:18.520 --> 00:02:23.879 gets really interesting. The guide highlights these like deep seated 45 00:02:23.960 --> 00:02:28.479 dilemmas almost paradoxes. Yeah, that make cybersecurity so tricky. 46 00:02:28.800 --> 00:02:32.800 Absolutely, these are fundamental challenges. A key paper mentioned CiCe 47 00:02:32.919 --> 00:02:37.840 fourteen calls them cybersecurity dilemmas, and there they're really revealing, 48 00:02:38.000 --> 00:02:41.400 like what, Well, First, just the sheer scale and complexity 49 00:02:41.439 --> 00:02:45.280 of cyberspace. It's enormous. It's constantly changing. You've got everything 50 00:02:45.319 --> 00:02:48.319 from your mobile phone to industrial control. 51 00:02:47.960 --> 00:02:50.520 Systems, extra protect all of that exactly. 52 00:02:50.199 --> 00:02:53.039 It's inherently challenging. Second, and this is a classic one, 53 00:02:53.080 --> 00:02:56.199 the conflict between making things easy to use and making 54 00:02:56.199 --> 00:02:56.840 them secure. 55 00:02:57.120 --> 00:02:59.439 Ah yeah, convenience versus security. 56 00:02:59.680 --> 00:03:03.439 Right, Simpler systems, more isolated ones, they're easier to lock down, 57 00:03:03.800 --> 00:03:07.120 but we all demand more features, more connectivity, and that 58 00:03:07.199 --> 00:03:08.719 adds complexity. 59 00:03:08.159 --> 00:03:10.159 Which often means less security. 60 00:03:09.800 --> 00:03:13.360 Often, yeah, ironically. And the kicker is if security gets 61 00:03:13.400 --> 00:03:16.639 too inconvenient, people will find ways around it. It's just 62 00:03:16.800 --> 00:03:17.479 human nature. 63 00:03:17.719 --> 00:03:19.400 That's a huge factor, it really is. 64 00:03:19.639 --> 00:03:23.120 And finally there's the danger of just you know, making 65 00:03:23.159 --> 00:03:26.159 it up as you go along to grow your own approach. 66 00:03:26.639 --> 00:03:27.159 Winging it. 67 00:03:27.680 --> 00:03:32.639 Pretty much, the text is clear ad hocs cybersecurity just 68 00:03:32.680 --> 00:03:37.120 trying to patch things together without following establish best practices 69 00:03:37.159 --> 00:03:40.719 and standards. That's basically asking for trouble. Like building a 70 00:03:40.719 --> 00:03:43.159 bridge without blueprints, you just wouldn't do it. 71 00:03:43.280 --> 00:03:46.520 That makes perfect sense. Okay, So the digital world's complex 72 00:03:46.840 --> 00:03:50.599 people are a challenge. How do organizations even start to 73 00:03:50.599 --> 00:03:53.479 bring order to this? The source points to something called 74 00:03:53.520 --> 00:03:54.479 security governance. 75 00:03:54.520 --> 00:03:57.479 Security governance, yes, think of it as the rule book 76 00:03:57.560 --> 00:04:01.039 and the oversight for security. The definition is the framework 77 00:04:01.080 --> 00:04:04.199 by which policy and direction is set, okay, providing senior 78 00:04:04.240 --> 00:04:07.520 management with assurance that security management activities are being performed 79 00:04:07.520 --> 00:04:10.520 correctly and consistently. So it's about setting the direction and 80 00:04:10.560 --> 00:04:11.520 making sure it's followed. 81 00:04:11.639 --> 00:04:13.759 Like the Compass for security. 82 00:04:13.199 --> 00:04:16.839 Exactly, and its core principles are key. One security needs 83 00:04:16.879 --> 00:04:19.040 to be everywhere in the organization, not just an IT 84 00:04:19.360 --> 00:04:23.319 problem right baked in baked in. Two, you adopt a 85 00:04:23.399 --> 00:04:27.639 risk based approach, so decisions about what to protect and 86 00:04:27.680 --> 00:04:30.240 how much to spend are based on actual risk. You know, 87 00:04:30.279 --> 00:04:31.680 the organization's appetite for. 88 00:04:31.720 --> 00:04:33.120 Risk, not just gut feelings. 89 00:04:33.199 --> 00:04:36.360 Not just gut feelings. And three, you have to continuously 90 00:04:36.439 --> 00:04:41.160 monitor and improve link security performance to the overall business goals. 91 00:04:41.279 --> 00:04:42.439 It's an ongoing thing. 92 00:04:42.279 --> 00:04:45.199 That sounds robust, and it's not just a vague idea, right. 93 00:04:45.279 --> 00:04:49.480 There are specific roles like the c isso, yes, the. 94 00:04:49.439 --> 00:04:53.879 C ISO Chief Information Security Officer. This role is critical, 95 00:04:54.120 --> 00:04:57.319 really central. They've got the overall responsibility for the whole 96 00:04:57.480 --> 00:05:02.399 enterprise information security program pretty much. They act as the 97 00:05:02.399 --> 00:05:05.800 main link between the executives and the security program. They 98 00:05:05.879 --> 00:05:09.439 establish and maintain the isms the information Security Management system, 99 00:05:09.480 --> 00:05:13.040 which is like the security playbook essentially, yes, the comprehensive 100 00:05:13.040 --> 00:05:16.199 approach to managing all security processes and policies. They also 101 00:05:16.240 --> 00:05:19.720 define the risk treatment plan, monitor everything and for bigger companies, 102 00:05:19.839 --> 00:05:23.920 frameworks like COVID five suggest having importing committees too, Oh right, 103 00:05:23.920 --> 00:05:27.240 like an information Security Steering committee making sure good practices 104 00:05:27.279 --> 00:05:30.920 are used everywhere, and maybe an enterprise risk management committee 105 00:05:31.040 --> 00:05:34.000 looking at risk across the entire business, not just it. 106 00:05:34.759 --> 00:05:36.839 Oh okay, so there's structure at the top. But you 107 00:05:36.879 --> 00:05:40.000 mentioned in people earlier it's not just the executives, right, 108 00:05:40.079 --> 00:05:44.040 what about everyone else? The guide really stresses human resource 109 00:05:44.040 --> 00:05:46.360 security across the whole employee journey. 110 00:05:46.639 --> 00:05:49.759 Absolutely, it's not just the c suite. It starts before 111 00:05:49.800 --> 00:05:53.120 someone's even hired, during the hiring process. 112 00:05:53.120 --> 00:05:55.319 Really how so, well. 113 00:05:55.240 --> 00:05:59.160 Checking applicants properly is vital. Organizations can actually be liable 114 00:05:59.240 --> 00:06:01.959 for negligent and hiring if they don't do due diligence 115 00:06:02.439 --> 00:06:04.160 and an employee then causes harm. 116 00:06:04.360 --> 00:06:05.879 Wow, Okay, then. 117 00:06:05.800 --> 00:06:09.079 During ongoing management you've got two main types of employee 118 00:06:09.079 --> 00:06:12.600 caused security issues. There's accidental or negligent stuff. Maybe they 119 00:06:12.600 --> 00:06:14.480 didn't understand a policy or took a shortcut. 120 00:06:14.519 --> 00:06:16.000 We've all been tempted, right. 121 00:06:16.319 --> 00:06:20.000 Versus malicious intent someone deliberately trying to cause damage. 122 00:06:20.079 --> 00:06:22.079 So how do you deal with the accidental stuff? 123 00:06:22.240 --> 00:06:26.279 That's where security awareness and education come in. It's crucial 124 00:06:26.680 --> 00:06:30.519 for reducing that accidental or negligent harm. You need a 125 00:06:30.519 --> 00:06:33.560 baseline for everyone, maybe like a cybersecurity essentials. 126 00:06:33.160 --> 00:06:35.680 Program, basic training for all exactly. 127 00:06:35.759 --> 00:06:39.279 And then more specific role based training for jobs with 128 00:06:39.439 --> 00:06:43.279 particular security needs. The big goal here is fostering a 129 00:06:43.360 --> 00:06:45.480 real culture of security. 130 00:06:45.040 --> 00:06:47.319 Where it's just part of how things are done. 131 00:06:47.439 --> 00:06:50.759 Yeah, where people understand why security matters and what their 132 00:06:50.800 --> 00:06:53.879 part is. It's not just ticking boxes, like being part 133 00:06:53.920 --> 00:06:55.759 of a team where everyone knows the play. 134 00:06:56.519 --> 00:06:58.639 And what about when someone leaves. 135 00:06:58.600 --> 00:07:01.800 Termination of employment? That's another critical point. You need procedures 136 00:07:01.879 --> 00:07:05.279 to immediately remove all their access, get back company data. 137 00:07:05.959 --> 00:07:07.959 Basically lock the doors behind. 138 00:07:07.759 --> 00:07:11.480 Them securely, right, prevent any parting shots. Okay, so governance 139 00:07:11.519 --> 00:07:14.399 and people are key, but you mentioned risk. Before you 140 00:07:14.399 --> 00:07:16.360 can build defenses, you need to figure out what you're 141 00:07:16.360 --> 00:07:21.360 defending against. Information risk assessment sounds a bit like detective work. 142 00:07:21.519 --> 00:07:24.199 It kind of is the formal definitions the overall process 143 00:07:24.199 --> 00:07:28.839 of risk identification, risk analysis, and risk evaluation. Breaking that down, okay, 144 00:07:28.839 --> 00:07:32.319 think of it like this. First, you identify what could 145 00:07:32.360 --> 00:07:34.199 go wrong. Those are your. 146 00:07:34.040 --> 00:07:36.399 Threats like malware hackers yep. 147 00:07:36.680 --> 00:07:38.959 Then you figure out where your weaknesses are that those 148 00:07:39.079 --> 00:07:42.920 threats could exploit those a your vulnerabilities. 149 00:07:42.240 --> 00:07:44.199 Like unpatched software exactly. 150 00:07:44.759 --> 00:07:48.680 Then you put in place controls measures to reduce those vulnerabilities. 151 00:07:49.360 --> 00:07:52.000 But the really key part is assessing two things for 152 00:07:52.040 --> 00:07:56.519 each threat, the potential impact how bad would it be 153 00:07:56.560 --> 00:07:59.199 if this happened? And a likelihood how likely. 154 00:07:59.079 --> 00:08:00.800 Is it to happen impact it's in likelihood. 155 00:08:00.839 --> 00:08:03.839 Without understanding both, you're just guessing where to focus your 156 00:08:03.879 --> 00:08:06.879 efforts and your budget. You need that info to make smart. 157 00:08:06.639 --> 00:08:09.519 Decisions, so you prioritize the big likely risks. 158 00:08:09.600 --> 00:08:12.079 That's the idea. And it's not something you do once 159 00:08:12.439 --> 00:08:15.079 one source X point one zero five to five really 160 00:08:15.160 --> 00:08:18.879 highlights that risk management is iterative. It's a continuous cycle. 161 00:08:18.639 --> 00:08:19.480 Always reassessing. 162 00:08:19.920 --> 00:08:20.319 Got it. 163 00:08:20.439 --> 00:08:23.319 Now, you mentioned protecting assets. We established it's broad. But 164 00:08:23.399 --> 00:08:25.319 what kind of things that we're talking about specifically? Is 165 00:08:25.360 --> 00:08:26.720 it just computers and data? 166 00:08:26.800 --> 00:08:30.439 Oh? Much broader? Assets are defined as anything of value 167 00:08:30.480 --> 00:08:34.799 to the business that requires protection. So yes, hardware, software, information, 168 00:08:35.399 --> 00:08:40.320 but also less tangible things right like the company's reputation, goodwill, 169 00:08:41.320 --> 00:08:44.240 even employee morale can be an asset impacted by a 170 00:08:44.240 --> 00:08:45.039 cyber incident. 171 00:08:45.279 --> 00:08:47.080 Interesting, So how do you track all that? 172 00:08:47.519 --> 00:08:50.679 You identify them and document them? Note doubt who owns it, 173 00:08:50.879 --> 00:08:54.240 where it is, what business function it supports, and really 174 00:08:54.240 --> 00:08:57.879 importantly the data type or classification. 175 00:08:57.399 --> 00:08:58.960 How sensitive is the data on it? 176 00:08:59.080 --> 00:09:02.960 Exactly? That classification helps determine the assets value, which might 177 00:09:03.000 --> 00:09:05.879 be monetary or based on how critical that information is. 178 00:09:06.080 --> 00:09:07.399 It drives the whole risk process. 179 00:09:07.559 --> 00:09:10.000 Okay, And the threats, where do they come from? Is 180 00:09:10.000 --> 00:09:12.080 it just like random attacks or are their patterns? 181 00:09:12.240 --> 00:09:14.840 There are definitely patterns, though it can feel chaotic. Sometimes 182 00:09:15.080 --> 00:09:18.919 organizations use threat intelligence sources think reports from security companies 183 00:09:18.919 --> 00:09:21.679 like trust Wave or Cisco to understand the landscape so 184 00:09:21.759 --> 00:09:24.360 they know what's out there, right, And you can categorize 185 00:09:24.360 --> 00:09:27.519 threats in different ways, sometimes by the actor, is it 186 00:09:27.600 --> 00:09:31.639 cyber criminals after money, state sponsored groups, maybe an unhappy insider, 187 00:09:32.399 --> 00:09:36.399 or you can categorize them by the action hacking, malware, 188 00:09:36.559 --> 00:09:40.639 social engineering, phishing attacks. And remember those dilemmas we talked about, you. 189 00:09:40.559 --> 00:09:42.159 Are the complexity, ease of use. 190 00:09:42.759 --> 00:09:45.840 Well, some specific threat types tie back to those, like 191 00:09:46.039 --> 00:09:50.919 distortion I think automated misinformation, fake news, stuff that compromises 192 00:09:50.960 --> 00:09:55.679 systems by feeding them bad data. Or deterioration where your 193 00:09:55.720 --> 00:09:59.120 existing controls just get weaker over time because tech change 194 00:09:59.200 --> 00:10:01.440 is so fast, or new regulations pop. 195 00:10:01.320 --> 00:10:04.840 Up so you constantly have to watch for things just degrading. 196 00:10:04.879 --> 00:10:06.720 Absolutely, continuous assessment is key. 197 00:10:06.759 --> 00:10:08.600 So how do you actually measure all this risk? Is 198 00:10:08.639 --> 00:10:11.279 it just assigning high, medium, low or is there something 199 00:10:11.320 --> 00:10:12.799 more scientific? 200 00:10:12.960 --> 00:10:16.240 Both really qualitative methods like your low medium high, or 201 00:10:16.399 --> 00:10:19.480 maybe estimating frequency like less than once a year. Yeah, 202 00:10:19.519 --> 00:10:20.039 those are. 203 00:10:19.879 --> 00:10:22.279 Common gut feeling plus some structure. 204 00:10:22.120 --> 00:10:24.919 Kind of yeah, But for a more rigorous approach, you 205 00:10:25.039 --> 00:10:29.039 use quantitative methods. There's a methodology called fair factor analysis 206 00:10:29.080 --> 00:10:30.120 of information risk. 207 00:10:30.320 --> 00:10:30.679 Fair. 208 00:10:30.879 --> 00:10:33.840 Yeah, it's basic ideas that all risk can be measured 209 00:10:33.879 --> 00:10:38.799 and quantified. It often involves probabilistic estimates, maybe running complex 210 00:10:38.840 --> 00:10:43.399 simulations like thousands of what if attack scenarios to predict 211 00:10:43.399 --> 00:10:44.919 the dollar cost and likelihood. 212 00:10:44.919 --> 00:10:46.840 Wow, Okay, that sounds complex. 213 00:10:47.120 --> 00:10:50.279 It can be, but tools exist to help, like a 214 00:10:50.320 --> 00:10:54.000 business Impact Reference table or burnt Burnt. It's a table 215 00:10:54.000 --> 00:10:57.879 that helps you consistently define different types of impact financial loss, 216 00:10:58.200 --> 00:11:02.519 reputation damage, operational disruption, and their severity levels maybe from 217 00:11:02.759 --> 00:11:06.919 insignificant up to catastrophic. So everyone's speaking the same language about. 218 00:11:06.679 --> 00:11:08.519 Impact, standardizing it exactly. 219 00:11:08.960 --> 00:11:13.240 And another standard tool is CVSS, the Common Vulnerability Scoring System. 220 00:11:13.639 --> 00:11:16.720 It gives vulnerabilities a score based on things like how 221 00:11:16.759 --> 00:11:19.120 easy they are to exploit and what the impact would be. 222 00:11:19.559 --> 00:11:21.840 Helps you prioritize which flaws to fix first. 223 00:11:22.120 --> 00:11:24.960 Okay, so you understand the assets, the threats, the risks. 224 00:11:25.000 --> 00:11:28.000 Now you build the defenses. That's where security controls come in, right. 225 00:11:27.919 --> 00:11:31.960 That's exactly right. Security controls are basically the measures implemented 226 00:11:32.000 --> 00:11:35.559 to reduce vulnerability. They're your locks, your alarms, your firewalls, 227 00:11:36.039 --> 00:11:37.320 all the defenses. 228 00:11:36.879 --> 00:11:38.039 And there are guides for these. 229 00:11:38.240 --> 00:11:41.399 Oh yes, authoritative sources like NISSED SB eight hundred and 230 00:11:41.399 --> 00:11:45.799 fifty three, the CIS Critical Security Controls ISO twenty seven 231 00:11:45.840 --> 00:11:49.559 thousand or two. These provide massive lists and guidances like 232 00:11:49.600 --> 00:11:51.840 the blueprints for building a secure environment. 233 00:11:51.519 --> 00:11:53.039 And controls work in different ways. 234 00:11:53.240 --> 00:11:56.399 Yeah, they can mitigate risk differently. For instance, a firewall 235 00:11:56.440 --> 00:11:59.759 filter might avoid risk by blocking bad traffic entirely, stop 236 00:11:59.759 --> 00:12:03.159 it at the door. Right. An incident response plan mitigates risk. 237 00:12:03.720 --> 00:12:05.879 It lessens the damage if an attack does get through. 238 00:12:06.200 --> 00:12:09.840 And something like cyber insurance, that's risk transfer. You're shifting 239 00:12:09.840 --> 00:12:11.519 some of the financial risk to an insurer. 240 00:12:12.000 --> 00:12:15.080 Interesting. Okay, let's get specific. What about something we all 241 00:12:15.120 --> 00:12:18.840 deal with daily system access logging into things? 242 00:12:19.000 --> 00:12:24.919 Right? System access has three core functions. First, authentication, proving 243 00:12:24.960 --> 00:12:25.879 you are who you say. 244 00:12:25.720 --> 00:12:28.200 You are, showing your ID basically, yeah. 245 00:12:28.000 --> 00:12:33.039 Verifying identity. Second authorization, once you've verified, what are you 246 00:12:33.039 --> 00:12:34.600 actually allowed to do or access? 247 00:12:35.000 --> 00:12:35.679 Your permissions? 248 00:12:35.720 --> 00:12:40.000 Your permissions? And third accountability making sure actions can be 249 00:12:40.080 --> 00:12:42.840 traced back uniquely to who did them, so there's a 250 00:12:42.879 --> 00:12:48.279 record and responsibility. Now, for authentication proving who you are, 251 00:12:48.679 --> 00:12:51.879 there are generally three types of factors. First, the knowledge 252 00:12:51.879 --> 00:12:53.600 factor something you. 253 00:12:53.519 --> 00:12:55.679 Know, passwords, pns exactly. 254 00:12:55.840 --> 00:12:59.320 The big thread here is password cracking, even if they're stored, hashed, 255 00:12:59.720 --> 00:13:03.879 you know, scrambled. That's why strong password policies blocking common 256 00:13:03.919 --> 00:13:07.919 weak ones using things like one time password devices OTPs 257 00:13:07.919 --> 00:13:08.679 are vital. 258 00:13:08.399 --> 00:13:10.000 Where you get a new code each time. 259 00:13:10.200 --> 00:13:13.799 Right. Second factor possession something you have, like. 260 00:13:13.799 --> 00:13:16.759 A security keyfob or a smart card. 261 00:13:16.679 --> 00:13:20.879 Precisely hardware tokens, smart cards, electronic ideas. The threats there 262 00:13:20.879 --> 00:13:23.720 could be eavedropping on the communication or replay attacks where 263 00:13:23.759 --> 00:13:25.919 someone records your log in and tries to reuse it later. 264 00:13:26.080 --> 00:13:27.159 Sneaky can be. 265 00:13:27.480 --> 00:13:30.039 And the third factor is inherence something you are. 266 00:13:30.240 --> 00:13:32.240 Biometrics, fingerprints, face. 267 00:13:32.080 --> 00:13:35.720 Scans, YEP, fingerprint, face iris scans, uneral first, then verify 268 00:13:35.759 --> 00:13:39.519 each time. The challenge there is something called presentation attacks. 269 00:13:39.200 --> 00:13:41.559 Or PA faking the biometric. 270 00:13:41.240 --> 00:13:43.279 Trying to fool the scanner with a fake figure print 271 00:13:43.399 --> 00:13:46.519 or a photo. Yeah. Now, the really powerful thing here 272 00:13:46.639 --> 00:13:49.960 is using two or more of these factors together. That's 273 00:13:50.200 --> 00:13:53.080 multi factor authentication or MFA, like. 274 00:13:53.039 --> 00:13:55.960 A password plus a code from your phone exactly. 275 00:13:56.080 --> 00:13:59.919 It dramatically increases security because an attacker needs to compro 276 00:14:00.039 --> 00:14:03.360 buys multiple different types of factors, not just steal a 277 00:14:03.399 --> 00:14:04.440 password makes sense. 278 00:14:04.679 --> 00:14:08.159 So once you're in, how do organizations control what you 279 00:14:08.159 --> 00:14:09.879 can do? That's access control right right. 280 00:14:09.960 --> 00:14:11.879 That's where access control models come in. There are a 281 00:14:11.919 --> 00:14:15.919 few main types. Discretionary access control or DAC is probably 282 00:14:15.960 --> 00:14:17.440 the most common one you encounter. 283 00:14:17.480 --> 00:14:18.240 How does that work? 284 00:14:18.519 --> 00:14:21.559 It's where the owner of a resource decides who gets access. 285 00:14:22.200 --> 00:14:24.440 Like on your own computer, you decide who could read 286 00:14:24.480 --> 00:14:25.320 or write your files. 287 00:14:25.480 --> 00:14:26.759 Okay, I control my stuff. 288 00:14:26.799 --> 00:14:31.039 Then there's mandatory access control or MAC. This is much stricter, 289 00:14:31.279 --> 00:14:34.039 system enforced. You see it more in military or high 290 00:14:34.039 --> 00:14:39.000 security environments. Access is based on security labels or classifications, 291 00:14:39.039 --> 00:14:40.240 not just the owner's choice. 292 00:14:40.240 --> 00:14:40.840 More rigid. 293 00:14:41.279 --> 00:14:46.120 Very Then you have role based access control RBAC. Access 294 00:14:46.240 --> 00:14:48.200 is granted based on your job role in the. 295 00:14:48.240 --> 00:14:52.759 Organization, So all engineers get engineer access, all sales folks 296 00:14:52.759 --> 00:14:53.759 get sales access. 297 00:14:53.840 --> 00:14:58.559 Pretty much simplifies administration. And finally there's attribute based access 298 00:14:58.600 --> 00:15:02.039 control or ABA. This is where granular are more flexible. 299 00:15:02.120 --> 00:15:06.519 How So, access decisions are based on multiple attributes of 300 00:15:06.559 --> 00:15:09.759 the user, the resource they're trying to access, even the environment, 301 00:15:09.879 --> 00:15:12.279 like maybe you can only access certain data if you're 302 00:15:12.320 --> 00:15:14.039 on the corporate network during business hours. 303 00:15:14.159 --> 00:15:16.360 Ah, context matters exactly. 304 00:15:16.559 --> 00:15:19.679 SP one eight one hundred and three gives examples like that, location, 305 00:15:19.919 --> 00:15:21.399 time of day, device type. 306 00:15:21.519 --> 00:15:24.240 Okay, that covers getting in and moving around. Let's zoom 307 00:15:24.279 --> 00:15:27.399 out a bit. What about the big infrastructure pieces server 308 00:15:27.519 --> 00:15:28.320 software development? 309 00:15:28.519 --> 00:15:32.480 Good question. Let's start with server configuration and virtualization. Servers 310 00:15:32.480 --> 00:15:35.120 are prime targets, right. Compromise one and you might get 311 00:15:35.159 --> 00:15:36.039 access to the whole network. 312 00:15:36.120 --> 00:15:36.720 Yeah, big risk. 313 00:15:37.000 --> 00:15:41.240 So organizations increasingly use virtualization, creating virtual versions of servers 314 00:15:41.279 --> 00:15:44.200 or networks. It helps with efficiency and management. You have 315 00:15:44.240 --> 00:15:46.919 different types like type one hypervisors. 316 00:15:46.399 --> 00:15:48.759 Which run directly on the hardware baar metal. 317 00:15:48.600 --> 00:15:52.519 Right, generally seen is more secure versus type two hypervisors, 318 00:15:52.519 --> 00:15:54.879 which run on top of an existing operating system may 319 00:15:54.879 --> 00:15:58.799 be a bit less secure. And containers are another sort 320 00:15:58.799 --> 00:16:02.000 of lighter weight virtualization approach that's popular. 321 00:16:02.039 --> 00:16:03.799 But virtualization has risks too. 322 00:16:03.919 --> 00:16:07.559 Oh yeah. A major concern is VM escape. That's where 323 00:16:07.639 --> 00:16:11.440 malicious code inside one virtual machine manages to break out 324 00:16:11.480 --> 00:16:15.200 and access the underlong hypervisor or maybe other vms on 325 00:16:15.240 --> 00:16:15.960 the same host. 326 00:16:16.080 --> 00:16:17.679 Ooh, that's bad, very bad. 327 00:16:18.200 --> 00:16:22.720 Needs careful configuration. Now, moving to system development and application security. 328 00:16:22.759 --> 00:16:25.799 The big concept here is security by design. 329 00:16:25.600 --> 00:16:29.639 Building security in from the start exactly, not tacking it 330 00:16:29.679 --> 00:16:30.279 on at the end. 331 00:16:30.519 --> 00:16:32.639 It needs to be part of every phase of the 332 00:16:32.639 --> 00:16:36.639 system development life cycle the SDLC, from the initial idea 333 00:16:36.759 --> 00:16:38.679 right through to retiring the system. 334 00:16:38.759 --> 00:16:39.559 How do you achieve that? 335 00:16:39.840 --> 00:16:43.279 Well, things like DevOps culture help. It encourages collaboration between 336 00:16:43.279 --> 00:16:48.080 development operations and security teams, automating security checks into the development. 337 00:16:47.639 --> 00:16:49.600 Pipeline, making it part of the flow right. 338 00:16:49.919 --> 00:16:52.759 And for applications themselves, you have tools like Web application 339 00:16:52.840 --> 00:16:55.799 firewalls or wfs. They sit in front of web apps 340 00:16:55.799 --> 00:16:56.960 and filter out common. 341 00:16:56.679 --> 00:16:58.519 Attacks, protecting websites yep. 342 00:16:58.919 --> 00:17:03.440 And one often overla is end user developed applications EDAs. 343 00:17:03.679 --> 00:17:06.559 What are those like? Complex spreadsheets people. 344 00:17:06.279 --> 00:17:11.279 Build exactly those monster spreadsheets? Maybe simple databases people create themselves. 345 00:17:11.480 --> 00:17:14.720 They seem harmless, but they can have huge risks, errors, 346 00:17:14.720 --> 00:17:17.640 no audit trails, compliance problems, hidden. 347 00:17:17.359 --> 00:17:20.599 Costs, stuff it doesn't even know about sometimes. 348 00:17:20.039 --> 00:17:23.880 Often so you need a framework to manage them too. Governance, people, 349 00:17:24.480 --> 00:17:26.680 process technology. You can't just ignore them. 350 00:17:26.720 --> 00:17:31.119 Good point. Okay, what about sneakier threats malware hiding on 351 00:17:31.279 --> 00:17:34.160 systems or sensitive data leaking out right. 352 00:17:34.200 --> 00:17:37.319 So malware protection malware is just you know, hostile or 353 00:17:37.319 --> 00:17:43.039 intrusive software. The guide lists loads of types of adware, spyware, ransomware. 354 00:17:42.519 --> 00:17:44.599 The nasty stuff that locks your files that's the. 355 00:17:44.519 --> 00:17:47.400 One, rootkits that hide deep in the system, even fileless 356 00:17:47.440 --> 00:17:50.039 malware that runs only in memory, making it really hard 357 00:17:50.039 --> 00:17:50.559 to spot. 358 00:17:50.759 --> 00:17:52.160 So anti virus is key. 359 00:17:52.440 --> 00:17:56.640 Antivirus software is a core defense. Yes. Best practices are 360 00:17:56.680 --> 00:17:59.720 things like real time scanning, making sure it monitors common 361 00:17:59.720 --> 00:18:03.519 appleations like email and browsers, and keeping it constantly updated 362 00:18:03.680 --> 00:18:06.880 with the latest threat signatures. Got to keep it sharp absolutely. 363 00:18:07.519 --> 00:18:12.559 Then there's data loss prevention or DLP, stopping leaks exactly. 364 00:18:13.200 --> 00:18:16.839 Its whole purpose is to identify sensitive information and prevent 365 00:18:16.880 --> 00:18:19.599 it from leaving the organization without authorization. 366 00:18:20.000 --> 00:18:21.359 How does it know what's sensitive? 367 00:18:21.839 --> 00:18:24.279 It looks at data in three states where it's vulnerable, 368 00:18:24.680 --> 00:18:27.440 data in motion traveling across the network like in an email, 369 00:18:27.680 --> 00:18:30.880 data atrests stored on servers or laptops, and data in 370 00:18:31.039 --> 00:18:34.400 use actively being processed in memory or by the CPU. Okay, 371 00:18:34.559 --> 00:18:37.240 And it uses various techniques to spot the sensitive stuff, 372 00:18:37.400 --> 00:18:40.559 keyword matching, looking for specific patterns like credit card numbers, 373 00:18:40.640 --> 00:18:43.880 exact data matching against a database of sensitive info, or 374 00:18:43.960 --> 00:18:46.920 even fingerprinting entire documents. 375 00:18:46.599 --> 00:18:48.880 Like a digital signature for a secret file. 376 00:18:48.839 --> 00:18:51.400 Kind of Yeah, so the system recognizes it if someone 377 00:18:51.440 --> 00:18:54.000 tries to, say, upload it to a personal cloud drive. 378 00:18:54.599 --> 00:18:57.160 And related to this is digital Rights management. 379 00:18:56.839 --> 00:18:59.160 DRM, like on movies or music. 380 00:18:59.240 --> 00:19:03.160 Similar idea but for corporate data too. Policies in tech 381 00:19:03.359 --> 00:19:06.079 to control how digital content can be used after it's 382 00:19:06.079 --> 00:19:10.519 been distributed, maybe preventing printing or forwarding, and underpinning a 383 00:19:10.559 --> 00:19:14.640 lot of this. Secure communication and data protection is cryptography 384 00:19:14.759 --> 00:19:20.400 and public key INFRASTRUCTUREKI encryption and keys right, using things 385 00:19:20.480 --> 00:19:23.799 like secure hash functions, they create a unique fingerprint of 386 00:19:23.920 --> 00:19:27.359 data to ensure it hasn't been tampered with. Ensuring integrity. 387 00:19:27.799 --> 00:19:32.039 Key management is critical too, especially understanding crypto periods. 388 00:19:31.720 --> 00:19:34.119 Meaning how long a key should be used exactly. 389 00:19:34.400 --> 00:19:36.799 Key shouldn't be used forever because they become more vulnerable 390 00:19:36.839 --> 00:19:39.759 over time. And PKI is the whole system for managing 391 00:19:39.799 --> 00:19:42.079 public keys and digital certificates. 392 00:19:41.480 --> 00:19:43.880 The things that let your browser trust a website. 393 00:19:44.119 --> 00:19:47.920 That's a big part of it. Yeah, secure communication, identity verification, 394 00:19:48.039 --> 00:19:49.839 it's the trust infrastructure of the Internet. 395 00:19:49.880 --> 00:19:54.440 Really Okay, So we've built defenses, but stuff still happens, right, 396 00:19:54.720 --> 00:19:58.799 breaches occur? What then? This is where incident management kicks in. 397 00:19:59.039 --> 00:20:03.039 Absolutely critical, because no defense is perfect. First, though, a 398 00:20:03.119 --> 00:20:07.400 quick distinction, there's a security event that's just something happening 399 00:20:07.400 --> 00:20:10.319 that might have security implications, maybe a failed log in, 400 00:20:10.519 --> 00:20:13.839 a blip on the radar, right, versus a security incident. 401 00:20:14.079 --> 00:20:20.200 That's when something occurs that actually potentially compromises your confidentiality, integrity, 402 00:20:20.279 --> 00:20:24.119 or availability, like a successful hack. That's the real deal. 403 00:20:24.000 --> 00:20:27.079 Got it? So what's the process for handling an incident? 404 00:20:27.400 --> 00:20:30.160 The incident response live cycle, often based on this SP 405 00:20:30.279 --> 00:20:33.680 eight hundred and sixty one, has four main phases. First, 406 00:20:33.839 --> 00:20:35.200 and maybe most important, is. 407 00:20:35.440 --> 00:20:37.880 Preparation getting ready before it happens. 408 00:20:38.000 --> 00:20:41.640 Exactly having policies, plans, training tools all set up before 409 00:20:41.680 --> 00:20:43.640 an incident. You don't want to be figuring this out 410 00:20:43.759 --> 00:20:46.279 during a crisis. It's like having your fire department ready. 411 00:20:46.400 --> 00:20:46.839 Makes sense. 412 00:20:46.960 --> 00:20:50.400 The detection analysis. This is where you actually identify that 413 00:20:50.480 --> 00:20:53.359 an incident is happening, figure out what's going on, often 414 00:20:53.440 --> 00:20:57.240 using event correlation, linking seemingly random alerts together to see 415 00:20:57.240 --> 00:20:59.759 the bigger picture. How bad is it, what's. 416 00:20:59.599 --> 00:21:02.759 Effect, finding the fire and assessing it good analogy. 417 00:21:03.359 --> 00:21:08.079 Third phase containment, eradication and recovery. This is the hands 418 00:21:08.119 --> 00:21:11.920 on part. Stop the bleeding, contained the attack, get rid 419 00:21:11.920 --> 00:21:14.720 of the threat, eradicate the malware, and get things back 420 00:21:14.720 --> 00:21:19.759 to normal securely. Recovery often involves restoring from clean backups, 421 00:21:19.799 --> 00:21:24.000 patching systems, changing passwords, the cleanup crew pretty much, and 422 00:21:24.119 --> 00:21:28.160 finally post incident activity. This is absolutely crucial, but sometimes skipped. 423 00:21:28.480 --> 00:21:29.720 The lessons learned. 424 00:21:29.519 --> 00:21:32.200 Phase figuring out what went wrong and how to stop. 425 00:21:31.960 --> 00:21:36.279 It next time exactly, evaluating the response, improving procedures. It 426 00:21:36.319 --> 00:21:40.599 also includes forensic analysis, digging into the details, preserving evidence 427 00:21:40.640 --> 00:21:44.200 carefully in case legal action is needed, like a post mortem. 428 00:21:44.279 --> 00:21:48.400 Okay, that's the digital response, but cybersecurity isn't purely digital, 429 00:21:48.480 --> 00:21:51.160 is it. What about protecting the actual buildings, the hardware. 430 00:21:51.480 --> 00:21:53.079 Physical security just as vital. 431 00:21:53.400 --> 00:21:55.039 You can have the best firewalls in the world, but 432 00:21:55.039 --> 00:21:57.079 if someone can walk in and unplug your server or 433 00:21:57.119 --> 00:21:59.000 steal it, game over right. 434 00:21:59.039 --> 00:21:59.960 So what are the threats there? 435 00:22:00.319 --> 00:22:05.799 They fall into three buckets. Environmental think natural disasters, fire, flood, 436 00:22:06.000 --> 00:22:11.279 extreme weather, even chemical spills, technical power failures HVAC issues 437 00:22:11.319 --> 00:22:19.079 causing overheating, dust, electromagnetic interference, and human caused unauthorized access, theft, vandalism, 438 00:22:19.079 --> 00:22:22.359 even insider threats. Doing physical damage lots to worry about, yep. 439 00:22:22.680 --> 00:22:25.839 So the approach is defense in depth. For physical security too, 440 00:22:26.000 --> 00:22:29.759 think layers like an onion layer. Yeah, concentric boundaries start 441 00:22:29.799 --> 00:22:34.359 with a site perimeter, fences, gates, then the billing perimeter, doors, windows, reception, 442 00:22:35.000 --> 00:22:38.240 then maybe the computer room itself with stronger locks, and 443 00:22:38.319 --> 00:22:42.039 finally locking equipment racks. Each layer has tighter access control. 444 00:22:42.119 --> 00:22:45.720 You might have unrestricted areas, restricted areas and really secure 445 00:22:45.799 --> 00:22:46.680 exclusion areas. 446 00:22:46.839 --> 00:22:50.519 Makes sense, multiple barriers and ultimately all the security physical 447 00:22:50.559 --> 00:22:53.240 and digital. It's about keeping the business running, isn't it, 448 00:22:53.279 --> 00:22:56.319 which leads to business continuity exactly. 449 00:22:56.440 --> 00:22:59.319 Business continuity is defined as the ability of an organization 450 00:22:59.359 --> 00:23:02.200 to maintain a se medental functions during and after a 451 00:23:02.240 --> 00:23:04.960 disaster has occurred. It's about keeping the lights on or 452 00:23:04.960 --> 00:23:06.240 getting them back on quickly. 453 00:23:06.480 --> 00:23:07.400 What does that involve? 454 00:23:07.559 --> 00:23:11.839 Key elements include continuity of management. Who's in charge of 455 00:23:11.880 --> 00:23:15.160 the boss isn't available? Train staff may be cross trains 456 00:23:15.160 --> 00:23:19.079 so people can cover critical roles, Resilient IT systems, backups, 457 00:23:19.400 --> 00:23:24.240 diverse communication paths and backup facilities, alternate buildings. 458 00:23:24.000 --> 00:23:26.279 Equipment, planning for the worst. 459 00:23:25.920 --> 00:23:29.400 Pretty much, and it involves balancing cost against two key metrics. 460 00:23:29.839 --> 00:23:32.680 RTO recovery time objective how fast you need to be 461 00:23:32.799 --> 00:23:36.119 back up and running, and RPO recovery point objective how 462 00:23:36.200 --> 00:23:39.240 much data can you afford to lose measured in time 463 00:23:39.359 --> 00:23:40.480 like the last hour's worth. 464 00:23:40.599 --> 00:23:44.039 Ah so, how quickly and how much data loss is? 465 00:23:44.079 --> 00:23:47.240 Okay? Right, it's a trade off. Faster recovery un less 466 00:23:47.279 --> 00:23:50.400 data loss usually cost more, and readiness is key here too. 467 00:23:50.720 --> 00:23:55.599 Awareness programs, specific training like evacuation drills and critically exercising 468 00:23:55.599 --> 00:23:57.680 and test in the plans regularly. You don't want the 469 00:23:57.680 --> 00:23:58.880 first test to be the real thing. 470 00:23:59.039 --> 00:23:59.559 Definitely not. 471 00:24:00.039 --> 00:24:03.920 And there's an evolving idea here called business resilience. It 472 00:24:03.960 --> 00:24:06.799 goes beyond just bouncing back. It's about adapting, being flexible, 473 00:24:07.079 --> 00:24:09.680 maybe even building systems that can self configure or self 474 00:24:09.720 --> 00:24:12.319 heal after disruption. More proactive, more adaptive. 475 00:24:12.400 --> 00:24:19.119 Yeah, okay, one last pace. You've got governance, people, risk assessment, controls, 476 00:24:19.319 --> 00:24:25.359 incident response, physical security, continuity plans. How do organizations know 477 00:24:25.440 --> 00:24:27.559 if any of this is actually working? And how do 478 00:24:27.559 --> 00:24:28.559 they keep getting better. 479 00:24:28.960 --> 00:24:31.960 That's where security monitoring and improvement comes in. It's about 480 00:24:32.039 --> 00:24:36.160 checking your work and learning. First, security audits like an 481 00:24:36.240 --> 00:24:40.119 inspection sort of independent reviews to check if controls are adequate, 482 00:24:40.119 --> 00:24:42.920 if policies are being followed, and to detect any breaches 483 00:24:43.000 --> 00:24:45.880 or weaknesses. They look at things like audit trails, logs 484 00:24:45.880 --> 00:24:50.000 of who did what when on systems, applications, user actions, 485 00:24:50.039 --> 00:24:51.400 even physical access. 486 00:24:51.160 --> 00:24:52.960 Logs, checking the records exactly. 487 00:24:53.440 --> 00:24:58.640 Second, security performance measurement. This means defining clear, measurable metrics 488 00:24:58.839 --> 00:25:01.640 things you can actually track, like what like the percentage 489 00:25:01.680 --> 00:25:04.359 of systems that have critical patches applied within x days 490 00:25:04.720 --> 00:25:07.319 or the number of security incidents detected per month. Things 491 00:25:07.359 --> 00:25:10.119 that are objective, reproducible and show progress. What are your 492 00:25:10.119 --> 00:25:12.559 security goals. It's like your security. 493 00:25:12.119 --> 00:25:14.039 Report card, quantifying it right. 494 00:25:14.400 --> 00:25:17.920 And Third, it all feeds into continuous improvement using the 495 00:25:17.960 --> 00:25:23.440 results from audits, performance metrics, incident reviews, self assessments. All 496 00:25:23.480 --> 00:25:28.160 that feedback loops back into refining policies, updating controls, maybe 497 00:25:28.240 --> 00:25:29.039 changing training. 498 00:25:29.240 --> 00:25:30.519 So it's a constant cycle. 499 00:25:30.680 --> 00:25:33.240 It has to be because the threats are always changing. 500 00:25:33.720 --> 00:25:36.680 Technology evolves. You never just set it and forget it. 501 00:25:37.000 --> 00:25:39.960 Cybersecurity requires constant vigilance and adaptation. 502 00:25:40.400 --> 00:25:44.880 Wow. Okay, so wrapping this up, what does it all mean? 503 00:25:45.319 --> 00:25:48.400 We've really journeyed through a massive landscape here, haven't we? 504 00:25:49.039 --> 00:25:51.519 From the basic definitions those tricky dilemmas. 505 00:25:51.640 --> 00:25:52.960 Yeah, why it's so hard to. 506 00:25:53.000 --> 00:25:57.200 Managing people, assessing risk, building all those layers of defense, 507 00:25:57.240 --> 00:26:00.160 technical and physical, responding when things go wrong, keeping the 508 00:26:00.160 --> 00:26:03.000 business running, and constantly checking and improving. 509 00:26:03.200 --> 00:26:06.119 It's a lot, But hopefully breaking it down like this helps. 510 00:26:05.839 --> 00:26:07.799 I think. So it feels like we've navigated a really 511 00:26:08.000 --> 00:26:09.680 comprehensive guide. 512 00:26:09.359 --> 00:26:12.000 And the goal for you listening was to give you 513 00:26:12.000 --> 00:26:15.880 that solid foundation, those practical insights, to turn what can 514 00:26:15.920 --> 00:26:19.599 feel like overwhelming information into knowledge you can actually use 515 00:26:19.880 --> 00:26:21.960 or at least understand better. 516 00:26:21.960 --> 00:26:24.039 Right, actionable knowledge exactly. 517 00:26:23.920 --> 00:26:25.839 And maybe leave you with the final thought to chew on. 518 00:26:26.079 --> 00:26:28.680 Oh well, as our lives get more and more tangled 519 00:26:28.720 --> 00:26:32.839 up with things like AI autonomous systems, how is that 520 00:26:32.880 --> 00:26:36.279 going to change cybersecurity? How will concepts like control and 521 00:26:36.279 --> 00:26:40.079 accountability even work when the systems won't be making decisions 522 00:26:40.119 --> 00:26:40.519 on their own? 523 00:26:40.599 --> 00:26:44.200 Huh? That's yeah, what new dilemmas might pop up for 524 00:26:44.319 --> 00:26:48.839 us for organizations when AI is managing security or potentially 525 00:26:48.880 --> 00:26:50.240 becoming a threat itself. 526 00:26:50.359 --> 00:26:52.119 It's definitely something to think about, isn't it. Yeah, the 527 00:26:52.200 --> 00:26:53.480 landscape is always shifting. 528 00:26:53.720 --> 00:26:56.480 A really thought provoking question to end on. Thank you 529 00:26:56.519 --> 00:26:59.240 for joining us on this deep dive today. Keep exploring, 530 00:26:59.359 --> 00:27:02.279 keep learning, and apply these insights to stay safer in 531 00:27:02.359 --> 00:27:03.240 our digital world.