WEBVTT

1
00:00:00.080 --> 00:00:02.640
<v Speaker 1>You know, think about logging into your online bank, or

2
00:00:02.640 --> 00:00:05.719
<v Speaker 1>maybe swiping your badge at work, getting into a secure area,

3
00:00:06.400 --> 00:00:08.560
<v Speaker 1>or even just hopping onto the office Wi-Fi. We

4
00:00:08.560 --> 00:00:11.519
<v Speaker 1>do this stuff all the time, right, but have you

5
00:00:11.560 --> 00:00:13.560
<v Speaker 1>ever stopped to think about what's really going on behind

6
00:00:13.599 --> 00:00:18.679
<v Speaker 1>the scenes, all the systems, the safeguards keeping things secure. Okay,

7
00:00:18.800 --> 00:00:21.079
<v Speaker 1>let's unpack this a bit. Today we're doing a deep dive

8
00:00:21.079 --> 00:00:25.239
<v Speaker 1>into information systems auditing and security. And forget that old image

9
00:00:25.280 --> 00:00:28.920
<v Speaker 1>of like a dusty accountant. We're talking about the guardians

10
00:00:28.920 --> 00:00:31.719
<v Speaker 1>of our digital world, our physical spaces too. These

11
00:00:31.760 --> 00:00:34.520
<v Speaker 1>are the pros, often with certifications like the CISA, that's

12
00:00:34.600 --> 00:00:38.039
<v Speaker 1>Certified Information Systems Auditor, who make sure our tech works

13
00:00:38.439 --> 00:00:42.159
<v Speaker 1>and, crucially, works safely. Our mission really is to get

14
00:00:42.200 --> 00:00:44.759
<v Speaker 1>inside the heads of these IS auditors. How do they think,

15
00:00:45.039 --> 00:00:47.799
<v Speaker 1>what risks are they looking for? And maybe uncover some

16
00:00:48.399 --> 00:00:50.880
<v Speaker 1>surprising ways they protect everything from your bank account to

17
00:00:50.920 --> 00:00:53.200
<v Speaker 1>the building you might be sitting in right now. We've

18
00:00:53.200 --> 00:00:55.359
<v Speaker 1>got a great CISA study guide here as our source,

19
00:00:55.719 --> 00:00:58.320
<v Speaker 1>which gives us a fantastic shortcut into their world.

20
00:00:58.520 --> 00:01:00.479
<v Speaker 2>Yeah, and what's really key, I think, is that it's

21
00:01:00.520 --> 00:01:03.119
<v Speaker 2>not just about hunting for mistakes already made. It's more

22
00:01:03.159 --> 00:01:07.079
<v Speaker 2>about understanding the whole tech ecosystem of an organization from

23
00:01:07.120 --> 00:01:11.680
<v Speaker 2>the ground up. The goal is building resilience, proactively thinking ahead,

24
00:01:11.760 --> 00:01:12.879
<v Speaker 2>not just reacting right.

25
00:01:12.959 --> 00:01:15.879
<v Speaker 1>So it's not just ticking boxes on a checklist. Auditors

26
00:01:15.879 --> 00:01:19.159
<v Speaker 1>are thinking about risk fundamentally. Our source gives us some

27
00:01:19.200 --> 00:01:22.000
<v Speaker 1>clear ways to define it. Often it's simplified down to

28
00:01:22.359 --> 00:01:26.920
<v Speaker 1>probability times impact. Makes sense. But there's another formula they use,

29
00:01:26.959 --> 00:01:30.840
<v Speaker 1>maybe a bit more vivid. Risk equals A times V

30
00:01:31.480 --> 00:01:36.200
<v Speaker 1>times T, so that's asset times vulnerability times threat. Let's

31
00:01:36.239 --> 00:01:39.040
<v Speaker 1>break that down real quick. Asset is anything valuable, could

32
00:01:39.079 --> 00:01:43.040
<v Speaker 1>be data, hardware, reputation, even people. Vulnerability that's a weakness

33
00:01:43.120 --> 00:01:47.000
<v Speaker 1>the organization can often control, like sloppy coding or forgetting

34
00:01:47.040 --> 00:01:50.120
<v Speaker 1>to patch. And threat is what might exploit that weakness,

35
00:01:50.120 --> 00:01:53.840
<v Speaker 1>often external stuff like hackers, malware, or even a flood. Now,

36
00:01:53.879 --> 00:01:56.680
<v Speaker 1>this AVT formula, it sounds neat, but is it always

37
00:01:56.680 --> 00:01:58.359
<v Speaker 1>that easy to put numbers on or is there some

38
00:01:58.480 --> 00:01:59.439
<v Speaker 1>art to it in practice?

39
00:01:59.599 --> 00:02:02.439
<v Speaker 2>Oh, that's a great point. That formula gives a solid framework, definitely,

40
00:02:02.760 --> 00:02:06.640
<v Speaker 2>but quantifying each part, that's where the skill, the art,

41
00:02:06.680 --> 00:02:11.280
<v Speaker 2>comes in. It really helps auditors pinpoint inherent risk, that's

42
00:02:11.319 --> 00:02:13.919
<v Speaker 2>the baseline risk before you put any controls in place.

43
00:02:14.240 --> 00:02:16.000
<v Speaker 2>Then they look at the controls and figure out the

44
00:02:16.000 --> 00:02:19.800
<v Speaker 2>residual risk, what's actually left over after those defenses. And

45
00:02:19.840 --> 00:02:22.560
<v Speaker 2>the big picture implication here is about focus, right? You

46
00:02:22.599 --> 00:02:27.759
<v Speaker 2>can't protect everything perfectly, so this helps channel resources, attention,

47
00:02:28.120 --> 00:02:31.319
<v Speaker 2>to where the risk is highest, which makes you think,

48
00:02:31.479 --> 00:02:33.919
<v Speaker 2>how do you assess risk in your own projects or

49
00:02:34.080 --> 00:02:36.280
<v Speaker 2>just daily life? Do you think about both how likely

50
00:02:36.319 --> 00:02:38.360
<v Speaker 2>something is and how bad it could be and what's

51
00:02:38.439 --> 00:02:39.680
<v Speaker 2>left after your precautions?

52
00:02:39.840 --> 00:02:43.080
<v Speaker 1>That makes total sense, prioritization. So once you've figured out

53
00:02:43.080 --> 00:02:45.840
<v Speaker 1>the risks, you need controls. Our guide breaks these down

54
00:02:45.879 --> 00:02:48.479
<v Speaker 1>into types, which is really helpful for understanding how defenses

55
00:02:48.479 --> 00:02:51.680
<v Speaker 1>get layered. Let's start with preventive controls. These aim to

56
00:02:51.680 --> 00:02:54.960
<v Speaker 1>stop bad things before they happen. Think multi-factor authentication,

57
00:02:55.400 --> 00:02:59.599
<v Speaker 1>good firewalls, or segregating duties so one person can't do everything.

58
00:02:59.639 --> 00:03:01.719
<v Speaker 1>Are these sort of the bedrock?

59
00:03:02.039 --> 00:03:05.639
<v Speaker 2>Absolutely, they are the foundational layer. A strong preventive control

60
00:03:05.719 --> 00:03:08.879
<v Speaker 2>is always your best bet. Stops the problem entirely ideally,

61
00:03:09.479 --> 00:03:12.039
<v Speaker 2>but let's be real, nothing's ever one hundred percent foolproof,

62
00:03:12.039 --> 00:03:13.039
<v Speaker 2>so you can't just stop there.

63
00:03:13.080 --> 00:03:15.879
<v Speaker 1>You need backups, and that's where detective controls step in,

64
00:03:16.240 --> 00:03:19.120
<v Speaker 1>the ones that spot issues after they've happened, things like

65
00:03:19.759 --> 00:03:24.719
<v Speaker 1>security cameras, log monitoring, maybe even having solid business continuity plans.

66
00:03:24.479 --> 00:03:27.680
<v Speaker 2>Right, exactly, they're your warning system. If something gets past

67
00:03:27.759 --> 00:03:29.159
<v Speaker 2>the first wall.

68
00:03:28.960 --> 00:03:31.360
<v Speaker 1>Caught it quick, and then if something is detected, then.

69
00:03:31.240 --> 00:03:34.879
<v Speaker 2>You need corrective controls. These are about fixing it, restoring

70
00:03:34.960 --> 00:03:39.319
<v Speaker 2>data from a backup, patching that vulnerability someone exploited, maybe

71
00:03:39.400 --> 00:03:42.879
<v Speaker 2>revoking access. It's the cleanup crew, basically getting things back

72
00:03:42.919 --> 00:03:44.080
<v Speaker 2>to a known good state.

73
00:03:44.360 --> 00:03:47.719
<v Speaker 1>We also have deterrent controls, like a simple warning, a CCTV

74
00:03:47.800 --> 00:03:51.039
<v Speaker 1>in operation sign, just making someone think twice. And finally,

75
00:03:51.280 --> 00:03:55.439
<v Speaker 1>compensating controls. These are clever workarounds when the main control

76
00:03:55.520 --> 00:03:58.639
<v Speaker 1>isn't practical, like maybe in a small company you can't

77
00:03:58.639 --> 00:04:03.639
<v Speaker 1>perfectly segregate duties, so you compensate with really thorough log reviews.

78
00:04:04.039 --> 00:04:07.360
<v Speaker 1>It's fascinating how they layer up. What I find really

79
00:04:07.400 --> 00:04:09.840
<v Speaker 1>interesting is how they work together. You might have a

80
00:04:09.840 --> 00:04:12.479
<v Speaker 1>security guard, that's a deterrent, outside a locked door, that's

81
00:04:12.520 --> 00:04:15.680
<v Speaker 1>preventive. If someone does get through the lock somehow, the

82
00:04:15.719 --> 00:04:19.480
<v Speaker 1>CCTV, detective, helps figure out what happened, and that leads

83
00:04:19.519 --> 00:04:23.120
<v Speaker 1>to actions to fix the vulnerability, corrective controls. It's like

84
00:04:23.120 --> 00:04:26.720
<v Speaker 1>this mesh of defenses. So with all these layers, what's

85
00:04:26.720 --> 00:04:30.600
<v Speaker 1>a common mistake or trap organizations fall into when setting

86
00:04:30.639 --> 00:04:31.199
<v Speaker 1>up controls?

87
00:04:31.360 --> 00:04:33.439
<v Speaker 2>Well, often it's focusing too much on the tech side

88
00:04:33.439 --> 00:04:36.879
<v Speaker 2>and forgetting the people aspect, or maybe investing heavily in

89
00:04:36.959 --> 00:04:40.839
<v Speaker 2>say, firewalls, but leaving physical security weak. Auditors are always

90
00:04:40.839 --> 00:04:43.720
<v Speaker 2>looking for those kinds of imbalances or assumptions that just

91
00:04:43.800 --> 00:04:46.279
<v Speaker 2>one control is enough when you really need that integrated

92
00:04:46.279 --> 00:04:47.680
<v Speaker 2>strategy that makes sense.

93
00:04:47.800 --> 00:04:50.240
<v Speaker 1>People are often the weakest link, aren't they? Okay, let's

94
00:04:50.240 --> 00:04:52.839
<v Speaker 1>shift focus. Now we've seen how auditors think about risk

95
00:04:52.879 --> 00:04:57.040
<v Speaker 1>and controls. Let's apply that to something familiar. Online banking

96
00:04:57.240 --> 00:05:00.680
<v Speaker 1>super convenient, right? But our source highlights a heavy dependence

97
00:05:00.959 --> 00:05:05.360
<v Speaker 1>on internet service providers and naturally big cyber risks like

98
00:05:05.439 --> 00:05:09.360
<v Speaker 1>hacking, system downtime, and ensuring transaction integrity.

99
00:05:09.519 --> 00:05:14.120
<v Speaker 2>Right, that convenience factor brings in dependencies on external companies

100
00:05:14.120 --> 00:05:17.279
<v Speaker 2>which the bank doesn't directly control. That just broadens the

101
00:05:17.319 --> 00:05:20.720
<v Speaker 2>potential attack surface. So for an auditor, that means looking

102
00:05:20.720 --> 00:05:25.160
<v Speaker 2>closely at governance, at confidentiality, integrity, availability arrangements, how well

103
00:05:25.240 --> 00:05:28.160
<v Speaker 2>is security testing done? And like we all experience that

104
00:05:28.240 --> 00:05:32.319
<v Speaker 2>two factor authentication prompt, that's a classic powerful preventive control.

105
00:05:32.360 --> 00:05:34.839
<v Speaker 2>It really helps mitigate those risks from someone just stealing

106
00:05:34.839 --> 00:05:36.839
<v Speaker 2>your password, adds that vital second check.

107
00:05:37.000 --> 00:05:39.759
<v Speaker 1>Okay, let's switch from digital to physical for a moment. Yeah,

108
00:05:39.800 --> 00:05:42.920
<v Speaker 1>physical security might seem obvious, locks on doors, but the

109
00:05:42.920 --> 00:05:47.639
<v Speaker 1>guide details some pretty sophisticated layers beyond standard deadbolts.

110
00:05:47.839 --> 00:05:51.839
<v Speaker 1>You've got combination locks, which need changing often, electronic card locks,

111
00:05:51.839 --> 00:05:54.000
<v Speaker 1>which are easy to deactivate if a card is lost,

112
00:05:54.439 --> 00:05:58.240
<v Speaker 1>and for really critical places, biometric locks, fingerprints, iris scans.

113
00:05:58.759 --> 00:06:01.199
<v Speaker 1>But then there's this concept I find fascinating, dead man

114
00:06:01.240 --> 00:06:04.959
<v Speaker 1>doors or man traps. It's basically two doors in sequence.

115
00:06:05.120 --> 00:06:07.480
<v Speaker 1>The second door won't open until the first one closes

116
00:06:07.480 --> 00:06:10.879
<v Speaker 1>and locks behind you, and usually only one person is

117
00:06:10.920 --> 00:06:13.279
<v Speaker 1>allowed in that little space between the doors at a time.

118
00:06:13.560 --> 00:06:17.000
<v Speaker 1>It's a clever way to stop tailgating or piggybacking, someone

119
00:06:17.040 --> 00:06:20.000
<v Speaker 1>sneaking in right behind someone authorized. Like physical two.

120
00:06:19.800 --> 00:06:22.720
<v Speaker 2>Factors, exactly. It forces single entry, and you combine that

121
00:06:22.759 --> 00:06:26.160
<v Speaker 2>with things like CCTV cameras strategically placed, making sure the

122
00:06:26.160 --> 00:06:28.240
<v Speaker 2>footage is kept long enough, maybe three months, as the

123
00:06:28.240 --> 00:06:30.720
<v Speaker 2>guide suggests, becomes a key detective control too.

124
00:06:30.959 --> 00:06:34.000
<v Speaker 1>And don't forget environmental controls. In places like data centers,

125
00:06:34.360 --> 00:06:37.199
<v Speaker 1>fire suppression is crucial, but the source points out a

126
00:06:37.240 --> 00:06:40.439
<v Speaker 1>really important safety risk with older systems like carbon dioxide

127
00:06:40.560 --> 00:06:44.240
<v Speaker 1>or halon. They work by reducing oxygen, which is

128
00:06:45.360 --> 00:06:47.839
<v Speaker 1>obviously dangerous in a room where people might be working. Yes,

129
00:06:47.839 --> 00:06:49.680
<v Speaker 1>suffocation risk, that's right.

130
00:06:49.680 --> 00:06:52.600
<v Speaker 2>Which is why for manned areas you now see safer

131
00:06:52.639 --> 00:06:56.720
<v Speaker 2>alternatives like FM-200 or Argonite gas. They suppress

132
00:06:56.759 --> 00:07:00.000
<v Speaker 2>fire without displacing oxygen to dangerous levels. It's that balance

133
00:07:00.000 --> 00:07:01.839
<v Speaker 2>once again, protecting assets and people.

134
00:07:01.959 --> 00:07:04.800
<v Speaker 1>So think about your own workplace for a second. What

135
00:07:04.920 --> 00:07:10.160
<v Speaker 1>physical controls, visible or maybe hidden, are protecting things? Data centers,

136
00:07:10.240 --> 00:07:13.439
<v Speaker 1>server rooms, even just your own desk. Now back to

137
00:07:13.480 --> 00:07:15.600
<v Speaker 1>the digital world for a bit. How do we prove

138
00:07:15.639 --> 00:07:18.920
<v Speaker 1>who we are online? Our sources talk about the three

139
00:07:19.000 --> 00:07:23.360
<v Speaker 1>classic factors of authentication. You probably use these constantly. First,

140
00:07:23.399 --> 00:07:27.240
<v Speaker 1>there's something you know, like your password or a PIN number. Second,

141
00:07:27.319 --> 00:07:29.920
<v Speaker 1>something you have, maybe a physical token, a smart card

142
00:07:30.000 --> 00:07:32.639
<v Speaker 1>or that one-time code sent to your phone. And third,

143
00:07:33.079 --> 00:07:37.560
<v Speaker 1>something you are, biometrics: fingerprint, face scan, iris scan. And

144
00:07:37.600 --> 00:07:40.399
<v Speaker 1>two-factor authentication, which we keep mentioning, just means using

145
00:07:40.399 --> 00:07:42.680
<v Speaker 1>a combination of two of those, like that digital dead

146
00:07:42.720 --> 00:07:43.680
<v Speaker 1>man door for your login.

147
00:07:43.839 --> 00:07:46.279
<v Speaker 2>It significantly boosts security, no doubt. But then you have

148
00:07:46.360 --> 00:07:49.800
<v Speaker 2>things like single sign-on, SSO. Super convenient, right? One

149
00:07:49.839 --> 00:07:52.399
<v Speaker 2>password for lots of apps. But what's the catch? Well,

150
00:07:52.439 --> 00:07:55.000
<v Speaker 2>the big disadvantage is it creates a single point of failure.

151
00:07:55.519 --> 00:07:59.319
<v Speaker 2>If that one SSO password gets compromised, uh oh, an

152
00:07:59.360 --> 00:08:03.040
<v Speaker 2>attacker can potentially access everything it protects. It really highlights that

153
00:08:03.120 --> 00:08:05.959
<v Speaker 2>constant tension between making things easy for users and keeping

154
00:08:05.959 --> 00:08:06.600
<v Speaker 2>things secure.

155
00:08:06.800 --> 00:08:09.879
<v Speaker 1>Good point. And what about when data gets old? We

156
00:08:09.920 --> 00:08:12.240
<v Speaker 1>need to get rid of it securely. Just hitting delete

157
00:08:12.240 --> 00:08:15.639
<v Speaker 1>on your computer? Yeah, that doesn't really cut it. Our

158
00:08:15.680 --> 00:08:19.759
<v Speaker 1>source mentions degaussing, basically using strong magnets to scramble data

159
00:08:19.800 --> 00:08:22.519
<v Speaker 1>on magnetic media like tapes or older hard drives if

160
00:08:22.519 --> 00:08:25.639
<v Speaker 1>you want to reuse them. But for truly ensuring data

161
00:08:25.759 --> 00:08:30.079
<v Speaker 1>is gone forever, especially sensitive stuff, physical destruction is listed

162
00:08:30.120 --> 00:08:33.279
<v Speaker 1>as the most effective way, shredding, pulverizing.

163
00:08:33.879 --> 00:08:38.399
<v Speaker 2>Absolutely, for physical media you control, destruction is definitive. But

164
00:08:38.480 --> 00:08:41.559
<v Speaker 2>think about the cloud now, or virtual machines. It gets more complicated,

165
00:08:41.600 --> 00:08:45.080
<v Speaker 2>doesn't it. Auditors now have to worry about secure logical erasure,

166
00:08:45.200 --> 00:08:48.000
<v Speaker 2>something called crypto shredding where you destroy the encryption key,

167
00:08:48.519 --> 00:08:52.159
<v Speaker 2>or verifying the cloud provider's disposal methods. It just shows

168
00:08:52.159 --> 00:08:55.200
<v Speaker 2>how deep this thinking has to go. Protecting data isn't

169
00:08:55.240 --> 00:08:57.320
<v Speaker 2>just about when it's live, but also making sure it's

170
00:08:57.320 --> 00:08:58.320
<v Speaker 2>securely retired.

171
00:08:58.559 --> 00:09:02.000
<v Speaker 1>Okay, let's move into the network. When you think network security,

172
00:09:02.000 --> 00:09:05.840
<v Speaker 1>you probably think firewall. But it's not just one monolithic wall.

173
00:09:05.919 --> 00:09:09.240
<v Speaker 1>It's a system with different types doing different jobs. You

174
00:09:09.279 --> 00:09:12.840
<v Speaker 1>start with basic packet filtering, just looking at addresses, but

175
00:09:12.919 --> 00:09:15.360
<v Speaker 1>then you get more advanced, all the way up to

176
00:09:15.480 --> 00:09:19.240
<v Speaker 1>application level firewalls. These are pretty smart. They don't just

177
00:09:19.320 --> 00:09:21.879
<v Speaker 1>check the address label. They actually look inside the package,

178
00:09:21.919 --> 00:09:25.480
<v Speaker 1>at the data content itself. Much deeper inspection, and there

179
00:09:25.480 --> 00:09:28.639
<v Speaker 1>are special ways to set these up special components, like

180
00:09:28.879 --> 00:09:32.240
<v Speaker 1>a bastion host. Think of it as a heavily armored

181
00:09:32.240 --> 00:09:35.440
<v Speaker 1>guard post. It's designed to be the only system that's

182
00:09:35.559 --> 00:09:39.720
<v Speaker 1>directly exposed to the public Internet. Everything else hides behind it, right.

183
00:09:39.759 --> 00:09:42.120
<v Speaker 2>It takes all the direct hits theoretically, and then you

184
00:09:42.159 --> 00:09:44.879
<v Speaker 2>have proxy servers. They act as a go between your

185
00:09:44.960 --> 00:09:47.720
<v Speaker 2>computer talks to the proxy, the proxy talks to the Internet.

186
00:09:47.879 --> 00:09:51.080
<v Speaker 2>This helps hide your internal network structure and addresses

187
00:09:51.120 --> 00:09:52.120
<v Speaker 2>from the outside world.

188
00:09:52.399 --> 00:09:55.240
<v Speaker 1>And you combine these things. The source flags the screened

189
00:09:55.320 --> 00:09:58.960
<v Speaker 1>subnet firewall, often called a DMZ or demilitarized zone, as

190
00:09:59.000 --> 00:10:03.200
<v Speaker 1>the most secure configuration. This typically uses two firewalls, maybe

191
00:10:03.279 --> 00:10:06.840
<v Speaker 1>routers acting as firewalls, plus a bastion host in between,

192
00:10:07.240 --> 00:10:08.559
<v Speaker 1>creates layers.

193
00:10:08.320 --> 00:10:12.200
<v Speaker 2>Like an airlock, exactly. That DMZ is a classic example

194
00:10:12.240 --> 00:10:15.519
<v Speaker 2>of defense in depth. You create this buffer zone. Public

195
00:10:15.559 --> 00:10:17.919
<v Speaker 2>services like a web server might live in the DMZ,

196
00:10:18.320 --> 00:10:22.279
<v Speaker 2>isolated from your really sensitive internal network. An attacker would

197
00:10:22.279 --> 00:10:25.559
<v Speaker 2>have to breach multiple layers to get inside. Auditors love

198
00:10:25.639 --> 00:10:28.720
<v Speaker 2>seeing well configured DMZs. They're checking not just that there

199
00:10:28.720 --> 00:10:31.559
<v Speaker 2>are firewalls, but how they're configured, how they work together.

200
00:10:31.799 --> 00:10:35.039
<v Speaker 1>Makes sense. Now, what about VPNs. Lots of us use them,

201
00:10:35.080 --> 00:10:38.240
<v Speaker 1>especially for remote work. Virtual private networks, they create that

202
00:10:38.320 --> 00:10:41.519
<v Speaker 1>secure encrypted tunnel over the public Internet, using things like

203
00:10:41.559 --> 00:10:45.200
<v Speaker 1>tunneling protocols and IPsec for encryption. Sounds secure, but

204
00:10:45.240 --> 00:10:46.000
<v Speaker 1>what are the risks?

205
00:10:46.120 --> 00:10:49.879
<v Speaker 2>Well, VPNs are great for confidentiality, but they pose challenges.

206
00:10:50.240 --> 00:10:54.919
<v Speaker 2>One is that firewalls often cannot adequately examine encrypted VPN traffic.

207
00:10:55.480 --> 00:10:58.679
<v Speaker 2>So potentially malicious stuff could tunnel right through your perimeter

208
00:10:58.759 --> 00:11:02.639
<v Speaker 2>defenses hidden inside that encrypted stream. Okay, and a really

209
00:11:02.639 --> 00:11:06.159
<v Speaker 2>significant risk is the endpoint device itself, the remote computer

210
00:11:06.240 --> 00:11:09.879
<v Speaker 2>connecting in. If that laptop is already compromised with malware,

211
00:11:09.919 --> 00:11:11.879
<v Speaker 2>it can just send that malicious code through the VPN

212
00:11:11.960 --> 00:11:16.360
<v Speaker 2>tunnel right into the organization's private network bypassing a lot

213
00:11:16.360 --> 00:11:19.240
<v Speaker 2>of defenses. Which leads to the question for you, the listener,

214
00:11:19.480 --> 00:11:21.559
<v Speaker 2>how secure is the device you use to connect via

215
00:11:21.639 --> 00:11:25.240
<v Speaker 2>VPN and is the VPN itself configured correctly? Because poor

216
00:11:25.240 --> 00:11:28.720
<v Speaker 2>configuration is another major risk area. Strong crypto doesn't help

217
00:11:28.759 --> 00:11:29.759
<v Speaker 2>if the setup is leaky.

218
00:11:30.000 --> 00:11:32.679
<v Speaker 1>Right, the tunnel might be strong, but what's going through

219
00:11:32.679 --> 00:11:37.039
<v Speaker 1>it or where it ends up matters hugely. Okay. Finally,

220
00:11:37.080 --> 00:11:40.879
<v Speaker 1>let's touch on Wi-Fi security. Wireless is everywhere. How

221
00:11:40.879 --> 00:11:43.679
<v Speaker 1>do we lock that down? Our source mentions some practical

222
00:11:43.720 --> 00:11:47.440
<v Speaker 1>steps auditors look for. One is MAC filtering. This means

223
00:11:47.480 --> 00:11:50.960
<v Speaker 1>configuring the router to only allow devices with specific pre

224
00:11:51.039 --> 00:11:55.360
<v Speaker 1>approved hardware addresses, MAC addresses, to connect, kind of like

225
00:11:55.399 --> 00:11:56.039
<v Speaker 1>a guest list.

226
00:11:56.159 --> 00:11:59.440
<v Speaker 2>Yeah, it adds a layer. Then absolutely crucial is encryption.

227
00:11:59.759 --> 00:12:02.799
<v Speaker 2>The guide points to WPA2 as the strong standard

228
00:12:02.840 --> 00:12:05.799
<v Speaker 2>you should be using. WPA3 is even better now,

229
00:12:05.799 --> 00:12:09.039
<v Speaker 2>but WPA2 is the minimum baseline. That scrambles the

230
00:12:09.120 --> 00:12:12.200
<v Speaker 2>data flying through the air, so eavesdroppers can't easily read it.

231
00:12:12.240 --> 00:12:15.960
<v Speaker 1>The guide also mentions disabling SSID broadcasting. That's hiding your

232
00:12:15.960 --> 00:12:18.279
<v Speaker 1>network name so it doesn't pop up automatically in lists,

233
00:12:18.759 --> 00:12:21.559
<v Speaker 1>so, you know. This isn't strictly necessary unless you're maybe

234
00:12:21.559 --> 00:12:25.159
<v Speaker 1>trying to avoid advertising a public hotspot. Security by obscurity

235
00:12:25.279 --> 00:12:26.720
<v Speaker 1>isn't super strong on its own.

236
00:12:26.919 --> 00:12:33.320
<v Speaker 2>True. And finally, disabling DHCP. DHCP automatically assigns IP addresses

237
00:12:33.320 --> 00:12:36.320
<v Speaker 2>to devices joining the network. Disabling it means you have

238
00:12:36.360 --> 00:12:39.639
<v Speaker 2>to manually configure the IP address on each device. It

239
00:12:39.679 --> 00:12:42.120
<v Speaker 2>makes it harder for an unauthorized person to just jump on.

240
00:12:42.440 --> 00:12:44.240
<v Speaker 2>A bit more hassle, but more control.

241
00:12:44.360 --> 00:12:47.039
<v Speaker 1>Yeah, these are all practical things, things auditors check and

242
00:12:47.080 --> 00:12:49.000
<v Speaker 1>things you can even check on your own home network,

243
00:12:49.080 --> 00:12:52.480
<v Speaker 1>understanding the why behind them. So we've covered a lot

244
00:12:52.519 --> 00:12:55.360
<v Speaker 1>of ground today, a real whirlwind tour through how IS

245
00:12:55.639 --> 00:12:59.720
<v Speaker 1>auditors think, from breaking down risk into assets, vulnerabilities and

246
00:12:59.720 --> 00:13:02.919
<v Speaker 1>threats to building layered defenses with all those different types

247
00:13:02.919 --> 00:13:05.440
<v Speaker 1>of controls. We've seen how just one weak spot, a

248
00:13:05.480 --> 00:13:08.519
<v Speaker 1>missing control, a shared password, maybe an unpatched system, can

249
00:13:08.559 --> 00:13:11.919
<v Speaker 1>cause big problems, and how layers from physical dead man doors

250
00:13:11.919 --> 00:13:15.200
<v Speaker 1>to complex firewall rules and VPNs work together to try

251
00:13:15.240 --> 00:13:16.120
<v Speaker 1>and keep things safe.

252
00:13:16.159 --> 00:13:18.320
<v Speaker 2>Absolutely, and the key takeaway, I think is that this

253
00:13:18.399 --> 00:13:22.519
<v Speaker 2>is never static. Technology changes constantly, threats evolve, but those

254
00:13:22.559 --> 00:13:28.960
<v Speaker 2>core principles, know your assets, understand your weaknesses, layer your controls, preventive, detective, corrective,

255
00:13:29.000 --> 00:13:32.679
<v Speaker 2>and so on, those remain essential. Which maybe leaves the

256
00:13:32.720 --> 00:13:35.759
<v Speaker 2>final question for you, the listener. In our super tech

257
00:13:35.759 --> 00:13:39.600
<v Speaker 2>dependent lives, are we doing enough to think like these auditors?

258
00:13:39.639 --> 00:13:42.879
<v Speaker 2>do we really understand the why behind the security measures

259
00:13:42.879 --> 00:13:46.039
<v Speaker 2>we use or are we just sort of clicking accept

260
00:13:46.080 --> 00:13:47.120
<v Speaker 2>and hoping for the best.

261
00:13:47.159 --> 00:13:49.919
<v Speaker 1>A very important question indeed. Well thanks for diving deep

262
00:13:49.960 --> 00:13:53.440
<v Speaker 1>with us today on information systems, auditing, and security. Keep learning,

263
00:13:53.759 --> 00:13:56.919
<v Speaker 1>keep asking those right questions, and stay curious. Hopefully you

264
00:13:56.960 --> 00:13:59.960
<v Speaker 1>now feel a bit more informed about this really complex

265
00:14:00.120 --> 00:14:01.440
<v Speaker 1>but vital field.
